https://gdprhub.eu/index.php?title=Special:NewPages&feed=atom&hideredirs=1&limit=50&offset=&namespace=0&username=&tagfilter=&size-mode=max&size=0
GDPRhub - New pages [en] (2024-03-19T07:49:18Z, From GDPRhub, MediaWiki 1.39.6)
https://gdprhub.eu/index.php?title=CJEU_-_C%E2%80%91479/2_-_OC_v_Commission
CJEU - C‑479/2 - OC v Commission (2024-03-18T22:35:26Z)
<p>So.h: </p>
<hr />
<div>{{CJEUdecisionBOX<br />
<br />
|Case_Number_Name=C‑479/2 OC v Commission<br />
|ECLI=ECLI:EU:C:2024:215<br />
<br />
|Opinion_Link=<br />
|Judgement_Link=https://curia.europa.eu/juris/document/document.jsf?text=&docid=283526&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=3322609<br />
<br />
|Date_Decided=07.03.2024<br />
|Year=2024<br />
<br />
|GDPR_Article_1=Article 4(1) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#1<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=2018/1725<br />
|EU_Law_Link_1=https://eur-lex.europa.eu/eli/reg/2018/1725/oj<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
|EU_Law_Name_3=<br />
|EU_Law_Link_3=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=OC<br />
|Party_Link_1=<br />
|Party_Name_2=European Commission <br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Reference_Body=<br />
|Reference_Case_Number_Name=<br />
<br />
|Initial_Contributor=so.h<br />
|<br />
}}<br />
<br />
The CJEU held that the definition of personal data does not depend on whether an 'average reader' can identify the data subject.<br />
<br />
==English Summary==<br />
<br />
=== Facts ===<br />
This is an appeal against the earlier General Court judgment [[T‑384/20 - OC v European Commission]].<br />
<br />
The claimant (OC) appealed the General Court’s decision on three grounds: that the General Court had misinterpreted the definition of personal data, and that it had failed to observe proper administrative procedures when making its judgement (the right to a presumption of innocence and the right to good administration under the Charter of Fundamental Rights).<br />
<br />
On the concept of personal data, the claimant argued that the General Court had misinterpreted the concept of an ‘identifiable natural person’, relying on two points:<br />
<br />
1) Identifiability is not tied to whether an “average reader” can identify the data subject. The case law states that identifiability depends on whether an individual holds ‘additional factors...necessary for identification... [these factors] can be available to a person other than the controller’ (see C-582/14 at paras 39 and 41). The General Court’s use of an average reader (at para 32) does not analyse the factors that the specific reader in the case holds, and thus, contrary to the case law, does not test whether a person has the additional factors needed for identification. The General Court’s novel use of this test is therefore erroneous.<br />
<br />
2) The General Court had erred in holding that the ‘means reasonably likely’ to be used to identify a data subject (recital 26 GDPR and recital 16 EUDPR) were limited. Rather, the court should have looked at the costs and time required to identify the claimant in order to determine whether the claimant could be identified using ‘reasonable means’, in line with what the recital actually states (at para 33).<br />
<br />
The Commission asked the Court to declare these two points, and thus the crux of the first ground, inadmissible (at para 34).<br />
<br />
=== Holding ===<br />
The Court held that the General Court had made several errors of law and that the first ground of appeal must be upheld. <br />
<br />
First, the Court noted that the EUDPR (Regulation 2018/1725) and the GDPR share the same definition of personal data. Given that the legislator (at recitals 4 and 5 of Regulation 2018/1725) intended to establish a regime equivalent to the GDPR, both regimes must be read in the same way (at para 43).<br />
<br />
Second, identifiability is defined in Article 3(1) of Regulation 2018/1725 ([[Article 4 GDPR|Article 4(1) GDPR]]). The use of the word ‘indirectly’ in these Articles means that the information need not by itself identify the person (at para 47). Nor is it required that all the information enabling identification be in the hands of one person (at para 48). The fact that additional information is necessary to identify a data subject does not mean that the data cannot be classified as personal (at para 44).<br />
<br />
Third, it is ‘reasonably likely’ that combining OLAF’s press release with additional information would be used as a way to identify the claimant (at para 50). The General Court had been wrong to limit this ‘reasonable means’ test by confusing it with liability. Article 3(1) 2018/1725 states that only acts attributable to an EU institution can give rise to liability on the part of the European Union; the General Court took this to mean that the identification of the claimant must have resulted from the press release alone (at para 52). On the facts, the German journalist who identified the claimant had specialist information, so the General Court ruled that these were not ‘reasonable means’ and that the claimant could not be identified (at para 53). The Court made clear that liability and identification are separate questions (at para 54). The fact that additional information is needed, and that it comes from a source other than the controller, does not rule out the identifiable nature of the claimant and thus the personal nature of the data (at para 55). This is supported by recital 16 EUDPR (recital 26 GDPR), which makes clear that identification can be carried out by ‘any other person’.<br />
<br />
Fourth, the Court rejected the General Court’s ‘average reader’ test, which the General Court had invented and used for the first time in [[T‑384/20 - OC v European Commission]]. The fact that the reader of the press release is a journalist cannot lead to the conclusion that the data is not personal (at para 58).<br />
<br />
Last, the Court looked at the facts of the case and determined that the press release contained the claimant’s gender, nationality, father’s occupation, the grant amount for a scientific project and the geographical location of the entity hosting that project, which together would allow the claimant to be identified (at para 61). Furthermore, the Court applied the ‘reasonable means’ test and determined that identification could occur without disproportionate effort in terms of time, cost and labour. There is no obligation on the claimant to prove that they had actually been identified by the time of the case, as no such condition is contained in Article 3(1) 2018/1725 ([[Article 4 GDPR|Article 4(1) GDPR]]). It follows that the General Court erred in finding that the claimant was not identifiable and that the data was therefore not personal.<br />
<br />
The Court also upheld the second ground of appeal (presumption of innocence) and partially upheld the third ground of appeal (right to good administration). It referred the case back to the General Court to be decided again.<br />
<br />
== Comment ==<br />
This is a potentially landmark case. The Court has gone further than in any judgment since ''Breyer'' (C-582/14) in scoping out what identifiability means and how the test of ‘reasonable means’ (recital 26 GDPR) relates to it.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''</div>
So.h
https://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202202954
AEPD (Spain) - EXP202202954 (2024-03-18T17:51:59Z)
<p>Lm: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=EXP202202954<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Agencia Española de Protección de Datos<br />
|Original_Source_Link_1=https://www.aepd.es/documento/ps-00070-2023.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=31.01.2022<br />
|Date_Decided=26.01.2024<br />
|Date_Published=<br />
|Year=2024<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1c<br />
|GDPR_Article_2=Article 6(1)(c) GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR#1c<br />
|GDPR_Article_3=Article 9(1) GDPR<br />
|GDPR_Article_Link_3=Article 9 GDPR#1<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=Articulo 20(a), Ley Orgánica 3/2007, de 22 de marzo, para la igualdad efectiva de mujeres y hombres<br />
|National_Law_Link_1=https://www.boe.es/buscar/act.php?id=BOE-A-2007-6115<br />
|National_Law_Name_2=Articulo 26, Ley 12/1989, de 9 de mayo, de la Función Estadística Pública<br />
|National_Law_Link_2=https://www.boe.es/buscar/doc.php?id=BOE-A-1989-10767<br />
|National_Law_Name_3=Ley 2/2021, de 7 de junio, de igualdad social y no discriminación por razón de identidad de género, expresión de género y características sexuales<br />
|National_Law_Link_3=https://www.boe.es/buscar/act.php?id=BOE-A-2021-11382<br />
|National_Law_Name_4=<br />
|National_Law_Link_4=<br />
|National_Law_Name_5=<br />
|National_Law_Link_5=<br />
<br />
|Party_Name_1=Consejería de Economía, Conocimiento y Empleo<br />
|Party_Link_1=https://www.gobiernodecanarias.org/ece/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=lm<br />
|<br />
}}<br />
<br />
The DPA imposed warning sanctions on a government agency that included ‘nonbinary’ as a possible answer to a form question about sex, finding that this answer constituted processing of a special category of data and violated the principle of data minimization.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
On 31 January 2022, a complaint was filed with the Spanish DPA concerning a government webpage that required certain personal data in order to submit a form for the conciliation of labor disputes to the Canary Islands’ Department of Economy, Knowledge and Employment (the controller). In particular, the form included a question concerning sex/gender that required a response of man, woman or nonbinary. The complainant argued that the nonbinary response required the disclosure of personal data related to sexual orientation, and that such data was beyond the scope of the controller’s legal basis and the form’s purpose.<br />
<br />
The controller argued that there was no violation of Article 5(1)(c) or 9(1) GDPR and that it was in fact required to collect such information under Spanish law. In particular, Article 26 of Law 12/1989 and Article 20(a) of Law 3/2007 oblige public institutions to collect sex/gender information in all forms for statistical purposes.<br />
<br />
=== Holding ===<br />
The DPA found that the controller exceeded its legal basis for processing under [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]], violated the data minimisation principle under [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]], and improperly processed a special category of information under [[Article 9 GDPR#1|Article 9(1) GDPR]]. <br />
<br />
First, in finding a violation of [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]], the DPA determined that the controller had exceeded its legal basis for processing under the Spanish legal requirements. A number of Spanish laws, including Article 20 of Law 3/2007 and Article 26 of Law 12/1989, require public institutions to collect data about the applicant’s sex for statistical purposes and for the monitoring of gender equality. Article 26 of Law 12/1989 specifies ‘woman’ and ‘man’ as the responses to inquiries about sex. The DPA noted, however, that none of the Spanish laws obliging sex to be recorded requires a nonbinary response to be included. Including it as a response thus exceeded the scope of the legal requirements that formed the basis for processing under [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]].<br />
<br />
Second, the DPA held that the nonbinary response collected personal data that was not necessary for the purpose of the processing, in violation of [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]. It considered that the nonbinary response was unrelated to the purpose for which data was being collected in the form, namely the conciliation of labor disputes between employers and employees.<br />
<br />
Finally, the DPA determined that the controller had processed special categories of data prohibited under [[Article 9 GDPR#1|Article 9(1) GDPR]]. Though it noted that gender identity and sexual orientation are distinct, the DPA determined that a response other than man or woman (in this case, nonbinary) can still be considered to relate to sexual life, even if the form does not explicitly refer to sexual orientation or sex life. None of the exceptions to the prohibition on processing special categories of data under Article 9(2) GDPR applied in this case. As a result, the DPA concluded that the nonbinary response violated [[Article 9 GDPR#1|Article 9(1) GDPR]].<br />
<br />
The DPA imposed undisclosed warning sanctions for the controller’s violations of [[Article 5 GDPR#1c|Article 5(1)(c)]] and [[Article 9 GDPR#1|Article 9(1) GDPR]] pursuant to [[Article 83 GDPR#5a|Article 83(5)(a) GDPR]]. It also ordered the controller to bring its processing operations into compliance by removing the nonbinary response from sex/gender questions, not only in the form at issue in the case but in all forms and documents processed by its public institutions.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
17/26<br />
And in its article 72, it considers for the purposes of prescription, which are: “Infringements<br />
considered very serious:<br />
1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,<br />
considered very serious and will prescribe after three years the infractions that involve<br />
a substantial violation of the articles mentioned therein and, in particular, the<br />
following:<br />
a) The processing of personal data violating the principles and guarantees<br />
established in article 5 of Regulation (EU) 2016/679.<br />
(…)”.<br />
VII<br />
Second unfulfilled obligation: violation of article 9.1 of the GDPR<br />
Article 9 of the GDPR states:<br />
"1. The processing of personal data that reveals ethnic origin is prohibited<br />
or racial, political opinions, religious or philosophical convictions, or affiliation<br />
union, and the processing of genetic data, biometric data aimed at identifying<br />
univocally to a natural person, data relating to health or data relating to<br />
“the sexual life or sexual orientation of a natural person.”<br />
And in section 2:<br />
"2. Section 1 will not apply when one of the circumstances occurs<br />
following:<br />
a) the interested party gave explicit consent for the processing of said data<br />
personal data for one or more of the specified purposes, except when the Right to<br />
the Union or the Member States establishes that the prohibition referred to in<br />
section 1 cannot be lifted by the interested party;”<br />
Also article 9.1 of the LOPDGDD that:<br />
"1. For the purposes of article 9.2.a) of Regulation (EU) 2016/679, in order to avoid<br />
discriminatory situations, the mere consent of the affected person will not be enough to<br />
lift the prohibition on the processing of data whose main purpose is to identify<br />
your ideology, union membership, religion, sexual orientation, beliefs or racial origin or<br />
ethnic."<br />
There is a special category of personal data, collected in the article<br />
9.1 RGPD, which differs from the rest of personal data in that its processing is<br />
is prohibited. However, this prohibition is not applicable in certain cases<br />
when any of the exceptions contemplated in article 9.2 do not apply<br />
of the GDPR.<br />
The Sentence handed down by the T.C. 67/2022, of 06/02/022, appeal for protection 6375-<br />
2019, considers the question raised to be of special constitutional importance because<br />
allows him to establish doctrine on a problem related to a fundamental right that does not<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es<br />
had been sufficiently treated, defining in the presence of what cause of<br />
discrimination we find when analyzing the assumption that is presented for its<br />
analysis, starting from the distinction between the notions of sex and gender, without forgetting<br />
personal conditions such as sexual orientation and identity<br />
gender.<br />
“Sex, which allows people to be identified as female living beings,<br />
masculine or intersex, is given by a complex series of characteristics<br />
morphological, hormonal and genetic, to which certain<br />
physical characteristics and potentialities that define us. Features such as<br />
example and without intending to formulate an exhaustive description, the internal genitalia and<br />
external factors, hormonal structure and chromosome structure (characteristics<br />
primary) or muscle mass, hair distribution and height (characteristics<br />
high schools).<br />
These biological characters, which may not be mutually exclusive in<br />
statistically exceptional situations, such as those that occur in people<br />
intersex, tend to formulate a binary classification, and only exceptionally<br />
tertiary, of the living beings of the human species.”<br />
For its part, although gender is connected to the realities or characteristics<br />
biological, does not fully identify with them, but rather defines the social identity<br />
of a person based on the social, educational and cultural constructions of the<br />
roles, personality traits, attitudes, behaviors and values<br />
that are associated or attributed, differentially, to men and women, and that include<br />
norms, behaviors, roles, external appearance, image and social expectations<br />
associated with one or another gender. While sex is linked to the concurrence of<br />
a series of objectively identifiable or measurable physical characters, the characters<br />
associated with gender are relative and circumstantial and can vary from one society to<br />
another and from one historical time to another.”<br />
And he continues “Sex and gender are not mutually exclusive, but neither are they<br />
synonyms, in such a way that their translation to the legal field requires assuming the difference<br />
existing between the two to evaluate the normative consequences of such a distinction and<br />
ensure adequate respect for legal certainty (art. 9.3 CE). He comes to verify the<br />
distinction between both notions, from the legal point of view, the mention<br />
differentiated to sex and gender, as diverse characteristics of the human being,<br />
contained in art. 4.3 of the Council of Europe Convention on prevention and control<br />
against violence against women and domestic violence (Istanbul Convention,<br />
of 2011), when it establishes that the "application by the parties of the provisions of the<br />
this Convention, in particular measures to protect the rights of<br />
victims, must be ensured without any discrimination, based in particular on the<br />
sex, gender […] sexual orientation, gender identity, […] or any other<br />
situation". Regardless of the normative scope given to the notions of<br />
sex and gender, neither one nor the other can be defined in a strict sense as rights,<br />
but as conditions or states that have an impact on the exercise of rights<br />
fundamental and that make up one of the many identity elements that can<br />
come to define the right to personal self-determination or to develop, with full<br />
respect for human dignity (art. 10 CE), one's own personal identity.”<br />
Also, the T.C. in its judgment refers to sexual orientation and identity of<br />
gender, pointing out that “Sexual orientation and gender identity are also personal conditions,<br />
the first referring to the preference for establishing relationships<br />
affective relationships with people of either sex, and the second to the identification of a<br />
person with gender-defining characteristics that may or may not coincide with<br />
the sex attributed to it, by virtue of the predominant biological characteristics that<br />
presented since birth. But in addition to being personal conditions, they are<br />
elements fundamentally linked to the right to develop a<br />
certain private and family life (art. 8 ECHR), as derived from a<br />
consolidated jurisprudence of the European Court of Human Rights that attributes<br />
to the concept of "private life" a broad definition, which encompasses the right to<br />
physical and psychological integrity of a person, including in that notion of integrity<br />
your sexual life and sexual orientation…; some aspects of physical identity and<br />
social of the person…; or the gender identity of trans people… Furthermore, the<br />
art. 8 ECHR protects the right of transgender people to personal development and<br />
physical and moral security.”<br />
It must be remembered that the variable present in the form was “sex/gender”, and<br />
the possible answers or options “man/woman/non-binary”.<br />
The model form with the question raised by the respondent does not comply with the<br />
purpose pursued, supposedly to obtain data for statistical purposes,<br />
issue that has already been explained in the previous foundations and that violates the<br />
principle of minimization because it is considered that the data collected in this way are not<br />
necessary and are excessive.<br />
On the other hand, the inclusion of the non-binary response/option within the variable<br />
sex/gender is also not related stricto sensu to the sex option, which would be the<br />
included in the standard for statistical purposes in order to effectively guarantee the<br />
integration of the gender perspective in its scope of action in accordance with<br />
Article 20.a) of Organic Law 3/2007, for the effective equality of women and<br />
men and article 11 of law 1/2020, Canary Islands on Equality between Women and<br />
Men, who similarly establish: a) Systematically include the variable<br />
sex in the statistics, surveys and data collection that they carry out”, but rather<br />
would link with a question of gender identity and that is introduced in the<br />
form without any justification.<br />
The inclusion of said response in the “sex” variable alters the meaning of the norms<br />
since in the planned data collection the concept would normally be modified<br />
accepted when moving to the concept of “felt sex”, embedded in the identity of<br />
gender.<br />
The completion of said variable is based on the standards defined by the INE,<br />
which in relation to the statistical variable "sex" indicates the following: "Sex is<br />
refers to the biological sex of the person. According to the WHO, “sex” refers to the<br />
biological and physiological characteristics that define men and women”, while<br />
What “gender” refers to refers to the social and cultural construction that defines<br />
different emotional, affective, intellectual characteristics, as well as the<br />
behaviors that each society assigns as typical and natural of men or<br />
of women, but there may be people who do not identify with these characteristics<br />
of men and women and thus, apart from the masculine and feminine there would be other genders. Of<br />
In this way, there are as many genders as there are identities, and therefore as many gender<br />
identities as people.<br />
While “sexual orientation” is the emotional, romantic, sexual and<br />
psychological that the person feels in a sustained way over time and is described<br />
different from gender identity.<br />
The Universal Declaration of Human Rights, the International Covenant on Rights<br />
Civil and Political Rights and the International Covenant on Economic, Social and<br />
Cultural rights include in their guarantees on non-discrimination, lists of fundamentals<br />
prohibited from discrimination. These lists do not explicitly mention the orientation<br />
sexual or gender identity, but conclude with the expressions “any other<br />
condition” or “any other social condition.” The use of these expressions shows<br />
that the intention was for these lists to be open and illustrative; In other words, the<br />
foundations of discrimination are not closed.<br />
It is clear that sexual orientation and gender identity are different aspects. In<br />
its jurisprudence, general observations and concluding observations, the organs of the<br />
United Nations treaties have uniformly held that<br />
sexual orientation and gender identity are prohibited grounds of<br />
discrimination under international law. Furthermore, it has been a long time since<br />
special procedures of the Human Rights Council have recognized the<br />
discrimination that exists due to sexual orientation and gender identity.<br />
In the same sense, various mechanisms for the protection of Human Rights<br />
international level, such as the Committees, have affirmed that States have the<br />
obligation to protect people from discrimination due to their orientation<br />
sexual. This position is reflected in decisions of the Human Rights Committee<br />
Humans – (Toonen v. Australia case 1994) and in general observations of the<br />
Committee on Economic, Social and Cultural Rights, of the Committee on Human Rights<br />
of the child of the committee against torture, of the committee for the elimination of discrimination<br />
against women. For example, in its general comment, the human rights committee<br />
economic, social and cultural aspects points out that the States parties must ensure<br />
that a person's sexual preferences do not constitute an obstacle to doing<br />
reality the rights recognized by the pact. Gender identity is also<br />
recognized as a prohibited ground of discrimination. The Committee on the Rights of<br />
the Child has interpreted that the right to non-discrimination in article 2 of the<br />
Convention on the Rights of the Child includes sexual orientation and identity of<br />
gender.<br />
Now, the introduction of gender identity, identifying its holder, would have<br />
must be carried out in any case, as long as there is a relationship between what is being asked, with<br />
the purpose for which you want to obtain it so that the data must be processed, without<br />
try to obtain the data for the sake of having it, without any specific purpose and, in this case,<br />
the form “Prior conciliation in labor disputes” and whose purpose is for the<br />
employers and workers involved in labor-related claims achieve<br />
compromise and agreement avoiding judicial proceedings, the inclusion of the<br />
gender issue, nor is this aspect examined or considered, so it lacks<br />
It makes no sense to introduce a response with that scope, without any connection to the object<br />
of the same. In that sense, no need is seen in the treatment of said<br />
response when filling out the form.<br />
In any case, a form is presented in which, although it does not explicitly refer to<br />
sexual orientation or sexual life, it can be deduced that if the<br />
male/female response and the non-binary option is noted, it can be considered<br />
related to sexual life, since basically what is being discussed<br />
Manifesto is a question that could be related to expressing your beliefs<br />
since gender identity is an internal issue for each person, as derived from the<br />
definition made by the Inter-American Committee on Human Rights in<br />
compliance with resolution AG/RES. 2653 (XLI-O/11): Human Rights,<br />
Sexual Orientation and Gender Identity, 04/23/2012 which defines it as: “The<br />
Gender identity is the internal and individual experience of gender as each<br />
person experiences it deeply, which may or may not correspond to sex<br />
signed at the moment of birth, including the personal experience of the body (which<br />
could involve modifying bodily appearance or function through<br />
medical, surgical or other techniques, provided that it is freely<br />
chosen) and other expressions of gender, including clothing, speech<br />
and manners.”<br />
That is, he is questioning his perceived sex, with which he identifies, if<br />
coincides with that assigned at birth: female/male, or non-binary, when their sex is felt,<br />
with which he identifies, does not coincide with the one assigned at birth, which goes beyond the objective and<br />
the purpose of the form within the context of Prior Conciliation, which is not<br />
oriented or established in that sense and people should not be forced to<br />
express or declare about your personal and intimate beliefs. This prohibition,<br />
finds its foundation, as indicated in the transcribed precept, in avoiding<br />
discriminatory situations, such as those that could occur when there is an inventory or<br />
record in which the sexual orientation of the people is recorded or collection of the<br />
gender identity without a specific purpose or legitimate basis or belief.<br />
The same ruling of the TC referred to in section 2, of this same<br />
foundation points out in reference to gender identity that: “As it has been<br />
recognized, as an argumentative presupposition in the previous legal basis, the<br />
Gender identity is a circumstance that has to do with the free development of<br />
personality, closely linked to respect for human dignity (art. 10.1 CE),<br />
and this trait of identity, when it does not fit hetero-normative parameters<br />
classics, that is, where gender identity and sex of the person are not<br />
absolutely coincident, can make the individual a creditor of a position of<br />
historically rooted social disadvantage of those prohibited by art. 14 CE.”<br />
However, the prohibition of article 9.1 is not applicable in certain cases when<br />
any of the exceptions contemplated in article 9.2 of the RGPD apply and,<br />
In that sense, in accordance with the aforementioned, in the present case there is no<br />
exception to article 9.2 of the RGPD that lifts the prohibition contained therein.<br />
Therefore, it is concluded that the defendant has violated article 9.1 of the RGPD which<br />
It is classified in article 83.5.e) of the aforementioned Regulation.<br />
VII<br />
Classification of the violation of article 9.1 RGPD<br />
The infraction attributed to the defendant is classified in article 83.5<br />
a) of the RGPD, which considers punishable, in accordance with section 5 of the<br />
aforementioned article 83 of the cited Regulation, the violation of “the basic<br />
principles for processing, including the conditions for consent pursuant to<br />
articles 5, 6, 7 and 9”.<br />
The LOPDGDD, in its article 71, Infractions, states that: “The acts and conduct<br />
referred to in sections 4, 5 and 6 of article 83 of<br />
Regulation (EU) 2016/679, as well as those that are contrary to this organic law,<br />
constitute infractions”.<br />
And in its article 72 it establishes, for the purposes of prescription, which are the<br />
“Infringements considered very serious:<br />
1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,<br />
the infractions that involve a substantial violation of the articles mentioned<br />
therein are considered very serious and will prescribe after three years, and in<br />
particular the following:<br />
(…)<br />
e) The processing of personal data of the categories referred to in article<br />
9 of Regulation (EU) 2016/679, without any of the circumstances<br />
provided for in said precept and in article 9 of this organic law occurring.<br />
(…)”.<br />
VIII<br />
Regime applicable to Public Administrations<br />
Article 83, “General conditions for imposing administrative fines”, of the<br />
GDPR establishes in section 7: “Without prejudice to the corrective powers of<br />
supervisory authorities pursuant to Article 58(2), each Member State<br />
may lay down the rules on whether and to what extent administrative fines may be<br />
imposed on public authorities and bodies established in that Member State.”<br />
The LOPDGDD, in its article 77, Regime applicable to certain categories of<br />
controllers or processors, establishes the following:<br />
“1. The regime established in this article will apply to the processing<br />
for which the following are controllers or processors:<br />
(…)<br />
c) The General State Administration, the Administrations of the autonomous<br />
communities and the entities that make up the Local Administration.<br />
(…)<br />
2. When the controllers or processors listed in section 1 commit<br />
any of the infractions referred to in articles 72 to 74 of this organic law,<br />
the competent data protection authority will issue a<br />
resolution declaring the infraction and establishing, where appropriate, the<br />
measures that are appropriate to adopt in order to cease the conduct or correct<br />
the effects of the infraction committed, with the exception of that provided for<br />
in article 58.2.i of Regulation (EU) 2016/679 of the European Parliament and of<br />
the Council, of April 27, 2016.<br />
The resolution will be notified to the controller or processor, to the body on which<br />
it hierarchically depends, if applicable, and to the affected persons who have the<br />
status of interested party, if applicable.<br />
3. Without prejudice to what is established in the previous section, the data<br />
protection authority will also propose the initiation of disciplinary actions when<br />
there is sufficient evidence for this. In this case, the procedure and sanctions to<br />
apply will be those established in the legislation on the disciplinary or sanctioning<br />
regime that is applicable.<br />
Likewise, when the infractions are attributable to authorities and managers, and the<br />
existence of technical reports or recommendations for the processing that<br />
had not been duly attended to is proven, the resolution in which the<br />
sanction is imposed will include a reprimand naming the responsible position and<br />
will order its publication in the State or autonomous Official Gazette that<br />
corresponds.<br />
4. The resolutions that<br />
are issued in relation to the measures and actions referred to in the<br />
previous sections.<br />
5. The actions carried out and the resolutions issued under this article will be<br />
communicated to the Ombudsman or, where appropriate, to the analogous institutions<br />
of the autonomous communities.<br />
6. When the competent authority is the Spanish Data Protection Agency,<br />
it will publish on its website, with due separation, the resolutions referring to<br />
the entities of section 1 of this article, with express indication of the identity<br />
of the controller or processor who had committed the infraction.<br />
When the competence corresponds to an autonomous data protection authority,<br />
the publicity of these resolutions will be governed by its<br />
specific regulations.”<br />
In the case examined, the present sanctioning procedure has its cause in the<br />
presumption that the defendant, as stated in the facts, has violated the<br />
regulations on the protection of personal data in relation to the<br />
principle of minimization and the prohibition of processing specially<br />
protected or sensitive data.<br />
In accordance with the available evidence, said conduct by the defendant constitutes<br />
a violation of the provisions of articles 5.1.c) and 9.1 of the<br />
GDPR.<br />
It should be noted that, without prejudice to the provisions of article 83 of the RGPD,<br />
article 77 contemplates the possibility of declaring the infringement and establishing the<br />
appropriate measures to correct the processing of personal data that does not<br />
conform to its provisions, when the controllers or processors listed in<br />
section 1 commit any of the infractions referred to in articles 72<br />
to 74 of this organic law.<br />
Additionally, article 58 of the RGPD contemplates in section 2 d) that each<br />
supervisory authority may “order the controller or processor to bring<br />
processing operations into compliance with the provisions of this<br />
Regulation, where appropriate, in a specified manner and within a<br />
specified period…”.<br />
IX<br />
Corrective measures<br />
Once the violations have been confirmed, it is appropriate to impose on the controller<br />
the adoption of appropriate measures to adjust its actions to the regulations mentioned<br />
in this act, in accordance with the provisions of the aforementioned article 58.2 d) of<br />
the RGPD, according to which each supervisory authority may “d) order the controller or<br />
processor to bring processing operations into compliance with the provisions of<br />
this Regulation, where appropriate, in a specified manner and within a<br />
specified period.” The imposition of this measure is compatible with the sanction<br />
consisting of a warning, as provided in art. 83.2 of the GDPR.<br />
Therefore, it would be considered appropriate to order the defendant, within a period of<br />
six months from the finality of this resolution, to adapt the<br />
processing that is the subject of this procedure to the applicable regulations and to<br />
communicate this to this body. The text of this agreement establishes which<br />
were the events that gave rise to the violation of the data protection<br />
regulations, from which the measures to adopt are clearly inferred, without prejudice<br />
to the fact that the type of procedures, mechanisms or specific instruments for<br />
implementing them corresponds to the sanctioned party, since it is the one who fully<br />
knows its organization and must decide, based on proactive responsibility and a<br />
risk-based approach, how to comply with the RGPD and the LOPDGDD.<br />
These measures could be specified in those that meet the requirements of the<br />
data protection regulations regarding the processing carried out, avoiding in<br />
the processing of the forms related to “Prior conciliation in<br />
labor conflicts” of claims and legal demands of a labor nature the<br />
non-binary response/option within the sex/gender variable included for<br />
statistical purposes, as well as in all those procedures, forms,<br />
applications and documents processed before its public bodies, implementing the<br />
relevant measures.<br />
Please note that failure to comply with the order imposed by this body may be<br />
considered an administrative offense in accordance with the provisions of the RGPD,<br />
classified as an infraction in its articles 83.5 and 83.6, and such conduct may give<br />
rise to the opening of a subsequent administrative sanctioning procedure.<br />
Therefore, in accordance with the applicable legislation and having evaluated the<br />
criteria for graduation of sanctions whose existence has been proven,<br />
the Director of the Spanish Data Protection Agency<br />
RESOLVES:<br />
FIRST: To impose on the DEPARTMENT OF ECONOMY, KNOWLEDGE AND<br />
EMPLOYMENT, with NIF S3511001D,<br />
- for the violation of article 5.1.c) of the RGPD, typified in article 85.3.a) of the RGPD,<br />
a sanction of warning, and<br />
- for the violation of article 9.1 of the RGPD, typified in article 83.5.e) of the<br />
RGPD, a sanction of warning.<br />
SECOND: To file the proceedings against the DEPARTMENT OF ECONOMY, KNOWLEDGE AND<br />
EMPLOYMENT, with NIF S3511001D, for the violation of article 6.1 of the RGPD, classified<br />
in article 83.5.a) of the RGPD.<br />
THIRD: To ORDER the DEPARTMENT OF ECONOMY, KNOWLEDGE AND<br />
EMPLOYMENT, with NIF S3511001D, by virtue of article 58.2.d) of the RGPD, to<br />
accredit, within six months from when this resolution becomes final and enforceable,<br />
having proceeded to comply with what is stated therein, adjusting its actions to<br />
the data protection regulations in the terms established in Fundamental<br />
of Law IX, especially regarding the processing it carries out, avoiding in the<br />
processing of forms and documents before its public bodies, not<br />
only, as in the case analyzed, those related to “Prior conciliation in labor<br />
conflicts” of claims and legal demands of a labor nature, the<br />
non-binary response/option within the sex/gender variable, implemented and<br />
collected for statistical purposes, implementing and establishing the relevant measures.<br />
FOURTH: To NOTIFY this resolution to the DEPARTMENT OF ECONOMY,<br />
KNOWLEDGE AND EMPLOYMENT.<br />
FIFTH: To COMMUNICATE this resolution to the Ombudsman, in accordance<br />
with the provisions of article 77.5 of the LOPDGDD.<br />
In accordance with the provisions of article 50 of the LOPDGDD, this<br />
Resolution will be made public once it has been notified to the interested parties.<br />
Against this resolution, which puts an end to the administrative procedure in accordance<br />
with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of<br />
the LPACAP, the interested parties may optionally file an appeal for reconsideration<br />
before the<br />
Director of the Spanish Data Protection Agency within a period of one month<br />
counting from the day following the notification of this resolution, or directly<br />
a contentious-administrative appeal before the Contentious-Administrative Chamber of the<br />
National Court, in accordance with the provisions of article 25 and section 5 of<br />
the fourth additional provision of Law 29/1998, of July 13, regulating the<br />
Contentious-Administrative Jurisdiction, within a period of two months from the<br />
day following the notification of this act, as provided for in article 46.1 of<br />
the referred Law.<br />
Finally, it is noted that, in accordance with the provisions of art. 90.3 a) of the<br />
LPACAP, the final resolution may be provisionally suspended through administrative<br />
channels if the interested party expresses the intention to file a<br />
contentious-administrative appeal.<br />
If this is the case, the interested party must formally communicate this fact in<br />
writing addressed to the Spanish Data Protection Agency, submitting it through<br />
the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/],<br />
or through any of the other registries provided for in art. 16.4 of the<br />
cited Law 39/2015, of October 1. It must also transfer to the Agency the<br />
documentation that proves the effective filing of the contentious-administrative<br />
appeal. If the Agency is not aware of the filing of the contentious-administrative<br />
appeal within a period of two months from the day following the<br />
notification of this resolution, the precautionary suspension will terminate.<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
</pre></div>https://gdprhub.eu/index.php?title=UODO_(Poland)_-_DKN.5131.42.2022UODO (Poland) - DKN.5131.42.20222024-03-18T17:26:36Z<p>Im: Created page with "..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Poland<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoPL.png<br />
|DPA_Abbrevation=UODO<br />
|DPA_With_Country=UODO (Poland)<br />
<br />
|Case_Number_Name=DKN.5131.42.2022<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=UODO<br />
|Original_Source_Link_1=https://www.uodo.gov.pl/decyzje/DKN.5131.42.2022<br />
|Original_Source_Language_1=Polish<br />
|Original_Source_Language__Code_1=PL<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=27.07.2022<br />
|Date_Decided=19.12.2023<br />
|Date_Published=14.03.2024<br />
|Year=2023<br />
|Fine=2,324<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 33 GDPR<br />
|GDPR_Article_Link_1=Article 33 GDPR<br />
|GDPR_Article_2=Article 34(1) GDPR<br />
|GDPR_Article_Link_2=Article 34 GDPR#1<br />
|GDPR_Article_3=Article 34(2) GDPR<br />
|GDPR_Article_Link_3=Article 34 GDPR#2<br />
|GDPR_Article_4=Article 55(3) GDPR<br />
|GDPR_Article_Link_4=Article 55 GDPR#3<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
|GDPR_Article_6=<br />
|GDPR_Article_Link_6=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=Sąd Okręgowy w Krakowie<br />
|Party_Link_1=https://krakow.so.gov.pl/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=im<br />
|<br />
}}<br />
<br />
The DPA found that the District Court of Kraków failed to notify a personal data breach relating to legal proceedings, resulting in a fine of €2,324.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The Polish Minister of Foreign Affairs ('Minister') informed the DPA that the Consulate General of the Republic of Poland ('Consulate') had sent, at the request of the District Court of Kraków ('Court'), correspondence through a postal operator to an addressee. The breach affected various categories of personal data, namely first and last names, ID numbers, residential addresses, dates of birth, bank account numbers and photographs. The personal data of two children were also affected.<br />
<br />
The addressee informed the Consulate that the delivered parcel was damaged, had been additionally wrapped, and was incomplete. <br />
<br />
The DPA identified the Court as the controller of the data affected by the breach. It invited the Court to indicate whether a risk analysis had been carried out to assess whether the data breach required notifying the President of the Data Protection Authority (DPA) and the affected individuals. In its defence, the Court referred to Article 175dd of the Law on the Common Court System, stating that the body competent to supervise the processing of personal data by the District Court of Kraków in court proceedings and legal protection tasks is the President of the Court of Appeal in Kraków.<br />
<br />
In response, the DPA clarified that it is indeed the competent authority to investigate the infringement in question. However, the Court reiterated its stance, referencing various articles of the Law on the System of Common Courts and the judgment of the CJEU of 24 March 2022 in Case C-245/20.<br />
<br />
The Court emphasized that the protection of judicial independence is paramount, stating that judicial functions should be exercised independently, without external interference or pressure. It asserted that the administration of justice encompasses all operations related to judicial activities, including informing parties about court proceedings. Additionally, the Court referenced a decision by the DPA (no. ZSOŚS.440.109.2018) in which the authority had declined to interfere with documents collected in court proceedings. <br />
<br />
Consequently, they argued that the DPA lacks the authority to control courts in matters related to adjudicatory activities.<br />
<br />
=== Holding ===<br />
In investigating the incident, the DPA assessed whether the reported event constituted a breach of personal data protection and whether the DPA was the competent authority to verify compliance with GDPR by the data controller (the Court) involved in the incident. <br />
<br />
Referencing [[Article 4 GDPR#12|Article 4(12) GDPR]], the DPA found that the event reported by the Minister, involving the delivery of damaged correspondence to the addressee, was considered a breach of personal data protection, as it compromised data confidentiality and availability. The Court did not disprove the occurrence of this event during the proceedings. <br />
<br />
The DPA, as the competent supervisory authority, determined that the delivery of correspondence did not constitute the administration of justice or legal protection by the Court, but rather a technical administrative task. Therefore, the DPA was within its rights to assess the infringement. Since [[Article 55 GDPR#3|Article 55(3) GDPR]] only excludes from supervision processing operations carried out by courts acting in their judicial capacity, the administrative activities of a court, such as the delivery of correspondence, remain subject to the DPA's supervision.<br />
<br />
The Court's reference to C-245/20 was deemed unjustified as it pertained to information provision in court proceedings, not administrative activities. The DPA's intervention did not impinge on judicial independence but focused on rectifying data protection irregularities, aligning processing operations with GDPR provisions. These remedial actions did not interfere with pending proceedings or judicial competence but addressed administrative aspects of the court's activities.<br />
<br />
The Court's reference to the DPA's earlier decision was also misplaced. That decision concerned a case in which an individual filed a complaint seeking to be recognized as a party to court proceedings on the basis of data protection legislation rather than procedural rules. It involved the inclusion by a district court of personal data taken from a law firm's website in a court file, which the complainant argued was unnecessary because the document had not been admitted as evidence. In that case, the DPA could not interfere with the court's decision on the admission of evidence, as this falls within the court's jurisdiction.<br />
<br />
Furthermore, the Court of Appeal in Kraków cannot be considered the supervisory body over the Court in this case. According to Article 175dd of the Law on the Common Court System, judicial supervisory bodies are not authorized to receive notifications of personal data protection violations or assess high-risk situations resulting from such breaches.<br />
<br />
Consequently, the DPA assessed the incident as a breach of confidentiality and availability, regardless of the postal operator's fault. The assessment focused on the failure to report the breach and to notify the data subjects, which falls within the DPA's jurisdiction without interfering with court decisions.<br />
<br />
The DPA found a breach of [[Article 33 GDPR|Article 33 GDPR]] and Article 34(1) and (2) GDPR resulting in a fine of €2,324.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.<br />
<br />
<pre><br />
Based on Art. 104 § 1 and art. 105 § 1 of the Act of June 14, 1960, Code of Administrative Procedure (Journal of Laws of 2023, item 775) in connection with Art. 7(1) 1 and 2, art. 60, art. 102 section 1 point 1 and section 3 of the Personal Data Protection Act (Journal of Laws of 2019, item 1781) and Art. 57 section 1 letter a) and letter h), art. 58 section 2 lit. e) and letter i), art. 83 section 1 and 2, art. 83 section 4 lit. a) in connection with Art. 33 section 1, section 3 and section 5 and art. 34 section 1 - 2 and section 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119 of 4/05/2016, p. 1 and OJ EU L 127 of 23/05/2018, p. 2 and OJ EU L 74 of 4/03/2021, p. 35), hereinafter referred to as Regulation 2016/679, after administrative proceedings initiated ex officio regarding violations of the provisions on the protection of personal data by the District Court in Kraków with its registered office in Kraków at ul. Przy Rondo 7, the President of the Personal Data Protection Office<br />
<br />
1) finding an infringement by the District Court in Kraków with its registered office in Kraków at ul. Przy Rondo 7 of the provisions of: a) Art. 33 section 1 and section 3 of Regulation 2016/679, consisting in failure to report a personal data protection breach to the President of the Personal Data Protection Office without undue delay, no later than 72 hours after discovering the breach, b) Art. 34 section 1 and section 2 of Regulation 2016/679, consisting in failure to notify data subjects about a breach of personal data protection without undue delay,<br />
2) imposes on the District Court in Kraków, for violating Art. 33 section 1 and section 2 and art. 34 section 1 and section 2 of Regulation 2016/679, an administrative fine in the amount of PLN 10,000 (in words: ten thousand zlotys and 00/100),<br />
3) orders the District Court in Kraków to notify, within 3 days from the date of receipt of this decision, the (...) persons whose data were contained in the documents contained in the damaged postal item (i.e. the plaintiff, the defendant and their two children) about the violation of the protection of their personal data, in order to provide them with the information required in accordance with Art. 34 section 2 of Regulation 2016/679, i.e.: a) a description of the nature of the personal data protection breach; b) the name and contact details of the data protection officer or designation of another contact point from which more information can be obtained; c) a description of the possible consequences of the personal data protection breach, taking into account the categories of persons and the scope of data subject to the breach; d) a description of the measures applied or proposed by the controller to remedy the breach, including measures to minimize its possible negative effects, taking into account the categories of persons and the scope of data subject to the breach,<br />
4) in other respects discontinues the proceedings.<br />
<br />
Justification<br />
<br />
On July 27, 2022, the Personal Data Protection Office received a notification of a personal data protection breach submitted by the Minister of Foreign Affairs with its registered office in Warsaw at (...) (hereinafter: the Minister), consisting in the delivery to the addressee by the postal operator R. (...) of a damaged and incomplete correspondence containing personal data, sent by the Consulate General of the Republic of Poland in October at the request of the District Court in Krakow with its registered office in Krakow at ul. Przy Rondo 7 (hereinafter: Court or Administrator). As established, the Consulate General of the Republic of Poland in October, in a letter dated (...) July 2022, no. (...), informed the District Court in Kraków about the delivery of a damaged and incomplete shipment to the addressee. The notification of a personal data protection breach made by the Minister was registered under the reference number DKN.5130.8015.2022.<br />
<br />
The President of the Personal Data Protection Office, hereinafter also referred to as the President of the Personal Data Protection Office, as a result of the explanatory proceedings conducted regarding the reported personal data protection breach and the administrative proceedings initiated ex officio regarding the violation of the provisions of Art. 33 and art. 34 section 1-2 of Regulation 2016/679 by the District Court in Kraków, in connection with a breach of personal data protection consisting in "delivery to the addressee by the postal operator R. (...) of damaged and incomplete correspondence containing personal data, sent by the Consulate General of the Republic of Poland in October to request of the District Court in Kraków (...)", established the following factual situation.<br />
<br />
The Minister informed the supervisory authority that the Consulate General of the Republic of Poland in October, in July 2022, at the request of the District Court in Kraków, sent correspondence via the postal operator R. (...). The addressee of the correspondence informed the above-mentioned Consulate on (...) July 2022 that he had been delivered a damaged shipment and that "there may have been a breach of correspondence." The information obtained from the addressee also showed that the correspondence had been additionally packed in protective foil to protect the damaged envelope, and that it did not contain all the documents that were to be delivered.<br />
<br />
The Consulate General of the Republic of Poland in October informed the Administrator about the event in a letter dated (...) July 2022 (which was delivered on (...) August 2022). Its content shows that the correspondence was delivered to the addressee on (...) July 2022 via the postal operator R. (...). Moreover, this letter also indicated that "the delivered parcel was delivered damaged and incomplete".<br />
<br />
The administrator of the data affected by the breach is the District Court in Kraków as the sender of the shipment.<br />
<br />
In a letter of (...) August 2022, the supervisory authority called on the Court to indicate whether an analysis of the risk of violating the rights and freedoms of natural persons had been carried out, necessary to assess whether there was a data protection breach resulting in the need to notify the President of the Personal Data Protection Office and the persons affected by the breach. In a letter of (...) August 2022, the Court indicated that "pursuant to Art. 175dd of the Act on the Organization of Common Courts (...), the body competent to supervise the processing of personal data processed in court proceedings as part of the administration of justice or the implementation of tasks in the field of legal protection, the administrator of which are the courts within the meaning of Art. 174da and 175db, is, for the District Court in Kraków, the President of the Court of Appeal in Kraków (...).”<br />
<br />
In a letter of (...) September 2022, the supervisory authority again turned to the Court, demanding an answer to the question contained in the letter of (...) August 2022, at the same time informing that the President of the Personal Data Protection Office is the supervisory authority in this case and competent to investigate the infringement in question. In response, in a letter of (...) September 2022, the Court maintained its position, again referring to the content of Art. 174 da [no such provision in the Act], Art. 175 db and art. 175 dd of the Act on the Organization of Common Courts[1]. Moreover, the Court referred to the judgment of the Court of Justice of the European Union of 24 March 2022 in case C-245/20, in which the Court noted that "the protection of the independence of the judiciary assumes, in principle, that judicial functions are performed completely independently; the courts are not subject to any chain of command or subordination to anyone, nor do they receive orders or directions from any source, and are therefore protected from any external interference or pressure that may impair the independence of judgment of their members and influence their decisions." The CJEU came to the conclusion that the activity/process of administering justice cannot be and is not limited only to the processing of personal data as part of specific court proceedings, but its broad scope covers all operations carried out as part of judicial activity. This also applies to code procedures for informing parties about ongoing and initiated court proceedings. The above means that the scope of understanding "the administration of justice by the courts" is broad and includes everything that can be related to the independence of the courts. The above was also emphasized by the Advocate General of the CJEU (...) in the opinion preceding the mentioned judgment, where he drew attention to the fact that these may also be decisions that at first glance are of an administrative nature, but in fact should be related to the adjudication, e.g. recording hearings, transmitting them or even applying security measures (see: C-245/20 - Opinion of the Advocate General, Court of Justice of the European Union, Article 55(3) of the Regulation). In turn, against the background of Art. 175 section 1 of the Constitution of the Republic of Poland, it is assumed that the administration of justice is the binding resolution of disputes about law by a court. “The essence of the justice system is the resolution of legal disputes (disputes arising from legal relations)” within the framework of special forms of proceedings (provisions of civil and criminal court proceedings) (see: judgment of the Constitutional Tribunal 28/97). The national supervisory authority is therefore not authorized to supervise courts to the extent to which they perform judicial activities, and such activities include adjudicating not only in the main case, but also in all incidental cases (see the judgment of the Supreme Administrative Court of May 26, 2020, I OSK 1533/19). (…)” In addition, the Court also referred to the decision of the President of the Office of Personal Data Protection, ref. no. ZSOŚS.440.109.2018, in which the authority found itself incompetent to interfere with the content of documents collected in the files of court proceedings.<br />
<br />
The Court, in a letter dated September 2022, indicated that, in the Court's opinion, the President of the Personal Data Protection Office does not have the authority to consider a case regarding the processing of personal data in the exercise of justice by this Court. In the opinion of the Court, the judicial activity of courts, which is a manifestation of the administration of justice, is determined by the provisions contained, among others, in the Act of November 17, 1964, Code of Civil Procedure (hereinafter: Code of Civil Procedure). Activities related to serving the statement of claim together with attachments on the defendant in a civil case are regulated in detail and comprehensively in the Code of Civil Procedure. The Court explained that these norms create a detailed legal framework for the court's administration of justice in civil law cases. The Court also referred to the judgment of the Court of Justice of March 24, 2022, ref. no. C-245/20, pointing out that "(...) processing operations whose supervision by the supervisory authority could directly or indirectly affect the independence of members of these courts or influence their decisions are excluded from the jurisdiction of the supervisory authority (see: judgment of the Court of Justice of March 24, 2022, C-245/20). Therefore, the administration of justice undoubtedly includes activities related to the delivery of procedural documents to the parties, including a copy of the lawsuit to the defendant. A copy of the statement of claim is a court document directly related to the court proceedings, for the transmission of which the applicable national law provides for formalized service (...).” Moreover, the Court indicated that "the above issues are regulated in the provisions of the Code of Civil Procedure, i.e. Title VI, Section I, Chapter II "Delivery" and Section II, Chapter 2a "Organization of proceedings". Pursuant to Art. 205¹ § 1 and 2 of the Code of Civil Procedure, the chairman orders the service of the lawsuit on the defendant and calls on him to submit a response to the lawsuit within a set deadline of no less than two weeks. The plaintiff is notified of the order to serve the statement of claim. (…) In the circumstances of the case, a copy of the complaint together with attachments in the case (…) was delivered to the defendant in accordance with the judge's order through the Consulate General of the Republic of Poland in October, by way of legal assistance pursuant to Art. 1130 et seq. k.p.c. and § 37 et seq. of the Regulation of the Minister of Justice of January 28, 2002 on detailed court activities in matters relating to international civil and criminal proceedings in international relations (Journal of Laws of 2014, item 1657). This regulation provides for delivery by Polish consuls. Correspondence sent to diplomatic missions is signed by a judge and the letter is marked with, among others, an official seal (§ 14(1) and (2) of the Regulation). Taking into account the above, there is no doubt that the judge's actions in the case (...), in the scope of the personal data processed in connection with the delivery of a copy of the lawsuit with attachments to the defendant, took place within the framework of the administration of justice, i.e. to an extent not falling within the competence of the President of the Personal Data Protection Office. The President of the Personal Data Protection Office cannot interfere with the internal organization of the Court's work, and in particular with the rules for the circulation of procedural documentation, since this circulation takes place in connection with the administration of justice by the court. By serving a copy of the complaint with attachments on the defendant, the court acts as part of the administration of justice, because these activities have a measurable impact on the content of the judgment issued by the court in the proceedings. Therefore, in the circumstances of the case, it is justified to discontinue the proceedings due to the lack of material jurisdiction of the President of the Personal Data Protection Office in the scope of considering cases regarding the processing of personal data by courts in the course of administering justice. Pursuant to Art. 175 dd § 1 of the Act of 27 July 2001, u.s.p., the supervisory authority for the Court as the administrator of personal data processed in court proceedings as part of the administration of justice or the implementation of tasks in the field of legal protection is not the President of the Personal Data Protection Office, but - in relation to the subordinate district court - the president of the court of appeal. (…) The exercise by the President of the Personal Data Protection Office - as the authority competent in data protection matters - of supervision over the processing of data in the scope of court rulings could constitute unacceptable interference in their judicial activities. The President of the Personal Data Protection Office, within the powers granted to him by law, cannot therefore interfere in the course of the proceedings or the manner in which they are conducted by other bodies authorized under separate provisions, including in particular courts. Therefore, the President of the Personal Data Protection Office cannot interfere with the principles of serving the defendant with a copy of the complaint together with attachments (often constituting part of the evidence). (…) Therefore, the question of whether the President of the Personal Data Protection Office is to examine whether the controller has allegedly violated the provisions on the protection of personal data or failed to fulfil the obligations arising from Art. 33 and Art. 34(1) and (2) of the GDPR remains irrelevant. (…) The lack of material jurisdiction of the body - the President of the Office of Personal Data Protection, who is not authorized to issue a substantive decision in the case in question - determines the groundlessness of the administrative proceedings. Regardless of the above, it should be noted that the allegation that the Court may have acted as a data controller in connection with a breach of personal data protection by delivering damaged and incomplete correspondence containing personal data to the addressee remains completely misplaced and groundless. In the case (...), the judge, acting on the basis of applicable legal norms, in a letter of May 11, 2022, asked the Consul General of the Republic of Poland in October, as part of legal assistance, to deliver to the defendant M.O. a copy of the lawsuit together with attachments (listed in detail in the cover letter). The correspondence was set in motion and sent for shipment on (...) June 2022, in accordance with the rules arising from the Regulation of the Minister of Justice of January 28, 2002 on detailed court activities in matters relating to international civil and criminal proceedings in international relations. On (...) July 2022, the Consulate General of the Republic of Poland in October 2022 delivered the parcel to the addressee by registered mail with acknowledgment of receipt. According to the information available in the electronic system of the postal operator R. (...), the parcel was delivered to the addressee on (...) July 2022 (no annotations about any damage during transport - records in postal systems) (...)". The Court attached a violation report describing the event to the explanations in question.<br />
<br />
As a result, the event led to a breach of both the confidentiality and the availability of data (point 4E of the notification form sent by the Minister). In the Minister's opinion, it concerned the following scope of data: name and surname, address of residence or stay, and other information related to the court proceedings themselves. In a letter of October 2022, the Court explained that the breach covered the personal data of (...) persons in the following scope: 1) the plaintiff: her name and surname, PESEL number, address, date of birth, data included in the medical documentation, bank account number; 2) the defendant: his name and surname, PESEL number, residential address, date of birth, image contained in the photograph; 3) personal data of two children: their names and surnames, PESEL numbers, residential address, dates of birth, data included in the psychological opinion; 4) personal data of (...) witnesses: their names and surnames, telephone numbers, residential addresses, e-mail addresses (in the case of (...) witnesses). Moreover, the Court stated that the court proceedings concerned the dissolution of a marriage.<br />
<br />
The case file includes a report from August 2022 sent by the Court regarding a personal data protection breach, which shows, among other things, that the damaged shipment concerned the lawsuit with attachments. The operator did not note any damage during transport; however, the addressee of the correspondence reported to the consulate that the shipment was damaged and incomplete.<br />
<br />
In a letter of January 9, 2023, the Court, responding to the authority's request of January 4, 2023 regarding the indication of the actions that allowed the Court to find that the correspondence was neither damaged nor incomplete, explained that "[t]here are also no reasons to conclude that the correspondence was sent incomplete or was not properly secured. All procedures resulting from the provisions of the Code of Civil Procedure were followed." However, the Court did not explain how it made the above finding.<br />
<br />
The case files contain three photos of the parcel in question taken by its addressee. The first photo shows correspondence wrapped in foil with a visibly torn paper envelope inside, the second photo shows the package/correspondence without foil, but with a significantly torn paper envelope enabling removal of all the documents contained therein, and the third photo shows its addressee opening the damaged envelope to show its contents. The photos were sent to the authority by the Minister.<br />
<br />
After considering all the evidence collected in the case, the President of the Office for Personal Data Protection considered the following.<br />
<br />
The subject of these proceedings was the Administrator's violation of the provisions of Art. 33 and art. 34 section 1 and 2 of Regulation 2016/679, resulting from failure to report a personal data protection breach to the supervisory authority and failure to notify the affected persons in connection with the delivery to the addressee by the postal operator of damaged and incomplete correspondence containing personal data, sent by the Consulate General of the Republic of Poland in Warsaw at the request of the District Court in Krakow.<br />
<br />
When assessing the event in question, the President of the Personal Data Protection Office examined whether the event reported by the Minister constituted a breach of personal data protection, as well as whether the President of the Personal Data Protection Office is the supervisory authority competent to verify compliance with the provisions of Regulation 2016/679 by the data controller (the Court) in relation to the above-mentioned event, i.e. whether in this case the Court was administering justice or exercising legal protection.<br />
<br />
Pursuant to Art. 4 point 12 of Regulation 2016/679, the concept of personal data protection breach should be understood as a security breach leading to accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise processed. Due to the fact that the event reported by the Minister consisted in the delivery of a damaged and incomplete parcel by the postal operator to the addressee, in the opinion of the President of the Personal Data Protection Office there was a breach of personal data protection due to the breach of data confidentiality (the correspondence was delivered in a damaged envelope) as well as their availability (the addressee reported the incompleteness of the shipment to the Minister). At no stage of the proceedings did the court demonstrate that the event described by the Minister did not occur.<br />
<br />
Moreover, it should be noted that, in the opinion of the President of the Personal Data Protection Office, he is the supervisory authority competent to assess the above-mentioned violations. The delivery of correspondence does not constitute the administration of justice by the Court or legal protection, but a technical, administrative activity of the Court. Therefore, there is no premise excluding the competences of the President of the Personal Data Protection Office as a supervisory authority. Pursuant to Art. 55 section 3 of Regulation 2016/679, supervisory authorities are not competent to supervise processing operations carried out by courts in the course of their administration of justice. Moreover, according to recital 20 of Regulation 2016/679, the jurisdiction of supervisory authorities should not cover the processing of personal data by courts in the administration of justice, so as to protect the independence of the judiciary. It should be possible to entrust the supervision of such data processing operations to specific authorities in the justice system of a Member State, and those authorities should, in particular, ensure compliance with the provisions of this Regulation, increase the awareness of the judiciary of its obligations under this Regulation and deal with complaints related to such processing operations. Pursuant to Art. 175 dd § 1 of the Act of July 27, 2001, Law on the Organization of Common Courts (Journal of Laws of 2023, item 217), supervision over the processing of personal data whose administrators are the courts, in accordance with Art. 175da and Art. 175db, is exercised, within the scope of the court's activities, by: for a district court – the president of the district court; for a regional court – the president of the court of appeal; for a court of appeal – the National Council of the Judiciary. Taking into account this legal status, it should be assumed that the supervisory bodies over common courts, as part of the administration of justice, are those listed in Art. 175 dd § 1 of the Act on the Organization of Common Courts. However, in matters that do not fall within the scope of the concept of "administering justice", the competent supervisory authority for common courts is the President of the Personal Data Protection Office. In the opinion of the President of the Personal Data Protection Office, the concept of administering justice in the context of the personal data protection framework established by Regulation 2016/679 should be understood narrowly in this case. The Constitutional Tribunal in its judgment of December 1, 2008, ref. no. P 54/07 (Journal of Laws of 2008, item 218, no. 1400), pointed out that "[a]ccording to the dominant view of legal doctrine, the administration of justice is the activity of the state consisting in adjudicating, i.e. the binding resolution of disputes of law in which at least one of the parties is an individual or other similar entity [see L. Garlicki, Polish constitutional law. Outline of the lecture, Warsaw 2006, p. 342; Z. Czeszejko-Sochacki, On the administration of justice in the light of the Constitution, international standards and practice, "Państwo i Prawo" z. 9/1999, p. 3; S. Włodyka, The system of legal protection bodies, Warsaw 1968, p. 16]." It should be noted that, apart from the judicial sphere, courts also perform administrative activities, the essence of which is to ensure appropriate technical and organizational conditions for the court to perform the tasks entrusted to it in the field of the administration of justice and legal protection. Pursuant to Art. 8 of the Law on the Organization of Common Courts, the administrative activity of courts consists in: ensuring appropriate technical, organizational and financial conditions for the functioning of the court and the performance by the court of the tasks referred to in Art. 1 § 2 and 3 (point 1); ensuring the proper conduct of the court's internal operations, directly related to the performance of the court's tasks referred to in Art. 1 § 2 and 3 (point 2). Therefore, activities of a strictly technical nature performed by a court official and then by a postal operator, such as sending correspondence in accordance with a judge's order, do not fall within the sphere of "the administration of justice", but belong to the administrative sphere of the court's activities. At the same time, it should be emphasized here that the Administrator's reference to the judgment of the Court of Justice of the EU of March 24, 2022, ref. no. C-245/20, is unjustified because that judgment does not concern the administrative activities of the court. It refers to the disclosure of information about court proceedings to journalists (the case concerned the Kingdom of the Netherlands). In that ruling, the Court of Justice interpreted Art. 55 section 3 of Regulation 2016/679 with regard to the "temporary disclosure" by the court of pleadings containing personal data to journalists, and found that the "administration of justice" includes the "court's information policy" aimed at ensuring media coverage of a given case. Therefore, the above judgment cannot be applied to the present case, because in the analyzed case there was a violation of personal data protection in connection with the delivery of a damaged and incomplete parcel to the addressee by the postal operator, i.e. an activity of a technical and administrative nature. Moreover, it should be emphasized that the President of the Personal Data Protection Office, when dealing with the case in question, does not interfere with the rules for serving procedural documents or with what documents should be served on the addressee. The supervisory authority is only concerned with the loss of data confidentiality and the incompleteness of the data as a result of the postal operator's actions, which fall within the scope of the court's administrative activities. Therefore, the competences of the President of the Personal Data Protection Office do not violate judicial independence, because they do not concern the judge's competences in the proceedings. Moreover, they are remedial powers which, by their nature, cannot affect ongoing proceedings (e.g. they do not lead to the suspension of ongoing proceedings or to an order to remove part of a witness's testimony) and concern the administrative sphere of the court's activity. Identified irregularities violating the principle of "integrity and confidentiality" expressed in Art. 5(1)(f) of Regulation 2016/679 correspond to the corrective powers of the President of the Personal Data Protection Office, which do not affect the independence of the court, as they only consist in ordering the controller to adapt the processing operations to the provisions of Regulation 2016/679.<br />
<br />
At the same time, the Court's reference to the decision of the President of the Personal Data Protection Office with reference number ZSOŚS.440.109.2018 is also inappropriate. The decision indicated by the Court was issued in a case in which a natural person filed a complaint and sought to shape his or her position as a party to court proceedings on the basis of the provisions on the protection of personal data, rather than on the basis of the applicable procedure. The complaint concerned the inclusion in the court files kept by the district court of a printout from the website of a law firm, containing the complainant's personal data in the form of his image. According to the complainant, the printout was unnecessary for evidentiary purposes in that case, because the document to which it was attached was not admitted by the court as evidence. The President of the Personal Data Protection Office could not take a position in such a case (and order, in accordance with the complainant's request, the removal of the image from the court case files), because whether or not evidence is admitted in a case depends solely on the court's decision (and is an element of the administration of justice). In turn, the judgment referred to by the Court (judgment of the Supreme Administrative Court of May 26, 2020, file ref. no. I OSK 1533/19) refers to provisions on the protection of personal data that are no longer in force - the Act of 1997[2]. Moreover, that case also concerned a situation in which the complainant questioned court actions after applying for exemption from court costs. The court had asked the complainant to prove her assets by submitting an asset declaration and to complete the application in formal terms. In that judgment, the Supreme Administrative Court stated that neither the authority nor the administrative court can make a substantive assessment of summons issued to the parties by a common court (and therefore, again, a matter within the scope of the administration of justice).<br />
<br />
Taking the above into account, it should be noted that both the above-mentioned decision and the above-mentioned judgment of the Supreme Administrative Court concern procedural activities undertaken by the court as part of the administration of justice, and not administrative (technical) activities, as in the present case.<br />
<br />
Regardless of the above, it should be noted that the President of the Court of Appeal in Kraków, as the body indicated in Art. 175 dd § 1 of the Act on the Organization of Common Courts, cannot be considered the supervisory body over the Court in the present case. Pursuant to the wording of Art. 175dd of the Law on the Organization of Common Courts, judicial supervisory authorities (including the President of the Court of Appeal in Kraków) are not authorized to receive reports of personal data protection breaches (Article 33 of Regulation 2016/679), nor to assess whether, in connection with a breach of personal data protection, there was a high risk of violating the rights and freedoms of natural persons, resulting in the need to notify data subjects about the breach (Article 34 of Regulation 2016/679).<br />
<br />
When examining the event in question, the President of the Personal Data Protection Office assessed it as a breach of confidentiality (data security issues - a damaged envelope, the contents of which could have been accessed by unauthorized persons) as well as a breach of availability (some documents were missing). It does not matter that the postal operator was at fault by damaging the shipment, because the subject of these proceedings is the failure to report a data protection breach and the failure to notify data subjects about the breach of the protection of their personal data. Moreover, it should be emphasized that the President of the Personal Data Protection Office, when analyzing the breach of personal data protection reported by the Minister, concerning data of which the District Court in Krakow is the administrator, does not in any way affect the independence of the court, as it does not affect the Court's decision or individual decisions taken by the Court within the framework of ongoing proceedings. It is also worth emphasizing that while the President of the Personal Data Protection Office is not an entity that controls or supervises the application of substantive or procedural law by courts in the course of their administration of justice (which is reviewed within the system of judicial instances), nor does he interfere with the rules for serving court documents (e.g. whether by registered letter, ordinary letter or by delivery at a hearing), or with what documents should be served on a party to the proceedings by the court, the authority is entitled to control and verify the correct application of the provisions on the protection of personal data, including the security measures applied by the data administrator (including the administrator's response to a data protection breach) and the implementation of the obligations arising from Art. 33 and Art. 34 of Regulation 2016/679. The method of securing personal data by the Court is not subject to judicial review as part of its judicial function and does not relate to the administration of justice by the court. Therefore, it is subject to the control of the President of the Personal Data Protection Office, as is the implementation of the administrator's obligations arising from the above-mentioned provisions of Regulation 2016/679.<br />
<br />
Taking the above into account, it should be noted that if there has been a breach of personal data protection in connection with the administrative part of the court's activities, it should be reported in the manner provided for in Art. 33 section 1 of Regulation 2016/679 to the President of the Personal Data Protection Office, as the competent supervisory authority. The competences of the judicial supervisory authorities referred to in Art. 175 dd § 1 of the Act on the Organization of Common Courts do not include accepting reports of personal data protection violations or evaluating them substantively. The scope of competences of these bodies is listed exhaustively in Art. 175 dd § 2 and 3 of the Act on the Organization of Common Courts (and should be treated as a closed catalogue).<br />
<br />
Article 33 of Regulation 2016/679 states that in the event of a breach of personal data protection, the data controller shall report it without undue delay - whenever possible, no later than 72 hours after discovering the breach - to the supervisory authority competent in accordance with Art. 55, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. A notification submitted to the supervisory authority after 72 hours is accompanied by an explanation of the reasons for the delay (paragraph 1). The notification referred to in paragraph 1 must at least: a) describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and the categories and approximate number of personal data records affected by the breach; b) contain the name and contact details of the data protection officer or the designation of another contact point from which more information can be obtained; c) describe the possible consequences of the personal data breach; d) describe the measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to minimize its possible negative effects (paragraph 3).<br />
<br />
Referring to the rights and freedoms of persons affected by the violation, it should be noted that Art. 34 section 1 of Regulation 2016/679 indicates that in a situation where a breach of personal data protection may result in a high risk to the rights and freedoms of natural persons, the controller is obliged to notify the data subject of such a breach without undue delay. Pursuant to Art. 34 section 2 of Regulation 2016/679, a proper notification should: 1) describe the nature of the personal data protection breach in clear and plain language; 2) contain at least the information and measures referred to in Art. 33 section 3 lit. b), c) and d) of Regulation 2016/679, i.e.: name and surname and contact details of the data protection officer or designation of another contact point from which more information can be obtained; a description of the possible consequences of a personal data breach; a description of the measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to minimize its possible negative effects.<br />
<br />
Reporting personal data protection breaches by controllers is an effective tool contributing to a real improvement in the security of personal data processing. When reporting a breach to the supervisory authority, controllers inform the President of the Personal Data Protection Office whether, in their opinion, there is a high risk of violating the rights and freedoms of data subjects and - if such a risk occurred - whether they have provided appropriate information to the natural persons affected by the breach. In justified cases, they may also indicate that, in their opinion, notification is not necessary because the conditions specified in Art. 34(3)(a) to (c) of Regulation 2016/679 are met. The President of the Personal Data Protection Office verifies the assessment made by the controller and may - if the controller has not notified the data subjects - request such notification from the controller. Reports of personal data protection breaches allow the supervisory authority to respond appropriately to limit the effects of such breaches, as the controller is obliged to take effective actions to ensure the protection of natural persons and their personal data. This allows, on the one hand, for control of the effectiveness of existing solutions and, on the other hand, for the assessment of modifications and improvements intended to prevent irregularities similar to those covered by the infringement.<br />
<br />
In the case in question, there was a violation of the protection of the personal data of (...) persons, and (...) of them were at high risk of violation of their rights and freedoms due to the scope of the personal data affected. In the case of the plaintiff, the violation included, among others, her PESEL number and data on her health condition contained in the medical documentation; in the case of the defendant, his PESEL number; and in the case of the two children, information on their health condition (contained in the psychological opinion). These data were included in the documentation sent to the party to the divorce proceedings. Moreover, and this should be emphasized again, the authority received information about the personal data protection breach from an entity other than the Administrator.<br />
<br />
It should be emphasized at this point that the President of the Personal Data Protection Office, before initiating the administrative proceedings, first asked the Court (twice) whether the Court had knowledge of the infringement in question; however, in its answer, the Court presented the position that the President of the Personal Data Protection Office was not the authority competent to investigate the event in question, without providing answers to the questions asked by the authority (at the same time making it difficult to investigate whether a breach of personal data protection had actually occurred, to assess the level of risk of violating the rights and freedoms of the persons whose data was included in the correspondence in question, and to establish the scope of data covered by the breach). This approach of the Court resulted in the initiation of administrative proceedings by the President of the Personal Data Protection Office. According to the case material, the Court checked the information received from the Minister about the incomplete and damaged shipment only in the postal operator's system, concluding that the lack of annotations in this regard proves that no incident occurred (as evidenced by the Report (...) of (...).08.2022). In the course of the proceedings, the President of the Personal Data Protection Office established that the envelope and documents received by the addressee were significantly damaged (which is confirmed by the photos of the parcel received from the Minister). The damage to the envelope made it possible to become acquainted with its contents, i.e. documents containing personal data in the scope indicated above. It is also worth emphasizing that the President of the Personal Data Protection Office, in a letter of January 4, 2023, asked the Court about the actions taken by the Administrator which allowed it to conclude that the correspondence was not damaged or incomplete, despite the information provided by the Minister. The Administrator, responding in a letter of January 2023, limited itself to stating that it did not find any shortcomings on the part of the Court in the delivery of the correspondence. In the opinion of the Court, there are no grounds to assume that the correspondence reached the addressee incomplete or improperly secured. However, the President of the Personal Data Protection Office, based on the photos received from the Minister, made different findings (described above), stating that there was a breach of data confidentiality as well as of completeness (a breach of availability). The content of the correspondence in question (the plaintiff's medical documentation, psychological opinions regarding the children, the parties' PESEL numbers, but also the descriptions of the marriage itself) means that the handling of an event involving such data should be treated as requiring special attention and diligence on the part of the data controller. Each category of data, such as the PESEL number or information about health status, on its own represents a high risk of violating the rights and freedoms of data subjects. In this case, the high risk of violating rights and freedoms concerned (...) people. It is also worth emphasizing the ease of identifying these people on the basis of the above-mentioned data.<br />
<br />
As indicated in Guidelines 9/2022[3], a personal data breach involving high-risk data may cause a number of negative consequences for the natural persons whose data is affected. The possible effects of a breach include physical, material or non-material damage. Examples of such damage include, but are not limited to, discrimination, identity theft or identity fraud, financial loss, damage to reputation, breach of confidentiality of personal data, and significant economic or social damage. In this case, there is no doubt that, given the scope of data covered by the breach, including the PESEL registration number together with name and surname and health data, there is a high probability of such damage occurring.<br />
<br />
It should be noted here that the PESEL number, an eleven-digit numerical identifier containing the date of birth, a serial number, a gender designation and a control digit, uniquely identifies a specific natural person. It is therefore closely related to the private sphere of the natural person and, as a national identification number, is also subject to exceptional protection under Art. 87 of Regulation 2016/679. Because the PESEL number is data of a special nature, its disclosure to unauthorized entities may result in a high risk to the rights and freedoms of natural persons (see the BIK guide "this is how scammers work", https://www.bik.pl/poradnik-bik/wyluczenie-kredytu-, where a case was described in which: "Only the name, surname and PESEL number were enough for fraudsters to extort several loans worth tens of thousands of zlotys in total. Nothing else was correct: neither the ID number nor the residential address"). It also cannot be ignored that the analyzed breach concerned data other than the PESEL number, e.g. information about health. Guidelines 9/2022 emphasize that a collection of various personal data is usually more sensitive than a single item of data.<br />
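The structure of the PESEL number described above, as an added illustration (written for this page; it is not part of the decision and not an official validator): a parser that verifies the control digit and recovers the date of birth and sex that the number itself encodes, which is why a leaked PESEL identifies a person on its own rather than only when combined with other data. It relies only on the publicly documented PESEL layout (the century of birth is encoded as an offset added to the month field, and the last digit is a weighted mod-10 control digit); the sample numbers in it are checksum-valid values constructed for this example, not real persons' identifiers.

```python
"""Parse and validate a Polish PESEL number.

Illustrative example added for this page; not part of the decision or of
any official tool. Relies only on the documented PESEL layout:
YYMMDD + 3-digit serial + sex digit + control digit, where the month field
carries a century offset and the control digit is a weighted mod-10 check.
"""
from dataclasses import dataclass
from datetime import date

# Weights applied to the first ten digits when computing the control digit.
_WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9, 1, 3)

# The century of birth is encoded by adding an offset to the month field.
_CENTURY_OFFSETS = {80: 1800, 0: 1900, 20: 2000, 40: 2100, 60: 2200}


@dataclass(frozen=True)
class Pesel:
    number: str
    birth_date: date
    sex: str      # "M" or "F"
    serial: str   # the three serial digits


def check_digit(first_ten: str) -> int:
    """Control digit for the first ten digits: (10 - weighted sum mod 10) mod 10."""
    total = sum(int(d) * w for d, w in zip(first_ten, _WEIGHTS))
    return (10 - total % 10) % 10


def parse_pesel(raw: str) -> Pesel:
    """Validate a PESEL and recover the personal attributes it encodes.

    Raises ValueError for malformed input, a wrong control digit, or a
    month/day combination that is not a real calendar date.
    """
    s = raw.strip()
    if len(s) != 11 or not s.isdigit():
        raise ValueError("PESEL must be exactly 11 digits")
    if check_digit(s[:10]) != int(s[10]):
        raise ValueError("PESEL control digit mismatch")

    yy, mm, dd = int(s[0:2]), int(s[2:4]), int(s[4:6])
    offset = (mm // 20) * 20          # 0, 20, 40, 60 or 80
    if offset not in _CENTURY_OFFSETS:
        raise ValueError("invalid month field")
    try:
        born = date(_CENTURY_OFFSETS[offset] + yy, mm - offset, dd)
    except ValueError as exc:
        raise ValueError("PESEL encodes an impossible birth date") from exc

    # The tenth digit encodes sex: odd for male, even for female.
    sex = "M" if int(s[9]) % 2 else "F"
    return Pesel(number=s, birth_date=born, sex=sex, serial=s[6:9])


def is_valid_pesel(raw: str) -> bool:
    """True if the string is a syntactically valid PESEL with a correct control digit."""
    try:
        parse_pesel(raw)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed, checksum-valid samples (not real identifiers).
    for sample in ("44051401359", "02271402716", "02271402723", "44051401358"):
        if is_valid_pesel(sample):
            p = parse_pesel(sample)
            print(f"{sample}: born {p.birth_date.isoformat()}, sex {p.sex}, serial {p.serial}")
        else:
            print(f"{sample}: invalid")
```

The birth date and sex fall out of the number directly, without any lookup; that is the reason the decision treats a disclosed PESEL, even on its own, as directly identifying data.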
<br />
It is worth mentioning here one of the examples listed in EDPB Guidelines 01/2021 on examples regarding personal data breach notification, hereinafter Guidelines 01/2021 (case no. 14, p. 31), concerning the situation of "sending highly confidential personal data by post by mistake". In that case the social security number, the equivalent of the PESEL number used in Poland, was disclosed. The EDPB had no doubt that the disclosed data, i.e. name and surname, e-mail address, postal address and social security number, indicated a high risk to the rights and freedoms of natural persons ("the involvement of their [the victims'] social security number, as well as other, more basic personal data, further increases the risk, which can be described as high"). The EDPB recognizes the importance of national identification numbers (here, the PESEL number), while emphasizing that a breach covering data such as name and surname, e-mail address, correspondence address and social security number requires both notification of the supervisory authority and notification of the data subjects. The EDPB also has no doubt that an individually assigned number uniquely identifying a natural person should be subject to special protection, and that its disclosure to unauthorized entities may involve a high risk to the rights and freedoms of natural persons.<br />
<br />
The EDPB also points out in other examples in Guidelines 01/2021 that data which uniquely identifies a natural person may result in a high risk to rights and freedoms. Points 65 and 66 of Guidelines 01/2021 state: "(...) The breached data allows for the unambiguous identification of data subjects and contains other information about them (including gender, date and place of birth), and may also be used by the attacker to guess customer passwords or to conduct a spear phishing campaign aimed at bank customers. For these reasons, the data breach has been deemed likely to result in a high risk to the rights and freedoms of all data subjects. Therefore, material (e.g. financial losses) and non-material (e.g. identity theft or fraud) damage may occur."<br />
<br />
The Provincial Administrative Court in Warsaw had no similar doubts (that the disclosure of the PESEL number together with other personal data may result in a high risk to the rights and freedoms of natural persons); in its judgment of September 22, 2021, ref. no. II SA/Wa 791/21, it stated that "[t]here is no doubt that the examples of damage mentioned in the guidelines may occur in the case of persons whose personal data - in some cases including the PESEL registration number or the series and number of the ID card - were recorded on the shared recordings. Not without significance for such an assessment is the possibility of identifying the persons whose data were subject to the breach on the basis of the disclosed data." Further, the Court in the cited judgment indicated that "[t]he data was made available to unauthorized persons, which means that there was a security breach leading to unauthorized disclosure of personal data, and the scope of this data, including in some cases also the PESEL registration number or the series and number of the ID card, determines that there is a high risk of violating the rights and freedoms of natural persons." When considering the above issues, it is also necessary to recall the position of the Provincial Administrative Court in Warsaw expressed in its judgment of July 1, 2022, case file no. II SA/Wa 4143/21. In the justification of that judgment, the Court stated that "[i]t should be agreed with the President of the Personal Data Protection Office that the loss of confidentiality of the PESEL number in connection with personal data such as name and surname, registered address, bank account numbers and the identification number assigned to the Bank's clients (the CIF number) involves a high risk of violating the rights and freedoms of natural persons. 
In the event of a breach of data such as name, surname and PESEL number, identity theft or falsification is possible, resulting in negative consequences for the data subjects. Therefore, in the case in question, the Bank should have acted without undue delay, pursuant to Art. 34 section 1 GDPR, to notify the data subjects about the personal data breach, so as to enable them to take the necessary preventive actions." It is also worth mentioning the judgment of August 31, 2022, ref. no. II SA/Wa 2993/21, in which the Provincial Administrative Court in Warsaw emphasized that "(...) the authority correctly assumed that there was a high risk of violating the rights and freedoms of the persons affected by the breach in question, due to the ease of identifying, on the basis of the disclosed data, the persons whose data was subject to the breach. These data include name and surname, correspondence address, telephone number, and, for persons with Polish citizenship, PESEL number. In this situation, the controller was obliged to notify the data subjects about the breach without undue delay." The Provincial Administrative Court in Warsaw expressed a similar opinion in its judgments of November 15, 2022, ref. no. II SA/Wa 546/22, and June 21, 2023, ref. no. II SA/Wa 150/23.<br />
<br />
The latest infoDOK report[4] (prepared as part of the public information campaign of the Restricted Documents System, organized by the Polish Bank Association and some banks, under the patronage of the Ministry of Internal Affairs and Administration and in cooperation with, among others, the Police and the Consumer Federation) shows that in the second quarter of 2023, 2,116 attempts at credit and loan fraud were recorded, amounting to PLN 50.3 million. Over the last twelve months, the total amount of thwarted loan fraud attempts was PLN 191.6 million. Moreover, in the second quarter of 2022, 1,806 attempts at credit and loan fraud were recorded, amounting to PLN 54.4 million[5]. This means a significant increase in the number of credit and loan fraud attempts over the period presented.<br />
<br />
Moreover, as the case law shows, judgments in loan fraud cases are not uncommon and have been issued by Polish courts in similar cases for a long time. One example is the judgment of the District Court in Łęczyca of July 27, 2016 (ref. no. I C 566/15), in which fraudsters taking out a loan with someone else's data used her PESEL number together with a fictitious address and an incorrect (invalid) ID number. In the court proceedings the defendant demonstrated that she had not incurred the obligation in question, even though someone had used her PESEL number; this, however, required evidentiary proceedings. There are many more such situations, and they require the injured persons (de facto victims of crime) to take action, in court or out of court, to prove that they were not the ones who performed the specific actions resulting in, for example, incurring an obligation or the theft of other people's funds (in the case of crimes such as internet fraud).<br />
<br />
To sum up, the personal data breach in question creates a high risk to the rights and freedoms of natural persons not only because it involves the PESEL numbers of the above-mentioned persons, but also because it involves their special categories of data: information about the plaintiff's health and information contained in the psychological opinions concerning the two children. This information, linked to names and surnames and to the context of the divorce case, may result in loss of control over the data and carries not only the risks associated with the disclosure of a PESEL number, but also the risk of discrimination against these persons, or even infringement of their personal rights.<br />
<br />
The Administrator did not take any of these circumstances into account when analyzing the event, not even in the analysis prompted by the request of the President of the Personal Data Protection Office.<br />
<br />
It should also be borne in mind that the Administrator's performance of its obligations under Art. 33 section 1 and Art. 34 section 1 of Regulation 2016/679 may not be made dependent on the materialization of the risk to the rights and freedoms of the natural persons whose data is affected by the breach. As the Provincial Administrative Court in Warsaw stated in its judgment of September 22, 2021, case no. II SA/Wa 791/21: "[i]t should be emphasized that the possible consequences of the event do not have to materialize. The content of Art. 33 section 1 of Regulation 2016/679 indicates that the very occurrence of a personal data breach which involves a risk to the rights and freedoms of natural persons implies the obligation to report the breach to the competent supervisory authority, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons" (the Court ruled similarly in the previously cited judgment of July 1, 2022, case no. II SA/Wa 4143/21, and in the judgments of August 31, 2022, ref. no. II SA/Wa 2993/21, of November 15, 2022, ref. no. II SA/Wa 546/22, and of April 26, 2023, ref. no. II SA/Wa 1272/22).<br />
<br />
When analyzing the above, the basic principles should also not be forgotten. When applying the provisions of Regulation 2016/679, it should be borne in mind that the purpose of the regulation (expressed in Article 1(2)) is to protect the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data, and that the protection of natural persons in connection with the processing of personal data is a fundamental right (first sentence of recital 1 of the preamble). In case of any doubt, e.g. as to the performance of obligations by controllers, including in situations where a personal data breach has occurred, these values should be taken into account first.<br />
<br />
It is worth emphasizing in particular that when assessing the risk to the rights and freedoms of natural persons, which determines whether a personal data breach must be reported to the supervisory authority and notified to the data subjects, the likelihood of the breach and the severity of its potential negative effects should be taken into account jointly. A high level of either factor raises the overall assessment, which determines whether the obligations specified in Art. 33 section 1 and Art. 34 section 1 of Regulation 2016/679 apply. Bearing in mind that, given the scope of personal data disclosed in the analyzed case, significant negative consequences for the data subjects were possible (as shown above), the severity of the potential impact on the rights and freedoms of natural persons should be considered high. At the same time, the likelihood of that impact occurring as a result of the breach is not small and has not been eliminated. Therefore, it should be stated that the breach in question involved a high risk to the rights and freedoms of the data subjects, which in turn determines the obligation to report the breach to the supervisory authority and to notify the persons affected by it.<br />
<br />
In Guidelines 9/2022, the EDPB, indicating the factors to be taken into account when assessing risk, refers to recitals 75 and 76 of Regulation 2016/679, which indicate that the controller should take into account both the likelihood and the severity of the risk to the rights and freedoms of the data subject. In the event of a personal data breach, the controller should focus on the risk the breach poses to the natural person. Therefore, when assessing the risk to an individual arising from a breach, the controller should take into account the specific circumstances of the breach, including the severity of the potential impact and the likelihood of its occurrence. The EDPB accordingly recommends considering criteria such as the type of breach, the nature, sensitivity and volume of the personal data, and the ease of identification of the data subjects, as these may affect the level of risk to natural persons. According to Guidelines 9/2022, the risk to the rights and freedoms of a natural person is greater the more serious the consequences of the breach and the more likely they are to occur. The guidelines also advise that, in case of doubt, the controller should report the breach, even if such caution might prove excessive.<br />
<br />
To sum up the above, it should be stated that in the case in question there is a high risk of violating the rights and freedoms of persons affected by the personal data protection breach, which in turn results in the Court's obligation to report the personal data protection breach to the supervisory authority, in accordance with Art. 33 section 1 of Regulation 2016/679, which must include the information specified in Art. 33 section 3 of Regulation 2016/679 and notification of data subjects about the breach, in accordance with Art. 34 section 1 of Regulation 2016/679, which must include the information specified in Art. 34 section 2 of Regulation 2016/679.<br />
<br />
Referring to the Administrator's obligation under Art. 34 section 2 of Regulation 2016/679, the President of the Personal Data Protection Office stated that the Administrator (taking into account the nature of the breach and the categories of data affected) should indicate to the data subject the most likely negative consequences of the breach of his or her personal data. Certainly, in the event of a breach of data such as name, surname and PESEL registration number, it is necessary to point out, first of all, possible identity theft or falsification by third parties, who may take out loans from non-bank institutions or commit insurance fraud to the detriment of the person whose data was breached, with the further consequence that responsibility for such fraud may be attributed to the data subject. The description of the possible consequences should reflect the risk to the rights and freedoms of that person, so as to enable him or her to take the necessary preventive actions. As regards the other data affected by the breach that gives rise to a high risk to the rights and freedoms of natural persons (special categories of data within the meaning of Article 9 of Regulation 2016/679), the Administrator should indicate discrimination, violation of personal rights, slander or other forms of persecution of these persons on account of the disclosed health data.<br />
<br />
Where, as a result of a personal data breach, there is a high risk to the rights and freedoms of natural persons, the controller is obliged to implement all appropriate technical and organizational measures to promptly establish the breach and to inform the supervisory authority and the data subjects quickly. The controller should fulfill this obligation as soon as possible.<br />
<br />
Recital 85 of the preamble to Regulation 2016/679 explains: "[w]ithout an appropriate and rapid response, a personal data breach may result in physical, material or non-material damage to natural persons, such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorized reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage. Therefore, as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where such notification cannot be achieved within 72 hours, the reasons for the delay should accompany the notification and information may be provided in phases without undue further delay."<br />
<br />
In turn, recital 86 of the preamble to Regulation 2016/679 states: "The controller should communicate to the data subject a personal data breach, without undue delay, where that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person, in order to allow him or her to take the necessary precautions. The communication should describe the nature of the personal data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects. Such communications to data subjects should be made as soon as reasonably feasible and in close cooperation with the supervisory authority, respecting guidance provided by it or by other relevant authorities such as law enforcement authorities. For example, the need to mitigate an immediate risk of damage would call for prompt communication with data subjects, whereas the need to implement appropriate measures against continuing or similar personal data breaches may justify more time for communication."<br />
<br />
By notifying the data subject without undue delay, the controller enables that person to take the necessary preventive measures to protect his or her rights and freedoms against the negative effects of the breach. Art. 34 sections 1 and 2 of Regulation 2016/679 are intended not only to ensure the most effective possible protection of the fundamental rights and freedoms of data subjects, but also to implement the principle of transparency arising from Art. 5(1)(a) of Regulation 2016/679 (see W. Chomiczewski [in:] GDPR. General Data Protection Regulation. Commentary, ed. E. Bielak-Jomaa, D. Lubasz, Warsaw 2018). Proper fulfillment of the obligation under Art. 34 of Regulation 2016/679 consists in providing data subjects with prompt and transparent information about the breach of the protection of their personal data, together with a description of its possible consequences and of the measures they can take to minimize its negative effects. Acting in accordance with the law and with due concern for the interests of the data subjects, the controller should have provided them with the best possible protection of their personal data without undue delay. To achieve this, it is necessary to provide at least the information listed in Art. 34 section 2 of Regulation 2016/679, which the Administrator failed to do. By deciding not to notify the supervisory authority and the data subjects about the breach, the controller in practice deprived the data subjects of reliable and timely information about the breach and of the opportunity to counteract potential damage.<br />
<br />
It should also be noted that the Court's Data Protection Officer incorrectly assessed the level of risk to the rights and freedoms of natural persons arising from the breach in question. He argued that, because the documents were drawn up in Polish and sent to Great Britain, the breach did not result in a high risk. In the opinion of the President of the Personal Data Protection Office, the fact that documents containing personal data were drawn up in Polish and sent to a country whose primary language is English does not reduce the level of risk. In an era of tools enabling rapid translation of entire documents, and given that a large part of the population of Great Britain speaks Polish, this circumstance cannot be assumed to reduce the risk.<br />
<br />
The President of the Personal Data Protection Office obviously recognizes that the delivery of the above-mentioned documentation was the responsibility of the postal operator; however, damage to the shipment or loss of some of the documents by the postal operator gives rise to specific obligations on the part of the controller (the Court) under Regulation 2016/679, the non-performance of which results in the controller's liability. The Court, as the sender of the correspondence, knows its content, including whether and to what extent the documents in the shipment contain personal data. As the Provincial Administrative Court in Warsaw indicated in its judgment of July 1, 2022, ref. no. II SA/Wa 4143/21, "[i]n case of irregularities in the delivery of a shipment, the obligation to protect the interests of the data subject, from the point of view of the risk to the rights and freedoms of the data subject, rests with the sender of the shipment, who, knowing the content of the lost correspondence, is able to assess the risks posed to the data subject. The postal operator or courier company may perform the duties of a controller within the meaning of the GDPR, but only in relation to the personal data of the senders and addressees of the parcels." Consequently, the Provincial Administrative Court in Warsaw emphasized that "[i]t is the Bank [here: the District Court in Kraków as the sender of the shipment] that can assess the risk to the rights and freedoms of a natural person resulting from the loss of the shipment and therefore has the opportunity to fulfill the obligation to report the personal data breach to the supervisory authority and to notify the data subject of the breach. The courier company does not have such knowledge."<br />
<br />
Consequently, it should be stated that the Administrator did not report a personal data protection breach to the supervisory authority in fulfillment of the obligation under Art. 33 section 1 of Regulation 2016/679 and failed to notify data subjects without undue delay of a breach of data protection, in accordance with Art. 34 section 1 of Regulation 2016/679, which means a violation of these provisions by the Administrator.<br />
<br />
Therefore, the President of the Personal Data Protection Office found it justified to send a decision to the data controller, using his corrective powers, ordering the notification of data subjects about a breach of the protection of their personal data, in order to provide them with the information specified in Art. 34 section 2 of Regulation 2016/679.<br />
<br />
Pursuant to Art. 34 section 4 of Regulation 2016/679, if the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the breach resulting in a high risk, may require it to do so or may decide that one of the conditions referred to in section 3 is met. In turn, under Art. 58 section 2 lit. e) of Regulation 2016/679, each supervisory authority has the corrective power to order the controller to communicate a personal data breach to the data subject.<br />
<br />
Pursuant to Art. 58 section 2 lit. i) of Regulation 2016/679, each supervisory authority has the power to impose, in addition to or instead of the other corrective measures provided for in Art. 58 section 2 of Regulation 2016/679, an administrative fine under Art. 83 of Regulation 2016/679, depending on the circumstances of the specific case. The President of the Personal Data Protection Office states that in the case under consideration there are circumstances justifying the imposition of an administrative fine on the Administrator under Art. 83 section 4 lit. a) of Regulation 2016/679, which provides, among other things, that infringement of the controller's obligations under Art. 33 and 34 of Regulation 2016/679 is subject to an administrative fine of up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher. However, under Art. 102 section 1 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the President of the Personal Data Protection Office may impose, by way of a decision, administrative fines of up to PLN 100,000 on public finance sector units referred to in Art. 9 points 1-12 and 14 of the Act of 27 August 2009 on public finances, on research institutes and on the National Bank of Poland. Section 3 of that article provides that the administrative fines referred to, among others, in section 1 are imposed by the President of the Office on the basis and under the conditions specified in Art. 83 of Regulation 2016/679.<br />
<br />
Pursuant to Art. 83 section 2 of Regulation 2016/679, administrative fines are imposed, depending on the circumstances of each individual case, in addition to or instead of the measures referred to in Art. 58 section 2 lit. a) - h) and j) of Regulation 2016/679. When deciding to impose an administrative fine on the Court, the President of the Personal Data Protection Office, pursuant to Art. 83 section 2 lit. a) - k) of Regulation 2016/679, took into account the following circumstances of the case, which justify the application of this sanction in the present case and have an aggravating effect on the amount of the fine imposed:<br />
<br />
1) The nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing in question, the number of data subjects affected and the level of damage suffered by them [Art. 83 section 2 lit. a) of Regulation 2016/679]. The infringement found in this case is of significant importance and serious nature, because the reporting of personal data breaches by controllers is an effective tool contributing to a real improvement in the security of personal data processing. First of all, on the basis of the information provided by controllers in breach reports, the supervisory authority can assess whether the controller has correctly analyzed the impact of the breach on the rights and freedoms of the data subjects and, consequently, whether there is a high risk to the rights or freedoms of natural persons requiring the data subjects to be notified of the breach. Obligations under Art. 33 section 1 and Art. 34 section 1 of Regulation 2016/679 that are correctly fulfilled by controllers also allow the negative effects of personal data breaches to be limited and the risk of such breaches in the future to be eliminated or at least reduced, as controllers are obliged to take actions that ensure the proper protection of personal data by applying appropriate security measures and monitoring their effectiveness. Moreover, reporting a breach to the supervisory authority gives the authority the opportunity to react appropriately and thereby limit its effects. Failure to notify data subjects of a breach of the protection of their personal data may lead to material or non-material damage, and the probability of such damage is high. The President of the Personal Data Protection Office considers the long duration of the infringement to be an aggravating factor. (...) 
has passed since the Administrator received information about the personal data breach ((...) August 2022 - i.e. the date of delivery of the letter from the Consulate General of the Republic of Poland in October, July 2022) until the date of this decision: (...) months during which the risk to the rights or freedoms of the (...) persons for whom such a high level of risk arose could have materialized, and which those persons could not have counteracted because the Administrator failed to comply with the obligation to notify them of the breach. It is also significant that the breach in question concerned the delivery of court correspondence to a party to divorce proceedings and affected (...) persons in total (for (...) of them there was a high risk to their rights or freedoms, which determines the obligation to notify them of the breach). The nature of the information contained in the above-mentioned correspondence thus reveals the family situation of the persons affected, and therefore the personal character of that information, which in turn affects the level of risk to the rights or freedoms of the persons affected by the breach.<br />
<br />
2) The intentional nature of the infringement [Art. 83 section 2 lit. b) of Regulation 2016/679]. According to the Article 29 Working Party Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679, WP253 (adopted on 3 October 2017), intent "includes both knowledge and wilfulness in relation to the characteristics of an offence". The Administrator made a conscious decision not to notify the President of the Personal Data Protection Office or the data subjects of the personal data breach. Special protection of personal data, in particular PESEL numbers and health information, is required of institutions of public trust, which undoubtedly include the Administrator. Being aware of this, the Administrator nevertheless decided not to report the breach to the President of the Personal Data Protection Office and not to notify the data subjects, even though the President of the Personal Data Protection Office had first informed the Administrator of a controller's obligations in connection with a data breach. Finally, the very initiation of these proceedings by the President of the Personal Data Protection Office regarding the obligation to report the breach to the supervisory authority and to notify the data subjects should at least have raised doubts for the Administrator as to the correctness of its position.<br />
<br />
3) Categories of personal data affected by the breach [Art. 83 section 2 lit. g) of Regulation 2016/679]. The personal data protection breach in question covered the personal data of (...) persons (violation of Article 33(1) of Regulation 2016/679), of which, in the case of (...) persons, there was a high risk of violation of their rights or freedoms (violation of Article 34(1) of Regulation 2016/679). This violation covered the following data: 1) the plaintiff: her name and surname, PESEL number, residential address, date of birth, data contained in the medical documentation, bank account number; 2) the defendant: his name and surname, PESEL number, residential address, date of birth, image contained in the photograph; 3) personal data of two children: their names and surnames, PESEL numbers, address of residence, dates of birth, data contained in the psychological opinion. Moreover, the Court stated that the court proceedings concerned the dissolution of a marriage. This scope proves that there is a high level of risk of violating the rights and freedoms of these persons, in particular due to the PESEL number and health information, which is data subject to special protection under Art. 9 of Regulation 2016/679.<br />
<br />
When determining the amount of the administrative fine, the President of the Personal Data Protection Office found no grounds to take into account mitigating circumstances that affect the final penalty. All the conditions listed in Art. 83 section 2 lit. a)-j) of Regulation 2016/679, in the opinion of the supervisory authority, constitute either aggravating or only neutral conditions. Also applying the premise specified in Art. 83 section 2 lit. k) of Regulation 2016/679 (ordering to take into account any other aggravating or mitigating factors applicable to the circumstances of the case), no mitigating circumstances were found, only neutral ones (as noted below in point 9).<br />
<br />
Other circumstances indicated below, referred to in Art. 83 section 2 of Regulation 2016/679, after assessing their impact on the violation found in this case, were considered by the President of the Personal Data Protection Office to be neutral in his opinion, i.e. having neither an aggravating nor mitigating effect on the amount of the administrative fine imposed.<br />
<br />
1. Actions taken by the controller to minimize the damage suffered by data subjects [Art. 83 section 2 lit. c) of Regulation 2016/679]. Based on the evidence collected in the case, no such actions were found to have been taken by the Administrator.<br />
<br />
2. The degree of responsibility of the controller, taking into account the technical and organizational measures implemented by him pursuant to Art. 25 and 32 [art. 83 section 2 lit. d) of Regulation 2016/679]. The violation assessed in these proceedings (failure to report a personal data protection breach to the President of the Personal Data Protection Office and failure to notify about a personal data breach of data subjects) is not related to the technical and organizational measures used by the controller.<br />
<br />
3. Relevant previous infringements of the provisions of Regulation 2016/679 on the part of the controller [Art. 83 section 2 lit. e) of Regulation 2016/679]. The President of the Personal Data Protection Office did not find any previous violations of the provisions on the protection of personal data committed by the Administrator, therefore there are no grounds to treat this circumstance as an aggravating one. And since such a state (compliance with the provisions on the protection of personal data) is a natural state resulting from the legal obligations incumbent on the Administrator, it cannot have a mitigating effect on the assessment of the violation made by the President of the Personal Data Protection Office.<br />
<br />
4. The degree of cooperation with the supervisory authority in order to remove the violation and mitigate its possible negative effects [Art. 83 section 2 lit. f) of Regulation 2016/679]. In the course of the explanatory proceedings and in the course of initiated administrative proceedings, the Administrator provided answers to requests from the supervisory authority aimed at explaining all circumstances related to the breach of personal data protection.<br />
<br />
5. How the supervisory authority learned about the infringement [Art. 83 section 2 lit. h) of Regulation 2016/679]. The President of the Personal Data Protection Office was informed by the Minister, not by the Administrator, about the occurrence of a personal data protection breach, i.e. about the postal operator delivering a damaged and incomplete parcel to the addressee. However, the failure to notify the supervisory authority of a breach of personal data protection and to notify data subjects about the breach of personal data protection (and therefore a violation of the provisions of Article 33(1) and Article 34(1) of Regulation 2016/679) is the sole subject of these proceedings, and in the circumstances of the facts under consideration the supervisory authority decided not to treat this condition as an aggravating circumstance.<br />
<br />
6. Compliance with measures previously applied in the same case, referred to in Art. 58 section 2 of Regulation 2016/679 [Art. 83 section 2 lit. i) of Regulation 2016/679]. Before issuing this decision, the President of the Personal Data Protection Office did not apply any of the measures listed in Art. 58 section 2 of Regulation 2016/679, therefore the Administrator was not obliged to take any actions related to their application, actions which, when assessed by the President of the Personal Data Protection Office, could have had an aggravating or mitigating effect on the assessment of the identified violation.<br />
<br />
7. Application of approved codes of conduct under Article 40 of Regulation 2016/679 or approved certification mechanisms under Art. 42 of Regulation 2016/679 [Art. 83 section 2 lit. j) of Regulation 2016/679]. The Administrator does not use the instruments referred to in Art. 40 and Art. 42 of Regulation 2016/679. However, their adoption, implementation and application are not - as provided for in the provisions of Regulation 2016/679 - mandatory for controllers and processors, therefore the fact of their non-application cannot be considered to the detriment of the Administrator in this case. On the other hand, the adoption and use of this type of instrument, as measures guaranteeing a higher than standard level of protection of processed personal data, could have been taken into account to the Administrator's advantage.<br />
<br />
8. Financial benefits or avoided losses obtained directly or indirectly in connection with the infringement [Art. 83 section 2 lit. k) of Regulation 2016/679]. The President of the Personal Data Protection Office did not find that the Administrator obtained any financial benefits or avoided such losses in connection with the violation. Therefore, there are no grounds to treat this circumstance as aggravating for the Administrator. The finding of measurable financial benefits resulting from the violation of the provisions of Regulation 2016/679 would have to be assessed definitely negatively. However, the Administrator's failure to obtain such benefits, as a natural state, independent of the violation and its effects, is a circumstance which, by its nature, cannot be mitigating for the Administrator. This is also indicated by the very wording of the provision of Art. 83 section 2 lit. k) of Regulation 2016/679, which requires the supervisory authority to pay due attention to the benefits "achieved", i.e. obtained by the entity committing the infringement.<br />
<br />
9. Other aggravating or mitigating factors applicable to the circumstances of the case [Art. 83 section 2 lit. k) of Regulation 2016/679]. The President of the Personal Data Protection Office, comprehensively considering the case, did not note any circumstances other than those described above that could affect the assessment of the violation and the amount of the imposed administrative fine.<br />
<br />
In the opinion of the President of the Personal Data Protection Office, the administrative fine imposed, in the established circumstances of this case, meets the functions referred to in Art. 83 section 1 of Regulation 2016/679, i.e. it is effective, proportionate and dissuasive in this individual case.<br />
<br />
It should be emphasized that the penalty will be effective if its imposition leads to the Administrator fulfilling its obligations in the field of personal data protection in the future, in particular in the scope of reporting a personal data protection breach to the President of the Personal Data Protection Office and notifying the persons affected by the infringement of a personal data protection breach.<br />
<br />
In the opinion of the President of the Office for Personal Data Protection, the administrative fine will fulfill a repressive function as it will be a response to the Administrator's violation of the provisions of Regulation 2016/679. It will also have a preventive function; in the opinion of the President of the Personal Data Protection Office, it will indicate to both the Administrator and other data controllers the reprehensibility of disregarding the obligations of controllers related to the occurrence of a personal data protection breach, which are intended to prevent its negative and often painful effects for the persons affected by the breach, as well as removing these effects or at least limiting them.<br />
<br />
In connection with the above, it should be noted that an administrative fine in the amount of PLN 10,000 (in words: ten thousand zlotys) meets, in the established circumstances of this case, the conditions referred to in Art. 83 section 1 of Regulation 2016/679, due to the seriousness of the identified violation in the context of the basic objective of Regulation 2016/679 - the protection of fundamental rights and freedoms of natural persons, in particular the right to the protection of personal data. At the same time, the amount of the administrative fine imposed by this decision on the administrator being a unit of the public finance sector (public authorities, including government administration bodies, state control and law enforcement bodies, as well as courts and tribunals - indicated in Article 9, point 1 of the Act of August 27, 2009 on public finances), falls within the scope specified in Art. 102 section 1 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), with a limit of PLN 100,000.<br />
<br />
Pursuant to Art. 33 section 5 of Regulation 2016/679, the controller documents all personal data protection breaches, including the circumstances of the personal data protection breach, its effects and the remedial actions taken. This documentation must enable the supervisory authority to verify compliance with this Article.<br />
<br />
Due to the fact that the Administrator submitted a document marked as "Report (...)" in the course of the proceedings, it should be considered that the Administrator keeps documentation related to personal data protection breaches, including documentation regarding the personal data protection breach in question. It is true that the assessment of the event contained therein is, in the opinion of the President of the Personal Data Protection Office, incorrect (as already demonstrated above), but this cannot constitute an allegation of violation of the above-mentioned provision of Regulation 2016/679. The above means that the proceedings in this respect are groundless and subject to discontinuation.<br />
<br />
Due to the above, pursuant to the provisions of Art. 105 § 1 of the Act of June 14, 1960, Code of Administrative Procedure (Journal of Laws of 2023, item 775), hereinafter referred to as the Code of Administrative Procedure, when the proceedings have become groundless for any reason, the administrative authority issues a decision to discontinue the proceedings. The subject of the proceedings is related to the application of the provisions of substantive administrative law by a public authority. The doctrine indicates that: "the groundlessness of administrative proceedings, as stipulated in Art. 105 § 1 of the Code of Administrative Procedure, means that one of the elements of a substantive legal relationship is missing, and therefore a decision cannot be issued to settle the matter by resolving it on its merits. The premise for discontinuing the proceedings may exist even before the initiation of the proceedings, which will be revealed only in the ongoing proceedings, and it may also arise during the proceedings, i.e. in a case already pending before the administrative body" (B. Adamiak, J. Borkowski, Code of Administrative Procedure. Commentary, C.H. Beck, Warszawa 2006, p. 489).<br />
<br />
Determination by a public authority of the existence of the condition referred to in Art. 105 § 1 of the Code of Administrative Procedure obliges it, as emphasized in the doctrine and case law, to discontinue the proceedings, because if this condition exists, there are no grounds to resolve the case on the merits, and continuing the proceedings in such a case would constitute a defect which would have a significant impact on the outcome of the case.<br />
<br />
In this factual and legal situation, the President of the Office for Personal Data Protection decided as in the operative part.<br />
<br />
[1] Act on the Organization of Common Courts - Act of 27 July 2001, Law on the Organization of Common Courts (Journal of Laws of 2020, item 2072, as amended).<br />
<br />
[2] Act of 1997 - Act of August 29, 1997 on the protection of personal data (Journal of Laws of 2016, item 922, as amended).<br />
<br />
[3] EDPB Guidelines 9/2022 on reporting personal data protection breaches in accordance with the GDPR;<br />
<br />
[4] https://www.zbp.pl/getmedia/45bb9af8-95a4-4cc2-9767-05c73e5b1eb3/Raport-InfoDOK-II-kwartal-2023;<br />
<br />
[5] https://www.zbp.pl/getmedia/b5257020-2baa-4507-828c-a1b78c769c6d/infodok-2022-04-06-wydanie-50-sklad-220725-gk05;<br />
</pre></div>
https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_32/2024
APD/GBA (Belgium) - 32/2024
2024-03-18T17:10:00Z
<p>Nzm: /* Comment */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Belgium<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoBE.png<br />
|DPA_Abbrevation=APD/GBA<br />
|DPA_With_Country=APD/GBA (Belgium)<br />
<br />
|Case_Number_Name=32/2024<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=GBA<br />
|Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/bevel-nr.-32-2024.pdf<br />
|Original_Source_Language_1=Dutch<br />
|Original_Source_Language__Code_1=NL<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Partly Upheld<br />
|Date_Started=26.12.2023<br />
|Date_Decided=13.02.2024<br />
|Date_Published=<br />
|Year=2024<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 15(1) GDPR<br />
|GDPR_Article_Link_1=Article 15 GDPR#1<br />
|GDPR_Article_2=Article 15(3) GDPR<br />
|GDPR_Article_Link_2=Article 15 GDPR#3<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=nzm<br />
|<br />
}}<br />
<br />
The DPA held that when files compiled by other entities have been consulted in examining a data subject's credit application, and the data subject makes an access request, the controller must give him access to all the documents consulted during the examination.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A data subject's credit application was refused by the controller. Consequently, the data subject exercised his right of access with the controller and filed a complaint with the controller's Financial Services Ombudsman. The controller informed him that three files had been consulted in examining his credit application: (i) his own file with the controller, (ii) the Central Individual Credit Register file and (iii) a finance company's file. The controller shared the full content of the data subject's file and, for the other two files, only the identity and contact details of their respective controllers. It also told the data subject to contact the controllers of those files to exercise his right of access regarding said documents. <br />
<br />
The data subject claimed that the information to which he had been given access was incomplete, as the controller also had the “purpose of the credit” as well as an image of his identity card. The data subject asked the controller to confirm that he had been given access to all his personal data. The controller responded that it had other data in its possession, namely the data it received as part of the data subject's complaint to the Financial Services Ombudsman. <br />
<br />
Following this, the data subject lodged a complaint with the Belgian DPA (“APD”).<br />
<br />
=== Holding ===<br />
Under [[Article 15 GDPR#1|Article 15(1) GDPR]], the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him are being processed and, if so, access to such personal data. The APD considered that in the present case the controller did not respond directly to the data subject's question asking it to confirm that he had been given access to all his personal data. Thus, the data subject obtained neither a conclusive answer nor access as required by [[Article 15 GDPR#1|Article 15(1) GDPR]]. <br />
<br />
Moreover, [[Article 15 GDPR#3|Article 15(3) GDPR]] provides that the controller must provide a copy of the personal data being processed. The APD held that the controller processed an image of the data subject’s identity card and failed to provide a copy in response to the request. Therefore, the controller violated [[Article 15 GDPR#3|Article 15(3) GDPR]].<br />
<br />
Finally, the APD pointed out that the purpose of the right of access is to enable the data subject “to be aware of, and verify, the lawfulness of the processing” (Recital 63 GDPR). The right of access therefore supports the right to rectification. Regarding the two other files the controller consulted, the APD held that, to the extent that the controller determines the purposes and means of the processing of the personal data in question, it is itself a controller and must handle the access request itself rather than refer the data subject elsewhere. Without access to these two files, the data subject could not determine whether it was necessary to contact the controllers of those files in order to exercise his right to rectification. The APD also noted that Article VII.79 of the Belgian Code of Economic Law requires a lender to communicate to the consumer the result of the consultation of such files, as well as the identity and address of their controllers. <br />
<br />
The APD therefore ordered the controller to comply with the data subject’s access request by granting him access to all the personal data concerning him, as well as a copy of the data in question.<br />
<br />
== Comment ==<br />
As this was a prima facie decision, if the controller does not agree with the contents of the decision or believes that it has factual and/or legal arguments that could lead to a different decision, it may submit a request for a hearing to the APD within 30 days of the notification of the decision.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.<br />
<br />
<pre><br />
Dispute Chamber<br />
<br />
Decision 32/2024 of February 13, 2024<br />
<br />
File number: DOS-2024-00078<br />
<br />
Subject: Complaint due to insufficient response to a request for access<br />
<br />
The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke HIJMANS, sole chairman;<br />
<br />
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;<br />
<br />
Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter “WOG”;<br />
<br />
Having regard to the internal rules of procedure, as approved by the House of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;<br />
<br />
Considering the documents in the file;<br />
<br />
Has made the following decision regarding:<br />
<br />
Complainant: X, hereinafter “the complainant”<br />
<br />
The defendant: Y, hereinafter “the defendant”<br />
<br />
<br />
I. Facts and procedure<br />
<br />
1. On December 26, 2023, the complainant submitted a complaint to the Data Protection Authority against the defendant.<br />
<br />
2. The subject of the complaint concerns the exercise of the right of access by the complainant without receiving an adequate response from the controller.<br />
<br />
The complainant had exercised his right of access after his credit application was refused by the defendant. In response, the defendant informed the complainant that three files had been consulted in examining his credit application, namely those of the defendant itself, the Central Office for Credit to Private Individuals, and a financing company. The defendant sent “a complete content of the data that are in our files” to the complainant. Of the data in the remaining two files, the defendant shared only the identity and contact information of the respective controllers.<br />
<br />
The complainant disputed that the data he was given access to was complete. He stated in particular that the defendant also had the “purpose of the credit” and an image of his identity card. He once again requested the defendant “to transfer to me the files you as lender [sic] have in your possession, as you inform me.” The complainant had also filed a complaint with the defendant's financial services ombudsman, and the documents available to the Disputes Chamber show that communication between the defendant and the complainant focused for a certain period mainly on investigating the substantive reasons for the refusal of the credit, which falls outside the scope of this decision. After some time, the complainant again contacted the defendant to ask for confirmation that he had been given access to all his personal data. The defendant responded as follows:<br />
<br />
"Dear,<br />
<br />
We have other data in our possession, namely the data we received in the context of your complaint to the financial services ombudsman."<br />
<br />
3. On January 8, 2024, the complaint was declared admissible by the First Line Service on the basis of Articles 58 and 60 of the WOG, and the complaint was transferred to the Disputes Chamber on the basis of Article 62, § 1 of the WOG.<br />
<br />
4. In accordance with Article 95, § 2, 3° of the WOG as well as Article 47 of the internal rules of procedure of the GBA, the parties can request a copy of the file. If one of the parties wishes to make use of the opportunity to consult and copy the file, he or she must contact the secretariat of the Disputes Chamber, preferably via litigationchamber@apd-gba.be.<br />
<br />
<br />
II. Justification<br />
<br />
5. According to Article 15.1 GDPR, the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him are being processed and, where that is the case, to obtain access to those personal data and the information referred to in Article 15.1.a) to h) GDPR.<br />
<br />
In accordance with Article 12.1 GDPR, read in conjunction with recital 58 of that Regulation, the controller must take appropriate measures to ensure that the data subject receives the communications referred to in Article 15 GDPR relating to the processing “in a concise, transparent, intelligible and easily accessible form, using clear and plain language”. Article 12.2 GDPR also stipulates that the controller must facilitate the exercise of the data subject's rights.<br />
<br />
6. The Disputes Chamber notes that the complainant submitted his request for access on October 6, 2023.<br />
<br />
7. On October 17, 2023, the defendant informed the complainant that three files had been consulted in the examination of his application. These files were those of (1) the defendant itself, (2) the Central Office for Credit to Private Individuals, and (3) a financing company. The same email contained, according to the defendant, “a complete content of the data contained in our files”. However, the complainant disputed that this information was complete. In particular, he stated that the defendant would also have the “purpose of the credit”.<br />
<br />
On December 26, 2023, the complainant asked the defendant to confirm that he had been given access to all his personal data. The defendant responded that “other data” were also processed, and referred to the data provided by the complainant in the context of his complaint to the defendant's financial services ombudsman. Since the defendant did not directly answer the complainant's question whether he had been given access to all his personal data, the complainant did not obtain clarity about whether or not certain personal data are processed. Consequently, the complainant has not been provided with the confirmation or access required by Article 15.1 GDPR.<br />
<br />
8. Furthermore, the complainant states that the defendant processed an image of his identity card and failed to provide a copy of it in response to the request for access. In this context, the Disputes Chamber recalls that Article 15.3 GDPR provides that the controller must provide the data subject with “a copy of the personal data undergoing processing”. If the defendant indeed processes an image of the complainant's identity card, the defendant must also provide a copy of this image to satisfy the complainant's right of access.<br />
<br />
9. Regarding the two other files that the defendant consulted, the defendant communicated only the identification details and addresses of the respective controllers. The results of the defendant's consultations, namely the contents of the files, the defendant did not communicate to the complainant. Instead, the latter was told to contact the controllers of those files to exercise his right of access. However, to the extent that the defendant determines the purposes and means of the processing of the personal data concerned, it is itself a controller and is therefore obliged to follow up the complainant's right of access in accordance with Article 15.1 GDPR. In this respect it is appropriate to recall that the aim of the right of access is to ensure that the data subject “can be aware of, and verify, the lawfulness of the processing” (recital 63 GDPR). The right of access thus supports the right to the protection of personal data, and facilitates the exercise of other rights included in the GDPR, in particular the right to rectification. Without access to the data that the defendant did or did not consult in the two files concerned, the complainant is unable to determine whether it is necessary to contact the controllers of those files to assert his right to rectification.<br />
<br />
Furthermore, it should be noted that Article VII.79 of the Code of Economic Law stipulates that the “lender shall immediately and free of charge communicate to the consumer the result of the consultation as well as the identity and address of the controller of the files he consulted” (emphasis added).<br />
<br />
10. The Disputes Chamber is of the opinion that, on the basis of the above analysis, it can be concluded that the defendant may have committed an infringement of the provisions of the GDPR, which justifies taking, in this case, a decision on the basis of Article 95, § 1, 5° of the WOG, more specifically an order to the controller to comply with the exercise by the complainant of his right of access (Article 15.1 GDPR).<br />
<br />
11. This decision is a prima facie decision taken by the Disputes Chamber in accordance with Article 95 of the WOG on the basis of the complaint submitted by the complainant, in the context of the “procedure prior to the decision on the merits” [2], and not a decision on the merits of the Disputes Chamber within the meaning of Article 100 of the WOG.<br />
<br />
[1] CJEU December 20, 2017, Peter Nowak v. Data Protection Commissioner, C-434/16, ECLI:EU:C:2017:994<br />
[2] Section 3, Subsection 2 of the WOG (Articles 94 to 97).<br />
<br />
<br />
The Disputes Chamber has thus decided, on the basis of Article 58.2.c) GDPR and<br />
<br />
Article 95, § 1, 5° of the WOG, to order the defendant to comply with the request<br />
<br />
of the data subject to exercise his rights, in particular the right of access such as<br />
<br />
determined in Article 15 GDPR.<br />
<br />
<br />
12. The purpose of this decision is to inform the defendant of the fact that this<br />
<br />
may have committed an infringement of the provisions of the GDPR and this in the<br />
<br />
the opportunity to still comply with the aforementioned provisions.<br />
<br />
<br />
13. If the defendant does not agree with the content of the present primafacie<br />
<br />
decision and is of the opinion that it can apply factual and/or legal arguments<br />
<br />
that could lead to a different decision, this can be done via the e-mail address<br />
<br />
litigationchamber@apd-gba.be send a request to hear the merits of the case<br />
<br />
to the Disputes Chamber within 30 days after notification of this<br />
<br />
decision. The implementation of this decision will, if necessary, continue for a period of time<br />
<br />
suspended for the aforementioned period.<br />
<br />
14. In the event that the case proceeds on the merits, the Disputes Chamber will invite the parties, on the basis of Articles 98, 2° and 3° in conjunction with Article 99 WOG, to submit their defences as well as any documents they consider useful to add to the case file. If necessary, the present decision will be permanently suspended.<br />
<br />
15. Finally, for the sake of completeness, the Disputes Chamber points out that a hearing on the merits of the case may lead to the imposition of the measures stated in Article 100 of the WOG.[3]<br />
<br />
<br />
16. In accordance with Article 57 WOG, and with regard to the language in which the complaint was submitted, Dutch is used as the procedural language.<br />
<br />
[3] Article 100. § 1. The Disputes Chamber has the authority to:<br />
1° dismiss a complaint;<br />
2° order the dismissal of prosecution;<br />
3° order the suspension of the ruling;<br />
4° propose a settlement;<br />
5° formulate warnings and reprimands;<br />
6° order that the data subject's requests to exercise his rights be complied with;<br />
7° order that the person concerned is informed of the security problem;<br />
8° order that processing be temporarily or permanently frozen, restricted or prohibited;<br />
9° order that the processing be brought into compliance;<br />
10° order the rectification, limitation or deletion of data and its notification to the recipients of the data;<br />
11° order the withdrawal of the recognition of certification bodies;<br />
12° impose penalty payments;<br />
13° impose administrative fines;<br />
14° order the suspension of cross-border data flows to another State or an international institution;<br />
15° transfer the file to the public prosecutor's office in Brussels, who will inform it of the follow-up given to the file;<br />
16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.<br />
<br />
III. Publication of the decision<br />
<br />
17. Considering the importance of transparency with regard to the decision-making of the Disputes Chamber, this decision will be published on the website of the Data Protection Authority. However, it is not necessary that the identification details of the parties are disclosed directly.<br />
<br />
FOR THESE REASONS,<br />
<br />
the Disputes Chamber of the Data Protection Authority decides, subject to the submission of a request by the defendant for a hearing on the merits in accordance with Article 98 et seq. of the WOG, to:<br />
<br />
- on the basis of Article 58.2.c) of the GDPR and Article 95, § 1, 5° of the WOG, order the defendant to comply with the data subject's request to exercise his rights, in particular the right of access (Article 15 GDPR), by granting the complainant access to all personal data relating to him processed by the defendant, as well as providing a copy of the data concerned, and this within a period of 30 days from the notification of this decision;<br />
<br />
- order the defendant to inform the Data Protection Authority (Disputes Chamber) by e-mail, within the same period, of the follow-up given to this decision, via the email address litigationchamber@apd-gba.be; and<br />
<br />
- in the absence of timely implementation of the above by the defendant, to consider the merits of the case ex officio in accordance with Articles 98 et seq. of the WOG.<br />
<br />
Pursuant to Article 108, § 1 of the WOG, an appeal against this decision may be lodged with the Market Court (Court of Appeal of Brussels), with the Data Protection Authority as defendant, within a period of thirty days from the notification.<br />
<br />
Such an appeal can be lodged by means of an inter partes petition which must contain the statements listed in Article 1034ter of the Judicial Code.[4] The inter partes petition must be submitted to the registry of the Market Court in accordance with Article 1034quinquies of the Judicial Code,[5] or via the e-Deposit IT system of Justice (Article 32ter of the Judicial Code).<br />
<br />
<br />
(signed) Hielke HIJMANS<br />
<br />
Chairman of the Disputes Chamber<br />
<br />
<br />
[4] The petition states, under penalty of nullity:<br />
1° the day, month and year;<br />
2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or company number;<br />
3° the surname, first name, place of residence and, where applicable, the capacity of the person to be summoned;<br />
4° the subject matter and brief summary of the grounds of the claim;<br />
5° the judge before whom the claim is brought;<br />
6° the signature of the applicant or his lawyer.<br />
[5] The petition with its attachment will be sent by registered letter, in as many copies as there are parties involved, to the clerk of the court or deposited at the registry.<br />
</pre></div>Nzmhttps://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_38/2024APD/GBA (Belgium) - 38/20242024-03-18T16:12:20Z<p>Nzm: Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=38/2024 |ECLI= |Original_Source_Name_1=APD |Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/zonder-gevolg-nr.-38-2024.pdf |Original_Source_Language_1=French |Original_Source_Language__Code_1=FR |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_So..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Belgium<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoBE.png<br />
|DPA_Abbrevation=APD/GBA<br />
|DPA_With_Country=APD/GBA (Belgium)<br />
<br />
|Case_Number_Name=38/2024<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=APD<br />
|Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/zonder-gevolg-nr.-38-2024.pdf<br />
|Original_Source_Language_1=French<br />
|Original_Source_Language__Code_1=FR<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Rejected<br />
|Date_Started=09.08.2022<br />
|Date_Decided=21.02.2024<br />
|Date_Published=<br />
|Year=2024<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 7(3) GDPR<br />
|GDPR_Article_Link_1=Article 7 GDPR#3<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=nzm<br />
|<br />
}}<br />
<br />
The DPA dismissed a cookie complaint regarding the absence of a “withdraw consent” option as the controller set one up before the DPA’s investigation.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A data subject represented by noyb (European Centre for Digital Rights) complained that a website did not provide a “withdraw consent” button or a similar option. noyb therefore considered that the cookie banner infringed both the GDPR and the ePrivacy Directive, as it was not as easy to withdraw consent as it was to give it. <br />
<br />
On 9 August 2022, the data subject lodged a complaint with the Belgian DPA (“APD”).<br />
<br />
=== Holding ===<br />
On 24 August 2022, the APD visited the controller’s website and found that the cookie banner included an "Accept all" button, a “Reject all” button and a “Cookie settings” button. The APD therefore considered that the sole infringement invoked by the data subject was no longer founded. These findings still applied on 19 February 2024; the APD therefore decided to close the case. <br />
<br />
Additionally, the APD also found that none of the categories of non-essential cookies were ticked by default.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the French original. Please refer to the French original for more details.<br />
<br />
<pre><br />
1/6<br />
<br />
Litigation Chamber<br />
<br />
Decision 38/2024 of February 21, 2024<br />
<br />
File number: DOS-2022-03263<br />
<br />
Subject: Complaint due to the processing of personal data through a website, without the valid consent of the person concerned<br />
<br />
The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke HIJMANS, president, sitting alone;<br />
<br />
<br />
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of natural persons with regard to the processing of personal data and to the free movement of these data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;<br />
<br />
Having regard to the Law of December 3, 2017 establishing the Data Protection Authority, hereinafter “LCA”;<br />
<br />
Having regard to the Law of July 30, 2018 relating to the protection of individuals with regard to the processing of personal data, hereinafter “LTD”;<br />
<br />
Having regard to the Internal Regulations as approved by the House of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;<br />
<br />
Considering the documents in the file;<br />
<br />
Has taken the following decision regarding:<br />
<br />
The complainant: X, hereinafter “the complainant”, represented by NOYB - EUROPEAN CENTER FOR DIGITAL RIGHTS, Goldschlagstraße 172/4/3/2 – 1140 Vienna (Austria)<br />
<br />
The defendant: Y, hereinafter “the defendant”<br />
<br />
I. Facts and procedure<br />
<br />
1. The complaint concerns processing of personal data through the web page […], without the valid consent of the person concerned.<br />
<br />
The complainant states that she visited the website on 22-10-2021. This web page presented a “banner” of a consent management platform (hereinafter, “Z1”) provided by Z2. On 10-06-2022, the complainant signed a mandate of representation with NOYB, in accordance with Article 80(1) GDPR.<br />
<br />
The complaint mentions several personal data processing operations, in the context of providing the web page, allegedly based on the consent of the person concerned. More precisely, the complaint alleges an infringement of the GDPR as well as of the ePrivacy Directive (ePD), namely that it would not be as easy to withdraw one's consent as to give it. According to the complaint, the option to accept the processing activities concerned appears prominently in the banner, but the complainant was not able to easily find the option allowing her to withdraw her consent. There was notably no clearly visible button entitled “withdraw consent” or similar options. The complaint also specifies that, despite the possibility that Z2 offers to display on all pages a floating and permanently visible icon allowing the persons concerned to return to their cookie settings in order to withdraw their consent, the defendant deliberately chose not to activate this option.<br />
<br />
2. On August 9, 2022, the complainant filed a complaint with the Data Protection Authority.<br />
<br />
3. On August 9, 2022, the First Line Service of the Data Protection Authority declared the complaint admissible on the basis of articles 58 and 60 of the LCA, and transmitted it to the Litigation Chamber in accordance with article 62, § 1 of the LCA.<br />
<br />
<br />
II. Motivation<br />
<br />
4. Based on the facts described in the complaint file as summarized above, and on the basis of the powers assigned to it by the legislator under article 95, § 1 of the LCA, the Litigation Chamber decides on the follow-up to be given to the file; in this case, the Litigation Chamber decides to dismiss the complaint without further action, in accordance with article 95, § 1, 3° of the LCA, for the reasons set out below.<br />
<br />
5. In matters of dismissal, the Litigation Chamber is required to give reasons for its decision step by step[1] and to:<br />
<br />
- pronounce a technical dismissal if the file does not contain sufficient evidence likely to lead to a sanction or if it includes a technical obstacle preventing it from rendering a decision;<br />
<br />
- or pronounce a dismissal on grounds of expediency if, despite the presence of elements likely to lead to a sanction, the continuation of the examination of the file does not seem appropriate given the priorities of the Data Protection Authority as specified and illustrated in the Litigation Chamber's policy of dismissal without further action.[2]<br />
<br />
6. In the event of dismissal based on several grounds, the latter (respectively, technical dismissal and dismissal on grounds of expediency) must be treated in order of importance.[3]<br />
<br />
7. In this case, the Litigation Chamber decides to dismiss the complaint without further action on grounds of expediency. The decision of the Litigation Chamber is based more precisely on a reason for which it considers it inappropriate to pursue the follow-up of the file, and therefore decides not to proceed, among other things, with an examination of the case as to its merits.<br />
<br />
8. In this case, the Litigation Chamber was able to note, on August 24, 2022, that the site concerned by the complaint presented a cookie banner including not only a button allowing the user to reject all (non-essential) cookies, but also a functional URL at the bottom of the page, entitled “Cookie Settings”:<br />
<br />
[screenshot not reproduced]<br />
<br />
[1] Market Court (Brussels Court of Appeal), September 2, 2020, judgment 2020/AR/329, p. 18.<br />
[2] In this regard, the Litigation Chamber refers to its policy of dismissal without further action as developed and published on the website of the Data Protection Authority: https://www.autoriteprotectiondonnees.be/publications/politique-de-classification-without-suite-of-the-contentious-chamber.pdf.<br />
[3] Cf. Title 3 – In what cases is my complaint likely to be dismissed by the Litigation Chamber? of the policy of dismissal without further action by the Litigation Chamber.<br />
<br />
It therefore appears that the only violation invoked by the complaint is no longer founded as of the date mentioned. The Litigation Chamber consequently decides to dismiss the complainant's grievance without further action, taking into account the fact that the subject of the complaint has disappeared due to the measures taken by the controller before the complaint was transferred to the Litigation Chamber by the APD First Line Service.[4] The Litigation Chamber further emphasizes that the above findings still apply as of 19 February 2024:<br />
<br />
[screenshot not reproduced]<br />
<br />
9. In the alternative, the Litigation Chamber was also able to observe, on the occasion of this visit to the site concerned, that none of the categories of non-essential cookies were checked by default. The Litigation Chamber recalls in this regard that the European Data Protection Board (EDPB) adopted, on January 17, 2023, the report established by the Cookie Banner Taskforce,[5] in which the European supervisory authorities notably adopted a common position on the prohibition of using pre-selected preferences authorizing the placement and reading of non-essential cookies, as well as on the obligation to provide users with the possibility to easily withdraw their consent at any time. The Litigation Chamber notes that the data controller has, in the present case, configured the cookie banner in accordance with the requirements listed in the aforementioned report.<br />
<br />
10. Finally, the Litigation Chamber specifies that it is not necessary to rule on the complainant's interest in bringing the action in the specific case, given the reasons for dismissal stated above.<br />
<br />
[4] Cf. criterion B.6 in the Litigation Chamber's policy of dismissal.<br />
[5] EDPB – Report on the work undertaken by the Cookie Banner Taskforce (adopted on 17 January 2023), available at the following link: https://edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf.<br />
<br />
III. Publication and communication of the decision<br />
<br />
11. Considering the importance of transparency regarding the decision-making process and the decisions of the Litigation Chamber, this decision will be published on the website of the Data Protection Authority. However, it is not necessary for this that the identification data of the parties are directly communicated.<br />
<br />
12. In accordance with its policy of dismissal,[6] the Litigation Chamber will communicate the decision to the defendant. Indeed, the Litigation Chamber decided to communicate the decisions of dismissal to the defendants by default. The Litigation Chamber, however, refrains from such communication when the complainant has requested anonymity vis-à-vis the defendant and when the communication of the decision to the defendant, even pseudonymized, nevertheless risks allowing his re-identification.[7] This is not the case in the present case.<br />
<br />
<br />
FOR THESE REASONS,<br />
<br />
the Litigation Chamber of the Data Protection Authority decides, after deliberation, to dismiss this complaint without further action in application of article 95, § 1, 3° of the LCA.<br />
<br />
<br />
In accordance with article 108, § 1 of the LCA, an appeal against this decision may be lodged, within thirty days from its notification, with the Market Court (Court of Appeal of Brussels), with the Data Protection Authority as defendant.<br />
<br />
Such an appeal may be introduced by means of an inter partes petition which must contain the information listed in article 1034ter of the Judicial Code.[8] The inter partes petition must be filed with the registry of the Market Court in accordance with article 1034quinquies of the Judicial Code,[9] or via the e-Deposit information system of the Ministry of Justice (article 32ter of the Judicial Code).<br />
<br />
<br />
[6] Cf. Title 5 – Will the dismissal without further action be published? Will the opposing party be informed? of the policy of dismissal without further action by the Litigation Chamber.<br />
[7] Ibidem.<br />
[8] The petition states, under penalty of nullity:<br />
1° indication of the day, month and year;<br />
2° the surname, first name, domicile of the applicant, as well as, where applicable, his capacity and his national register number or business number;<br />
3° the surname, first name, address and, where applicable, the capacity of the person to be summoned;<br />
4° the object and summary of the grounds of the petition;<br />
5° indication of the judge who is seized of the petition;<br />
6° the signature of the applicant or his lawyer.<br />
[9] The petition, accompanied by its annex, is sent by registered letter, in as many copies as there are parties involved, to the court clerk or filed with the court registry.<br />
<br />
To enable it to consider any other possible course of action, the Litigation Chamber refers the complainant to the explanations provided in its policy of dismissal.[10]<br />
<br />
<br />
(signed) Hielke HIJMANS<br />
<br />
President of the Litigation Chamber<br />
<br />
<br />
[10] Cf. Title 4 – What can I do if my complaint is closed? of the policy of dismissal of the Litigation Chamber.<br />
</pre></div>Nzmhttps://gdprhub.eu/index.php?title=VwGH_-_Ro_2020/04/0031-9VwGH - Ro 2020/04/0031-92024-03-18T15:02:23Z<p>Ec: </p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Austria<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=VwGH<br />
|Court_Original_Name=Verwaltungsgerichtshof<br />
|Court_English_Name=Austrian Administrative Supreme Court<br />
|Court_With_Country=VwGH (Austria)<br />
<br />
|Case_Number_Name=Ro 2020/04/0031-9<br />
|ECLI=ECLI:AT:VWGH:2024:RO2020040031.J00<br />
<br />
|Original_Source_Name_1=RIS<br />
|Original_Source_Link_1=https://www.ris.bka.gv.at/Dokumente/Vwgh/JWT_2020040031_20240201J00/JWT_2020040031_20240201J00.pdf<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Date_Decided=01.02.2024<br />
|Date_Published=<br />
|Year=2024<br />
<br />
|GDPR_Article_1=Article 6(1)(f) GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR#1f<br />
|GDPR_Article_2=Article 17 GDPR<br />
|GDPR_Article_Link_2=Article 17 GDPR<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
<br />
|EU_Law_Name_1=Article 7 CFR<br />
|EU_Law_Link_1=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%253A12012P%252FTXT<br />
|EU_Law_Name_2=Article 8 CFR<br />
|EU_Law_Link_2=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%253A12012P%252FTXT<br />
|EU_Law_Name_3=<br />
|EU_Law_Link_3=<br />
|EU_Law_Name_4=<br />
|EU_Law_Link_4=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=Austrian Data Protection Authority<br />
|Party_Link_1=https://www.data-protection-authority.gv.at/<br />
|Party_Name_2=K GmbH<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Appeal_From_Body=BvWG<br />
|Appeal_From_Case_Number_Name=W211 2225136-1/6E<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=https://360.lexisnexis.at/d/entscheidungen-ris/bvwg_w211_2225136_1/u_verwaltung_BVwG_2020_BVWGT_20200728_W_be70d0c11c<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=ec<br />
|<br />
}}<br />
<br />
The Austrian Supreme Administrative Court found that the storing and processing of personal data from the public insolvency register by a credit agency after the date that the data is made unavailable to the public is unlawful.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
In 2010, debt settlement proceedings were issued against the data subject. The data subject settled the payments of the debt in March 2018. <br />
<br />
The controller, a credit agency, processed and stored personal data of the data subject that related to his debt settlement procedure, for the data subject’s creditworthiness profile and of a company’s creditworthiness profile of which the data subject was the sole shareholder.<br />
<br />
After fulfilling his debt payment plan, the data subject requested the erasure of his personal data on 4 May 2018.<br />
On 24 October 2018, the data subject lodged a complaint with the Austrian DPA against the controller for infringement of the right to erasure under [[Article 17 GDPR|Article 17 GDPR]]. <br />
<br />
The controller informed the DPA by letter the same day that it would not comply with this request.<br />
<br />
The DPA dismissed the data protection complaint. <br />
<br />
The data subject appealed this decision at the Federal Administrative Court (Bundesverwaltungsgericht).<br />
<br />
The Court dismissed the appeal. The Court found that the processing of the personal data in question was necessary, as the data is needed to forecast the future payment behaviour of the data subject. The Court found that the interests of the controller and its third parties outweighed the interests of the data subject. <br />
<br />
The Court concluded that the processing of data on historical insolvencies and payment defaults of the data subject is necessary and lawful and that the objections raised by the data subject could not justify his request for erasure.<br />
<br />
The data subject appealed the decision before the Verwaltungsgerichtshof (Austrian Supreme Administrative Court).<br />
<br />
The Austrian Supreme Administrative Court held off its judgement until the CJEU issued its decision on [[C-26/22 and C-64/22 – Schufa]].<br />
<br />
=== Holding ===<br />
The Supreme Administrative Court ruled on two questions. Firstly, it examined the legality of the storage of data from the insolvency registry by the controller.<br />
<br />
Previous Austrian jurisprudence stated that credit agencies could collect and process personal data out of the public insolvency register up to 5 years after deletion of the data concerned in the registry. However, the recent [[CJEU C-26/22 and C-64/22 – Schufa]] case stated that the lawfulness of the processing of personal data on insolvency by the controller must be assessed solely in light of [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. Moreover, the CJEU also ruled that credit agencies cannot process data they collected from the insolvency register once that data is expired and deleted in the registry they collected the data from (see [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62022CJ0026 CJEU C-26/22 and C-64/22 – Schufa] para 99). The CJEU explained that the data in the insolvency register is only kept for up to 6 months and therefore, considers that, after the expiry of a six-month period, the rights and interests of the data subject take precedence over those of the public to have access to that information.<br />
<br />
The controller argued it had a legitimate interest in the processing of the creditworthiness data of the data subject due to national law. The Federal Administrative Court also ruled that the processing also served to protect the legitimate interests of the controller’s contractual partners.<br />
In light of the [[CJEU C-26/22 and C-64/22 – Schufa]] case, the Supreme Administrative Court found the processing of this data, including the storage, analysis and disclosure of this data to a third party by the controller, constitutes a serious interference with the fundamental rights of the data subject under [[Article 7 CFR]] and [[Article 8 CFR]]. The processing of such data can significantly harm the interests of the data subject because the disclosure is likely to make it considerably more difficult for him to exercise his freedoms, especially when it comes to meeting basic needs. <br />
<br />
The Court stated that the objective of a payment plan is the economic recovery of the data subject. The request for erasure of personal data after fulfilling the payment plan is intended to prevent the data subject from being impaired in business dealings by the public announcement of earlier insolvency proceedings. Therefore, the data subject’s economic recovery is jeopardised if a credit agency, such as the controller in this case, stores data on the data subject’s insolvency proceedings in order to assess the data subject’s creditworthiness, as this data is always used as a negative factor in the assessment. In light of this, the legitimate interests of the controller in processing data regarding the insolvency proceedings of the data subject, which ended with the fulfilment of the legally confirmed payment plan, can no longer justify the processing of these personal data, which were previously publicly accessible in the insolvency register. <br />
<br />
The storage of this data by the controller after the decision of the insolvency court to remove the data from the public register can therefore not be based on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. Thus, it is unlawful for the controller to store and process data relating to the insolvency proceedings of the data subject from the public insolvency register once the data is not available anymore in the register, contrary to the decision of the DPA and the administrative court.<br />
<br />
Secondly, the Court examined the request for erasure in accordance with [[Article 17 GDPR|Article 17 GDPR]]. The Court ruled that due to the absence of lawful processing of the data subject’s data from the insolvency proceedings, the controller is obliged to erase the data concerned immediately under [[Article 17 GDPR#1d|Article 17(1)(d) GDPR]].<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
Ro 2020/04/0031-9<br />
February 1, 2024<br />
<br />
IN THE NAME OF THE REPUBLIC!<br />
<br />
The Administrative Court, through Senate President Dr. Kleiser, Councilor Dr. Mayr, Court Councilor Mag. Hainz-Sator and Court Councilors Dr. Pürgy and Mag. Brandl as judges, with the participation of Secretary Löffler, LL.M., on the revision of A G in W, represented by Brand Rechtsanwälte GmbH in 1020 Vienna, Schüttelstraße 55, Carré Rotunde, against the decision of the Federal Administrative Court of July 28, 2020, Zl. W211 2225136-1/6E, concerning a data protection matter (authority concerned before the administrative court: data protection authority; co-involved party: K GmbH, represented by BLS Rechtsanwälte GmbH in 1010 Vienna, Kärntner Straße 10; other party: Federal Minister of Justice), has rightly recognized:<br />
<br />
The contested finding is lifted due to illegality of its content.<br />
<br />
The federal government has to reimburse the appeal applicant for expenses of €1,346.40 within two weeks, failing which execution will follow. The additional request is rejected.<br />
<br />
<br />
Reasons for the decision:<br />
<br />
1 In 2010, debt settlement proceedings were opened over the appellant's assets before District Court D (Insolvency Court), and the repayment rate set in 2012 was fulfilled in mid-March 2018. In this procedure, the insolvency court approved, by resolution of May 4, 2018, the “deletion of the entries from the insolvency file” requested by the appeal applicant in accordance with Section 256 Paragraph 3 IO, on the basis of the appeal applicant's proof of fulfillment of the payment plan.<br />
<br />
<br />
2 The participating party operates, among other things, the business of a credit information agency in accordance with Section 152 of the 1994 Trade Code (GewO 1994) and stored, among other things, the following excerpts from the data of the appeal applicant in relation to his debt settlement procedure, both in the personal credit profile of the appeal applicant and in the credit profile of XY GmbH, whose sole shareholder is the appeal applicant, under the heading “Insolvency”: “Current status of the proceedings since 2018-04-01”; “Procedural status: payment plan was settled directly by the debtor”; “Liabilities according to the insolvency application [EUR] 167,596.54”.<br />
<br />
Administrative Court<br />
Judenplatz 11, 1010 Vienna<br />
www.vwgh.gv.at Ro 2020/04/0031-9<br />
February 1, 2024<br />
2 of 26<br />
<br />
3 On October 24, 2018, the applicant filed a data protection complaint against the party involved as the respondent for violation of the right to deletion in accordance with Art. 17 General Data Protection Regulation (GDPR), after he had, in a letter of May 23, 2018, desired the deletion of the entry concerning him about his bankruptcy both in his “personal profile” and in the profile of XY GmbH from the database of the party involved, and the co-involved party had informed him in a letter dated the same day that it would not comply with this desire.<br />
<br />
4 In a decision dated September 20, 2019, the data protection authority (authority concerned) rejected the data protection complaint as unfounded.<br />
<br />
5 The Federal Administrative Court (administrative court) rejected the complaint lodged by the appellant against this as unfounded with the contested finding of July 28, 2020 and stated that the revision is permissible.<br />
<br />
6 In summary, the administrative court stated that:<br />
<br />
The participating party processes, in the course of operating the business of a credit information agency in accordance with Section 152 GewO 1994, historical information about payment defaults and insolvency proceedings of the appeal applicant in order to enable (potential) creditors to determine the risk of any payment defaults.<br />
<br />
This is a purpose recognized by the legal system.<br />
<br />
The data on the insolvency proceedings are correct, complete and fundamentally necessary and suitable for making a forecast about the future payment behavior of the appeal applicant.<br />
<br />
Neither the GDPR nor the regulations on the credit reporting agency business (§ 152 GewO 1994) contained concrete deadlines “for the permissible storage period of historical insolvency proceedings and payment defaults”. The permissible storage duration depends on the individual case.<br />
<br />
Historical payment information is essential in order to be able to predict the future payment behavior of (potential) debtors. However, it would have less informative value the longer it lay in the past and the longer there were no further delays in payments and payment defaults. The age of the claim or the time when the final default of the claim is determined, the timing of any repayments and the “good behavior” since then would be of crucial importance in the weighing up.<br />
<br />
As a guideline for how long payment history data is suitable for assessing the creditworthiness of (potential) debtors, observation or deletion periods in the provisions serving to protect creditors could be used that specify in more detail the requirements of a suitable creditworthiness assessment, such as the provisions of Regulation (EU) No 575/2013 of the European Parliament and of the Council of June 26, 2013 on supervisory requirements for credit institutions and investment firms and amending Regulation (EU) No 646/2012 (Capital Adequacy Ordinance). These obliged credit institutions, among other things, to customer assessment and risk assessment of their claims. For credit or retail claims against natural persons, credit institutions that calculate their risk-weighted position amounts based on internal assessments (Art. 143 Para. 1) have to estimate the probability of default, in accordance with Art. 151 Para. 6 in conjunction with Art. 180 Para. 2 lit. a and e Capital Adequacy Ordinance, based, among other things, on the long-term averages of the annual failure rate. For this, a historical observation period of at least five years for at least one data source, which could also be external, is to be taken as a basis. The estimate of the loss rate in the event of a default that is also to be carried out is, in accordance with Article 151 paragraph 7 in conjunction with Article 181 Paragraph 2 Letter c of the Capital Adequacy Ordinance, generally based on a period of at least five years.<br />
<br />
The EU regulator therefore assumes that, for the assessment of the creditworthiness of (potential) debtors and the risk of a claim, data on any payment defaults over a period of at least five years are relevant.<br />
<br />
<br />
If credit institutions, as potential business partners of the party involved, are legally obliged to report their claims based on default rates at least for the last five years, and the credit rating database of the party involved is also intended to provide credit institutions with data that they would need for their mandatory assessment, the processing of the insolvency data of the appeal applicant does not violate the principle of data minimization or storage limitation if the payment plan had been fulfilled less than three months before the deletion request of May 23, 2018, or a little over two years before the administrative court's decision. This also applies to receivables that had already defaulted more than five years ago but were, as in the present case, only finally paid off a little more than two years ago through the fulfillment of the payment plan, because the specific amount of the default could only be determined with the successful fulfillment of the payment plan.<br />
<br />
<br />
As part of the balancing of interests in accordance with Article 6 Paragraph 1 Letter f of the GDPR, on the one hand the interests of the person responsible and of third parties (possible business partners of the party involved) and, on the other hand, the interests, rights and expectations of the data subject must be taken into account.<br />
<br />
The party involved and their customers would have a comprehensible interest in assessing credit risk. The processing of data about insolvencies and payment defaults serves to protect potential contractual partners of the data subject, the third parties within the meaning of Art. 6 Paragraph 1 lit. f GDPR. This data processing also serves to support credit institutions in complying with the regulations of the Capital Adequacy Regulation. For the assessment of credit risk by the party involved, the observation of the historical payment behavior of potential debtors is essential, and the processing of data about insolvency proceedings finally concluded a little over two years ago through the fulfillment of a payment plan is necessary.<br />
<br />
This interest of the party involved and their business partners outweighs the interest of the appeal applicant in not being affected by economic disadvantages of the data processing, because the amount of liabilities in the insolvency proceedings amounted to approximately €215,000. Furthermore, the party involved makes this payment experience data of the appeal applicant available only to a limited public who has an interest in a credit check that is to be taken into account.<br />
<br />
In contrast to the credit rating database of the party involved, the data protection law admissibility of maintaining the insolvency file is based on § 256 Insolvency Code (IO), a legal obligation within the meaning of Art. 6 Paragraph 1 lit. c GDPR. It cannot be deduced from Section 256 IO that insolvency data may (at all) no longer be processed, also on the basis of other permitted circumstances of Art. 6 GDPR, once they have been deleted from the insolvency file. Such a restriction would, at least with regard to the presently relevant permit of Art. 6 Para. 1 lit. f GDPR, contradict EU secondary law.<br />
<br />
As far as the appeal applicant objected in his letter of request dated May 29, 2018 to the use of his data under Art. 21 GDPR, he did not explain to what extent the data processing based on Article 6 Paragraph 1 Letter f of the GDPR is nevertheless not permissible in his special situation. The objection is therefore inadmissible.<br />
<br />
By claiming that the stored data is old and incomplete because the appeal applicant has been successfully active again in business since 2016, and that this data is only suitable for hindering his economic advancement and causing him damage, the appeal applicant asserts a violation of the general processing principles of data minimization and data economy according to Art. 5 GDPR and an inadequate balancing of interests within the framework of Article 6 GDPR, but no reasons that would result from a special situation affecting him.<br />
<br />
<br />
The “processing of data on historical bankruptcies and payment defaults” of the appeal applicant by the co-involved party is therefore necessary and lawful. The objection raised by the appeal applicant could not justify his request for deletion.<br />
<br />
<br />
7 The administrative court based its decision on admissibility on the grounds that there was no jurisprudence of the Administrative Court on the question of which principles a balancing of interests in accordance with Article 6 Paragraph 1 Letter f of the GDPR must satisfy; in particular, whether and under what conditions the regulations of the Capital Adequacy Ordinance can be used as a guideline for determining the permissible storage period of creditworthiness data.<br />
<br />
8 The present ordinary revision is directed against this, with the application for repeal of the contested finding against reimbursement of expenses.<br />
<br />
9 In its response to the appeal, the authority concerned requested the dismissal of the appeal against reimbursement of expenses. The participating party did not submit an appeal response.<br />
<br />
10 By resolution of December 23, 2021, 6 K 441/21.WI, and resolution of January 31, 2022, 6 K 1052/21.WI, the Wiesbaden Administrative Court (Germany) referred, among other things, the following questions to the ECJ (there pending as C-26/22 and C-64/22) for a preliminary ruling:<br />
<br />
“...<br />
<br />
2. Is the storage by a private credit reporting agency of personal data from a public register, such as the 'national databases' within the meaning of Article 79 Paragraphs 4 and 5 of Regulation (EU) 2015/848 [Regulation of the European Parliament and the Council of May 20, 2015 on insolvency proceedings], without any specific reason, in order to be able to provide information in the event of an inquiry, compatible with Articles 7 and 8 of the Charter of Fundamental Rights of the European Union?<br />
<br />
3. a) Are private parallel databases (especially databases of credit agencies) that are set up alongside the state databases, and in which the data from the state databases (here insolvency notices) are stored longer than in the narrow framework of Regulation 2015/848 in conjunction with the national law, generally permissible?<br />
<br />
b) If question 3 a) is answered in the affirmative, does it follow from the right to be forgotten in accordance with Art. 17 Paragraph 1 Letter d) GDPR that this data must be deleted if the processing time envisaged for the public register has expired?<br />
<br />
4. Insofar as Article 6 Paragraph 1 Subparagraph 1 letter f) GDPR comes into consideration as the sole legal basis for the storage by private credit reporting agencies of data also stored in public registers, is a legitimate interest of a credit reporting agency to be affirmed if this credit reporting agency takes over the data from the public directory without any specific reason, so that this data is then available when a request is made?<br />
<br />
...”<br />
<br />
11 By resolution of June 10, 2023, Ro 2020/04/0031, the Administrative Court suspended the appeal proceedings until the decision of the ECJ in the above two requests for a preliminary ruling from the Wiesbaden Administrative Court pending before it, because answering these questions is also important for the treatment of the present revision.<br />
<br />
12 With judgment of December 7, 2023, C-26/22 and C-64/22, SCHUFA Holding (discharge of residual debt), the ECJ decided on the requests for a preliminary ruling from the Wiesbaden Administrative Court.<br />
<br />
The Administrative Court considered:<br />
<br />
<br />
Admissibility<br />
<br />
13 The appeal turns out to be admissible, in line with the separate admissibility submissions made in the revision, in order to clarify the legal question as to whether EU regulations such as the Capital Adequacy Ordinance in this case, which are addressed to credit institutions and investment firms and contain regulations for internal credit checks, can be used as a guideline for determining the permissible storage period of certain creditworthiness data by credit reporting agencies for other than internal use. It is also justified.<br />
<br />
Relevant legal situation<br />
<br />
<br />
Union law<br />
<br />
14 The relevant recitals and provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; GDPR), OJ L 119 of May 4, 2016, read in excerpts:<br />
<br />
“Article 6<br />
Lawfulness of processing<br />
<br />
(1) Processing is only lawful if at least one of the following conditions is met:<br />
<br />
...<br />
<br />
f) the processing is necessary to protect the legitimate interests of the responsible person or a third party, unless the interests or fundamental rights and freedoms of the person concerned, which require the protection of personal data, predominate, especially if the person concerned is a child.<br />
<br />
Subparagraph 1(f) does not apply to processing carried out by public authorities in the performance of their tasks.<br />
<br />
...<br />
<br />
Article 17<br />
Right to deletion (“right to be forgotten”)<br />
<br />
(1) The data subject has the right to request from the person responsible that personal data concerning him or her be deleted immediately, and the person responsible is obliged to delete personal data immediately if one of the following reasons applies:<br />
<br />
a) The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.<br />
...<br />
<br />
c) The data subject objects to the processing in accordance with Article 21(1) and there are no overriding legitimate reasons for the processing, or the data subject objects to the processing in accordance with Article 21 Paragraph 2.<br />
d) The personal data was processed unlawfully.<br />
<br />
...”<br />
<br />
15 The relevant recitals and provisions of Directive 2008/48/EC of the European Parliament and of the Council of April 23, 2008 on credit agreements for consumers and repealing Council Directive 87/102/EEC, OJ L 133 of 22.5.2008, read in excerpts:<br />
<br />
“(26) ... Particularly in the expanding credit market, it is important that lenders do not act irresponsibly in granting loans or grant loans without prior assessment of creditworthiness, and the Member States should carry out the necessary checks to prevent such behavior and should determine the necessary sanctions for those lenders who behave in this way. Without prejudice to the provisions on credit risk of Directive 2006/48/EC of the European Parliament and of the Council of 14 June 2006 relating to the taking up and pursuit of the business of credit institutions, lenders should be responsible for checking the consumer's creditworthiness in each individual case. ...<br />
<br />
...<br />
(28) To assess the consumer's credit situation, the creditor should also consult the relevant databases; due to legal and factual circumstances, such consultations may vary in scope. So that competition between lenders is not distorted, lenders from other Member States should be granted access to private or public databases concerning consumers in a Member State in which they are not established under conditions that are non-discriminatory compared with those for the creditors of that Member State.<br />
<br />
...<br />
<br />
Article 8<br />
Obligation to assess the consumer's creditworthiness<br />
<br />
(1) Member States shall ensure that, before the credit agreement is concluded, the lender assesses the consumer's creditworthiness based on sufficient information that he may collect from the consumer and, if necessary, based on information from the relevant database. Those Member States that by law require lenders to check the consumer's creditworthiness based on a corresponding database query may maintain this requirement.”<br />
<br />
16 The relevant recitals and provisions of Directive 2014/17/EU of the European Parliament and of the Council of February 4, 2014 on credit agreements for consumers relating to residential immovable property and amending Directives 2008/48/EC and 2013/36/EU and Regulation (EU) No. 1093/2010, OJ L 60 of February 28, 2014, read in excerpts:<br />
<br />
“(55) Before concluding a credit agreement, it is essential to evaluate and check the consumer's ability and propensity to repay the loan. During this credit check, all necessary and relevant factors should be taken into account that could influence the ability of a consumer to make the repayments due over the term of the loan. ...<br />
...<br />
<br />
(59) Querying a credit database is a useful element in the credit check. ...<br />
<br />
...<br />
<br />
Article 18<br />
Obligation to check the consumer's creditworthiness<br />
<br />
1. Member States shall ensure that the creditor carries out a thorough check of the consumer's creditworthiness before concluding a credit agreement. When checking creditworthiness, the factors that are relevant to the examination of the prospects that the consumer will fulfill his obligations under the loan agreement are taken into account in an appropriate manner.<br />
<br />
...<br />
<br />
Article 21<br />
Access to databases<br />
<br />
(1) Each Member State shall ensure that all creditors from all Member States have access to the databases used within its territory for the assessment of the consumer's creditworthiness, whose use is only to monitor to what extent consumers fulfill their loan obligations during the term of a loan agreement. Access must be granted without discrimination.<br />
<br />
(2) Paragraph 1 applies both to databases operated by private credit bureaus and credit reporting agencies and to public registers.<br />
...”<br />
<br />
17 The relevant recitals and provisions of Regulation (EU) No 575/2013 of the European Parliament and of the Council of June 26, 2013 on supervisory requirements for credit institutions and investment firms and amending Regulation (EU) No 646/2012 (Capital Adequacy Regulation), OJ L 176 of June 27, 2013, read in excerpts:<br />
<br />
“(42) It is essential to take into account the diversity of institutions in the Union; therefore, when calculating the own funds requirements for credit risk, different approaches with varying degrees of risk sensitivity and sophistication should be provided. Through the use of external credit assessments and the institutions' own estimates of individual credit risk parameters, the credit risk provisions gain significantly in risk sensitivity and regulatory soundness. Institutions should switch to approaches with higher risk sensitivity. If institutions are to apply the approaches provided for in this Regulation, they should provide the estimates needed to assess credit risk and submit their procedures for credit risk measurement and credit risk management, so that methods for determining regulatory capital requirements are available that take into account the type, scope and complexity of the procedures of the individual institutions. In this regard, data processing in connection with the procurement and administration of loans to customers also includes the development and validation of systems for credit risk management and credit risk measurement. This serves not only the legitimate interests of institutions, but also the goal of this regulation to apply better methods for risk measurement and management and to use these methods also with regard to the prescribed own resources. Regardless, approaches with higher risk sensitivity require significant expertise and resources as well as qualitatively high-quality and sufficient data. ...<br />
...<br />
<br />
Article 135<br />
<br />
Use of ECAI credit ratings<br />
<br />
(1) An external credit assessment may only be used to determine the risk weight of a claim according to this chapter if it comes from an ECAI or was confirmed by an ECAI in accordance with Regulation (EC) No. 1060/2009.<br />
<br />
...<br />
Article 171<br />
<br />
Assignment to rating levels or risk pools<br />
<br />
...<br />
<br />
(2) When assigning debtors and facilities to a rating level or a risk pool, an institution takes all relevant information into account. The information is up-to-date and enables the institution to forecast the future development of the risk position. The less information an institution has available, the more conservative is the procedure for assigning risk positions to debtor or facility rating levels or risk pools. If an institution bases the determination of an internal assessment mainly on an external credit rating, it ensures that other relevant information is also taken into account.<br />
<br />
...<br />
<br />
Article 180<br />
Special requirements for PD estimates<br />
<br />
(1) When quantifying the risk parameters for certain creditworthiness levels or pools, the institutions apply, when estimating PD for receivables from companies, institutions, central governments and central banks as well as for investment positions for which they apply the PD/LGD approach in accordance with Article 155 paragraph 3, the following specific requirements:<br />
...<br />
<br />
f) to the extent that an institution links its internal creditworthiness levels to the creditworthiness scale of an ECAI or comparable institutions, or to such a scale, and then assigns the default rates recorded by the external organization for its creditworthiness levels to its internal levels, this assignment is made based on a comparison between the internal assessment criteria and the criteria of the external organization and a comparison between internal and external assessments of any joint debtor. Distortions or inconsistencies in the assignment procedure or the underlying data are avoided. The criteria of the external organization on which the data used for quantification are based are focused exclusively on the risk of default and do not reflect any transaction characteristics. ...”<br />
<br />
National law<br />
<br />
<br />
18 Section 7 Paragraph 1 of the Consumer Credit Act (VKrG), Federal Law Gazette I No. 28/2010 as amended by Federal Law Gazette I No. 135/2015, reads:<br />
<br />
“Checking the consumer’s creditworthiness<br />
<br />
§ 7. (1) Before concluding the loan agreement, the lender has to check the consumer's creditworthiness based on sufficient information that he, if necessary, requests from the consumer; if necessary, he also has to consult information from an available database.”<br />
<br />
19 § 9 Mortgage and Real Estate Loan Act - HIKrG, Federal Law Gazette I No. 135/2015, reads in part:<br />
<br />
“Checking the consumer’s creditworthiness<br />
<br />
§ 9. (1) Before concluding a credit agreement, the lender has to carry out a thorough check of the consumer's creditworthiness. In the creditworthiness check, the factors that are relevant to checking the prospects that the consumer will fulfill his obligations under the credit agreement must be taken into account in an appropriate manner.<br />
(2) The creditworthiness check is to be carried out on the basis of necessary, sufficient and appropriate information on income, expenses and other financial and economic circumstances of the consumer. The lender has to obtain the information from relevant internal or external sources, including the consumer.<br />
...”<br />
<br />
20 § 256 of the Insolvency Code (IO), Federal Law Gazette No. 337/1914 as amended by Federal Law Gazette I No. 122/2017, reads in part:<br />
<br />
“Insolvency file<br />
§ 256. (1) Data that are to be made public under this Federal Act shall be entered in the edict file (insolvency file).<br />
(2) Access to the insolvency file shall no longer be granted once one year has passed since<br />
...<br />
4. the expiry of the payment period provided for in the payment plan, or<br />
...<br />
(3) At the debtor's request, access to the insolvency file shall no longer be granted as soon as the restructuring plan has been confirmed with legal effect or the payment plan has been fulfilled. The debtor shall provide documentary evidence of fulfilment. The court may appoint an expert to examine fulfilment, the costs of which shall be borne by the debtor. The court shall decide on access by a decision that is not subject to appeal.<br />
...”<br />
<br />
Lawfulness of the storage of data from the insolvency file by credit reporting agencies<br />
<br />
21 In the present case, the appellant seeks the deletion of an entry concerning his insolvency proceedings from the database of the co-involved credit reporting agency, after the insolvency court, in his debt settlement proceedings, ordered the “deletion of the entries from the insolvency file” pursuant to Section 256(3) IO. It is therefore necessary to examine whether the storage of these data by the co-involved party is permissible also in the period after the insolvency court's decision no longer to grant access to the insolvency file pursuant to Section 256(3) IO.<br />
<br />
22 In its judgment of 7 December 2023, C-26/22 and C-64/22, SCHUFA Holding (Discharge of residual debt), the ECJ answered the questions in the request for a preliminary ruling from the Wiesbaden Administrative Court that are relevant here to the effect that Art. 5(1)(a) GDPR in conjunction with Art. 6(1)(f) GDPR must be interpreted as precluding the practice of private credit reporting agencies of storing, in their own databases, information from a public register concerning the granting of a discharge of residual debt to natural persons, for the purpose of providing information on the creditworthiness of those persons, for a period extending beyond the period for which the data are stored in the public register. It gave essentially the following reasons:<br />
<br />
“...<br />
<br />
74 In the present case, it is common ground that the lawfulness of the processing of personal data at issue in the main proceedings is to be assessed solely in the light of Article 6(1), first subparagraph, point (f) GDPR. Under that provision, the processing of personal data is lawful only if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.<br />
<br />
75 The processing of personal data is therefore lawful under that provision subject to three cumulative conditions: first, a legitimate interest must be pursued by the controller or by a third party; second, the processing of the personal data must be necessary for the purposes of that legitimate interest; and third, the interests or fundamental rights and freedoms of the person whose data are to be protected must not override it (judgment of 4 July 2023, Meta Platforms and Others [General terms of use of a social network], C-252/21, EU:C:2023:537, paragraph 106 and the case-law cited there).<br />
<br />
76 As regards, first, the condition relating to the pursuit of a 'legitimate interest', it should be noted that, in the absence of a definition of that concept in the GDPR, as the Advocate General stated in point 61 of his Opinion, a wide range of interests is in principle capable of being regarded as legitimate.<br />
<br />
77 As regards, second, the condition that the processing of personal data be necessary for the purposes of the legitimate interest pursued, that condition requires the referring court to ascertain that the legitimate interest in the processing of the data cannot reasonably be achieved just as effectively by other means that interfere less with the fundamental rights and freedoms of the data subjects, in particular the rights to respect for private life and to the protection of personal data guaranteed by Articles 7 and 8 of the Charter (judgment of 4 July 2023, Meta Platforms and Others [General terms of use of a social network], C-252/21, EU:C:2023:537, paragraph 108 and the case-law cited there).<br />
<br />
78 In that context, it should also be noted that the condition relating to the necessity of the data processing must be examined together with the so-called principle of 'data minimisation', which is enshrined in Article 5(1)(c) GDPR and requires that personal data be 'adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed' (judgment of 4 July 2023, Meta Platforms and Others [General terms of use of a social network], C-252/21, EU:C:2023:537, paragraph 109 and the case-law cited there).<br />
<br />
79 As regards, third, the condition that the interests or fundamental freedoms and rights of the person whose data are to be protected do not override the legitimate interest of the controller or of a third party, the Court has already held that that condition entails a balancing of the opposing rights and interests at issue, which depends in principle on the specific circumstances of the individual case, and that it is therefore for the referring court to carry out that balancing exercise taking account of those specific circumstances (judgment of 4 July 2023, Meta Platforms and Others [General terms of use of a social network], C-252/21, EU:C:2023:537, paragraph 110 and the case-law cited there).<br />
<br />
80 Furthermore, as is apparent from recital 47 of the GDPR, the interests and fundamental rights of the data subject may override the interest of the controller in particular where personal data are processed in circumstances in which the data subject cannot reasonably expect such processing (judgment of 4 July 2023, Meta Platforms and Others [General terms of use of a social network], C-252/21, EU:C:2023:537, paragraph 112).<br />
<br />
81 While it is ultimately for the referring court to assess whether, as regards the processing of personal data at issue in the main proceedings, the three conditions referred to in paragraph 75 of the present judgment are met, the Court, when giving a preliminary ruling, may provide the national court with guidance for that assessment (see, to that effect, judgment of 20 October 2022, Digi, C-77/21, EU:C:2022:805, paragraph 39 and the case-law cited there).<br />
<br />
82 In the present case, as regards the pursuit of a legitimate interest, SCHUFA submits that credit reporting agencies process data that are necessary for assessing the creditworthiness of persons or undertakings in order to be able to make that information available to their contractual partners. That activity not only protects the economic interests of the undertakings that wish to enter into credit-related contracts; the determination of creditworthiness and the provision of credit information also form a foundation of the credit system and of the functioning of the economy. The activity of credit reporting agencies also helps those interested in credit-related transactions to realise their commercial wishes, since the information makes a quick and unbureaucratic check possible.<br />
<br />
83 In that respect, although the processing of personal data such as that at issue in the main proceedings does serve the economic interests of SCHUFA, that processing also serves to protect the legitimate interests of SCHUFA's contractual partners who wish to enter into credit-related contracts with persons, in order to assess the creditworthiness of those persons, and thus the socio-economic interests of the credit sector.<br />
<br />
84 As regards consumer credit agreements, it follows from Article 8 of Directive 2008/48, read in the light of recital 28 thereof, that the creditor is obliged, before the credit agreement is concluded, to assess the consumer's creditworthiness on the basis of sufficient information, where appropriate also on the basis of information from public and private databases.<br />
<br />
85 Furthermore, as regards credit agreements relating to residential immovable property for consumers, Article 18(1) and Article 21(1) of Directive 2014/17, read in conjunction with recitals 55 and 59 thereof, indicate that the creditor must carry out a thorough assessment of the consumer's creditworthiness and must have access to credit databases, the consultation of such databases being a useful element in that assessment.<br />
<br />
86 It should be added that the obligation to assess the consumer's creditworthiness, as laid down in Directives 2008/48 and 2014/17, is intended not only to protect the credit applicant but also, as recital 26 of Directive 2008/48 emphasises, to ensure the proper functioning of the credit system as a whole.<br />
<br />
87 However, the data processing must also be necessary for the purposes of the legitimate interests pursued by the controller or by a third party, and those interests must not be overridden by the interests or fundamental rights and freedoms of the data subject. In the balancing of the opposing rights and interests at issue, namely those of the controller and of the third parties concerned on the one hand and those of the data subject on the other, account must be taken, as noted in paragraph 80 of the present judgment, in particular of the reasonable expectations of the data subject and of the scope of the processing at issue and its effects on that person (cf. judgment of 4 July 2023, Meta Platforms and Others [General terms of use of a social network], C-252/21, EU:C:2023:537, paragraph 116).<br />
<br />
88 As regards Article 6(1), first subparagraph, point (f) GDPR, the Court has held that that provision must be interpreted as meaning that processing can be regarded as necessary for the purposes of the legitimate interests pursued by the controller or by a third party, within the meaning of that regulation, only if that processing is carried out within the limits of what is strictly necessary for the attainment of that legitimate interest and if it is apparent from a balancing of the opposing interests, taking account of all the relevant circumstances, that the interests or fundamental rights and freedoms of the data subjects do not override that legitimate interest of the controller or of a third party (see, to that effect, judgments of 4 May 2017, Rīgas satiksme, C-13/16, EU:C:2017:336, paragraph 30, and of 4 July 2023, Meta Platforms and Others [General terms of use of a social network], C-252/21, EU:C:2023:537, paragraph 126).<br />
<br />
89 In that context, the referring court points to two aspects of the processing of personal data at issue in the main proceedings. First, that processing involves multiple storage of the data, i.e. not only in a public register but also in the databases of the credit reporting agencies, and those agencies do not carry out that storage in relation to a specific case, but in the event that their contractual partners request information from them. Second, those agencies store the data for three years on the basis of codes of conduct within the meaning of Art. 40 GDPR, whereas the national legislation provides for a storage period of only six months for the public register.<br />
...<br />
<br />
92 As regards the duration of the data storage, the examination of the second and third conditions referred to in paragraph 75 of the present judgment overlaps in so far as the assessment of whether, in the present case, the legitimate interests pursued by the processing of personal data at issue in the main proceedings cannot reasonably be achieved by a shorter period of data storage requires a balancing of the opposing rights and interests at issue.<br />
<br />
93 In the balancing of the legitimate interests pursued, it should be noted that the analysis carried out by a credit reporting agency, in so far as it makes possible an objective and reliable assessment of the creditworthiness of the potential customers of the agency's contractual partners, can compensate for information asymmetries and thus reduce fraud risks and other uncertainties.<br />
<br />
94 By contrast, as regards the rights and interests of the data subject, the processing of data relating to the granting of a discharge of residual debt by a credit reporting agency, such as the storage, analysis and communication of those data to third parties, constitutes a serious interference with the fundamental rights of the data subject enshrined in Articles 7 and 8 of the Charter. Such data serve as a negative factor in assessing the creditworthiness of the data subject and are therefore sensitive information about his or her private life (see, to that effect, judgment of 13 May 2014, Google Spain and Google, C-131/12, EU:C:2014:317, paragraph 98). Their processing is liable to cause considerable harm to the interests of the data subject, since that disclosure is likely to make the exercise of his or her freedoms significantly more difficult, in particular when it comes to satisfying basic needs.<br />
<br />
95 Furthermore, as the Commission has pointed out, the consequences for the interests and private life of the data subject are all the greater, and the requirements relating to the lawfulness of storing that information therefore all the higher, the longer the data in question are stored by credit reporting agencies.<br />
<br />
96 It should also be noted that the aim of a public insolvency register, as is apparent from recital 76 of Regulation 2015/848, is to improve the information available to the creditors and courts concerned. In that context, Article 79(5) of that regulation merely provides that Member States are to inform data subjects of the period during which their personal data stored in insolvency registers are accessible, without specifying a storage period for those data. By contrast, it follows from Article 79(4) of that regulation that Member States are responsible, in accordance with that article, for collecting data and storing them in national databases. The period for storing those data must therefore be fixed in compliance with that regulation.<br />
<br />
97 In the present case, the German legislature provides that information about the granting of a discharge of residual debt is stored in the insolvency register for only six months. It therefore assumes that, after a period of six months, the rights and interests of the data subject override those of the public in having access to that information.<br />
<br />
98 Furthermore, as the Advocate General stated in point 75 of his Opinion, the discharge of residual debt enables the beneficiary to participate in economic life again and is therefore generally of existential importance for that person. The attainment of that objective would, however, be jeopardised if credit reporting agencies could, in order to assess a person's economic situation, store data about a discharge of residual debt and use such data after they have been deleted from the public insolvency register, since those data are always used as a negative factor in assessing the creditworthiness of such a person.<br />
<br />
99 In those circumstances, the interests of the credit sector in having information about a discharge of residual debt cannot justify processing of personal data such as that at issue in the main proceedings after the expiry of the period for which the data are stored in the public insolvency register, so that the storage of those data by a credit reporting agency cannot be based on Article 6(1), first subparagraph, point (f) GDPR as regards the period after the deletion of those data from a public insolvency register.<br />
...<br />
<br />
106 Finally, the referring court asks, in essence, what obligations a credit reporting agency has under Art. 17 GDPR.<br />
<br />
...<br />
<br />
108 Should the referring court, following its assessment of the lawfulness of the processing of personal data at issue in the main proceedings, conclude that that processing is not lawful, the controller, in this case SCHUFA, is obliged under the clear wording of that provision to erase the data concerned without undue delay. As found in paragraph 99 of the present judgment, that would be the case for the processing of the personal data at issue carried out after the expiry of the six-month period for the storage of the data in the public insolvency register.<br />
<br />
...”<br />
<br />
23 On the basis of this case law of the ECJ, the lawfulness of the processing of personal data from the insolvency file by the co-involved party is to be assessed solely in the light of Article 6(1)(f) GDPR. Under that provision, the processing of personal data is lawful subject to three cumulative conditions: first, a legitimate interest must be pursued by the controller or by a third party; second, the processing of the personal data must be necessary for the purposes of that legitimate interest; and third, the interests and fundamental rights and freedoms of the person whose data are to be protected must not override it (ECJ 7 December 2023, C-26/22 and C-64/22, SCHUFA Holding [Discharge of residual debt], paragraphs 74 and 75, with further references; see also VwGH 31 October 2023, Ro 2020/04/0024, 0025, paragraph 22, with further references).<br />
<br />
24 In the present case, as regards the pursuit of a legitimate interest, the co-involved party submits that, on the basis of its exercise of the trade of credit reporting agency pursuant to Section 152 GewO 1994, it has a legitimate interest in processing the appellant's creditworthiness data, in particular information about his past insolvency, for the purpose of assessing his creditworthiness. This data processing therefore serves the economic interests of the co-involved party. In this context, however, the administrative court also pointed out that the processing of data about insolvencies and payment defaults serves to protect potential contractual partners of the appellant. The processing of the appellant's insolvency data therefore also serves to safeguard the legitimate interests of the co-involved party's contractual partners, who wish to estimate the credit risk associated with concluding credit-relevant contracts with the appellant.<br />
<br />
25 The ECJ (C-26/22 and C-64/22, paragraphs 83 to 86) also relies in this connection on the existence of a socio-economic interest of the credit sector in the processing of creditworthiness data, in particular insolvency data. On the one hand, it refers to Article 8 of Directive 2008/48/EC, from which, read in the light of recital 28 of that Directive, it follows for consumer credit agreements that the creditor is obliged, before concluding the credit agreement, to assess the consumer's creditworthiness on the basis of sufficient information, where appropriate also on the basis of information from public and private databases (corresponding domestically to Section 7(1) of the Consumer Credit Act (VKrG), by which Article 8 of Directive 2008/48/EC on consumer credit agreements was implemented). On the other hand, as regards credit agreements relating to residential immovable property for consumers, the creditor must, under Article 18(1) and Article 21(1) of Directive 2014/17 read in conjunction with recitals 55 and 59 of that Directive, carry out a thorough assessment of the consumer's creditworthiness, the consultation of credit databases to which the creditor has access being a useful element in that assessment (corresponding domestically to Section 9(1) and (2) of the Mortgage and Real Estate Loan Act (HIKrG), by which Article 18(1) of Directive 2014/17/EU was implemented). Furthermore, the obligation to assess consumers' creditworthiness laid down in Directives 2008/48/EC and 2014/17/EU is intended not only to protect the credit applicant but also, as recital 26 of Directive 2008/48/EC emphasises, to ensure the proper functioning of the credit system as a whole.<br />
<br />
<br />
26 The administrative court refers (specifically on the question of the storage period) in particular to Regulation (EU) No. 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No. 646/2012 (Capital Adequacy Regulation). In Art. 135(1), Art. 171(2) and Art. 180(1)(f), read in conjunction with recital 42, that Regulation provides for the use of external credit assessments, for example for the assignment of rating grades and risk pools or for estimating the probability of default (“PD estimate”), and thus for credit risk assessment. It therefore also follows from the Capital Adequacy Regulation that the processing of insolvency data of (potential) borrowers serves the socio-economic interest of the credit sector in assessing the creditworthiness of the co-involved party's contractual partners who wish to conclude credit-relevant contracts with the appellant.<br />
<br />
27 Finally, the analysis carried out by a credit reporting agency such as the co-involved party, in so far as it makes possible an objective and reliable assessment of the creditworthiness of the potential customers of its contractual partners, can compensate for information asymmetries and thus reduce fraud risks and other uncertainties (cf. ECJ C-26/22 and C-64/22, paragraph 93).<br />
<br />
28 In this respect, there is a legitimate interest within the meaning of Art. 6(1)(f) GDPR in the processing of the appellant's data relating to the debt settlement proceedings.<br />
<br />
29 By contrast, the processing of these data, in particular with regard to the fulfilment of the legally confirmed payment plan, such as the storage, analysis and transfer of these data to third parties by the co-involved party, constitutes a serious interference with the appellant's fundamental rights enshrined in Articles 7 and 8 of the Charter of Fundamental Rights (GRC). Since such data serve as a negative factor in assessing the appellant's creditworthiness, they constitute sensitive information about his private life. Their processing is liable to cause considerable harm to the appellant's interests, since the disclosure is likely to make the exercise of his freedoms significantly more difficult, in particular when it comes to satisfying basic needs. The consequences for the interests and private life of the appellant are all the greater, and the requirements relating to the lawfulness of storing this information therefore all the higher, the longer these data are stored by the co-involved party (see ECJ C-26/22 and C-64/22, paragraphs 94, 95).<br />
<br />
30 The aim of a public insolvency register such as the insolvency file under § 256 IO is to ensure better information for the creditors and courts concerned (cf. ECJ C-26/22 and C-64/22, paragraph 96, and domestically the explanatory notes to the Insolvency Law Amendment Act 1997 - IRÄG 1997 in RV 734 BlgNR 20. GP, 34, 63).<br />
<br />
<br />
31 Under Section 256(2)(4) IO, access to the insolvency file is no longer to be granted once one year has passed since the expiry of the payment period provided for in the payment plan. At the debtor's request, access to the insolvency file is no longer to be granted as soon as the legally confirmed payment plan has been fulfilled (Section 256(3) IO). The latter option serves to avoid disadvantages for the debtor in business dealings (see the explanatory notes to the Insolvency Law Amendment Act 2010 - IRÄG 2010, RV 612 BlgNR 24. GP 3, 35).<br />
<br />
32 The legislature therefore assumes that upon fulfilment of the legally confirmed payment plan, but at the latest upon expiry of one year since the expiry of the payment period provided for in the payment plan, the rights and interests of the data subject, here the appellant, override those of the public in having access to this information (cf. RV 734 BlgNR 20. GP, 63). After all, the aim of the payment plan is the economic recovery of the debtor (cf. OGH 18 August 2010, 8 Ob 146/09t). In this sense, a “deletion” from the insolvency file following fulfilment of the payment plan is intended to prevent the debtor from being disadvantaged in business dealings by the public disclosure of previous insolvency proceedings (see the explanatory notes in RV 612 BlgNR 24. GP, 3, 35).<br />
<br />
<br />
33 However, the attainment of this goal would be jeopardised if the co-involved party, as a credit reporting agency, could store the appellant's data about his insolvency proceedings in order to assess his economic situation, and could use such data after access to the insolvency file may no longer be granted under § 256(2) and (3) IO, since these data can always be used as a negative factor in assessing the appellant's creditworthiness. In these circumstances, the legitimate interests of the credit sector in having information about the appellant's insolvency proceedings, which ended with the fulfilment of the legally confirmed payment plan, cannot justify the processing of these personal data, which previously could be viewed publicly in the insolvency file but can no longer be. The storage of these data by the co-involved party with regard to the period after the insolvency court's decision on the “deletion of the entries from the insolvency file” pursuant to Section 256(3) IO therefore cannot be based on Art. 6(1)(f) GDPR. The storage by the co-involved party of the data relating to the appellant's debt settlement proceedings that were deleted from the insolvency file, beyond the time at which the insolvency court's decision under Section 256(3) IO became final, therefore proves, contrary to the legal opinion of the authority concerned and of the administrative court, to be unlawful (cf. again ECJ C-26/22 and C-64/22, paragraphs 98 and 99).<br />
<br />
Request for deletion according to Art. 17 GDPR<br />
<br />
<br />
34 Due to the lack of lawfulness of the processing of the appeal applicant's data regarding his insolvency proceedings that were deleted from the insolvency file, the participating party is obliged to delete the relevant data immediately in accordance with Art. 17 Para. 1 lit. d GDPR (cf. again ECJ C-26/22 and C-64/22, paragraph 108).<br />
<br />
35 In contrast, the VwGH decision of May 9, 2023, Ro 2020/04/0037, concerned the right to deletion in accordance with Art. 17 GDPR asserted by the appeal applicant against a credit institution in relation to an entry of payment experience data concerning him in a database operated jointly with other credit institutions (bank warning list). That entry did not concern the processing of personal data of the appeal applicant from the insolvency file. Rather, the payment experience data of the appeal applicant stored on the bank warning list had been collected by the credit institution in connection with the existing current account of the appeal applicant (see VwGH Ro 2020/04/0037, paragraph 57, last sentence). Insofar as that decision, taking into account the storage period of at least five years under the Capital Adequacy Ordinance, considered the storage of payment experience data in the bank warning list to be generally legitimate, it should be noted that the Capital Adequacy Ordinance, in accordance with its Article 1, regulates general supervisory requirements for credit institutions in specific areas and therefore does not apply to credit reporting agencies such as the party involved in this case.<br />
<br />
<br />
Result<br />
<br />
36 Insofar as the administrative court assumed the legality of the storage of the insolvency data relating to the appeal applicant by the co-participating credit reporting agency in accordance with Article 6 Paragraph 1 Letter f of the GDPR and, on that basis, denied the right to deletion asserted by the appeal applicant, it burdened the contested finding with illegality of the content. The contested finding therefore had to be repealed in accordance with Section 42 Paragraph 2 Z 1 VwGG.<br />
<br />
37 The Administrative Court was able to refrain from conducting the requested hearing in accordance with Section 39 Para. 2 Z 6 VwGG, because the present case does not involve questions of the assessment of evidence or disputed findings of fact; rather, the appeal raised legal questions that were not complex in nature, especially since the central legal question could already be resolved by reference to the case law of the ECJ (see VwGH August 3, 2023, Ro 2020/04/0035, Rn. 35, mwN), and an oral hearing is not required to resolve them in the sense of the case law of the ECHR (cf. VwGH May 9, 2023, Ro 2020/04/0037, Rn. 81, mwN).<br />
<br />
38 The decision on reimbursement of expenses is based on Sections 47 ff VwGG, in particular Section 1 Paragraph 1 Letter a VwGH Expense Reimbursement Ordinance, according to which the flat-rate amount for the filing costs for the submission of the appeal is, contrary to the recorded flat rate of € 2,180.--, only € 1,106.40. Sales tax is not to be awarded separately according to Section 47 Paragraph 1 VwGG, because it is already included in the flat-rate written expenses (see on the latter VwGH April 10, 2020, Ra 2018/04/0154 to 0155, 34).<br />
<br />
Vienna, February 1, 2024<br />
</pre></div>Echttps://gdprhub.eu/index.php?title=CJEU_-_C-46/23_-_Budapest_F%C5%91v%C3%A1ros_IV._Ker%C3%BClet_%C3%9Ajpest_%C3%96nkorm%C3%A1nyzat_Polg%C3%A1rmesteri_Hivatala_v._Nemzeti_Adatv%C3%A9delmi_%C3%A9s_Inform%C3%A1ci%C3%B3szabads%C3%A1g_Hat%C3%B3s%C3%A1gCJEU - C-46/23 - Budapest Főváros IV. Kerület Újpest Önkormányzat Polgármesteri Hivatala v. Nemzeti Adatvédelmi és Információszabadság Hatóság2024-03-18T14:02:32Z<p>Lm: altered title to shorten</p>
<hr />
<div>{{CJEUdecisionBOX<br />
<br />
|Case_Number_Name=C-46/23 Budapest Főváros IV. Kerület Újpest Önkormányzat Polgármesteri Hivatala v. Nemzeti Adatvédelmi és Információszabadság Hatóság<br />
|ECLI=ECLI:EU:C:2024:239<br />
<br />
|Opinion_Link=<br />
|Judgement_Link=https://curia.europa.eu/juris/document/document.jsf?text=2016%252F679&docid=283833&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=2140435#ctx1<br />
<br />
|Date_Decided=14.03.2024<br />
|Year=2024<br />
<br />
|GDPR_Article_1=Article 17 GDPR<br />
|GDPR_Article_Link_1=Article 17 GDPR<br />
|GDPR_Article_2=Article 58(2)(d) GDPR<br />
|GDPR_Article_Link_2=Article 58 GDPR#2d<br />
|GDPR_Article_3=Article 58(2)(g) GDPR<br />
|GDPR_Article_Link_3=Article 58 GDPR#2g<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=Budapest Főváros IV. Kerület Újpest Önkormányzat Polgármesteri Hivatala<br />
|Party_Link_1=https://ujpest.hu/<br />
|Party_Name_2=Nemzeti Adatvédelmi és Információszabadság Hatóság<br />
|Party_Link_2=https://www.naih.hu/<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Reference_Body=Alkotmánybíróság (Hungarian Constitutional Court)<br />
|Reference_Case_Number_Name=<br />
<br />
|Initial_Contributor=lm<br />
|<br />
}}<br />
<br />
The CJEU held that DPAs can exercise corrective powers under Article 58(2)(d) and (g) GDPR to order erasure of personal data by their own motion, regardless of where the data originated or whether the data subject requested its erasure. <br />
<br />
==English Summary==<br />
<br />
=== Facts ===<br />
In February 2020, the Újpest administration (the controller) obtained personal data about Hungarian residents from the Hungarian Treasury and the Budapest district office. The intent was to determine eligibility for a program seeking to provide financial support to residents made vulnerable by the COVID-19 pandemic. <br />
<br />
The Hungarian DPA initiated an investigation after a report alerted it to the processing. The DPA determined that the controller had failed to inform data subjects in a timely manner of the categories of personal data processed, the purposes of processing, or how they could exercise their rights in relation to the processing. On 22 April 2021, it found that the controller had violated Articles 5, 14, and 12(1) GDPR. <br />
<br />
Pursuant to Article 58(2)(d), the DPA ordered the controller to erase the personal data of data subjects who were entitled to the right to erasure but had not requested it. <br />
<br />
The controller challenged the DPA’s order before the Fővárosi Törvényszék (Budapest High Court), arguing that [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]] does not empower the DPA to order the erasure of personal data in the absence of an [[Article 17 GDPR]] request from the data subject.<br />
<br />
On appeal, the Alkotmánybíróság (Hungarian Constitutional Court) held that the DPA is empowered to order erasure of unlawfully processed personal data of its own motion, regardless of whether a request has been made by the data subject. In doing so, it set aside a prior judgment by the Kúria (Hungarian Supreme Court).<br />
<br />
Seeking clarification on the interpretation of Articles 17 and 58(2) GDPR, the Constitutional Court referred two questions to the CJEU: <br />
<br />
# Can a DPA order a controller or processor to erase unlawfully processed personal data despite the absence of a request from the data subject?<br />
# If the DPA can exercise such corrective power, is that so whether or not the personal data were obtained from the data subject?<br />
<br />
=== Holding ===<br />
In deciding the first question, the Court held that some corrective powers under [[Article 58 GDPR#2|Article 58(2) GDPR]], namely [[Article 58 GDPR#2d|58(2)(d)]] and [[Article 58 GDPR#2g|(g) GDPR]], may be exercised by the DPA on its own motion. [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]], on the other hand, does require a prior data subject request. <br />
<br />
The Court noted that the plain language of [[Article 58 GDPR#2d|Article 58(2)(d)]] and [[Article 58 GDPR#2g|(g) GDPR]] does not require a data subject request to authorize the DPA’s corrective power. [[Article 58 GDPR]] uses different wording to distinguish between corrective measures that may only be adopted following a data subject request, such as [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]], and corrective measures that may be ordered by an authority of its own motion, such as [[Article 58 GDPR#2d|Article 58(2)(d)]] and [[Article 58 GDPR#2g|(g) GDPR]]. In addition, the Court found that [[Article 17 GDPR#1|Article 17(1) GDPR]] distinguishes between the right of the data subject to obtain erasure of their data and the obligation of the controller to erase such personal data without undue delay. The controller’s obligation thus attaches regardless of whether the data subject requests erasure. <br />
<br />
With regard to the second question, the Court concluded that the DPA’s power to order erasure of unlawfully processed data applies both to data collected from the data subject and to data originating from another source. It noted that the text of the provisions does not suggest that a DPA's corrective powers are contingent on the origin of the data.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''</div>Lmhttps://gdprhub.eu/index.php?title=VwGH_-_VwGH_Ro_2021/04/0010-11VwGH - VwGH Ro 2021/04/0010-112024-03-18T08:43:16Z<p>Ec: </p>
<hr />
<div>{{DISPLAYTITLE:VwGH - Ro 2021/04/0010-11}}<br />
{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Austria<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=VwGH<br />
|Court_Original_Name=Verwaltungsgerichtshof<br />
|Court_English_Name=Austrian Administrative Supreme Court<br />
|Court_With_Country=VwGH (Austria)<br />
<br />
|Case_Number_Name=Ro 2021/04/0010-11<br />
|ECLI=ECLI:AT:VWGH:2023:RO2021040010.J09<br />
<br />
|Original_Source_Name_1=VwGH<br />
|Original_Source_Link_1=https://www.vwgh.gv.at/medien/mitteilungen/Ro_2021040010.pdf?9g4sif<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Date_Decided=21.12.2023<br />
|Date_Published=20.02.2024<br />
|Year=2023<br />
<br />
|GDPR_Article_1=Article 4(4) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#4<br />
|GDPR_Article_2=Article 9(2)(g) GDPR<br />
|GDPR_Article_Link_2=Article 9 GDPR#2g<br />
|GDPR_Article_3=Article 22 GDPR<br />
|GDPR_Article_Link_3=Article 22 GDPR<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=Article 1 §2 DSG<br />
|National_Law_Link_1=https://www.ris.bka.gv.at/eli/bgbl/i/1999/165/A1P2/NOR40139563<br />
|National_Law_Name_2=§25(1) AMSG<br />
|National_Law_Link_2=https://www.ris.bka.gv.at/NormDokument.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10008905&Artikel=&Paragraf=25&Anlage=&Uebergangsrecht=<br />
|National_Law_Name_3=§38(c) AMSG<br />
|National_Law_Link_3=https://www.ris.bka.gv.at/NormDokument.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10008905&FassungVom=2017-05-16&Artikel=&Paragraf=38c&Anlage=&Uebergangsrecht=<br />
|National_Law_Name_4=<br />
|National_Law_Link_4=<br />
|National_Law_Name_5=<br />
|National_Law_Link_5=<br />
<br />
|Party_Name_1=Austrian Data Protection Authority<br />
|Party_Link_1=https://www.data-protection-authority.gv.at/<br />
|Party_Name_2=Public Employment Service Austria<br />
|Party_Link_2=https://www.ams.at/organisation/public-employment-service-austria<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Appeal_From_Body=BVwG<br />
|Appeal_From_Case_Number_Name=W256 2235360-1<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=https://www.ris.bka.gv.at/JudikaturEntscheidung.wxe?Abfrage=Bvwg&Dokumentnummer=BVWGT_20201218_W256_2235360_1_00<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=ec<br />
|<br />
}}<br />
<br />
The Austrian Supreme Administrative Court held that an algorithm in itself is an automated decision even if the final decision is made by a human who was provided instructions and training to question the algorithm’s decision-making.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The Austrian Data Protection Authority (DSB) issued a ban against the processing of data by the Public Employment Service Austria.<br />
The controller, the Public Employment Service Austria, supports workers in (re)integrating into the labour market by offering various services, including a counsellor who discusses labour market opportunities with the jobseeker.<br />
<br />
In order to assess the jobseeker’s labour market opportunities, the controller used an algorithm to calculate the degree of probability for jobseekers to be employed for a certain number of days, based on: (1) age group, (2) gender, (3) country group, (4) education, (5) health impairment, (6) care responsibilities, (7) occupational group, (8) career history and (9) the regional labour market situation and the duration of cases at the controller.<br />
<br />
It did not include motivation, self-help potential of the jobseeker, addiction, debt or housing situation.<br />
Based on this, the algorithm divided jobseekers into the following three groups:<br />
# Service jobseekers with high labour market opportunities<br />
# Care jobseekers with low labour market opportunities<br />
# Consultancy jobseekers with medium labour market opportunities<br />
<br />
The result was used as a starting point for counsellors to work with jobseekers to assess their potential and any obstacles to labour market integration. The algorithm itself was not used for job placement, but only for targeted support and assistance, i.e. choosing the right support strategy based on the group to which the jobseeker was assigned. <br />
<br />
The controller claimed it had a legal basis under Austrian national law (the Arbeitsmarktservicegesetz, AMSG) to process data with the help of an algorithm. According to [[Article 4 GDPR#4|Article 4(4) GDPR]], this processing of data is considered profiling. However, the DPA found that the AMSG lacked a legal authorisation for this processing, which is necessary under Austrian data protection law (see&nbsp;[https://www.ris.bka.gv.at/eli/bgbl/i/1999/165/A1P1/NOR40139563 Article&nbsp;1&nbsp;§2&nbsp;DSG]).<br />
<br />
The DPA also found that this was a case of automated individual decision-making under [[Article 22 GDPR|Article 22 GDPR]]. Although the results of the algorithm are not binding, as the final decision lies with the counsellor, the DPA argued that it cannot be ruled out that in individual cases the decision will be based exclusively on profiling. <br />
<br />
Therefore, the DPA issued a ban due to lack of a sufficient legal basis for the processing.<br />
<br />
The controller appealed this decision before the Bundesverwaltungsgericht (the Federal Administrative Court).<br />
<br />
The Federal Administrative Court upheld the controller’s appeal against the decision of the DPA. In its reasoning, the Court stated that the controller should ensure there is a support plan between the counsellor and jobseeker. Moreover, the controller should provide counsellors with instructions and training to ensure they do not accept the result of the algorithm unquestioningly. <br />
<br />
The Court held that the controller is allowed to carry out an assessment of personal data in accordance with national law (see [https://www.ris.bka.gv.at/NormDokument.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10008905&Artikel=&Paragraf=25&Anlage=&Uebergangsrecht= &nbsp;§25(1)&nbsp;AMSG&nbsp;]). Moreover, it cannot be assumed that the mere use of automated processing already results in “informational added value”. Furthermore, [[Article 22 GDPR|Article 22 GDPR]] does not apply, as the final decision lies with the counsellors and therefore the decision-making is not based solely on automated processing. The Court concluded that the DPA decision should be annulled, since there was no violation of the principle of lawful data processing under [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]].<br />
<br />
The DPA appealed the decision before the Verwaltungsgerichtshof (Supreme Administrative Court).<br />
<br />
=== Holding ===<br />
The Supreme Administrative Court found that the lawfulness of the data processing at issue in the proceeding must be examined, because under Austrian national law (see [https://www.ris.bka.gv.at/NormDokument.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10008905&FassungVom=2017-05-16&Artikel=&Paragraf=38c&Anlage=&Uebergangsrecht= §38c AMSG]) the data processing in question is a private-sector activity and not a public service task. <br />
<br />
The DPA argued that the Federal Administrative Court did not take into account the character of profiling as a special processing procedure and challenged the lawfulness of the processing under [[Article 22 GDPR|Article 22 GDPR]]. <br />
<br />
The Court found that the controller’s algorithm in itself is an automated decision under [[Article 22 GDPR#1|Article 22(1) GDPR]], based on the recent CJEU decision [[CJEU - C‑634/21 - SCHUFA|C-634/21 - Schufa]]. The Court explained that the algorithm decides on the allocation of the jobseeker to a group and thus has a legal effect on the jobseekers concerned or similarly significantly affects them. The fact that the final decision on the jobseeker’s group assignment lies with the counsellor does not prevent the algorithm from being classified as an automated decision under [[Article 22 GDPR#1|Article 22(1) GDPR]]. The CJEU decision is also based on the fact that the controller makes the final decision. The Supreme Administrative Court found that the instructions and training provided to ensure that counsellors would not accept the algorithm’s results unquestioningly could not exclude the possibility that the algorithm is ultimately decisive for the allocation. <br />
<br />
The Court further held that the algorithm did not fall under the exceptions of [[Article 22 GDPR#2|Article 22(2) GDPR]]. Therefore, the Court concluded that the appeal had to be upheld and that the decision of the Federal Administrative Court needed to be set aside.<br />
<br />
== Comment ==<br />
In paragraphs 15 and 20 of the decision, the Supreme Administrative Court refers to [[Article 9 GDPR#2d|Article 9(2)(d) GDPR]], which is incorrect. It should be [[Article 9 GDPR#2g|Article 9(2)(g) GDPR]], which concerns substantial public interest.<br />
<br />
Moreover, it seems that the Supreme Administrative Court interprets [[Article 22 GDPR#1|Article 22(1) GDPR]] very broadly. The Court does not substantiate how the algorithm produces legal effects for the data subject or similarly significantly affects the data subject. It merely states that it does, in paragraph 79 of the decision. This is interesting, because the Court does state that the algorithm cannot be used for job placement itself, but only for choosing the right support strategy for the jobseeker. Moreover, according to paragraph 7 of the decision, the jobseeker can have a different assessment of the labour market opportunities than the counsellor, which will then be documented in the support agreement made between the counsellor and the jobseeker.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
Ro 2021/04/0010-11<br />
December 21, 2023<br />
<br />
IN THE NAME OF THE REPUBLIC!<br />
<br />
The Administrative Court, through the presiding Senate President Dr. Kleiser, Councilor Dr. Mayr, court councilor Mag. Hainz-Sator and the court councilors Dr. Pürgy and Mag. Brandl as judges, with the participation of the secretary Mag. Vonier, has, on the data protection authority's appeal against the finding of the Federal Administrative Court of December 18, 2020, Zl. W256 2235360-1/5E, concerning a data protection matter (participating party: Employment Service, represented by Brauneis Klauser Prändl Rechtsanwälte GmbH in 1010 Vienna, Bauernmarkt 2; other party: Federal Minister of Justice), ruled:<br />
<br />
The contested finding is set aside due to illegality of its content.<br />
<br />
Reasons for the decision:<br />
<br />
<br />
1 1. The contested finding is based on the following undisputed facts:<br />
<br />
2 The co-participating party (hereinafter: mP), regularly referred to in the proceedings before the Administrative Court as the “Austrian Labor Market Service”, is responsible according to Section 1 Paragraph 1 of the Employment Services Act (AMSG) for the “implementation of the federal labor market policy” and is defined as “a service company under public law with its own legal personality”.<br />
<br />
<br />
3 To support workers in (re)integrating into the labor market, the mP offers various services. The detailed procedure of the consultants employed for this purpose can be found in the “Federal Guideline” of the Labor Market Service “Core Process Workers Support”. This states that, in a consultation, job seekers have to explain to the consultants their wishes/expectations, their previous life course and the reasons for their unemployment. The labor market opportunities of job seekers should be addressed and discussed.<br />
<br />
<br />
<br />
<br />
Administrative Court<br />
Judenplatz 11, 1010 Vienna<br />
www.vwgh.gv.at Ro 2021/04/0010-11<br />
December 21, 2023<br />
<br />
2 of 53<br />
<br />
<br />
<br />
<br />
4 To help the consultants assess the labor market opportunities of job seekers, the mP has since 2016 been developing a concept for calculating labor market opportunities, the Labor Market Opportunities Assistance System (AMAS). This model was to be mandatory for mP consultants from January 1, 2021.<br />
<br />
5 This statistical model uses an algorithm to automatically calculate the degree of probability that job seekers will be employed for a certain number of days within a certain period of time in the future. Specifically, an “IC” is calculated on the basis of the following data:<br />
<br />
age group,<br />
gender,<br />
group of states,<br />
education,<br />
health impairment,<br />
care obligations,<br />
professional group,<br />
pre-career,<br />
regional labor market situation, as well as<br />
duration of the business case at mP.<br />
<br />
6 Based on the “IC”, job seekers are divided into the following three groups:<br />
<br />
Service customers with high labor market opportunities<br />
Care customers with low labor market opportunities<br />
Advice customers with medium labor market opportunities.<br />
<br />
7 The results of AMAS should be used in the consultation process and can be a starting point for the consultants to assess, together with the customers, the respective potential and, if necessary, the obstacles to labor market integration. On this basis, the optimal support strategy is to be defined. If the job seeker expressly has a different assessment of the labor market opportunities than the consultant, this is to be documented in the support agreement.<br />
<br />
<br />
8 AMAS does not take into account criteria such as motivation, self-help potential of customers, addiction, debts, housing situation, etc.<br />
<br />
<br />
9 2. After initiating an ex officio examination procedure in accordance with Art. 57 Para. 1 lit. h in conjunction with Art. 58 Para. 1 lit. b and Para. 2 lit. a GDPR in conjunction with Section 22 Paragraph 1 DSG, the appeal applicant, by decision of August 16, 2020, prohibited the mP from processing data in connection with the determination of labor market opportunities for job seekers with the help of the Labor Market Opportunities Assistance System (AMAS), effective January 1, 2021, “unless by this point in time there is a suitable legal basis for the data processing.”<br />
<br />
10 In summary, the appeal applicant gave as reasons in her decision that the data processing with the help of AMAS takes place within the framework of the exercise of the public tasks transferred to the mP in accordance with Section 1 Paragraph 1 AMSG. For an authority, in accordance with Section 1 Paragraph 2 DSG, it is necessary that its data processing is based on a sufficiently determined legal authorization. Section 29 and Section 31 Paragraph 5 AMSG, cited by the mP, would only generally describe the goal and the fulfillment of tasks by the mP, but would not authorize data processing. The data processing in question is a profiling within the meaning of Art. 4 Z 4 GDPR, through which an “informational added value” comes about, which must be expressly referred to in the law. The present data processing cannot be based on a suitable legal basis. In addition, there is a case of Art. 22 GDPR, namely an automated individual decision. It should be admitted that, due to internal guidelines, the final decision lies with the mP consultants. However, these internal instructions for action would not have binding effect on the mP and are therefore not subject to any verification controls. In addition, it cannot be ruled out that in individual cases the decision will be made exclusively on the basis of profiling.<br />
<br />
11 3. With the contested finding, the Federal Administrative Court (BVwG) upheld the mP's complaint against the appeal applicant's decision and repealed the contested decision without replacement. It declared an appeal (Revision) to be permissible.<br />
<br />
<br />
12 In addition to the findings already presented at the beginning, the BVwG also made in its reasons the findings that the optimal support strategy would only be defined by the consultants, on the basis of a support agreement, after discussion with the customers. To ensure that the consultants would not take over the result of the algorithm without question, the mP had, in addition to the guidelines shown, also provided appropriate instructions for action and conducted training.<br />
<br />
13 In its legal assessment, the BVwG stated that in an ex officio examination procedure initiated by the appeal applicant, the supervisory authority has the power, in the event of a violation of the GDPR being detected, to order various remedial measures. The subject of the complaint procedure before the BVwG can only be the legality of the specific order made in connection with the violation on which the supervisory authority relied. In the present case, it can be assumed that the appeal applicant issued the prohibition by official decision solely because of the lack of a sufficient legal basis for official action. The BVwG is barred from examining the legality of the data processing beyond what was assessed in the contested decision.<br />
<br />
14 Art. 9 Paragraph 2 Letter h GDPR refers, according to its wording, to data processing for health-related purposes. In the present case, this provision cannot therefore be relied upon without further ado.<br />
<br />
15 It follows from Art. 6 Para. 1 lit. e GDPR and Art. 9 Para. 2 lit. d GDPR that the processing of personal data can be lawful if the processing is required for a task carried out in the exercise of official authority or otherwise in the public interest or, in the case of processing special categories of personal data, due to a significant public interest. In this context, it is irrelevant according to the provisions of the GDPR whether the controller is an authority or a private body and in which form - sovereign or private sector - the controller may take action if necessary. What is more important is whether a task in the public or significant public interest requires data processing and whether that processing is regulated by law. Art. 6 Paragraph 3 GDPR specifies content requirements for an appropriate legal basis, which, in the context of recital 41 of the GDPR, should be clear and precise and predictable for those subject to the law. Correspondingly, Art. 9 Para. 2 lit. g GDPR also stipulates that the corresponding legal basis should provide for appropriate and specific measures to safeguard the fundamental rights and interests of the persons concerned. Nothing else follows from § 1 Para. 2 DSG, Federal Law Gazette I No. 165/1999 as amended by Federal Law Gazette I No. 14/2019, provided that the data processing is carried out by state authorities. The Union law provisions - Art. 6 and Art. 9 GDPR - would generally demand, for a task in the considerable public interest and - accordingly - not limited to sovereign activities, a sufficiently specific legal basis for data processing. It can therefore remain open in the present case whether the mP carries out the data processing at issue in a sovereign or a private law form. Rather, because the data processing that is the subject of the procedure also includes health data and thus special categories of data within the meaning of Art. 9 Para. 1 GDPR, it depends on whether the data processing that is the subject of the procedure is based on an appropriate legal basis and is necessary for a task of the mP in the significant public interest.<br />
<br />
16 The mP is a service enterprise under public law with its own legal personality, which is responsible for implementing the federal government's labour market policy. Under § 29(1) AMSG, the mP has the task of working towards bringing labour supply and labour demand together as completely, economically sensibly and sustainably as possible, thereby supplying the economy with workers and securing the employment of all persons available on the labour market as well as possible. Under § 29(2) AMSG, the mP is required, through the efficient placement of suitable workers, to create employment relationships which correspond as far as possible to the placement wishes of the job seeker, and to help overcome circumstances that directly impede such placement. The principles of thrift, efficiency and expediency must be observed, and it must also be ensured that groups of persons particularly threatened by unemployment are offered appropriate support services.<br />
<br />
<br />
<br />
17 § 25(2) AMSG expressly authorises the mP to process the personal data at issue in the proceedings, provided this is an essential prerequisite for fulfilling its statutory tasks. The task assigned to the mP by § 29 AMSG, ensuring an orderly and well-functioning labour market, is therefore undoubtedly a substantial public interest within the meaning of Art. 9(2)(g) GDPR.<br />
<br />
<br />
18 In addition, it is undisputed that the personal characteristics of job seekers, in combination with general labour market developments and the resulting application opportunities of job seekers on the labour market, must also be taken into account in order to fulfil the task of supplying the economy with workers in the best possible way and securing the employment of job seekers as well as possible. The relevance of the personal data included in the data processing at issue cannot be disputed. There are therefore no concerns about the mP using the personal data at issue 'to ensure an orderly labour market policy'. Against the background of the requirements of the GDPR and the DSG, § 25(10) AMSG lays down comprehensive, appropriate technical and organisational measures to ensure processing in accordance with the principles of the GDPR and the DSG. Beyond the measures mentioned in recital 78, § 25(10) AMSG contains additional specific requirements for ensuring data security.<br />
<br />
<br />
<br />
19 The appellant does not doubt the fundamental right of the mP to assess the labour market opportunities of job seekers on the basis of certain personal data. An 'informational added value' of an assessment of labour market opportunities based on the same personal data, as assumed by the appellant, cannot be recognised from a data protection perspective, whether or not the assessment is automated or based on profiling, because every assessment is also based on a weighting by the assessor.<br />
<br />
<br />
<br />
20 Moreover, no different assessment of the lawfulness of data processing under Art. 6(1)(e) or Art. 9(2)(g) GDPR can be derived, because these provisions do not distinguish between automated and non-automated processing but refer only to the concept of processing in general. Art. 4(1) GDPR in turn defines, by means of an illustrative list, the operations performed on personal data as processing, regardless of whether they are carried out with or without the aid of automated procedures. The fact that Art. 4(4) GDPR separately designates exclusively automated processing as profiling merely highlights this significant use case and makes it clear that this form of processing falls within the scope of the GDPR and must meet the general criteria laid down there.<br />
<br />
<br />
21 Art. 22 GDPR in turn provides that a data subject should have the right not to be subject to a decision evaluating aspects concerning them which is based solely on automated processing and which produces legal effects concerning the data subject or similarly significantly affects them. Art. 22 GDPR is therefore aimed only at decisions taken without any human intervention. This provision does not, however, restrict the legal admissibility of profiling as such as part of decision support. As stated, the algorithm used in the proceedings and the labour market opportunities calculated from it are to be used merely as a source of information for a decision by the mP's counsellors. The final decision on the job seekers' labour market opportunities is to remain with the counsellors. In this regard, internal guidelines and instructions exist at the mP and training courses are conducted. The guidelines issued under § 4(2)(2) AMSG are binding on all bodies and institutions of the mP for the fulfilment of its tasks. The federal guideline 'Core process: supporting workers' specifies the exact procedure for assessing labour market opportunities and explicitly stipulates that the mP's counsellors must discuss the calculated labour market opportunities with the person concerned in a consultation, document any contrary view of the person concerned, and ultimately decide on the matter. In view of these clear guidelines, there is no reason to assume a fully automated decision within the meaning of Art. 22 GDPR. The appellant's argument that, given the shortened consultation times, it cannot be ruled out that a fully automated decision ultimately exists because the mP's counsellors would routinely adopt the value calculated by AMAS overlooks that the assessment of whether data processing is lawful under Art. 5(1)(a) GDPR must be distinguished from the assessment of whether the controller ensures the lawfulness of such data processing. The assessment of the lawfulness of data processing is based on the actual processing operation; possible violations by third parties do not enter into it. Whether the mP ultimately fulfils its obligation under Art. 5(1)(f) GDPR adequately and excludes unauthorised use of the data processing at issue is not the subject of the present complaint proceedings. Finally, it should be noted in this context that the appellant itself assumes in the contested decision that the mP has taken appropriate 'organisation-internal' measures to protect job seekers and has thereby appropriately excluded abusive use of the data processing by its employees.<br />
<br />
<br />
22 In summary, the mP is, under § 25(1) AMSG, fundamentally entitled to carry out assessments of personal data. No 'informational added value' arises from the mere use of automated processing. The case addressed by Art. 22 GDPR, a decision based solely on automated data processing, is not present here because, as shown, the final decision lies with the counsellors. Whether the mP has adequately complied with its obligation under the GDPR to exclude unauthorised use by taking appropriate measures is not the subject of the present proceedings, which are limited to the assessment of lawfulness. Since the present data processing can therefore rightly be based on § 25(1) AMSG, the contested decision is to be set aside for lack of any violation of the principle of lawful data processing laid down in Art. 5(1)(a) GDPR.<br />
<br />
<br />
<br />
23 The appeal is admissible because, among other things, there is no case law of the highest courts on Articles 6, 9 and 22 GDPR in connection with profiling.<br />
<br />
24 4. The present ordinary appeal (Revision) of the authority that was the defendant before the administrative court is directed against this decision.<br />
<br />
25 The mP filed a response to the appeal in the preliminary proceedings before the BVwG.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
5. The Administrative Court considered:<br />
<br />
26 The appeal refers to the BVwG's statements on the admissibility of the appeal and argues that case law of the highest courts is lacking on the requirement of certainty of legal provisions against the background of the GDPR and on the interpretation of the criterion of 'similarly significant effects' within the meaning of Art. 22 GDPR.<br />
<br />
27 For these reasons the appeal is admissible and ultimately also well-founded.<br />
<br />
<br />
28 5.1. The legal basis:<br />
<br />
29 5.1.1. The recitals and provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR), OJ L 119 of 4 May 2016, p. 1, relevant to the present case read as follows:<br />
<br />
“(10) In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. Regarding the processing of personal data for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Member States should be allowed to maintain or introduce national provisions to further specify the application of the rules of this Regulation. In conjunction with the general and horizontal law on data protection implementing Directive 95/46/EC, Member States have several sector-specific laws in areas that need more specific provisions. This Regulation also provides a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal data ('sensitive data'). To that extent, this Regulation does not exclude Member State law that sets out the circumstances for specific processing situations, including determining more precisely the conditions under which the processing of personal data is lawful.<br />
(...)<br />
<br />
(40) In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.<br />
(41) Where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned. However, such a legal basis or legislative measure should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the case-law of the Court of Justice of the European Union (the 'Court of Justice') and the European Court of Human Rights.<br />
(...)<br />
<br />
(45) Where processing is carried out in accordance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law. This Regulation does not require a specific law for each individual processing. A law as a basis for several processing operations based on a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority may be sufficient. It should also be for Union or Member State law to determine the purpose of processing. Furthermore, that law could specify the general conditions of this Regulation governing the lawfulness of personal data processing, establish specifications for determining the controller, the type of personal data which are subject to the processing, the data subjects concerned, the entities to which the personal data may be disclosed, the purpose limitations, the storage period and other measures to ensure lawful and fair processing. It should also be for Union or Member State law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public authority or another natural or legal person governed by public law, or, where it is in the public interest to do so, including for health purposes such as public health and social protection and the management of health care services, by private law, such as a professional association.<br />
(...)<br />
<br />
(71) The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention. Such processing includes 'profiling' that consists of any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her. However, decision-making based on such processing, including profiling, should be allowed where expressly authorised by Union or Member State law to which the controller is subject, including for fraud and tax-evasion monitoring and prevention purposes conducted in accordance with the regulations, standards and recommendations of Union institutions or national oversight bodies and to ensure the security and reliability of a service provided by the controller, or necessary for the entering or performance of a contract between the data subject and a controller, or when the data subject has given his or her explicit consent. In any case, such processing should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision. Such measure should not concern a child. In order to ensure fair and transparent processing in respect of the data subject, taking into account the specific circumstances and context in which the personal data are processed, the controller should use appropriate mathematical or statistical procedures for the profiling, implement technical and organisational measures appropriate to ensure, in particular, that factors which result in inaccuracies in personal data are corrected and the risk of errors is minimised, secure personal data in a manner that takes account of the potential risks involved for the interests and rights of the data subject and that prevents, inter alia, discriminatory effects on natural persons on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status or sexual orientation, or that result in measures having such an effect. Automated decision-making and profiling based on special categories of personal data should be allowed only under specific conditions.<br />
(...)<br />
<br />
Article 4<br />
Definitions<br />
For the purposes of this Regulation:<br />
(...)<br />
(4) 'profiling' means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;<br />
(...)<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Article 5<br />
Principles relating to processing of personal data<br />
1. Personal data shall be:<br />
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency');<br />
(...)<br />
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation');<br />
(...)<br />
<br />
Article 6<br />
Lawfulness of processing<br />
1. Processing shall be lawful only if and to the extent that at least one of the following applies:<br />
(...)<br />
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;<br />
(...)<br />
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;<br />
(...)<br />
2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.<br />
<br />
3. The basis for the processing referred to in points (c) and (e) of paragraph 1 shall be laid down by:<br />
(a) Union law; or<br />
(b) Member State law to which the controller is subject.<br />
The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.<br />
<br />
4. Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:<br />
(a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;<br />
(b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;<br />
(c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;<br />
(d) the possible consequences of the intended further processing for data subjects;<br />
(e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.<br />
(...)<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Article 9<br />
Processing of special categories of personal data<br />
1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.<br />
<br />
2. Paragraph 1 shall not apply if one of the following applies:<br />
(...)<br />
(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;<br />
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;<br />
(...)<br />
<br />
3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.<br />
<br />
4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.<br />
<br />
(...)<br />
Article 22<br />
Automated individual decision-making, including profiling<br />
1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.<br />
<br />
2. Paragraph 1 shall not apply if the decision:<br />
(a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;<br />
(b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or<br />
(c) is based on the data subject's explicit consent.<br />
<br />
3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.<br />
4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.”<br />
<br />
30 5.1.2. § 1 of the Federal Act on the Protection of Natural Persons with regard to the Processing of Personal Data (Data Protection Act - DSG), Federal Law Gazette I No. 165/1999 as amended by Federal Law Gazette I No. 51/2012, reads in part:<br />
<br />
“Article 1 (constitutional provision)<br />
<br />
Fundamental right to data protection<br />
<br />
§ 1. (1) Everyone has, especially with regard to respect for their private and family life, the right to secrecy of the personal data concerning them, insofar as there is a legitimate interest in such secrecy. The existence of such an interest is excluded if data, as a result of their general availability or because they cannot be traced back to the data subject, are not accessible to a claim of secrecy.<br />
<br />
(2) Insofar as personal data are not used in the vital interest of the data subject or with their consent, restrictions on the right to secrecy are permissible only to safeguard overriding legitimate interests of another, and in the case of interference by a state authority only on the basis of laws that are necessary for the reasons set out in Article 8 paragraph 2 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), Federal Law Gazette No. 210/1958. Such laws may permit the use of data that are particularly worthy of protection due to their nature only for safeguarding important public interests, and must at the same time provide for appropriate guarantees to protect the confidentiality interests of the data subjects. Even in the case of permissible restrictions, the interference with the fundamental right may be carried out only in the least intrusive manner that achieves the desired result.<br />
<br />
(...)"<br />
<br />
31 5.1.3. The relevant provisions of the Federal Act on the Labor Market Service (Labor Market Service Act - AMSG), Federal Law Gazette No. 313/1994, namely § 1, § 25 and § 27 as amended by Federal Law Gazette I No. 32/2018, § 29 as amended by Federal Law Gazette I No. 3/2013, § 31 as amended by Federal Law Gazette I No. 90/2009, § 32 as amended by Federal Law Gazette I No. 71/2005 and § 38c as amended by Federal Law Gazette I No. 77/2004, read in extracts:<br />
<br />
“Labor market service<br />
<br />
§ 1. (1) The implementation of the federal government's labor market policy is the responsibility of the 'Labor Market Service' (AMS). The employment service is a service enterprise under public law with its own legal personality.<br />
(...)<br />
<br />
Data processing<br />
<br />
§ 25. (1) The employment service, the Federal Administrative Court and the Federal Ministry of Labor, Social Affairs, Health and Consumer Protection are authorized to process personal data within the meaning of the Data Protection Act, Federal Law Gazette I No. 165/1999, insofar as this is an essential prerequisite for the fulfillment of their statutory tasks. The types of data concerned are:<br />
<br />
(...)<br />
<br />
(2) The labor market service or the Federal Ministry of Labor, Social Affairs, Health and Consumer Protection may disclose the data processed in accordance with paragraph 1, with the exception of health data in accordance with paragraph 1 item 4, to other authorities, courts, social security institutions and the Federal Statistical Institute Austria by means of automated data processing, to the extent that the relevant data form an essential prerequisite for the execution of the tasks assigned to them by law. Other authorities, courts and the social security institutions may disclose data processed by them in accordance with paragraph 1, with the exception of health data in accordance with paragraph 1 item 4, to the employment service and the Federal Ministry of Labor, Social Affairs, Health and Consumer Protection by means of automated data processing, to the extent that this data forms an essential prerequisite for the execution of the tasks assigned by law to the employment service and the Federal Ministry of Labor, Social Affairs, Health and Consumer Protection. Data transmitted by the social security institutions in accordance with paragraph 1 item 9 may be processed by the employment service and by the Federal Ministry of Labor, Social Affairs, Health and Consumer Protection in personally identifiable form for the purposes of the sustainable labor market integration of the group of persons concerned.<br />
<br />
(...)<br />
(4) The data processed by the employment service in accordance with paragraph 1 may be transmitted by means of automated data processing to Bundesrechenzentrum GmbH and to institutions to which tasks of the Labor Market Service are transferred (§ 30 para. 3 and § 32 para. 3), within the framework of the services to be provided by them.<br />
<br />
(5) The Labor Market Service and the Federal Ministry of Labor, Social Affairs, Health and Consumer Protection may transmit the data they process in accordance with paragraph 1, with the exception of health data in accordance with paragraph 1 item 4, by means of automated data processing to commissioned legal entities, to the extent that the relevant data are an indispensable prerequisite for the fulfillment of evaluation contracts concerning services, aid and other financial benefits, or of research contracts, awarded by the Labor Market Service. For scientific and statistical studies in the public interest, the Federal Ministry of Labor, Social Affairs, Health and Consumer Protection and the employment service may transmit the data required for this in accordance with paragraph 1 (except Z 1 lit. a and e to h), linked to the encrypted bPK AS, to the Austrian Federal Statistical Institute for the purpose of merging with indirectly personal data of other authorities or social security institutions or with data on the working population held at the Federal Institute. Other authorities or social insurance providers may likewise transmit data processed in accordance with legal regulations within the state's own area of activity, linked to the encrypted bPK AS, to the Federal Institute. A return transfer of merged data, or enabling the restoration of a direct personal reference, is not permitted. The Federal Institute prepares the scientific or statistical evaluations after being commissioned by the Federal Minister of Labor, Social Affairs, Health and Consumer Protection. The Federal Institute provides its services under this federal law against reimbursement of costs in accordance with Section 32 Paragraph 4 Z 2 of the Federal Statistics Act 2000. The merged data are to be deleted as soon as they are no longer needed for the purpose of the study, at the latest after three years.<br />
(6) The Austrian Federal Statistical Institute may disclose master data of employers in accordance with paragraph 1 item 6 and data on training in accordance with paragraph 1 Z 2 lit. b and Z 7 lit. b to the employment service and the Federal Ministry of Labor, Social Affairs, Health and Consumer Protection by means of automated data processing, insofar as this data is an essential prerequisite for scientific or labor market statistical studies that fall within their legal area of responsibility and do not aim at personally identifiable results (§ 7 DSG).<br />
(7) If this is necessary for the fulfillment of legal tasks, health data (paragraph 1 item 4) may be disclosed by the employment service to the responsible social security institutions, the Ministry of Social Affairs, the responsible social assistance providers and institutions to which tasks of the employment service are transferred (§ 30 para. 3 and § 32 para. 3), and must be disclosed by them to the employment service.<br />
<br />
(8) Employers may only be given data in accordance with paragraph 1 that are needed for the establishment of an employment relationship and the assessment of the professional suitability of job seekers. Health data may not be disclosed to employers.<br />
<br />
(9) The data according to paragraph 1 are to be deleted seven years after the end of the respective business case. The retention period is extended by periods in which the data are still needed for the assertion, exercise or defense of legal claims, or in which other legal regulations provide for longer periods. For economic and technical reasons, the deletion of data is to be concentrated on one or two dates per year. Until then, there is no entitlement to earlier deletion.<br />
(10) Taking into account what is economically justifiable and the state of the art, the employment service must take adequate precautions to ensure data security within the meaning of Articles 24, 25 and 32 of Regulation (EU) No. 2016/679 on the protection of natural persons with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), OJ No. L 119 of May 4, 2016 p. 1, (hereinafter: GDPR) and Section 6 DSG. In particular, the recording or alteration of personal data is permitted only by the responsible organizational units (employees). When transmitting personal data to third parties, technical or organizational measures must ensure that only the intended recipients gain access to the data. Access and reading rights are to be designed according to the tasks (roles) of the respective organizational units and employees. Access to personal data, as well as any transmission of health data, must be logged. Log data may not be evaluated in personally identifiable form unless this is necessary for the enforcement or defense of legally asserted claims, for ensuring the lawful use of data processing, or for technical reasons.<br />
<br />
(11) On the basis of paragraphs 1 to 10, Section 69 AlVG and Sections 27 and 27a AuslBG, the data processing to be carried out meets the requirements of Art. 35 Para. 10 GDPR for dispensing with the data protection impact assessment.<br />
(...)<br />
<br />
Obligation of confidentiality<br />
<br />
§ 27. (1) The bodies of the employment service are, to the extent not otherwise provided by law, obliged to maintain confidentiality about all facts that have become known to them in the course of their official activity, insofar as confidentiality is required in the interest of maintaining public peace, order and security, comprehensive national defense, foreign relations, in the economic interest of the employment service, for the preparation of a decision, or in the overriding interests of the parties. The responsible supervisor must release from this obligation at the request of a court or an administrative authority if this is in the interests of the administration of justice or in other public interests.<br />
<br />
(2) The obligation of confidentiality in accordance with paragraph 1 continues to apply after leaving the position and after termination of the employment relationship. The obligation of confidentiality in accordance with paragraph 1 also applies to persons who are members of a committee of the board of directors, of the state directorate or of the regional advisory board.<br />
<br />
(...)<br />
<br />
Goal and task fulfillment<br />
§ 29. (1) The aim of the employment service is, within the framework of the federal government's full employment policy for the prevention and elimination of unemployment while maintaining social and economic principles, to bring about, in the sense of an active labor market policy, the most complete, economically sensible and sustainable matching of supply and demand for labor, and thereby to secure as best as possible the supply of the economy with workers and the employment of all persons available to the Austrian labor market. This includes securing economic existence during unemployment within the framework of the legal provisions.<br />
<br />
(2) In order to achieve this goal, the labor market service has to provide, within the framework of the legal provisions, services aimed at:<br />
<br />
1. placing suitable workers in jobs in an efficient manner, so as to offer job seekers employment that corresponds as closely as possible to their placement wishes,<br />
<br />
2. helping to overcome the effects of circumstances that hinder direct placement within the meaning of Z 1,<br />
<br />
3. counteracting a lack of transparency in the labor market,<br />
4. reducing quantitative or qualitative imbalances between labor supply and demand,<br />
<br />
5. enabling the preservation of jobs where this makes sense within the meaning of paragraph 1, and<br />
<br />
6. securing the economic existence of the unemployed.<br />
<br />
(3) The tasks of the employment service include in particular ensuring vocational training opportunities for young people through the placement of suitable apprenticeships and supplementary measures such as commissioning training institutions with inter-company apprenticeship training in accordance with Section 30b of the Vocational Training Act (BAG), Federal Law Gazette No. 142/1969, or training institutions in accordance with Section 2 Paragraph 4 of the Agricultural and Forestry Vocational Training Act, Federal Law Gazette I No. 298/1990.<br />
<br />
(4) The tasks of the employment service also include promoting the re-employment of persons with health impairments through placement in suitable jobs and supplementary or preparatory measures. Particular attention is to be paid to individual performance capacity, the development and expansion of qualifications usable on the labor market, and securing economic existence.<br />
<br />
(...)<br />
Principles in the performance of tasks<br />
<br />
§ 31. (1) The services of the employment service that are not provided in official procedures may be used by anyone at all branches and facilities of the employment service that offer these services, unless the principles stated in paragraph 5 stand in the way.<br />
(2) If there is no legal entitlement to services of the employment service, the choice, type and, if necessary, combination of the services used are determined by the requirements of the individual case from the point of view of achieving the aim stated in § 29 as best as possible. When fulfilling its tasks, the employment service has to respect an appropriate balance between the interests of employers and employees.<br />
<br />
(3) For persons who, either because of their personal circumstances or because of their belonging to a group that is disadvantaged in the labor market, have particular difficulties in obtaining or maintaining a job, the services of the employment service within the meaning of paragraph 2 are to be designed and, if necessary, used more intensively so that the greatest possible equality of opportunity with other workers is achieved. In particular, the gender-specific division of the labor market and discrimination against women in the labor market are to be counteracted through appropriate use of the services.<br />
<br />
(4) The activity of the employment service is to be carried out decentrally, as far as<br />
<br />
- ensuring compliance with and implementation of the federal government's labor market policy,<br />
<br />
- the equal treatment of similar matters,<br />
<br />
- the necessary uniformity of approach and<br />
- achieving the highest possible efficiency and practicality of performance<br />
<br />
allow it. Unless expressly stated otherwise, the services of the employment service are provided by the regional organizations.<br />
<br />
(5) In all its activities, the public employment service must observe the principles of economy, thrift and practicality from the point of view of achieving the goal stated in § 29 as best as possible. Internal controlling is to be set up to assess the efficiency of the activities of the labor market service.<br />
(6) In projects relating to ensuring vocational training opportunities for young people in accordance with Section 29 Paragraph 3, the employment service must take particular account of the different needs of the individual federal states and, for the best possible fulfillment of these tasks, strive for the participation and appropriate financial contribution of the respective federal state.<br />
<br />
(7) When planning measures, the employment service must ensure that appropriate support services are offered to groups of persons who are particularly at risk of unemployment.<br />
<br />
(8) The measures are intended in particular to promote the maintenance and expansion of marketable skills among employees. The labor market service can participate in measures taken by other legal entities to improve the framework conditions for the long-term maintenance of health.<br />
(...)<br />
<br />
Services<br />
<br />
§ 32. (1) The employment service has to provide its services in the form of services whose purpose is the placement of job seekers in vacancies, job security and securing one's existence within the meaning of Section 29.<br />
<br />
(2) Services to prepare, enable or facilitate such placement or job security are in particular<br />
1. information about the labor market and the professional world,<br />
<br />
2. advice on choosing a career,<br />
<br />
3. assistance in establishing or maintaining the placeability of workers,<br />
<br />
4. supporting the qualification of workers,<br />
5. supporting companies in finding and selecting suitable workers and in designing internal workforce planning,<br />
6. assisting job seekers in searching for and choosing a job, and<br />
7. supporting businesses and workers in creating and preserving jobs.<br />
(3) To the extent that the employment service cannot provide services within the meaning of paragraph 2 itself, or their provision by it would be inappropriate or uneconomical, it must ensure that such services are provided by other means on the basis of contractual agreements, e.g. through transfer to suitable facilities. In doing so, interests of third parties worthy of protection within the meaning of Section 1 Paragraph 1 of the Data Protection Act may not be violated.<br />
<br />
(4) Services are generally free of charge. For special services such as testing and pre-selection of applicants or special advertising measures and personnel consulting measures for companies, the board of directors may set an appropriate remuneration for the labor market service. Services for employees, unemployed people and jobseekers must in any case be provided free of charge.<br />
<br />
(5) If services of the employment service are covered by the provisions of Section 2 of the Labor Market Promotion Act (AMFG), Federal Law Gazette No. 31/1969, the provisions of Sections 3 to 7 AMFG apply to them.<br />
<br />
(...)<br />
Care plan<br />
<br />
§ 38c. The regional office has to create a care plan for every unemployed person which, based on the expected care needs, contains in particular the type of care and the measures to be taken, together with a justification for the intended procedure. In the care plan, the relevant aspects in accordance with Section 9 Paragraphs 1 to 3 AlVG are to be taken into account in particular. When placing the unemployed person and when taking measures to improve placement opportunities, the qualifications of the unemployed person that can be used on the labor market (knowledge and skills of a professional and technical nature) are to be taken into account, and these are to be maintained or, if necessary, expanded where possible. If circumstances significant for integration into the labor market change, the care plan is to be adjusted accordingly. The regional office has to seek agreement with the unemployed person on the care plan. If agreement cannot be reached, the care plan is to be determined unilaterally by the regional office with the greatest possible consideration of the interests of the unemployed person. The care plan is to be brought to the attention of the unemployed person. There is no legal claim to a specific care plan or to measures planned in the care plan. The board of directors has to issue a guideline to ensure a consistent approach to the creation and adjustment of care plans.<br />
(...)"<br />
<br />
32 5.2. On the assessment of the relevant action of the AMS as sovereign or private-sector administration, and on the question of the applicability of Section 1 Paragraph 2 DSG to the present facts<br />
<br />
33 5.2.1. The revision argues that the data processing in question by the mP takes place within the framework of sovereign administration. No comprehensible reasons had been given for attributing the processing to the area of private-sector administration, especially since Section 29 AMSG establishes the placement of suitable workers in jobs as the goal and task of the mP. The task of job placement, however, is inseparably connected with the Unemployment Insurance Act (AlVG). AMAS cannot be considered separately from official activities under the AlVG, because this data processing ultimately serves as a basis for decision-making in job placement and thus in connection with unemployment insurance claims. Since the data processing in question is carried out within the framework of sovereign administration, Section 1 Paragraph 2 DSG requires the respective legislator to adopt subject-specific regulations in the sense that the cases of permissible interference with the fundamental right to data protection are specified and limited.<br />
<br />
34 The response to the appeal counters that the AMSG essentially regulates the “services” of the employment service (AMS) and thus the private-sector tasks of the mP, in particular its job placement activities including the organization and implementation of training and the awarding of aid. The processing at issue in the proceedings, AMAS, is used for activities of the mP in the private-sector area. The tasks of the mP envisaged in Sections 29 ff AMSG are carried out using the means of private law, the basis for the procedure being essentially the care agreement in accordance with Section 38c AMSG. There is no entitlement to any of the possible services. In this sense, Section 32 AMSG, which describes in more detail the services the mP has to provide, expressly states that there is no legal claim to them. This also applies to the awarding of aid. The appellant herself assumes that the data processing at issue in the proceedings is used for the purposes of job placement in accordance with §§ 29 ff AMSG. It should be noted that AMAS is not used for job placement itself, but only for the targeted support of the person; the program serves to choose the right care strategy. Placement itself takes place regardless of the calculated opportunities on the labor market. From all this it follows that the requirement of Section 1 Paragraph 2 DSG, according to which an interference with the fundamental right to data protection by a state authority may only be made on a qualified legal basis, does not apply in the present case.<br />
<br />
35 5.2.2. The balancing of interests stipulated in Section 1 Paragraph 2 DSG requires, for the admissibility of official interferences with data protection secrecy, an (express) legal regulation that is necessary for the reasons set out in Article 8 Para. 2 ECHR. The explanatory notes to this provision understand “authorities” as state bodies acting in a sovereign capacity; what is meant is sovereign action by administrative authorities (cf. Pürgy/Zavadil, The state authority within the meaning of Section 1 Paragraph 2 DSG 2000, in Bauer/Reimer, Handbook on data protection law [2009], 141 ff [147], with reference to ErlRV on the StF of § 1 DSG 2000, 1613 BlgNR 20. GP 34 f; Eberhard in Korinek/Holoubek, B-VG, 12th Lfg [2016], § 1 DSG, Rn. 58, mwN).<br />
<br />
36 5.2.3. Sovereign administration exists when the administrative bodies act with “imperium”, i.e. using specific state command and coercive power. They act in those legal forms that public law provides for the exercise of official powers (cf. VfGH March 3, 2001, KI-2/99).<br />
<br />
37 The determination that an administrative body performs an act of services of general interest, and thus a public administrative task, does not exclude the qualification of such an activity as private-sector administration. For the delimitation of the area of private-sector administration from that of sovereign administration, what matters is not the motives and the purpose of the activity; what matters is rather which legal-technical means the legislation makes available for fulfilling the tasks. If the legislature has not endowed the administrative authority with coercive powers, there is no sovereign administration, but rather private-sector administration (see VfGH October 18, 1957, KI-1/57; see also the comments in Raschauer, General Administrative Law, 6th ed. 2021, paragraph 694 ff).<br />
<br />
<br />
38 According to the statements in the still relevant “leading case” VfSlg. 3262/1957, for the qualification of official action as sovereign administration it is irrelevant whether the authority in question performs a “public task”, because not everything “public” is carried out in a sovereign manner. Furthermore, it is not decisive that a regulation in the field of public law is involved. Nor is every act of a body endowed with official powers an act of sovereignty. The fact that the relevant authority works with public funds in connection with fulfilling the task also does not decide the question of sovereign action, because the state also deals with public funds within the framework of private-sector administration. The only decisive factor is which legal means the legislature has provided, i.e. whether there is a legal authorization for sovereign action and whether use is made of such action in the specific case (cf. on all of this Raschauer, ibid).<br />
<br />
39 The term “simple sovereign administration” covers administrative action that is not of a private economic nature but belongs to the area of sovereign administration, even if no sovereign act is set in the specific case. In simple sovereign administration, the administrative bodies do not act in the forms of action of the decision, the exercise of direct administrative command and coercive power, or the regulation, although their power to order and enforce is present in the background. In this sense, simple sovereign administration is a potentially sovereign administration that can pass from the deployment of imperium to current sovereign administration; it is therefore a matter of “different intensity” of an administrative activity that belongs overall to the area of sovereign administration (cf. VwGH April 15, 2016, Ra 2016/02/0028). There may be administrative acts that have no independent normativity but undoubtedly take place - in a preparatory, accompanying or implementing capacity - within the framework of sovereign administration. In some cases it is even expressly provided that the refusal of such an (actual) performance is to be made by decision, which is probably the clearest indication that the positive approval or fulfillment can also be qualified as sovereign action. Simple sovereign administration can therefore no longer be determined solely on the basis of the limited number of typified forms of sovereign acts. What is crucial is that certain actions are taken that can be found both in the area of sovereign administration and in the area of private sector administration. What makes this action sovereign is the context in which it is placed (cf. again Raschauer, ibid).<br />
<br />
40 5.2.4. It is undisputed that the mP has both private sector and sovereign tasks to fulfill (see Section 31 Paragraph 1 AMSG), because it confronts job seekers both as a (contractual) partner and as a bearer of state sovereign power.<br />
<br />
41 5.2.4.1. The mP acts in the area of sovereign administration insofar as it decides on benefits to which there is a legal claim, for example under the AlVG. The care activity in question, including the creation of a care plan/a care agreement planned in this context, however takes place without the law granting the mP coercive powers or the job seeker having a legal right to the supporting measures held out as expedient there. Rather, the mP fulfills its tasks in the service of “the full employment policy of the federal government, the prevention and elimination of unemployment while preserving social and economic principles” (see Section 29 Paragraph 1 AMSG) in the form of services which anyone can take advantage of (Section 31 Paragraph 1 AMSG). The case-related relevant activity of the mP is therefore not a sovereign activity in a narrower sense.<br />
<br />
<br />
42 5.2.4.2. It remains to be examined whether this is a case of simple sovereign action because, as the appeal argues, the employment placement stands in an “inseparable connection with the AlVG”.<br />
<br />
43 According to the undisputed findings, the results of the AMAS are to be used in the consultation process and are to serve as a starting point for the consultants in order to determine, together with the job seeker, potentials and, if necessary, obstacles to labor market integration. On this basis, the optimal care strategy - funding and care services - is to be defined. The final decision about assignment to one of the customer groups is made by the consultant. If the job seeker has a different assessment of the labor market opportunities than the consultant, this is documented in the supervision agreement.<br />
<br />
<br />
44 Based on this, the following should be considered:<br />
<br />
45 Against the background of the AMSG, the task of the mP is the prevention and elimination of unemployment while preserving social and economic principles in the sense of an active labor market policy (Section 29 Paragraph 1 AMSG). According to the materials on the AMSG (RV 1468 BlgNR 18. GP, 32; AB 1555 BlgNR 18. GP), the sole purpose of the law is the reform of the labor market administration and the associated re-achievement of full employment and the participation of job seekers in working life. The central aim of the provisions of the AMSG is that the highest possible level of employment should be achieved through the organization of the mP, for whose services the rapid placement in productive and individually satisfying employment is the top priority. According to Section 29 AMSG, the economic existence is to be guaranteed during the period of job search; securing a living in the form of recurring benefits to job seekers is therefore part of labor market policy. The basic idea of active labor market policy is to achieve this through specific measures tailored to the individual case and under consideration of the greatest possible compatibility of full employment and economic growth. From this objective of the AMSG it follows that, on the one hand, the AMS is to enable the job seeker to gain an overview of the domestic labor market and to orient himself towards it and, on the other hand, through targeted advice and assistance, is to identify a position that is appropriate to the individual's abilities (see OGH January 30, 2001, 1 Ob 257/00a).<br />
<br />
<br />
46 The entitlement to unemployment benefit (§ 47 para. 1 AlVG) is of a sovereign nature; when deciding whether there is an entitlement to unemployment benefit, official tasks are fulfilled. The placement of job seekers, however, as can be seen from Section 31 Paragraph 1 AMSG, is in any case not sovereign (see OGH November 24, 2015, 1 Ob 208/15t, mwN).<br />
<br />
47 According to the findings, the relevant advice, within the framework of which the data processing in question is carried out, is - regardless of the narrow subject-matter context - intentionally not about the preparation of the granting of claims from unemployment insurance, but rather serves the purpose of bringing together supply and demand in the labor market. The advisory process, legally designed as a service which, in accordance with Section 31 Paragraph 1 AMSG, is also open to job seekers who are not recipients of unemployment benefits, is neither carried out through sovereign means nor does it end - given the lack of reciprocal rights and obligations - in a sovereign act. The purely objective connection between unemployment and possible support under the AlVG in the event of an unsuccessful job search does not make the advice on reintegration into the labor market itself a preparatory act for the official activity of granting support, namely in the absence of a sufficient normative connection, and this applies even if the advice is provided to persons who are already in receipt of benefits under the AlVG.<br />
<br />
<br />
48 This also applies to the “care plan”: according to Section 38c AMSG, inserted by the Labor Market Reform Act 2004, BGBl. I No. 77, the AMS has to create a care plan for every unemployed person “based on the expected need for care, in particular the type and manner of care and the measures envisaged, as well as a justification for the intended course of action”. The explanations of the legislature, ErlRV 464 BlgNR 22. GP 9, read in excerpts:<br />
<br />
“The basic principles of the care plan, which the employment service has already used with good experiences so far, should now be expressly anchored in law. The care plan is not to be attributed to sovereign administration, but should only set the framework conditions for the mediation and placement services associated with the private sector administration and the placement-supporting activities of the employment service. The care plan should ensure a consistent, meaningful, predictable approach in accordance with the principle of trust in the care and placement of the unemployed. Depending on the in part very different conditions for successful reintegration into the labor market, different requirements arise for the care of the unemployed. This results in tiered requirements for the care plan. Discussions to clarify the situation and the care process will usually (have to) take into account whether the unemployment is only temporary and appears to be remediable in the foreseeable future without special measures, or whether, for example with regard to age, lack of qualifications, health restrictions, care obligations or structural problems on the labor market, special efforts are required. (...) The agreement on the care plan takes place within the framework of the existing discretion. If the ideas of the unemployed person are not in compliance with the applicable regulations, clarification in this regard should be provided. If agreement still cannot be reached, the care plan is to be established unilaterally by the regional office. The care plan is in any case to be brought to the knowledge of the unemployed person in an appropriate manner, for example by handing it over or sending it. The care plan should define the framework within which placement efforts and qualification or other measures necessary to improve employment opportunities on the labor market should be taken. The agreements should also record the planned personal activities of the unemployed person. The care plan governs the actions of the employment service as well as of the unemployed person as long as it has not been changed - usually after a new consultation. (...) On the one hand, the care plan is intended to provide the unemployed person with a higher degree of personal action orientation as well as predictability of the actions of the employment service, and on the other hand, overall, an even more planned, easier to understand and, if necessary, targeted changeable approach of the employment service is to be guaranteed. The tried and tested 'agreement culture' should be continued and expanded. (...)”<br />
<br />
49 According to the declared will of the legislature, the mP is thus given the task of creating the care plan/care agreement within the framework of private sector administration. This corresponds to the explicit exclusion of a legal right to a specific care plan or to measures that are envisaged in the care plan (see also Julcher in AlV-Komm § 9 AlVG Rz 79). Furthermore, it is decisive for the classification of the advisory activity of the mP relevant here as a private sector activity that the reasonableness criteria of Section 9 paragraphs 1 to 3 AlVG must be taken into account when creating the care plan; however, the law does not provide for a binding determination of the limits of the reasonableness of employment within the meaning of § 9 AlVG that can be derived directly from the care plan/care agreement, or even just a binding definition of the individual case-related criteria for assessing these limits, so that against this background the care plan can neither expand nor restrict the limits of the reasonableness of employment - especially in connection with possible sanctions according to § 10 AlVG. Nor can a sanction under § 10 AlVG follow directly from the care plan. Section 9 (8) AlVG does not change this consequence either, because the provision there does modify, in the sense of reducing it under certain requirements, the justification effort of the mP for reintegration measures for the job seeker in connection with an existing care plan, but the care plan itself does not develop any binding effect and the authority is also not relieved of its obligation to present a comprehensible - and in this sense independent - justification which is subject to verification (cf. pointing in this direction VwGH March 28, 2012, 2010/08/0250).<br />
<br />
50 From what has been said above it follows that neither the advice as part of the job placement itself nor the creation of the care plan (a care agreement) within the meaning of Section 38c AMSG is to be attributed to the (even if only simply) sovereign area of activity of the mP. Rather, this is part of the private sector action of the mP, which, against the background of the functional concept of authority in Section 1 Paragraph 2 DSG, is not subject in terms of data protection law to the standard laid down there for encroachments on the fundamental right to confidentiality of personal data in accordance with Section 1 Paragraph 1 DSG.<br />
<br />
51 For this reason alone, the disputed legality of the data processing that is the subject of the procedure must be examined using the relevant provisions of the GDPR without taking the standard of Section 1 Paragraph 2 DSG into account.<br />
<br />
<br />
52 5.3. On the question of the existence of sufficient justification grounds under Articles 6 and 9 GDPR<br />
<br />
53 5.3.1. The BVwG based its argument regarding the legality of the processing in question on the conclusion that, in accordance with Article 6 Paragraph 1 lit. e GDPR and Art. 9 para. 2 lit. g GDPR, the processing of personal data or of special categories of personal data is lawful if this processing is required on the basis of the law of the Member State of the controller for a task in the public interest or, with regard to the processing of special categories of personal data, on the basis of a significant public interest. The legal basis corresponding to Art. 6 Para. 3 GDPR has, according to Recital 41 of the GDPR, to be clear and precise and predictable for those subject to the law. Art. 9 paragraph 2 lit. g GDPR requires additional appropriate and specific measures to safeguard the fundamental rights and interests of the persons concerned. In summary, the BVwG takes the view that the mP must fulfill the tasks assigned to it in accordance with Section 29 Paragraph 1 AMSG in accordance with the principles of thrift, economy and expediency required by Section 31 Paragraph 5 AMSG. Section 25 Paragraph 2 AMSG grants the mP an authorization to process personal data insofar as this is an essential prerequisite for fulfilling its legal tasks. The task assigned to the mP in accordance with Section 29 AMSG is undoubtedly one of significant public interest. In order to achieve the set goal of optimally supplying the economy with workers and securing the employment of all persons in the best possible way, it is undeniably necessary to take the personal characteristics of the job seekers into account in combination with the events on the labor market. That the personal data of job seekers brought in can be relevant for the assessment of the job seekers' labor market opportunities was also not disputed by the appellant. In this case there are no concerns that the mP may use the personal data in accordance with Section 25 Paragraph 1 AMSG in order to ensure a “proper labor market policy”. There are no indications that such data processing is not expressed sufficiently clearly and recognizably in § 25 AMSG. Section 25 Paragraph 10 AMSG takes precautions to ensure processing in accordance with the principles of the GDPR and to guarantee data security.<br />
<br />
54 5.3.2. In order to answer the appeal's submissions, the question of whether the requirements of Articles 6 and 9 of the GDPR are met must first be addressed, and it should be said in advance that the question of the legality of the processing against the background of these provisions is a legal question to be separated from the question of the prohibition of automated decisions in accordance with Art. 22 GDPR.<br />
<br />
55 5.3.2.1. The processing of personal data is, in accordance with Art. 6 Para. 1 lit. e GDPR - among other things - lawful if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.<br />
<br />
56 Art. 6 Para. 1 lit. e GDPR is closely related to Art. 6 Paragraphs 2 and 3, which contain more detailed requirements for the legal basis. The legal basis for processing in accordance with Article 6 Paragraph 1 Letter e GDPR must, in accordance with Art. 6 para. 3 leg. cit., be determined by Union law or the law of the Member State to which the controller is subject. The purpose of the processing need not - unlike processing according to Art. 6 Para. 1 lit. c GDPR - necessarily be expressly provided for in a legal basis. According to Art. 6 Para. 3 Sentence 2 GDPR, it is sufficient if the purpose of the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.<br />
<br />
57 Recital 41 of the GDPR in turn provides that the corresponding legal basis or legislative measure should be clear and precise and its application should be predictable for those subject to the law. However, Recital 45 of the GDPR expressly does not require a specific law for each individual processing operation. Rather, one law can be sufficient as a basis for multiple processing operations when processing is necessary to carry out a task in the public interest.<br />
<br />
58 In light of the wording of these relevant provisions, it cannot be assumed that the national legislature is in any case obliged, in order to fulfill the justification ground of Article 6 Paragraph 1 Letter e GDPR with regard to a certain data processing, to determine the data processing itself in the law. Rather, the justification ground is fulfilled if the task to be performed is adequately described in the legal basis and the relevant data processing serves the purpose of fulfilling this task. However, this presupposes that such a task is described sufficiently clearly and definitely by the law. The legal basis in question may contain more specific regulations, but this is not mandatory (arg.: “can” in Art. 6 Para. 3 third sentence GDPR). Ultimately, Art. 6 Para. 3 fourth sentence GDPR also provides, for processing under Art. 6 Para. 1 lit. e leg. cit., that the legislation must pursue a goal that is in the public interest and be proportionate to the legitimate purpose pursued (see also, supporting this view, Kastelitz/Hötzendorfer/Tschohl in Knyrim, DatKomm, 2020, Art. 6 para. 47; see also Buchner/Petri in Kühling/Buchner, DS-GVO, BDSG, 3rd edition, 2020, Art. 6 GDPR, paragraph 120 f).<br />
<br />
<br />
59 5.3.2.2. The purpose of the provisions of Article 9 Paragraph 1 GDPR is to ensure increased protection against such data processing which, due to the particular sensitivity of this data, can constitute a particularly serious interference with the fundamental rights to respect for private life and protection of personal data guaranteed by Articles 7 and 8 of the Charter (cf. the comments of the ECJ on the purpose of protection in the judgment of September 24, 2019, C-136/17, GC and others, paragraph 44).<br />
<br />
60 The core of the justification ground of Article 9 Para. 2 lit. g GDPR - which reproduces Art. 6 Paragraph 1 Letter e GDPR - is that the processing must be necessary for reasons of significant public interest. While accordingly a public interest in general is required for the processing of personal data (Art. 6 Para. 1 lit. e GDPR), the processing of sensitive data within the meaning of Article 9 Para. 1 GDPR requires - according to its wording - such a considerable interest. This means that a specific consideration of a special legitimation for the use of such data is required (cf. on the interpretation of the corresponding legal situation in Germany the explanations in Kühling/Buchner, DS-GVO, BDSG, 3rd edition, Art. 9 Rz. 91; cf. on Art. 9 Para. 2 lit. g GDPR also already ECJ September 24, 2019, C-136/17, GC et al. [Delisting of sensitive data], paragraph 61).<br />
<br />
61 The requirements for the legal basis are not specified in more detail in Art. 9 GDPR. Art. 9 Para. 2 lit. g GDPR, just like Art. 6 Paragraph 1 lit. e leg. cit., refers as a justification to the requirement that the processing be carried out for reasons of - in the case of Art. 9 Para. 2 lit. g considerable - public interest. With regard to the structural commonality of these two justification grounds and the respective reference to Union law or the law of a Member State, and in the absence of an order to the contrary, it must be assumed that the justification of the processing of special categories of personal data within the meaning of Art. 9 Para. 2 lit. g GDPR also requires - just as with the justification under Article 6 Paragraph 1 Letter e - the sufficiently clear definition of the task to be performed with the processing, and that this is also sufficient, whereby in the case of this data the task must have a special quality (arg.: “significant public interest”) (cf. the statements by Schörghofer/Warter, The legal basis of a data processing, in FS Pfeil, 2022, 721ff [734]). This view corresponds to the opinion of the ECJ in C-136/17, according to which Art. 9 Para. 2 lit. g GDPR permits the processing of the special categories of data referred to in Article 9 if it is necessary for reasons of significant public interest, on the basis of Union law or the law of a Member State, which is proportionate to the objective pursued, preserves the essence of the right to data protection and provides for appropriate and specific measures to safeguard the fundamental rights and interests of the data subject, whereby the ECJ regards the right to freedom of information protected by Article 11 of the Charter as a possible justifying legal basis for the data processing in dispute there (cf. ECJ ibid., 61, 66 and 68). In this examination, the ECJ in no way relies on whether the justifying legal basis designates the disputed data processing itself.<br />
<br />
<br />
<br />
<br />
62 5.3.2.3. Against the background of this legal situation, the following arises in the present case:<br />
<br />
First of all, it should be noted that the existence of a public interest in the tasks transferred to the mP by Sections 29 ff AMSG is not disputed - including by the appeal.<br />
<br />
63 Section 29 Paragraph 1 AMSG defines the task of the mP; Section 29 Paragraph 2 AMSG mentions the goals to be achieved in connection with the fulfillment of this task by the activity of the mP. Section 30 Paragraph 2 AMSG also explicitly establishes the obligation of the mP to provide for labor market monitoring and statistics. By detailing the principles that must be taken as a basis for task fulfillment, Section 31 AMSG also states which demands must be met when fulfilling tasks. Section 25 Paragraph 1 AMSG limits the authorization for processing to the statutory task and to such processing that is an essential prerequisite for the fulfillment of the task. By listing the data and the direct connection between them and the permitted processing purpose, it regulates in a predictable manner for the data subject which data may be processed and for what purpose. There is no doubt that §§ 29 to 31 AMSG describe the task in connection with which the mP is authorized to process the data listed in Section 25 Paragraph 1 AMSG, and thus the framework for the permitted purpose of data processing, sufficiently clearly and precisely. That the assessment of the labor market opportunities of a person looking for work is a relevant parameter for efficient employment placement is obvious. It can therefore be assumed that, in view of the task of the mP and the services to be provided - in particular the care plan to be drawn up in accordance with Section 38c AMSG - it is sufficiently clear to a person subject to the law that the processing of the data listed in Section 25 Paragraph 1 AMSG also serves to assess the positioning of each relevant job seeker on the labor market and can thus be used for this purpose, which is necessary for the fulfillment of the public task.<br />
<br />
<br />
<br />
<br />
64 Furthermore, with regard to the health data affected in the present case, which are to be counted among the special categories of personal data within the meaning of Art. 9 Para. 1 GDPR, it should be noted that, in accordance with the requirements of the case law of the ECJ cited above, there is no doubt that the legislative objective of ensuring the best possible integration of job seekers into the national labor market pursues a significant public interest within the meaning of Article 9 Paragraph 2 Letter g GDPR, this objective being connected with the efficient use of state support resources and the optimization of the social satisfaction of job seekers on the one hand and the best possible supply of the labor market on the other hand. That the case-related data processing is not in an appropriate relationship to the goals pursued by the task assigned by law is neither claimed nor apparent. This is particularly because, according to the findings in the contested decision, only those health data are processed which restrict the exercise of activities in the labor market and are therefore directly related to the employment placement.<br />
<br />
65 The provisions regarding the duty of confidentiality of the bodies of the mP in § 27 AMSG and the detailed provisions on disclosure and storage of the data in Section 25 Paragraphs 2 to 11 AMSG leave no room for doubt that the measures required by Art. 9 Para. 2 lit. g GDPR to preserve the essence of the fundamental right to protection of personal data enshrined in Article 8 of the Charter (see on the concept of the essential content guarantee ECJ April 8, 2014, Digital Rights Ireland et al., C‑293/12 and C‑594/12, para. 40; see also Bäcker in Kühling/Buchner, DS-GVO, BDSG, commentary, 3rd edition, 2020, Art. 23 Rn. 57) as well as the fundamental rights and interests of the affected persons are fulfilled. The appeal does not bring forward anything concrete which calls this view into question.<br />
<br />
66 Insofar as the appeal repeatedly points out that the BVwG did not take into account the character of profiling as a special processing procedure in connection with the requirements of Articles 6 and 9 GDPR, it is not clear from the submissions to what extent a justifying legal basis should have to provide other requirements for this form of processing, especially since neither Article 6 nor Art. 9 GDPR refer to Art. 4 Z 4 GDPR. The appeal may be agreed with in that profiling is a special form of processing, but this does not change this view per se. Rather, the peculiarity of profiling is taken into account in Art. 22 GDPR, whereby the dangerous nature of this form of processing finds expression in the prohibition formulated there or in the grounds for justification there.<br />
<br />
Insofar as the appeal - including in this context - refers to the requirements of Section 1 Paragraph 2 DSG, the case law of the Constitutional Court on the legality principle of Article 18 B-VG and the insufficiency of the federal directive as a legal basis because of its lack of binding effect, reference is made to the comments on point 5.2.<br />
<br />
67 Insofar as the appeal points out that, in order to exercise the rights concerned, it is necessary that “the data collection is carried out in a manner that is foreseeable for those affected by it [...] and in a form that is, where appropriate, contestable or duly verifiable”, it should be noted that the data collection itself is not even at issue in this case. The subject of the appeal proceedings is rather the prohibition of the processing of data issued by the appellant. Moreover, the data to be collected are themselves listed in detail in Section 25 Paragraph 1 AMSG, so that there is no doubt as to the foreseeability of the type of data to be collected.<br />
<br />
68 Insofar as the appeal further submits that it follows from Recital 41, second sentence, GDPR that it must be clear and foreseeable from the legal basis itself which data processing is carried out, this cannot be reconciled with the wording of the recital. It states that “the corresponding legal basis or legislative measure [...] should be clear and precise and its application [...] should be foreseeable to persons subject to it, in accordance with the case law of the Court of Justice of the European Union and the European Court of Human Rights”. To what extent this recital is supposed to define in more detail the content of the requirement in Article 6 Paragraph 1 Letter e GDPR, according to which the processing must be necessary for the performance of a task carried out in the public interest, is not apparent. Art. 6 Para. 3 GDPR, by contrast, expressly speaks of the need for a legal basis from which the purpose of the processing must be derivable, or of the relevant task carried out in the public interest to which the data processing must be attributed. Insofar as the appeal in this context again refers to the second sentence of Section 1 (2) of the DSG, reference is in turn made to the statements under point 5.2., according to which this legal provision does not apply in any event.<br />
<br />
69 Insofar as the appeal uses as a yardstick for the sufficient specification of a legal basis the judgment of the ECJ of October 6, 2020, C-511/18, C-512/18 and C-520/18, delivered on the interpretation of Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications, OJ 2002, L 201, p. 37), that judgment of the ECJ is not pertinent because it deals with a breach of the principle of data minimisation under Art. 5 lit. c GDPR. The appellant's decision was, however, not based on this.<br />
<br />
<br />
70 The appeal must be conceded that, when processing special categories of personal data within the meaning of Article 9 Paragraph 1 GDPR, the specific grounds for interference in Art. 9 Para. 2 GDPR are relevant. In this context it criticises the reasoning of the BVwG, according to which a review of Section 25 Paragraph 10 AMSG for compliance with the required data security measures did not have to be carried out because this had not been the subject of the review by the appellant.<br />
<br />
71 However, even if this view of the BVwG were incorrect, the appeal does not show to what extent the guarantees for data security in this case would be inadequate, contrary to the assessment shown under 5.3.2.1. Thus the appellant has put forward nothing that would lead to the assumption that, with the obligations of confidentiality of the organs and in particular the prohibition on disclosing health data to employers under Section 25 Paragraph 8 AMSG, and the legal precautions regarding storage and ensuring data security in the individual case, sufficient data protection in accordance with the provisions of the GDPR is not ensured.<br />
<br />
5.4. On the question of the existence of an automated decision within the meaning of Art. 22 Para. 1 GDPR<br />
<br />
72 The appeal repeatedly points out that the BVwG did not take account of the character of profiling as a special processing procedure. It follows from Recital 41, second sentence, GDPR that it must be clearly apparent and foreseeable from the legal basis itself which data processing is carried out. Job seekers also run the risk that the assumptions of AMAS could be adopted without further processing.<br />
<br />
73 With this argument, the appeal addresses the lawfulness of the processing at issue in the proceedings against the background of Art. 22 GDPR.<br />
<br />
<br />
74 5.4.1. In its recent judgment of December 7, 2023, C-634/21, SCHUFA Holding [Scoring], which must be taken into account for the present appeal decision, the ECJ answered the question referred for a preliminary ruling under Art. 267 TFEU by the Wiesbaden Administrative Court (Germany) by decision of October 1, 2021, concerning the interpretation of Article 22 Para. 1 GDPR, as follows:<br />
<br />
“40 By its first question, the referring court asks, in essence, whether Article 22 Para. 1 GDPR is to be interpreted as meaning that an ‘automated decision in individual cases’ within the meaning of that provision exists where a probability value, based on personal data relating to a person and concerning their ability to meet future payment obligations, is created automatically by a credit reporting agency, provided that a third party to which this probability value is transmitted draws significantly on that value in establishing, performing or terminating a contractual relationship with that person.<br />
<br />
41 In order to answer this question, it should first be noted that, for the interpretation of a provision of Union law, account must be taken not only of its wording but also of the context in which it stands and of the purposes and objectives pursued by the legal act of which it forms part (judgment of June 22, 2023, Pankki S, C‑579/21, EU:C:2023:501, paragraph 38 and the case law cited therein).<br />
<br />
42 As regards the wording of Article 22 Para. 1 GDPR, that provision stipulates that a data subject has the right not to be subjected to a decision based solely on automated processing, including profiling, which has legal effect for them or similarly significantly affects them.<br />
<br />
43 The applicability of that provision therefore depends on three cumulative prerequisites, namely that, firstly, a ‘decision’ must exist, secondly, that decision must be based ‘solely on automated processing, including profiling’, and thirdly, it must have ‘legal effect vis-à-vis [the person concerned]’ or affect that person ‘in a similarly significant way’.<br />
<br />
44 As regards, first, the requirement of the existence of a decision, it should be noted that the term ‘decision’ within the meaning of Article 22 Paragraph 1 GDPR is not defined in that regulation. However, it is already apparent from the wording of that provision that this term refers not only to acts that produce legal effects for the person concerned but also to acts that similarly significantly affect that person.<br />
<br />
45 The broad meaning of the term ‘decision’ is confirmed by Recital 71 of the GDPR, according to which a decision evaluating personal aspects relating to a person ‘may include a measure’ which either produces ‘legal effects concerning the data subject’ or ‘similarly significantly affects’ them, the data subject having the right not to be subjected to such a decision. According to that recital, the term ‘decision’ covers, for example, the automatic refusal of an online credit application or e-recruiting practices without any human intervention.<br />
<br />
46 Since, as the Advocate General pointed out in point 38 of his Opinion, the term ‘decision’ within the meaning of Article 22 Paragraph 1 GDPR can encompass several acts that may affect the person concerned in many ways, that term is broad enough to include the result of calculating a person's ability to meet future payment obligations in the form of a probability value.<br />
<br />
47 Secondly, as regards the requirement that the decision within the meaning of Art. 22 Para. 1 GDPR ‘[must be based] solely on automated processing, including profiling’, the Advocate General stated in point 33 of his Opinion that an activity such as that of SCHUFA corresponds to the definition of ‘profiling’ in Art. 4 No. 4 GDPR and that this requirement is therefore fulfilled in the present case; moreover, the wording of the first question expressly refers to the automated creation of a probability value, based on personal data relating to a person, regarding their ability to service a loan in the future.<br />
<br />
48 Thirdly, as regards the requirement that the decision must have ‘legal effect’ vis-à-vis the data subject or affect them ‘in a similarly significant way’, it is apparent from the wording of the first question itself that the action of the third party to which the probability value is transmitted is ‘significantly’ guided by that value. According to the facts established by the referring court, in the case of a loan application addressed to a bank by a consumer, an insufficient probability value leads in almost all cases to the bank refusing to grant the requested loan.<br />
<br />
49 Consequently, it must be assumed that the third requirement on which the application of Art. 22 Para. 1 GDPR depends is fulfilled, because a probability value such as that at issue in the main proceedings at least significantly affects the person concerned.<br />
<br />
50 Therefore, in circumstances such as those in the main proceedings, in which the probability value determined by a credit reporting agency and reported to a bank plays a significant role in the granting of credit, the determination of that value must as such be classified as a decision which, within the meaning of Article 22 Paragraph 1 GDPR, ‘produces legal effects concerning the data subject or similarly significantly affects’ them.<br />
<br />
51 This interpretation is supported by the context in which Article 22 Paragraph 1 GDPR stands, as well as by the purposes and objectives pursued by that regulation.<br />
<br />
52 In this regard, it should be noted that, as the Advocate General stated in point 31 of his Opinion, Art. 22 Para. 1 GDPR confers on the data subject the ‘right’ not to be subjected to a decision based solely on automated processing, including profiling. That provision lays down a prohibition in principle, the infringement of which does not need to be invoked individually by such a person.<br />
<br />
53 As can be seen from Article 22 Para. 2 GDPR in conjunction with Recital 71 of that regulation, the adoption of a decision based solely on automated processing is permissible only in the cases mentioned in Article 22 Paragraph 2, i.e. if it is necessary for the conclusion or performance of a contract between the data subject and the controller (letter a), if it is permitted by Union or Member State law to which the controller is subject (letter b), or if it is based on the explicit consent of the data subject (letter c).<br />
<br />
54 Furthermore, Article 22 Paragraph 2 Letter b and Paragraph 3 GDPR provide that suitable measures to safeguard the rights and freedoms and the legitimate interests of the data subject must be laid down. In the cases referred to in Article 22(2)(a) and (c) of that regulation, the controller must grant the data subject at least the right to obtain human intervention, to express their own point of view and to contest the decision.<br />
<br />
55 Furthermore, according to Art. 22 Para. 4 GDPR, automated decisions in individual cases within the meaning of that Article 22 may be based on special categories of personal data in accordance with Article 9 Paragraph 1 of that regulation only in certain specific cases.<br />
<br />
56 In addition, in the case of automated decision-making such as that within the meaning of Art. 22 Para. 1 GDPR, the controller is subject to additional information obligations under Article 13 Paragraph 2(f) and Article 14(2)(g) of that regulation. On the other hand, the data subject has, under Article 15 Paragraph 1 Letter h GDPR, a right of access vis-à-vis the controller which concerns in particular ‘meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject’.<br />
<br />
57 These higher requirements for the lawfulness of automated decision-making, the additional information obligations of the controller and the associated additional rights of access of the data subject are explained by the purpose pursued by Article 22 of the GDPR, which consists in protecting persons from the particular risks to their rights and freedoms associated with the automated processing of personal data, including profiling.<br />
<br />
58 As follows from Recital 71 of the GDPR, this processing involves the assessment of personal aspects relating to the natural person affected by the processing, in particular in order to analyse or predict aspects concerning their work performance, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements.<br />
<br />
59 According to that recital, those particular risks are liable to impair the interests and rights of the data subject, in particular with regard to potential discriminatory effects on natural persons on the basis of racial or ethnic origin, political opinion, religion or belief, trade union membership, genetic disposition or health status, or sexual orientation. According to that recital, fair and transparent processing must therefore be guaranteed for the data subject, in particular by using appropriate mathematical or statistical procedures for the profiling and by implementing technical and organisational measures which appropriately ensure that the risk of errors is minimised.<br />
<br />
60 The interpretation set out in paragraphs 42 to 50 of this judgment, and in particular the broad meaning of the term ‘decision’ within the meaning of Art. 22 Para. 1 GDPR, strengthens the effective protection which that provision is intended to achieve.<br />
<br />
61 However, in circumstances such as those in the main proceedings, involving three actors, there would be a risk of circumventing Art. 22 GDPR and consequently a gap in legal protection if a narrow interpretation of that provision were preferred, according to which the determination of the probability value would be regarded only as a preparatory act and only the act taken by the third party could, where applicable, be classified as a “decision” within the meaning of Article 22 Paragraph 1 of that regulation.<br />
<br />
62 In that case, the determination of a probability value such as that at issue in the main proceedings would not be subject to the special requirements of Article 22 Paragraphs 2 to 4 GDPR, even though that procedure is based on automated processing and has effects which significantly affect the person concerned, since the action of the third party to which the probability value is transmitted is largely guided by it.<br />
<br />
63 Furthermore, as the Advocate General noted in point 48 of his Opinion, the data subject could not, on the one hand, rely vis-à-vis the credit reporting agency which determines the probability value concerning them on their right of access to the specific information mentioned in Article 15 Paragraph 1 Letter h GDPR, in the absence of automated decision-making by that company. On the other hand, the third party, even assuming that the action taken by it would fall under Art. 22 Para. 1 GDPR because it meets the requirements for the application of that provision, would not be in a position to provide that specific information because it generally does not have it.<br />
<br />
64 The fact that the determination of a probability value such as that at issue in the main proceedings is covered by Article 22 (1) GDPR has the effect, as stated in paragraphs 53 to 55 of this judgment, that it is prohibited unless one of the exceptions mentioned in Art. 22 Para. 2 GDPR applies and the special requirements of Article 22 Paragraphs 3 and 4 GDPR are fulfilled.<br />
<br />
65 As regards in particular Article 22 Paragraph 2 Letter b GDPR, to which the referring court refers, it is clear from the wording of that provision that national legislation authorising the adoption of automated decisions in individual cases must contain suitable measures to safeguard the rights and freedoms and the legitimate interests of the person concerned.<br />
<br />
66 In the light of Recital 71 of the GDPR, such measures include in particular the obligation of the controller to use appropriate mathematical or statistical procedures, to implement technical and organisational measures which appropriately ensure that the risk of errors is minimised and that errors are corrected, and to secure personal data in a manner that takes account of the potential risks to the interests and rights of the data subject and in particular prevents discriminatory effects against them. These measures also include at least the right of the data subject to obtain human intervention on the part of the controller, to express their own point of view and to contest the decision taken against them.<br />
<br />
67 It should also be noted that, according to the settled case law of the Court of Justice, any processing of personal data must comply with the principles for the processing of personal data laid down in Art. 5 GDPR and, in view of the principle of lawfulness of processing set out in Article 5 Paragraph 1 letter a, must satisfy one of the conditions for the lawfulness of the processing listed in Article 6 of that regulation (judgment of October 20, 2022, Digi, C‑77/21, EU:C:2022:805, paragraph 49 and the case law cited there). The controller must be able to demonstrate compliance with those principles in accordance with the principle of accountability laid down in Article 5 Para. 2 GDPR (cf. to this effect judgment of October 20, 2022, Digi, C‑77/21, EU:C:2022:805, paragraph 24).<br />
<br />
68 Where the legislation of a Member State permits, in accordance with Article 22 Paragraph 2 letter b GDPR, the adoption of a decision based solely on automated processing, that processing must therefore comply not only with the conditions laid down in that provision and in Article 22 Paragraph 4 GDPR, but also with the requirements of Articles 5 and 6 of that regulation. Consequently, Member States may not enact legislation under Article 22 Paragraph 2 letter b GDPR according to which profiling is permissible in disregard of the requirements of Articles 5 and 6 as interpreted by the case law of the Court of Justice.<br />
<br />
69 As regards in particular the conditions for lawfulness laid down in Article 6 Paragraph 1 Letters a, b and f GDPR, which may apply in a case such as that in the main proceedings, Member States are not authorised to adopt additional rules for the application of those conditions, since such a power is limited under Article 6 Paragraph 3 GDPR to the grounds mentioned in Article 6 Paragraph 1 Letters c and e of that regulation.<br />
<br />
70 As regards Article 6 Paragraph 1 Letter f GDPR in particular, Member States may not, under Article 22 Paragraph 2 Letter b GDPR, depart from the requirements resulting from the case law of the Court as set out in the judgment of December 7, 2023, SCHUFA Holding (Discharge from remaining debts) (C‑26/22 and C‑64/22, EU:C:2023:XXX), in particular by conclusively prescribing the result of the balancing of the conflicting rights and interests (cf. to this effect judgment of October 19, 2016, Breyer, C‑582/14, EU:C:2016:779, paragraph 62).<br />
<br />
71 In the present case, the referring court points out that only § 31 BDSG could constitute a national legal basis within the meaning of Article 22 Paragraph 2 Letter b GDPR. However, that court has profound concerns regarding the compatibility of § 31 BDSG with Union law. If that provision were to be regarded as incompatible with Union law, SCHUFA would not only be acting without a legal basis but would ipso iure be infringing the prohibition in Article 22 Paragraph 1 of the GDPR.<br />
<br />
72 In this respect, it is for the referring court to examine whether Section 31 BDSG qualifies as a legal basis within the meaning of Article 22 Paragraph 2 Letter b GDPR under which it would be permissible to adopt a decision based solely on automated processing. Should the referring court come to the conclusion that Section 31 constitutes such a legal basis, it would still have to examine whether the requirements laid down in Article 22 Paragraph 2 letter b and Paragraph 4 GDPR and in Articles 5 and 6 GDPR are met in the present case.<br />
<br />
73 In view of the foregoing, the answer to the first question is that Article 22 Paragraph 1 of the GDPR must be interpreted as meaning that an ‘automated decision in individual cases’ within the meaning of that provision exists where a probability value, based on personal data relating to a person and concerning their ability to meet future payment obligations, is created automatically by a credit reporting agency, provided that a third party to which this probability value is transmitted draws significantly on that value in establishing, performing or terminating a contractual relationship with that person.”<br />
<br />
<br />
75 5.4.2. From the reasons given above for the judgment of the ECJ, it can be concluded that the application of automated processing, such as AMAS, can in itself already constitute a decision within the meaning of Art. 22 Para. 1 GDPR which, in the absence of a justifying legal basis within the meaning of Article 22 Paragraph 2 Letter b GDPR (the grounds of justification of the necessity of the automated decision for entering into a contract within the meaning of Article 22 Paragraph 2 lit. a GDPR or the existence of consent within the meaning of Article 22 Paragraph 2 Letter c GDPR are not at issue in the present case), falls under the prohibition of Article 22 Paragraph 1 GDPR. If such an automated decision exists, the relevant national legislation must authorise the adoption of the automated decision in individual cases and must also provide for suitable measures to safeguard the rights and freedoms and the legitimate interests of the data subject (cf. the statements of the ECJ in C-634/21, paragraph 65).<br />
<br />
<br />
76 According to the statements in the ECJ judgment cited, automated data processing such as profiling is itself an “automated decision in individual cases” within the meaning of Article 22 Paragraph 1 GDPR if the result of that automated processing is decisive for a certain further decision, insofar as the action of the third party is “significantly guided” by the profiling in question, and thus significantly affects the persons concerned (cf. the statements of the ECJ in C-634/21, paragraphs 48 and 73).<br />
<br />
77 5.4.3. For the present case, the following results from this:<br />
<br />
78 5.4.3.1. First of all, it should be noted that the classification of the automated processing of personal data of the job seekers concerned (in AMAS) used by the mP, which is based on a mathematical-statistical program, as “profiling” within the meaning of Art. 4 Z 4 GDPR cannot be doubted in light of the case law of the ECJ in C-634/21.<br />
<br />
79 According to the ECJ, this automated processing itself, here the determination of the IC value, which expresses the probability of integration into the labour market, is (already) to be qualified as an “automated decision” within the meaning of Article 22 Paragraph 1 GDPR, provided that this probability value determines the allocation to the intended customer groups and thus produces legal effects vis-à-vis the job seekers concerned or similarly significantly affects them.<br />
<br />
80 The fact that the final decision on the customer group allocation lies with the counsellors of the mP cannot prevent AMAS from being qualified as an automated decision within the meaning of Art. 22 Para. 1 GDPR, since the judgment of the ECJ was also based on facts in which ultimately the potential lender decides on the question of whether the credit agreement at issue there is concluded. The, possibly, purely formal separation of the data processing from the decision itself, which is decisively influenced by the automated data processing, does not prevent the latter from being classified against the background of Art. 22 GDPR as a decision that is prohibited in principle (cf. again ECJ C-634/21, paragraph 73). The finding of the BVwG that instructions and training ensured that the counsellors of the mP do not adopt the result of the algorithm without question may justify the assumption that the classification into the respective customer group is not based exclusively on AMAS. However, this finding does not rule out that AMAS, as an automated decision, is ultimately decisive for this classification.<br />
<br />
81 Since the BVwG, on the basis of its legal view, which must be regarded as incorrect against the background of the judgment of the ECJ, did not make any findings on the precise use of AMAS, in particular no specific findings on the question of which other parameters are taken into account and to what extent, or what procedure is provided for the use of AMAS, the question of whether automated processing within the meaning of Art. 22 GDPR exists in the present case cannot yet be conclusively assessed in legal terms.<br />
<br />
82 5.4.3.2. Should the use of AMAS fall within the scope of Article 22(1) GDPR, it would be prohibited unless one of the exceptions mentioned in Article 22(2) GDPR applies and the special requirements of Article 22(3) and (4) GDPR are met.<br />
<br />
83 Article 22(2)(b) GDPR contains an opening clause that allows the Union and the Member States to create legislation for automated decisions. The relevant - justifying - national legislation would, however, have to permit the adoption of automated decisions in individual cases and also lay down suitable measures to safeguard the rights and freedoms and the legitimate interests of the data subject (cf. the ECJ's comments in C-634/21, para. 65). Furthermore, such legislation would have to comply with the requirements of Articles 5 and 6 GDPR, as interpreted in the case law of the Court of Justice (cf. again ECJ C-634/21, para. 68).<br />
<br />
84 The AMSG now obviously does not contain any provision regarding the processing at issue here - AMAS - by which the justification under Article 22(2)(b) GDPR would be fulfilled.<br />
<br />
85 By "legal basis" - and therefore also by "legal provision" in Article 22(2)(b) GDPR - the GDPR, according to Recital 41, does not necessarily understand a "legislative act adopted by a parliament". However, whether, for the application of AMAS<br />
profiling, a basis exists that satisfies the requirements of Recital 41 as to clarity, precision and predictability and meets the ECJ's requirements for the opening clause (cf. again C-634/21, paras. 65 and 68), was not examined by the BVwG - proceeding from the legal opinion that AMAS does not constitute an automated decision within the meaning of Article 22(1) GDPR.<br />
<br />
86 5.5. According to the above, the appeal was ultimately to be upheld and the contested finding was to be set aside, as a consequence of the secondary deficiencies in the findings described under point 5.4, for illegality of its content in accordance with Section 42(2) Z 1 VwGG.<br />
<br />
87 In the continued proceedings, the BVwG will have to discuss the legal situation set out under point 5.4 with the parties in the course of an oral hearing and give them the opportunity to submit statements or additional facts.<br />
<br />
Vienna, December 21, 2023<br />
</pre><br />
{{DEFAULTSORT:VwGH_-_Ro_2021/04/0010-11}}</div>Echttps://gdprhub.eu/index.php?title=Kammarr%C3%A4tten_i_Stockholm_-_6027-23Kammarrätten i Stockholm - 6027-232024-03-15T17:03:59Z<p>Johan90: Created page with "{{COURTdecisionBOX |Jurisdiction=Sweden |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=Kammarrätten i Stockholm |Court_Original_Name=Kammarrätten i Stockholm |Court_English_Name=Stockholms administrativ courts of Appel |Court_With_Country=Kammarrätten i Stockholm (Sweden) |Case_Number_Name=6027-23 |ECLI= |Original_Source_Name_1=Allmanhandling.se |Original_Source_Link_1=https://allmanhandling.se/wp-content/uploads/2024/03/KR_Stockholm_6027_23.pdf |..."</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Sweden<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=Kammarrätten i Stockholm<br />
|Court_Original_Name=Kammarrätten i Stockholm<br />
|Court_English_Name=Stockholm Administrative Court of Appeal<br />
|Court_With_Country=Kammarrätten i Stockholm (Sweden)<br />
<br />
|Case_Number_Name=6027-23<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Allmanhandling.se <br />
|Original_Source_Link_1=https://allmanhandling.se/wp-content/uploads/2024/03/KR_Stockholm_6027_23.pdf<br />
|Original_Source_Language_1=Swedish<br />
|Original_Source_Language__Code_1=SV<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Date_Decided=13.03.2024<br />
|Date_Published=<br />
|Year=2024<br />
<br />
|GDPR_Article_1=Article 10 GDPR<br />
|GDPR_Article_Link_1=Article 10 GDPR<br />
|GDPR_Article_2=Article 85(1) GDPR<br />
|GDPR_Article_Link_2=Article 85 GDPR#1<br />
|GDPR_Article_3=Article 85(2) GDPR<br />
|GDPR_Article_Link_3=Article 85 GDPR#2<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=1 kap. 20 § Fundamental Law on Freedom of Expression<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=1 kap. 4 § Fundamental Law on Freedom of Expression<br />
|National_Law_Link_2=<br />
|National_Law_Name_3=21 kap. 7 § Public Access to Information and Secrecy Act<br />
|National_Law_Link_3=<br />
|National_Law_Name_4=<br />
|National_Law_Link_4=<br />
|National_Law_Name_5=<br />
|National_Law_Link_5=<br />
<br />
|Party_Name_1=Prolegia Research AB<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_From_Body=Swedish Prosecution Authority<br />
|Appeal_From_Case_Number_Name=ÅM2023-1596<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Johan90<br />
|<br />
}}<br />
<br />
The case concerns the boundary of the Swedish system under which a voluntary certificate of publication (a media licence) gives a database constitutional protection as freedom of expression, and the boundary between the right of access to public documents and the use of those documents in a company's business activities. The Court of Appeal held that, because of the primacy of EU law, the Swedish rule under which constitutional protection always takes precedence over the GDPR could not be applied as such; after balancing the interests in the individual case, it found that the company's actual purpose appeared to be background checks and that the Public Prosecutor's Office was therefore entitled to withhold the documents.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The company Prolegia Research AB requested access to records in two criminal cases under the constitutional right of access to public records in Sweden. The company is a service provider in areas such as background checks and recruitment consultancy. During the proceedings, the company applied for a voluntary certificate of publication, which gives an entity the same constitutional protection as newspapers and TV.<br />
<br />
The company claimed that, by virtue of the voluntary certificate of publication, it uses the data in the records for journalistic purposes and is therefore not bound by the GDPR. The questions in the case were whether EU law (the GDPR) takes precedence over the Swedish constitution, and whether the company's processing of the records is for journalistic purposes or rather for business purposes.<br />
<br />
=== Holding ===<br />
The Swedish DPA (IMY) has summarised the legal position in a memorandum, IMYRS 2022:2, as follows.<br />
<br />
According to Article 85 GDPR, Member States are obliged to reconcile by law the right to the protection of personal data with the right to freedom of expression and information. In Sweden, this has been done through ch. 1 § 7 of the Act (2018:218) containing supplementary provisions to the EU General Data Protection Regulation (the Data Protection Act). The first paragraph of that section states that processing of personal data covered by the constitutional protection in the Freedom of the Press Act (TF) and the Fundamental Law on Freedom of Expression (YGL) is exempt from the requirements of the GDPR if applying the GDPR would conflict with those constitutional laws. Ch. 1 § 7, second paragraph, makes exceptions with regard to freedom of expression and information. The exception covers processing for journalistic purposes or for academic, artistic or literary creation. If the exception applies, most provisions of the GDPR do not apply.<br />
<br />
The legal position deals with questions concerning the concept of "journalistic purposes", based among other things on case law from the Court of Justice of the EU and Swedish courts. The position statement also contains a number of examples as guidance for its application.<br />
<br />
== Comment ==<br />
Many lawyers in Sweden have seen this as a problem, the question being whether the Swedish system is compliant with EU law. This judgment is the first on the point, but the Supreme Administrative Court has granted leave to appeal in a case raising the same underlying question (case 4588-23), and in March Attunda District Court requested a preliminary ruling from the Court of Justice in the same area (district court case no. T 3743-23).<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.<br />
<br />
<pre><br />
BACKGROUND<br />
The Swedish Prosecution Authority decided on 13 July 2023 to reject Prolegia Research AB's request for access to records in criminal cases AM-73270-17 and AM-98355-09. As the basis for the decision, it was stated that it could be assumed that the requested data in the records would, after disclosure, be processed in violation of the EU's data protection regulation 2016/679 (the data protection regulation) and the Act (2018:218) with supplementary provisions to the EU's data protection regulation (the data protection act), and that confidentiality according to ch. 21 Section 7 of the Public Access to Information and Secrecy Act (2009:400), OSL, therefore prevented disclosure.<br />
<br />
Prolegia appealed to the Court of Appeal in Stockholm, which on 19 September 2023 (case no. 4653-23) remanded the case as the company had brought forward that the company would conduct journalistic activities and the Public Prosecutor's Office had not taken a position on whether this meant that the company's processing of the personal data contained in the requested documents were exempt from the data protection regulation.<br />
<br />
In the now appealed decision, the Swedish Prosecution Authority, after taking into account the submitted voluntary publication certificate, again rejected Prolegia's request for access to records in criminal cases AM-73270-17 and AM-98355-09. The Swedish Prosecution Authority stated in the decision that the journalistic purpose must be the main purpose of the processing of personal data for the exception for journalistic activities to be applicable when assessing whether the data, after disclosure, can be assumed to be processed in violation of the EU's data protection regulation or the data protection act. Since it had not emerged that Prolegia, which mainly engages in background checks and consultancy in recruitment, had started any journalistic activities, the requested information was, according to the Prosecution Authority, covered by confidentiality according to ch. 21 Section 7 OSL.<br />
<br />
CLAIMS, M.M.<br />
Prolegia stands by its request and puts forward, among other things, following. The company has, through a granted publication certificate, a constitutionally protected right to publish its database. The EU's data protection regulation with supplementary Swedish regulations shall not be applied to this part of the company's operations. For the same reason, the data cannot be covered by confidentiality according to ch. 21. Section 7 OSL. The company intends to carry out journalistic activities. It is not a question of maintaining a legal database with search services that contains personal data about individuals. It is not the task of the Swedish Prosecution Authority to assess whether the company's operations are sufficiently journalistic. It is also neither appropriate nor in accordance with current law to give an authority the opportunity to preview and accept, or reject, the explanation provided regarding the relevance of the requested information to the public debate, investigative journalism or broader journalistic purposes. The actions of the Swedish Prosecution Authority involve a circumvention of the rights that follow from a certificate of issuance. The public prosecutor's office has also investigated who requested some of the documents in question and therefore did not carry out the exercise of authority in an objective and impartial manner.<br />
<br />
REASONS FOR THE COURT OF APPEAL'S DECISION<br />
<br />
Swedish Prosecution Authority procedure<br />
<br />
The Court of Appeal does not supervise the Swedish Prosecution Authority. What Prolegia has brought forward about the authority's procedure in the case therefore does not entail any action on the part of the Court of Appeal.<br />
<br />
Right to take part in public records<br />
<br />
The issue in the case<br />
<br />
Like the Swedish Prosecution Authority, the Court of Appeal considers that the requested documents are public records. The question in the case therefore becomes whether there is any provision in OSL, primarily ch. 21 Section 7, which means that the records must nevertheless not be disclosed to Prolegia. As it has emerged in the case that Prolegia has been granted a so-called voluntary certificate of publication and is therefore covered by the same constitutional protection as the traditional mass media, the question arises of the relationship between the data protection regulation and the constitutional protection of freedom of expression in the form of publication of information about prosecutions on websites. There are no guiding rulings on the issue.<br />
<br />
Legal starting points<br />
<br />
EU law<br />
<br />
Article 10 of the data protection regulation states, among other things, that the processing of personal data relating to convictions in criminal cases and offenses involving crimes may only be carried out under the control of an authority or when processing is permitted under Union law or the national law of the Member States, where appropriate protective measures for the rights and freedoms of the data subjects are established.<br />
<br />
According to Article 85(1), first paragraph, of the data protection regulation, the member states must by law reconcile the right to privacy under the regulation with the freedom of expression and information, including processing that takes place for e.g. journalistic purposes. From the second paragraph of the article, it appears that the member states must, for processing for journalistic purposes, provide for exemptions or derogations from some of the regulation's provisions if these are necessary to reconcile the right to privacy with freedom of expression and information. In Article 86, the possibility of exceptions to the publicity of documents is given in order to balance this right with the right to protection of personal data.<br />
<br />
In a ruling on 22 June 2021 (Latvijas Republikas Saeima, C-439/19, EU:C:2021:504), the European Court of Justice found that the provisions of the Data Protection Regulation may preclude national legislation under which an authority transfers information about offences, covered by Article 10, to economic operators for further exploitation. The Court recalled that the purpose of Article 10 is to ensure enhanced protection against such processing which, by reason of the particular sensitivity of the data, may constitute a particularly serious interference with the fundamental rights to respect for private life and to protection of personal data under Articles 7 and 8 of the Charter of Fundamental Rights of the EU. The Court also stated that Union law takes precedence over national provisions, including the Constitution (paragraphs 74, 126 and 135).<br />
<br />
The Swedish constitutional protection and the relationship to the data protection regulation<br />
<br />
When introducing the Data Protection Act, the legislator considered that the EU data protection rules continued to provide scope for the provisions on freedom of the press and freedom of expression in the Swedish constitutional laws. A provision was therefore introduced in ch. 1 Section 7, first paragraph, of the Data Protection Act, which makes it clear that the Freedom of the Press Act, TF, and the Fundamental Law on Freedom of Expression, YGL, take precedence over the provisions of the Data Protection Regulation and the Data Protection Act. From the provision's second paragraph, which has its basis in Article 85(2) of the data protection regulation, it appears that, among others, Article 10 of the Data Protection Regulation shall not be applied to the processing of personal data for journalistic purposes or for academic, artistic or literary creation.<br />
<br />
The so-called database rule in ch. 1 § 4 YGL regulates under which conditions the provision of information from a database over the internet is covered by YGL. An actor can, upon application, be granted a certificate of publication and thereby be covered by constitutional protection. According to ch. 1 § 7, first paragraph, of the Data Protection Act, this means that the Data Protection Regulation with supplementary Swedish rules shall not be applied to the constitutionally protected part of the operator's activities, to the extent that this would conflict with TF or YGL.<br />
<br />
In the preparatory work for the regulations on certificates of issue, it was established that free access to information as rich as possible and to varying opinions is a prerequisite for the citizens themselves to be able to take a stand on various issues that concern them. Among the civil liberties and rights, freedom of expression therefore occupies a central position which, together with freedom of information, has received specific protection in Swedish law through TF and YGL. When introducing the so-called voluntary issuance certificates, the legislator noted that a risk with having to apply for and be granted such a certificate is that the person who wants constitutional protection must turn to an authority. It was stated that it could not be ruled out that there is a risk that the authority in a tense social situation applies the application rules in such a way that constitutional protection is denied with regard to the expected content of the database. The risk was eliminated by stating the conditions for constitutional protection directly in the constitution, current chapter 1. § 5 YGL (government bill prop. 2001/02:74 pp. 36 and 49).<br />
<br />
On January 1, 2019, the possibility was introduced to limit constitutional protection by law regarding certain search services that contain data of a particularly privacy-sensitive nature, e.g. information about sexual orientation and health, with the support of ch. 1 Section 20 YGL. Proposals for corresponding provisions regarding legal violations have been presented on two occasions but not adopted by the Riksdag (Committee terms of reference Dir. 2023:145, pp. 6–7). The Swedish legislation thus lacks the possibility to limit the constitutional protection according to YGL with regard to information about violations of the law through domestic law.<br />
<br />
The Court of Appeal's assessment<br />
<br />
Prolegia has requested access to certain documents in two criminal cases and stated that they are to be used in journalistic activities and that it is not a question of maintaining a legal database with search services that contain personal data about individuals. Since the processing of the requested documents involves the processing of personal data, including information about violations of the law that include crimes, the processing falls under Article 10 of the Data Protection Regulation.<br />
<br />
Such a strict approach as follows from ch. 1 Section 7, first paragraph, of the Swedish Data Protection Act, i.e. that the Swedish constitutional protection must always take precedence over the data protection regulation for the holder of a voluntary publication certificate, is not compatible with the principle of the primacy of Union law. This is especially true in light of the fact that the constitutionally protected part of the business is, according to Swedish law, completely exempt from the provisions of the data protection regulation and that no proportionality assessment is made between, on the one hand, the right to protection of personal data and, on the other hand, the right to freedom of expression and information (Latvijas Republikas Saeima, para. 105). Taking into account the principle of the primacy of Union law and the case law of the European Court of Justice, the Court of Appeal considers that a balance must be struck in each individual case between the privacy interest expressed by the data protection regulation and the constitutionally protected rights of holders of voluntary publication certificates under TF and YGL.<br />
<br />
In this context, it can be stated that the examination carried out when issuing voluntary certificates of issue is of a formal nature. There is also no requirement that any actual journalistic activity, regardless of content, must have begun. In addition, it can be noted that Prolegia already operates an established business in recruitment and that information has previously been requested from the Public Prosecutor's Office in order to carry out background checks in recruitment procedures. It was only after Prolegia had been denied access to certain documents that the company came in with a release certificate and stated that it wished to access the information for journalistic purposes. It has not emerged that Prolegia has started any journalistic activities.<br />
<br />
Denying an actor who has been granted a publication certificate access to documents on the grounds that constitutional protection must give way to the Data Protection Regulation must be done with great care. At the same time, the data protection regulation places clear requirements on the member states to establish appropriate safeguards for the rights and freedoms of the data subjects when it comes to personal data relating to criminal convictions and offences, when the processing of such data is carried out by someone other than an authority. As regards the proportionality balance that must be struck between the different interests, the European Court of Justice has stated that data falling under Article 10 of the Data Protection Regulation relates to behaviour that society disapproves of, and that granting access to such data may therefore stigmatise the person concerned and constitute a serious interference in his or her private or professional life (Latvijas Republikas Saeima, para. 75).<br />
<br />
Against this background, automatically and completely exempting Prolegia from the provisions of the data protection regulation is not compatible with the proportionality assessment that must be made between freedom of expression, public access to documents and the protection of personal data. The Data Protection Regulation must therefore be applied when assessing whether Prolegia has the right to access the requested documents, despite what the Data Protection Act prescribes regarding the primacy of constitutional protection.<br />
<br />
The Data Protection Regulation allows certain exceptions to the protection of personal data for activities that have journalistic purposes. The concept of journalistic purposes must be given a broad interpretation, including activities aimed at disseminating information, opinions or ideas to the public, and applies to all persons engaged in journalistic activities (Satakunnan Markkinapörssi and Satamedia, C-73/07, EU:C:2008:727, paras. 56, 58 and 61).<br />
<br />
In a balance between the data subjects' interest in the protection of their personal data and Prolegia's interest in accessing the current data with the intention of being able to carry out journalistic activities in the future, the data subjects' rights weigh more heavily. In making this assessment, the Court of Appeal has taken into account in particular that the information relates to violations of the law and that disclosure could constitute a serious interference in the individual's private or professional life. Prolegia also has, with regard to its already established recruitment activities, an interest in obtaining the data, which currently appears to be the actual purpose of the processing of the requested personal data.<br />
<br />
Against this background, it can be assumed that the information in the requested documents will, after disclosure, be processed in violation of the data protection regulation. The information is therefore covered by confidentiality according to ch. 21 Section 7 OSL. The appeal must therefore be dismissed.<br />
</pre></div>Johan90https://gdprhub.eu/index.php?title=NAIH_(Hungary)_-_7286-1/2023NAIH (Hungary) - 7286-1/20232024-03-15T13:37:36Z<p>Im: Created page with "{{DPAdecisionBOX |Jurisdiction=Hungary |DPA-BG-Color=background-color:#7f0037; |DPAlogo=LogoHU.jpg |DPA_Abbrevation=NAIH |DPA_With_Country=NAIH (Hungary) |Case_Number_Name=7286-1/2023 |ECLI= |Original_Source_Name_1=NAIH homepage |Original_Source_Link_1=https://gdprhub.eu/images/5/56/NAIH-7286-2023-hatarozat.pdf |Original_Source_Language_1=Hungarian |Original_Source_Language__Code_1=HU |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Orig..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Hungary<br />
|DPA-BG-Color=background-color:#7f0037;<br />
|DPAlogo=LogoHU.jpg<br />
|DPA_Abbrevation=NAIH<br />
|DPA_With_Country=NAIH (Hungary)<br />
<br />
|Case_Number_Name=7286-1/2023<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=NAIH homepage<br />
|Original_Source_Link_1=https://gdprhub.eu/images/5/56/NAIH-7286-2023-hatarozat.pdf<br />
|Original_Source_Language_1=Hungarian<br />
|Original_Source_Language__Code_1=HU<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Partly Upheld<br />
|Date_Started=15.06.2022<br />
|Date_Decided=02.08.2023<br />
|Date_Published=07.03.2024<br />
|Year=2023<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 4(7) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#7<br />
|GDPR_Article_2=Article 15 GDPR<br />
|GDPR_Article_Link_2=Article 15 GDPR<br />
|GDPR_Article_3=Article 15(1) GDPR<br />
|GDPR_Article_Link_3=Article 15 GDPR#1<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=im<br />
|<br />
}}<br />
<br />
The DPA issued a reprimand to a controller for responding to an access request after the deadline and to a misspelled e-mail address, in violation of [[Article 15 GDPR|Article 15 GDPR]].<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
On 7 April 2022, the data subject received an e-mail from a recruiter, the controller, mentioning that the data subject's resume stood out among job seekers' profiles. It was unclear to the data subject how the controller had obtained his contact information, as he had never disclosed it on the jobseekers' website which recruiters generally use to contact candidates directly. The data subject therefore asked the controller for an explanation based on [[Article 15 GDPR|Article 15 GDPR]]. Despite reminders, no response was received.<br />
<br />
The data subject requested the DPA to investigate the controller's conduct and compel it to respond. Additionally, the data subject asked the DPA to investigate the relationship between the website operator and the recruiter and whether joint liability could be established.<br />
<br />
The controller declared to the DPA that it was registered on the jobseekers' website as an independent controller in order to carry out recruitment activities, and that the data subject had given his consent to be contacted for recruitment purposes. The controller therefore had access to his e-mail address as a subscriber to the website.<br />
<br />
The controller attributed the lack of response to the data subject's request to an administrative error, specifically a misspelling of the data subject's e-mail address in the response sent on 17 May 2022. This oversight came to light only after the DPA had ordered the controller to address the allegations.<br />
<br />
=== Holding ===<br />
The DPA held that the controller's argument does not relieve it of its liability as a controller under [[Article 4 GDPR#7|Article 4(7) GDPR]]. Despite the fact that the controller intended to comply with the data subject's access request under [[Article 15 GDPR|Article 15 GDPR]], the DPA observed two things. First, the controller sent the reply on 12 May 2022, which exceeded the one-month deadline (expiring on 7 May 2022) under [[Article 12 GDPR#3|Article 12(3) GDPR]].<br />
<br />
Second, the DPA highlighted that the most important characteristic of a controller is that they have substantive decision-making power and responsibility for compliance with all the obligations of the processing laid down in the GDPR.<br />
<br />
Lastly, the DPA rejected the argument that the website operator qualified as a controller in this case, since it was the recruiter who organised the process and created the conditions for the data processing.<br />
<br />
For the reasons set out above, the DPA found that the controller had infringed [[Article 15 GDPR#1|Article 15(1) GDPR]] and ordered it to comply with the data subject's access request.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.<br />
<br />
<pre><br />
Case number: NAIH-7286-1/2023.<br />
<br />
History: NAIH-5460/2022. Subject: decision partially granting the request<br />
<br />
<br />
DECISION<br />
<br />
<br />
<br />
The National Data Protection and Freedom of Information Authority (hereinafter: Authority), in the official data protection proceedings initiated on 15 June 2022 on the basis of the application of [...] (hereinafter: Applicant) concerning the non-fulfilment of his data subject request, against [...], represented by a lawyer (hereinafter: Respondent 1), and [...] (hereinafter: Respondent 2) (hereinafter together: Respondents), makes the following decision:<br />
<br />
I.1. The Authority partially grants the Applicant's request and<br />
<br />
I.2. finds that Respondent 2 has violated Article 15(1) of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: GDPR or general data protection regulation), since it did not fulfil the request submitted on the basis of the right of access; furthermore<br />
<br />
II. obliges Respondent 2 to provide information to the Applicant, within 15 days of the decision becoming final, regarding the fulfilment of the request submitted under Article 15 GDPR.<br />
<br />
III. The Authority rejects the Applicant's request regarding Respondent 1.<br />
<br />
Respondent 2 must verify to the Authority in writing, within 15 days of taking the measure, that it has fulfilled the obligation under point II, together with the supporting evidence, i.e. a copy of the letter written to the Applicant and the document certifying its dispatch. In case of non-fulfilment of the obligation, the Authority orders enforcement of the decision.<br />
<br />
No procedural costs were incurred during the official procedure, so the Authority did not rule on bearing them.<br />
<br />
* * *<br />
<br />
<br />
No administrative appeal lies against this decision, but within 30 days of its communication it may be challenged by a statement of claim addressed to the Metropolitan Court in an administrative lawsuit. The statement of claim must be submitted electronically to the Authority, which forwards it to the court together with the case documents (1). A request for a hearing must be indicated in the statement of claim. For those not entitled to full personal exemption from fees, the fee for the administrative lawsuit is HUF 30,000; the lawsuit is subject to the right of deferred payment of fees. In proceedings before the Metropolitan Court, legal representation is mandatory.<br />
<br />
(1) The NAIH_KO1 form (16.09.2019) is used to initiate an administrative lawsuit. The form can be filled out using the general form-filling program (ÁNYK) and forwarded together with its attachments.<br />
<br />
<br />
JUSTIFICATION<br />
<br />
I. Course of the procedure<br />
<br />
(1) At the Applicant's request, on the basis of Section 60(1) of Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter: Infotv.), after the Applicant had complied with the request to supplement his application, official data protection proceedings were initiated on 15 June 2022.<br />
<br />
(2) In its order, the Authority invited the Respondents to make a statement clarifying the facts, with reference to Section 63 of Act CL of 2016 (hereinafter: Ákr.); the Respondents' answers arrived at the Authority within the deadline.<br />
<br />
(3) The Authority notified the Applicant and the Respondents that the evidentiary procedure had been completed and drew their attention to the possibility of making a statement or observation. Respondent 2 exercised its right to inspect the documents. Neither the Applicant nor the Respondents exercised their right to make a statement.<br />
<br />
<br />
II. Clarification of the facts<br />
<br />
II.1. The Applicant's request (NAIH-5460-1/2022.)<br />
<br />
(4) In his application submitted to the Authority on 21 May 2022, the Applicant stated that on 7 April 2022 he received a letter from the e-mail address [...], in which [...] wrote: "while browsing the profiles of job seekers, your profile stood out to me." The letter was signed by [...] as head of the office of Respondent 2, and the signature block also stated that Respondent 2 is a member of Respondent 1's network.<br />
<br />
(5) Since the Applicant had never given his contact details to the writer of the letter ([...] and Respondent 2), and since he did not know which data sheet was being referred to, he asked in his reply sent to [...] the same day to be informed how the sender had obtained the Applicant's address and what other data had been given to him. Because he received no answer, the Applicant wrote to Respondent 2 again on 11 May 2022, mentioning that if no answer was given he would file a report with the Authority. According to his application of 21 May 2022, the Applicant received no answer to this letter either.<br />
<br />
(6) The Authority called on the Applicant to supplement his application; the Applicant submitted his definite request regarding the procedure in his statement received on 14 June 2022.<br />
<br />
(7) In supplementing his application (NAIH-5460-3/2022.), the Applicant requested that the Authority:<br />
<br />
- examine the relationship between Respondent 1 and Respondent 2, and which of them is responsible for the processing of his data; establish whether there has been a violation due to the failure to respond and, if so, find that the request submitted on the basis of his right of access was not properly fulfilled;<br />
- in the event of a violation, oblige the controller to respond.<br />
<br />
II.2. Statement of Respondent 1 (NAIH-5460-6/2022.)<br />
<br />
(8) Respondent 1 operates the national real estate brokerage franchise network [...]. The franchise partner businesses in a franchise relationship with Respondent 1 operate under the trademark [...], but carry out their economic activities independently. As operator of [...], Respondent 1 may enter into framework contracts with certain businesses for the benefit of the franchise partners' customers. For this reason, Respondent 1 is in a framework contract with [...] Kft. A copy of the referenced contract was sent to the Authority by Respondent 1.<br />
<br />
(9) Under the referenced framework agreement, the database of job seekers registered on the [...] website is accessed by the franchise partner that uses this service of [...]. Respondent 2, indicated in the order as a franchise partner of Respondent 1, uses the [...] service. The individual franchise partners receive online access to the database directly from [...] Kft. Each franchise partner business carries out its recruitment activities independently, and thus as an independent controller.<br />
<br />
(10) To Respondent 1's knowledge, franchise partners with access to the database can contact the data subjects. According to Respondent 1's assumption, Respondent 2 may have come into contact with the Applicant by using this service.<br />
<br />
(11) Respondent 1 does not process the Applicant's data. Respondent 1 is also unable to state whether Respondent 2 or the office manager of the franchise partner, [...], received the Applicant's request and whether he responded to it.<br />
<br />
<br />
II.3. Statement of Respondent 2 (NAIH-5460-7/2022.)<br />
<br />
(12) Respondent 2 uses the service provided by [...] Kft. to the partners of [...] on the basis of the framework agreement between [...] Kft. and Respondent 1, which operates [...].<br />
<br />
(13) As a customer of the service, Respondent 2 has access to the database on the [...] website in which job seekers, with their consent, can be contacted for recruitment purposes. The legal basis for the processing is the data subject's voluntary consent, given on the website concerned [...], to being contacted by those offering him a job, in this case Respondent 2.<br />
<br />
(14) Due to an administrative error, the Applicant's data subject request was not answered on the merits. According to Respondent 2's statement, this omission was detected after receipt of the Authority's order.<br />
<br />
(15) Respondent 2 became the controller of the Applicant's data by using the [...] database service, on the basis of the voluntary consent given by the Applicant on the [...] website, which allowed Respondent 2 to access the data. Respondent 2 used the Applicant's name and e-mail address when making the inquiry; it does not process his other data. The inquiry in question was sent by the manager of the real estate office operated by Respondent 2 for recruitment purposes.<br />
<br />
(16) Respondent 2 sent the Authority a copy of the electronic letter sent to the Applicant at [...], about which it declared, as explained in paragraph (14), that it only noticed after receiving the Authority's order that an administrative error had occurred. The letter shows [...] as the sender and bears the date 12.05.2022, and the e-mail address was mistyped: it was sent not to [...] but to the [...] e-mail address.<br />
<br />
<br />
The text of the letter is as follows:<br />
<br />
"Dear […]!<br />
<br />
Our company is a subscriber to the [...] job search portal, whose database contains your e-mail address as a current job seeker. If you are not currently looking for a job, please permanently delete your profile on […], which can be done in the settings menu after logging in.<br />
<br />
We only received your e-mail address; we do not store any other data about you and have no other information about you.<br />
<br />
At the same time, we declare that we have deleted it from our address list!<br />
<br />
Best regards:<br />
<br />
[...]"<br />
<br />
<br />
III. Applicable legal provisions<br />
<br />
(17) The GDPR must be applied to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. For processing falling under the GDPR, pursuant to Section 2(2) of the Infotv., the GDPR must be applied with the supplements indicated there.<br />
<br />
(18) Pursuant to points 1, 2 and 7 of Article 4 GDPR:<br />
1. "personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;<br />
2. "processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;<br />
7. "controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;<br />
<br />
(19) Pursuant to paragraphs (1)-(6) of Article 12 GDPR:<br />
<br />
(1) The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.<br />
(2) The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.<br />
(3) The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.<br />
<br />
(20) Pursuant to Article 15(1) GDPR:<br />
(1) The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:<br />
a) the purposes of the processing;<br />
b) the categories of personal data concerned;<br />
c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;<br />
d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;<br />
e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;<br />
f) the right to lodge a complaint with a supervisory authority;<br />
g) where the personal data are not collected from the data subject, any available information as to their source;<br />
h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.<br />
<br />
(21) Pursuant to points b) and d) of Article 58(2) GDPR, each supervisory authority shall have the following corrective powers:<br />
<br />
b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;<br />
d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period.<br />
<br />
(22) Pursuant to Article 77(1) GDPR, without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.<br />
<br />
(23) Pursuant to Section 60(1) of the Infotv., in order to enforce the right to the protection of personal data, the Authority initiates official data protection proceedings at the request of the data subject, and may initiate official data protection proceedings ex officio.<br />
<br />
(24) Pursuant to Section 71(1) of the Infotv., during its procedure the Authority may, to the extent and for the duration necessary for conducting it, process all personal data, as well as data classified by law as protected secrets or secrets bound to the exercise of a profession, which are related to the procedure and whose processing is necessary for the successful completion of the procedure.<br />
<br />
(25) Pursuant to Section 46(1) of the Ákr., the authority rejects the application if<br />
a) a statutory condition for initiating the procedure is missing and the law attaches no other legal consequence to this.<br />
<br />
(26) Pursuant to Section 47(1) of the Ákr., the authority terminates the procedure if<br />
a) the application should have been rejected, but the reason for this came to the authority's attention only after the initiation of the procedure.<br />
<br />
<br />
IV. Decision<br />
<br />
IV.1. The Applicant's personal data, the nature of the processing<br />
<br />
(27) Under Article 4 point 1 GDPR, the Applicant's contact details, surname, first name and e-mail address are the Applicant's personal data, and the storage of these data constitutes processing under Article 4 point 2 GDPR.<br />
<br />
(28) The Respondents declared to the Authority that Respondent 2 determines the purposes and means of the processing independently and is therefore an independent controller, since it has independent decision-making authority over the processing of the personal data of job seekers taken over from [...], including the Applicant's personal data.<br />
<br />
(29) Consequently, Respondent 2, as controller, was obliged to fulfil the Applicant's data subject request and to provide him with information in connection with it.<br />
<br />
(30) The subject of the present proceedings was only the examination of whether the Applicant's data subject request had been properly fulfilled in accordance with the GDPR; the Authority did not examine the conditions of the processing of the Applicant's personal data, i.e. of their receipt from [...].<br />
<br />
IV.2. Fulfilment of the access request and the related obligation to provide information<br />
<br />
(31) The data subject's right of access is regulated by Article 15 GDPR. On this basis, the data subject is entitled to receive confirmation from the controller as to whether personal data concerning him are being processed and, if so, to receive information about the purposes of the processing, the categories of personal data concerned, the recipients to whom his personal data have been or will be disclosed, the period of their storage, the source of the data, the exercise of the data subject's rights and the right to lodge a complaint with the authority.<br />
<br />
(32) On 7 April 2022, the Applicant turned to Respondent 2 with his access request. As detailed in paragraph (14), Respondent 2 noticed only after receiving the Authority's order that, due to an administrative error, the request had not been fulfilled.<br />
<br />
(33) Pursuant to Article 12(3) GDPR, Respondent 2 should have informed the Applicant about his access request within one month of its receipt. Accordingly, the one-month deadline for responding to the access request sent by the Applicant to Respondent 2 expired on 7 May 2022, so Respondent 2 should have informed the Applicant by that date. However, Respondent 2 failed to inform the Applicant within that deadline; according to its statement sent to the Authority, the reason was an administrative error. According to its statement and the attached copy of the e-mail, the Applicant's e-mail address was mistyped, which is why he did not receive Respondent 2's reply. According to the attached copy, Respondent 2 would have sent its reply on 12 May 2022, i.e. after the Applicant's reminder e-mail (in which he again requested access and stated that he would turn to the Authority if the request was not complied with), thus exceeding the one-month deadline under Article 12(3) GDPR.<br />
<br />
(34) Respondent 2 claimed that it did not answer the Applicant's data subject request due to an administrative error; according to this, it was unintentional conduct that caused Respondent 2 not to fulfil the data subject request at all. In the Authority's view, this argument does not exempt Respondent 2 from its responsibility as controller, given that, pursuant to Article 4 point 7 GDPR, Respondent 2 is the controller. It is Respondent 2 that organises the processing and shapes its circumstances. The most important feature of a controller is that it has substantive decision-making authority and is responsible for fulfilling all obligations laid down in the general data protection regulation in respect of the processing. For the above reasons, the Authority found that Respondent 2 violated Article 15(1) GDPR.<br />
<br />
<br />
(35) According to Guidelines 07/2020 of the European Data Protection Board on the concepts of controller and processor in the GDPR (hereinafter: Guidelines): "Sometimes, companies and public bodies appoint a specific person responsible for the implementation of data protection rules. Even if a specific natural person is appointed to ensure compliance with data protection rules, this person will not be the controller but will act on behalf of the legal entity (company or public body), which will be ultimately responsible in case of infringement of the rules in its capacity as controller. Similarly, even though a particular department or unit of an organisation is operationally responsible for ensuring compliance for certain processing activities, this does not mean that this department or unit will be the controller (rather than the organisation as a whole)." The summary of the Guidelines further notes in this regard: "As a general rule, there is no limitation as to the type of entity that may assume the role of a controller, but in practice it is usually the organisation as such, and not an individual within the organisation (such as the CEO, an employee or a member of the board), that acts as a controller."<br />
<br />
(36) On the basis of all this, the violation in the present case falls under the responsibility of Respondent 2 as controller. Article 25 GDPR requires the controller to implement appropriate technical and organisational measures throughout its entire processing to ensure that data subject requests are fulfilled in a timely manner.<br />
<br />
IV.3. Request to oblige Respondent 2 to fulfil the data subject request<br />
<br />
(37) Considering that, as established in paragraph (34) of this decision, Respondent 2 did not comply with the Applicant's access request, the Authority granted the Applicant's request and obliged Respondent 2 to comply with it.<br />
<br />
IV.4. Request to oblige Respondent 1 to fulfil the data subject request<br />
<br />
(38) Since Respondent 1 does not qualify as controller in respect of the processing complained of in the application, for the reasons set out in point IV.1 of this decision, namely that Respondent 2 qualifies as controller in connection with the examined processing, the Authority rejected the Applicant's request regarding Respondent 1.<br />
<br />
IV.5. Legal consequences<br />
<br />
(39) The Authority reprimands Respondent 2 on the basis of Article 58(2) point b) GDPR, because it violated Article 15(1) GDPR.<br />
<br />
(40) In accordance with Article 58(2) point d) GDPR, the Authority ordered Respondent 2 to fulfil the Applicant's access request.<br />
<br />
(41) The Authority exceeded the administrative deadline under Section 60/A(1) of the Infotv.; therefore, on the basis of Section 51(1) point b) of the Ákr., HUF 10,000, i.e. ten thousand forints, is due to the Applicant, at his choice by bank transfer or postal order.<br />
<br />
V. Other questions:<br />
<br />
<br />
(42) The competence of the Authority is defined by Section 38(2) and (2a) of the Infotv., and its jurisdiction covers the entire territory of the country.<br />
<br />
(43) The decision is based on Sections 80-81 of the Ákr. and Section 61(1) of the Infotv. Pursuant to Section 82(1) of the Ákr., the decision becomes final upon its communication. On the basis of Sections 112, 116(1) and 114(1) of the Ákr., the decision may be challenged by way of an administrative lawsuit.<br />
<br />
* * *<br />
(44) The rules of administrative litigation are laid down in Act I of 2017 on Administrative Court Procedure (hereinafter: Kp.). Pursuant to Section 12(1) of the Kp., the administrative lawsuit against the Authority's decision falls within the jurisdiction of the court; pursuant to Section 13(3) point a) sub-point aa) of the Kp., the Metropolitan Court has exclusive competence. Pursuant to Section 27(1) point b) of the Kp., legal representation is mandatory in a lawsuit within the court's jurisdiction. Pursuant to Section 39(6) of the Kp., the submission of the statement of claim does not have suspensive effect on the entry into force of the administrative act.<br />
<br />
(45) Pursuant to Section 29(1) of the Kp. and, in view of this, Section 604 of the Pp., under Section 9(1) point b) of Act CCXXII of 2015 on the General Rules of Electronic Administration and Trust Services (hereinafter: E-Administration Act), the client's legal representative is obliged to maintain electronic contact.<br />
<br />
(46) The time and place of filing the statement of claim are determined by Section 39(1) of the Kp. The information on the possibility of requesting a hearing is based on Section 77(1)-(2) of the Kp. The amount of the fee for the administrative lawsuit is determined by Section 45/A(1) of Act XCIII of 1990 on Fees (hereinafter: Itv.). Section 59(1) and Section 62(1) point h) of the Itv. exempt the party initiating the procedure from advance payment of the fee.<br />
<br />
(47) If Respondent 2 does not adequately certify the fulfilment of the prescribed obligation, the Authority considers that the obligation was not fulfilled within the deadline. Pursuant to Section 132 of the Ákr., if the obligor has not complied with the obligation contained in the final decision of the authority, it is enforceable. Pursuant to Section 82(1) of the Ákr., the Authority's decision becomes final upon its communication. Pursuant to Section 133 of the Ákr., enforcement is ordered by the decision-making authority, unless otherwise provided by an act or government decree. Pursuant to Section 134 of the Ákr., enforcement is carried out by the state tax authority, unless otherwise provided by an act, government decree or municipal decree.<br />
<br />
(48) During the procedure, the Authority exceeded the administrative deadline of one hundred and fifty days under Section 60/A(1) of the Infotv.; therefore, on the basis of Section 51 point b) of the Ákr., it pays ten thousand forints to the Applicant.<br />
<br />
<br />
dated: Budapest, according to the electronic signature<br />
<br />
Dr. Habil. Attila Péterfalvi<br />
president<br />
c. professor<br />
</pre></div>https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_40/2024APD/GBA (Belgium) - 40/20242024-03-14T07:32:08Z<p>Nzm: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Belgium<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoBE.png<br />
|DPA_Abbrevation=APD/GBA<br />
|DPA_With_Country=APD/GBA (Belgium)<br />
<br />
|Case_Number_Name=40/2024<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=GBA<br />
|Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/bevel-nr.-40-2024.pdf<br />
|Original_Source_Language_1=Dutch<br />
|Original_Source_Language__Code_1=NL<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Other Outcome<br />
|Date_Started=24.01.2024<br />
|Date_Decided=23.02.2024<br />
|Date_Published=<br />
|Year=2024<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 12(3) GDPR<br />
|GDPR_Article_Link_1=Article 12 GDPR#3<br />
|GDPR_Article_2=Article 12(4) GDPR<br />
|GDPR_Article_Link_2=Article 12 GDPR#4<br />
|GDPR_Article_3=Article 17(1) GDPR<br />
|GDPR_Article_Link_3=Article 17 GDPR#1<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=nzm<br />
|<br />
}}<br />
<br />
The DPA ordered a controller that had been sending unsolicited letters to a data subject to erase the data subject's data, after the controller failed to respond to the data subject's erasure request.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The data subject received unsolicited letters from the controller on a regular basis. On 27 July 2023, the data subject asked the controller to delete his data and to stop the communications. The data subject alleged that the influx of letters increased after this request. The data subject lodged a complaint with the Belgian DPA (“APD”), asking it to force the controller to delete his data.<br />
<br />
=== Holding ===<br />
[[Article 17 GDPR#1|Article 17(1) GDPR]] establishes that, under certain conditions, a data subject may obtain the erasure of personal data without undue delay. [[Article 12 GDPR#3|Article 12(3) GDPR]] specifies this period: the controller must provide information on the action taken on a request concerning the data subject's rights without undue delay and in any event within one month of receipt of the request. This period may be extended by two further months where necessary. [[Article 12 GDPR#4|Article 12(4) GDPR]] adds that if the controller does not take action, it must inform the data subject without delay, and at the latest within one month of receiving the request, of the reasons for not taking action and of the possibility of lodging a complaint with the DPA.<br />
<br />
In the present case, the APD found that the controller did not respond to the erasure request. Therefore, the DPA concluded that there was a breach of [[Article 12 GDPR#3|Articles 12(3)]], [[Article 12 GDPR#4|12(4)]] and [[Article 17 GDPR#1|17(1) GDPR]] and ordered the controller to proceed with the deletion of the data subject’s data.<br />
<br />
== Comment ==<br />
As this was a prima facie decision, if the controller does not agree with the contents of the decision or believes that it has factual and/or legal arguments that could lead to a different decision, it may submit a request for a hearing to the APD within 30 days of the notification of the decision.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.<br />
<br />
<pre><br />
Dispute Chamber<br />
<br />
Decision 40/2024 of February 23, 2024<br />
<br />
File number: DOS-2024-00171<br />
<br />
Subject: complaint for failure to respond to a request for data erasure<br />
<br />
The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke HIJMANS, sole chairman;<br />
<br />
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and regarding the free movement of such data and to the revocation of Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;<br />
<br />
Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter “WOG”;<br />
<br />
In view of the internal rules of order, as approved by the House of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;<br />
<br />
Considering the documents in the file;<br />
<br />
Has made the following decision regarding:<br />
<br />
Complainant: Mr and Mrs X, hereinafter “the complainant”<br />
<br />
The defendant: Y, hereinafter “the defendant”<br />
<br />
I. Facts and procedure<br />
<br />
1. The subject of the complaint concerns the failure to respond to the complainant's request to delete data so that it no longer receives written communication from the defendant, being a non-profit organization.<br />
<br />
2. On January 11, 2024, the complainant submits a complaint to the Data Protection Authority against the defendant. In the complaint, the complainant states that he receives unsolicited letters on a very regular basis of the defendant. On July 27, 2023, the complainant wrote to the chairman from the defendant asking him to delete his data in order to make these communications fuses. The complainant states that the influx of letters continues after this communication increased, which is also demonstrated by copies of communications from the defendant on dates of August 11, 2023, September 4, 2023, October 18, 2023, 9 November 2023, December 4, 2023 and December 12, 2023. The complainant asks the GBA between to force the defendant to erase his data.<br />
<br />
3. On January 24, 2024, the complaint will be declared admissible by the First Line Service [1] on the basis of articles 58 and 60 of the WOG and the complaint is filed on the basis of article 62, § 1 of the WOG transferred to the Disputes Chamber. [2]<br />
<br />
4. In accordance with Article 95, § 2, 3° of the WOG as well as Article 47 of the internal regulations order of the GBA, the parties can request a copy of the file. If one both parties wish to make use of the opportunity to consult and copying the file, he or she must contact the secretariat of the Disputes Chamber, preferably via litigationchamber@apd-gba.be.<br />
<br />
<br />
<br />
II. Justification<br />
<br />
5. Article 17.1 GDPR provides that the data subject of the controller without can obtain the deletion of personal data relating to him without unreasonable delay. The controller is obliged to process personal data without unreasonable delay to erase when the personal data is no longer necessary for the purposes for which they were collected or otherwise processed.<br />
<br />
6. In accordance with Article 12.3 GDPR, the controller shall provide the person concerned without delay and in any case within one month of receipt of the request pursuant to Articles 15 to 22 GDPR information about the outcome of the request is given. [3] Depending on the complexity of the requests and the number of requests that period may be extended by a further two months if necessary. The controller shall inform the data subject within one month of receipt of the request of such extension.<br />
<br />
7. The Disputes Chamber determines that the complainant is on the basis of the documents supporting the complaint exercised the right to erasure of data on July 27, 2023. The Disputes Chamber can however, it cannot be determined on the basis of the complaint that the complainant has received an answer. The inde documents attached communication from the defendant on the date of August 11, 2023, 4 September 2023, October 18, 2023, November 9, 2023, December 4, 2023 and December 12 2023, however, the Disputes Chamber suspects that there has been an infringement against it Articles 12.3 and 12.4 GDPR, as well as Article 17.1 GDPR. [4]<br />
<br />
8. Based on the above analysis, it could be concluded that the defendant has committed an infringement of the provisions of the GDPR, which justifies this in this case a decision will be taken on the basis of Article 95, § 1, 5° of the WOG, in particular to order the defendant to comply with the exercise by the complainant of his right to erasure (Article 17.1 GDPR) and this in particular in view on the documents that the complainant has provided showing that the complainant is the defendant has requested that his data be deleted.<br />
<br />
[1] In accordance with Article 61 of the WOG, the Disputes Chamber hereby informs the parties that the complaint is admissible declared.<br />
[2] In accordance with Article 95, § 2 of the WOG, the Disputes Chamber hereby informs the parties that the file will be sent to has been transferred to her as a result of this complaint.<br />
<br />
<br />
9. This decision is a prima facie decision taken by the Disputes Chamber in accordance with Article 95 of the WOG on the basis of the complaint submitted by the complainant, in the context of the “procedure prior to the decision on the merits” [5] and none decision on the merits of the Disputes Chamber within the meaning of Article 100 of the WOG.<br />
<br />
The Disputes Chamber has thus decided, on the basis of Article 58.2.c) GDPR and Article 95, § 1, 5° of the WOG, to order the defendant to comply with the request of the data subject to exercise his rights, in particular the right to erasure (“right to be forgotten”) as provided for in Article 17 GDPR.<br />
<br />
10. The purpose of this decision is to inform the defendant of the fact that this has committed an infringement of the provisions of the GDPR and has the opportunity to do so still agree to comply with the aforementioned provisions.<br />
<br />
11. If the defendant does not agree with the content of the present prima facie decision and is of the opinion that it can apply factual and/or legal arguments that could lead to a different decision, this can be done via the e-mail address litigationchamber@apd-gba.be send a request to hear the merits of the case to the Disputes Chamber within 30 days after notification of this decision. The implementation of this decision will, if necessary, continue for a period of time suspended for the aforementioned period.<br />
<br />
12. In the event of a continuation of the merits of the case, the Dispute Chamber the parties on the basis of Articles 98, 2° and 3° in conjunction with Article 99 WOG invite them to submit their defenses as well as any documents they consider useful in the case file to add. If necessary, the present decision will be permanently suspended.<br />
<br />
13. Finally, for the sake of completeness, the Disputes Chamber points out that a hearing on the merits of the case may lead to the imposition of the measures stated in Article 100 of the WOG. [6]<br />
<br />
[3] Article 12 GDPR<br />
[…]<br />
3. The controller shall provide the data subject without undue delay and in any case within one month of receipt the request pursuant to Articles 15 to 22 information about the consequence that has been given to the request. Depending on the complexity of the requests and the number of requests may extend this period by another two months if necessary be extended. The controller shall notify the data subject within one month of receiving the request notice of such extension. When the data subject submits his request electronically, the information is if may be provided electronically, unless the data subject requests otherwise.<br />
4. When the controller does not respond to the data subject's request, he shall communicate the latter without delay and at the latest within one month of receipt of the request why the request was unsuccessful and informs him of the possibility to file a complaint to a supervisory authority and to appeal to the courts. […]<br />
[4] Article 17 GDPR<br />
1. The data subject has the right to have his or her data erased without undue delay by the controller concerning personal data and the controller is obliged to obtain personal data without unreasonable delay where one of the following applies:<br />
a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;<br />
b) the data subject withdraws consent to which processing is carried out in accordance with Article 6(1)(a) or Article 9(2)(a) is based on, and there is no other legal basis for, the processing;<br />
c) the data subject objects to the processing in accordance with Article 21(1), and there are no mandatory legitimate grounds for the processing, or the data subject objects to the processing in accordance with Article 21(2);<br />
d) the personal data have been processed unlawfully;<br />
e) the personal data must be erased in order to comply with a requirement laid down in Union or Member State law legal obligation incumbent on the controller;<br />
f) the personal data have been collected in connection with an offer of information society services as referred to in Article 8(1).<br />
<br />
<br />
<br />
<br />
<br />
<br />
[5] Section 3, Subsection 2 of the WOG (Articles 94 to 97).<br />
<br />
[6] Article 100. § 1. The Disputes Chamber has the authority to:<br />
1° to dismiss a complaint;<br />
2° to order the dismissal of prosecution;<br />
3° order the suspension of the ruling;<br />
4° to propose a settlement;<br />
5° formulate warnings and reprimands;<br />
6° order that the data subject's requests to exercise his rights be complied with;<br />
7° to order that the person concerned is informed of the security problem;<br />
8° order that processing be temporarily or permanently frozen, restricted or prohibited;<br />
9° to order that the processing be brought into compliance;<br />
10° the rectification, limitation or deletion of data and its notification to the recipients of the data recommend data;<br />
11° order the withdrawal of the recognition of certification bodies;<br />
12° to impose penalty payments;<br />
13° to impose administrative fines;<br />
14° the suspension of cross-border data flows to another State or an international institution command;<br />
15° to transfer the file to the public prosecutor's office in Brussels, who will inform it of the follow-up given to the file;<br />
16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.<br />
<br />
an objection petition must be submitted to the registry of the Market Court in accordance with Article 1034quinquies of the Dutch Civil Code [8] or via e-Deposit IT system of Justice (Article 32ter of the Judicial Code).<br />
<br />
(get). Hielke HIJMANS<br />
<br />
Chairman of the Disputes Chamber<br />
<br />
[8] The petition with its attachment will be sent by registered letter, in as many copies as there are parties involved, deposited with the clerk of the court or at the registry.<br />
</pre></div>Nzmhttps://gdprhub.eu/index.php?title=CJEU_-_C-604/22_-_IAB_EuropeCJEU - C-604/22 - IAB Europe2024-03-13T12:59:55Z<p>Mg: /* Facts */</p>
<hr />
<div>{{CJEUdecisionBOX<br />
<br />
|Case_Number_Name=C-604/22 IAB Europe<br />
|ECLI=ECLI:EU:C:2024:214<br />
<br />
|Opinion_Link=<br />
|Judgement_Link=https://curia.europa.eu/juris/document/document.jsf;jsessionid=1B4AC3B3DAD65A64738F60FD0CB27C49?text=&docid=283529&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=1356998<br />
<br />
|Date_Decided=07.03.2024<br />
|Year=2024<br />
<br />
|GDPR_Article_1=Article 4(1) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#1<br />
|GDPR_Article_2=Article 4(7) GDPR<br />
|GDPR_Article_Link_2=Article 4 GDPR#7<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Reference_Body=Court of Appeal, Brussels<br />
|Reference_Case_Number_Name=<br />
<br />
|Initial_Contributor=mg<br />
|<br />
}}<br />
<br />
The CJEU held that a string used to inform advertisers of a user’s consent preferences is personal data, and that IAB Europe, the entity providing the framework for the use of such a string, is a controller under the GDPR. However, its controllership does not extend to the advertising processing activities that take place on the basis of the consent collected through the string.<br />
<br />
==English Summary==<br />
<br />
=== Facts ===<br />
IAB Europe (‘IAB’) is an association of undertakings active in the field of digital advertising. IAB developed the “Transparency & Consent Framework” (“the TCF”) which provides a set of rules and technical standards for firms operating in this sector. The purpose is to make processing of personal data for online advertising compliant with the GDPR.<br />
<br />
In particular, the TCF specifies how those operators should use the OpenRTB protocol, a widely used Real Time Bidding (‘RTB’) system. RTB consists of an instant and automated online auction of users’ profiles for the purpose of selling and purchasing advertising space online. When an internet user visits a webpage where advertising space is available, the server sends the user’s data to a platform where advertisers representing thousands of brands can bid in order to win a spot to display their advertisements. The advertising is personalised in the sense that advertisers bid not only on the available space, but also on the basis of the features of the user visiting the page (such as location, marketing profiles, browsing history etc.).<br />
<br />
As the bid entails processing of personal data, for this operation to be possible users are asked to give their consent when they first visit the publisher’s website through a Consent Management Platform (‘CMP’). Consent preferences are stored in a Transparency and Consent String (‘TC String’) that is subsequently shared with advertisers and data brokers, in order to show whether a user has given consent to the processing of personal data. In parallel, the CMP places a cookie – euconsent-v2 – on the user’s device. Importantly, the combination of a TC String and the euconsent-v2 cookie can reveal the user’s IP address.<br />
<br />
On 2 February 2022, the Belgian DPA, acting as lead supervisory authority (LSA), found that TC Strings are personal data and that IAB is a controller pursuant to the GDPR. The DPA found GDPR violations and imposed an administrative fine.<br />
<br />
IAB appealed the decision before the Court of Appeal of Brussels. It claimed that the TC String is not personal data pursuant to [[Article 4 GDPR#1|Article 4(1) GDPR]] and that IAB is not a controller under [[Article 4 GDPR#7|Article 4(7) GDPR]].<br />
<br />
The court referred some preliminary questions to the CJEU. In particular, the referring court asked whether the TC String can be considered personal data and whether IAB was joint controller with its members with regard to the processing of such a string.<br />
<br />
=== Holding ===<br />
Concerning the first question, the CJEU highlighted that personal data under [[Article 4 GDPR#1|Article 4(1) GDPR]] is any information relating to an identified or identifiable person. A person can be identifiable both directly and indirectly. By this, the CJEU means that it is not necessary that the information alone allows the data subject to be identified: data that can be attributed to a person by means of additional information is also personal data. According to Recital 26 GDPR, identifiability is linked to the concept of reasonable means, in the sense that a controller does not need to hold all the information necessary to identify the person; it is sufficient that the controller is in a position to retrieve such identifying information without disproportionate effort.<br />
<br />
In the present case, the Court noted that a TC String, despite not containing elements that enable the identification of the data subject, still contains preferences that are specific to a single user. If the TC String is linked to an identifier, such as (but not only) an IP address, a specific user can be singled out and identified. <br />
<br />
The Court stressed that the fact that IAB could not directly combine the TC String with additional identifiers, nor had direct access to such identifiers, is irrelevant, as IAB was entitled to require this data through “external contributions” from its adhering members. The CJEU considered this element sufficient to meet the ‘reasonable means’ requirement for the identification of a person.<br />
<br />
Concerning the second question, the Court recalled that the GDPR aims at guaranteeing a high level of protection of the fundamental rights and freedoms of natural persons, in particular as enshrined in Article 8(1) of the Charter. Therefore, the notion of controller in [[Article 4 GDPR#7|Article 4(7) GDPR]] shall be interpreted broadly.<br />
<br />
To answer the question of controllership with regard to IAB, the Court then assessed whether the latter exerted influence over the processing for its own purposes and determined, jointly with others, purposes and means of the processing. <br />
<br />
With regard to the purpose of the processing, the CJEU found that the TCF aimed at promoting and enabling the sale and purchase of advertising space on the internet by making such an activity compliant with the GDPR. In this context, IAB undoubtedly exerted an influence over personal data processing that was undertaken for a purpose that belonged, among others, to IAB.<br />
<br />
With regard to the means of the processing, the CJEU held that the members of IAB were supposed to accept IAB’s rules and technical standards. If they did not, IAB could suspend their participation in the TCF, making compliance with the GDPR in the context of RTB more complex. Moreover, IAB technical specifications included detailed rules on how to generate and store the TC String. Thus, IAB also largely determined the means of the processing.<br />
<br />
However, the CJEU distinguished between certain processing operations for which IAB Europe actually determined purposes and means, e.g. the creation, sharing and storage of the TC String, and subsequent processing operations that are made possible by the TC String but on which IAB did not exert any influence, such as the advertising operations (sharing, targeting) undertaken by entities on the basis of the user’s preferences stored in the TC String. The Court held that IAB was joint controller with its members only with regard to the first group of processing activities.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''</div>Mghttps://gdprhub.eu/index.php?title=BGH_-_VI_ZR_15/23BGH - VI ZR 15/232024-03-13T10:34:43Z<p>Ec: </p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Germany<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=BGH<br />
|Court_Original_Name=Bundesgerichtshof<br />
|Court_English_Name=German Supreme Court<br />
|Court_With_Country=BGH (Germany)<br />
<br />
|Case_Number_Name=VI ZR 15/23<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=BGH<br />
|Original_Source_Link_1=http://juris.bundesgerichtshof.de/cgi-bin/rechtsprechung/document.py?Gericht=bgh&Art=en&az=VI%2520ZR%252015/23&nr=136781<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Date_Decided=06.02.2024<br />
|Date_Published=<br />
|Year=2024<br />
<br />
|GDPR_Article_1=Article 15(1) GDPR<br />
|GDPR_Article_Link_1=Article 15 GDPR#1<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_From_Body=OLG Celle<br />
|Appeal_From_Case_Number_Name=8 U 165/22<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=https://openjur.de/u/2460453.html<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=ec<br />
|<br />
}}<br />
<br />
The Supreme Court found that a data subject has no right to a copy of documents justifying premium increases in an insurance contract, unless they show how these documents are necessary to contextualise and ensure the comprehensibility of their personal data.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The data subject has private health and long-term care insurance with the controller. The controller increased the contributions in 2018 and 2020. The data subject considers the premium increases to be unlawful. Consequently, in civil court, the data subject requested information on the basis of [[Article 15 GDPR#1|Article 15(1) GDPR]] from the controller about premium increases starting from 2016, including justifications for the premium adjustment and supplements to the insurance policy. <br />
<br />
The Landgericht Verden (Regional Court of Verden) upheld the action. <br />
<br />
The controller appealed the decision to the Oberlandesgericht Celle (Higher Regional Court of Celle). However, the Court of Appeal also held that the data subject is entitled to the asserted right to information under [[Article 15 GDPR#1|Article 15(1) GDPR]]. It found that letters from the controller to the data subject, even standard letters sent to a large number of recipients with the same content, are subject to the right to information as they contain information about the data subject. <br />
<br />
The controller appealed to the Bundesgerichtshof (German Supreme Court).<br />
<br />
=== Holding ===<br />
The Supreme Court held that the access request by the data subject cannot be affirmed based on the reasoning of the Court of Appeal.<br />
<br />
[[Article 15 GDPR]] and the GDPR as such are applicable, even if the processing occurred before the GDPR came into force in 2018. This is because the request was submitted after 2018. The CJEU previously ruled that “it is applicable to a request for access to the information referred to in that provision where the processing operations which that request concerns were carried out before the date on which that regulation became applicable, but the request was submitted after that date.” (see [https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:62021CJ0579 CJEU Case C-579/21], para 36).<br />
<br />
However, [[Article 15 GDPR]] cannot be used in the case at issue, because of the following reasons:<br />
<br />
Firstly, in light of the broad scope of personal data under [[Article 4 GDPR#1|Article 4(1) GDPR]], letters from the data subject to the controller are to be classified as personal data in their entirety. However, letters from the controller to the data subject are only personal data if they contain information about the data subject in accordance with the criteria in [[Article 4 GDPR#1|Article 4(1) GDPR]]. Therefore, only the personal data of an insurance policy falls under [[Article 15 GDPR#1|Article 15(1) GDPR]]. <br />
<br />
Secondly, the data subject’s request was for a copy of the controller’s entire letter justifying the premium increase in 2016 including the attachments. However, the letters and attached annexes of the controller as a whole do not contain personal data. <br />
<br />
Thirdly, the data subject does not have any right under [[Article 15 GDPR#3|Article 15(3) GDPR]] to a copy of the explanatory letter and attachments. The term “copy” in [[Article 15 GDPR#3|Article 15(3) GDPR]] refers to the personal data it contains and not a document as such. Therefore, the copy must contain all personal data that is the subject of the processing. The CJEU previously ruled that the reproduction of excerpts from documents or even entire documents or excerpts from databases may be indispensable if the contextualisation of the processed data is necessary to ensure their comprehensibility and to guarantee the data subject the effective exercise of their rights (see [https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:62021CJ0487 CJEU C-487/21] paras 31-41 and 45, [https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:62021CJ0579 CJEU C-579/21] para 66 and [https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:62022CJ0307 CJEU C-307/22] para 74). However, this does not apply in this case, because the data subject did not argue why the complete letter of justification including attachments would be necessary and it was also not apparent why this otherwise would be necessary.<br />
<br />
The Supreme Court concluded that the case must be referred back to the Court of Appeal because of an unresolved issue under national law.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
From Article 15 Paragraph 1 and 3 GDPR there is generally no entitlement to copies of the letters of justification including attachments to premium adjustments in private health insurance (connection to BGH, judgment of September 27, 2023 - IV ZR 177/22, NJW 2023, 3490 Rn. 45 ff.).<br />
Tenor<br />
<br />
Upon the defendant's appeal, the judgment of the 8th Civil Senate of the Celle Higher Regional Court of December 15, 2022 is overturned in terms of costs and to the extent that the defendant's appeal against the judgment of the 8th Civil Chamber of the Verden Regional Court of January 12, 2022 with regard to the request for information has been rejected.<br />
<br />
To the extent of the annulment, the matter will be referred back to the appeal court for a new hearing and decision, including on the costs of the appeal proceedings.<br />
<br />
By law<br />
Facts of the case<br />
<br />
The plaintiff has private health and nursing care insurance with the defendant. The defendant increased the contributions in 2018 and 2020. The plaintiff considers the premium increases to be unlawful and, to the extent relevant to the appeal proceedings, calls on the defendant to provide him with information about further premium increases that took place in 2016 and to make available to him the cover letters, justifications and supplementary sheets on the premium adjustment as well as the addenda to the insurance certificate. He did not have the relevant documents.<br />
<br />
The regional court upheld the lawsuit in this respect. The higher regional court rejected the defendant's appeal. With the appeal approved by the appeal court regarding the right to information, the defendant is continuing to pursue its motion to dismiss the lawsuit in this regard.<br />
reasons<br />
<br />
I<br />
<br />
In the opinion of the appeal court, the plaintiff is entitled to the asserted right to information under Article 15 GDPR. The adjustment notifications are personal data within the meaning of Article 4 No. 1 GDPR. The term should be understood broadly. Letters from the defendant to the plaintiff were subject to the right to information insofar as they contained information about the plaintiff. Even if the defendant's letters were probably standard letters that were sent to a large number of recipients with the same content, they were at least related to the plaintiff's specific contract. Even if the plaintiff still has some of the disputed documents, the right to information is neither excessive nor abusive in any other way.<br />
<br />
II.<br />
<br />
These considerations do not stand up to legal scrutiny. Based on the reasons given by the appeal court, the claim to information asserted by the plaintiff cannot be affirmed.<br />
<br />
1. As the Federal Court of Justice decided after issuing the appeal judgment (judgment of September 27, 2023 - IV ZR 177/22, NJW 2023, 3490 Rn. 45 ff.), the asserted claim cannot be based on Art. 15 para. 1 and paragraph 3 GDPR.<br />
<br />
a) However, contrary to the opinion of the appeal, Article 15 GDPR is applicable in the event of a dispute in terms of time, although the processing operations to which the request for information relates took place in 2016 and thus before May 25, 2018 as the application date of the General Data Protection Regulation (Art. 99 Para. 2 GDPR). The disputed request for information itself was only submitted after this date (cf. ECJ, judgment of June 22, 2023 - C-579/21, NJW 2023, 2555 Rn. 36).<br />
<br />
b) Article 15 Para. 1 GDPR gives the data subject a right to information about the processing of personal data against the person responsible for data protection (Article 4 No. 7 GDPR). According to Art. 4 No. 1 GDPR, personal data is all information that relates to an identified or identifiable natural person (“data subject”). According to the case law of the Court of Justice of the European Union, the term is to be understood broadly. It is not limited to sensitive or private information, but potentially includes all types of information, both objective and subjective, provided that it is information about the person in question. The latter requirement is met if the information is linked to a specific person due to its content, purpose or effects (cf. ECJ, judgment of May 4, 2023 - C-487/21, NJW 2023, 2253 Rn. 23 f.; see also Senate, judgment of June 15, 2021 - VI ZR 576/19, NJW 2021, 2726 Rn. 22 with further references).<br />
<br />
According to these principles, letters from the data subject to the person responsible are to be classified as personal data based on their entire content, since the personal information already consists of the fact that the data subject has expressed themselves in the manner set out in the letter; but conversely - as is relevant here - letters from the person responsible to the data subject only to the extent that they contain information about the data subject according to the criteria mentioned above. Accordingly, only the personal data of an insurance certificate are not categorically excluded from the scope of application of Article 15 Para. 1 GDPR (BGH, judgment of September 27, 2023 - IV ZR 177/22, NJW 2023, 3490 Rn. 48; see also Senate, judgment of June 15, 2021 - VI ZR 576/19, NJW 2021, 2726 Rn. 25).<br />
<br />
c) The plaintiff's application aims to obtain a copy of the defendant's entire letter of justification for the contribution increase in 2016, including attachments. Although individual parts of these letters and attachments contain individual personal data of the plaintiff as the defendant's policyholder, neither the letters from the defendant themselves nor the attached attachments (additional sheets, addendum to the insurance certificate) in their entirety constitute personal data of the plaintiff. However, the plaintiff did not limit the asserted claim and his application to the personal data contained in the letters (cf. BGH, judgment of September 27, 2023 - IV ZR 177/22, NJW 2023, 3490 Rn. 46 ff.).<br />
<br />
d) The plaintiff cannot derive any right to receive a copy of the justification letter including attachments from Art. 15 Para. 3 GDPR. Art. 15 Para. 3 GDPR sets out the practical modalities for fulfilling the claim under Art. 15 Para. 1 GDPR, but does not grant any further claim of its own. The term “copy” in Article 15 (3) GDPR does not refer to a document as such, but to the personal data it contains. The copy must therefore contain all the personal data that are the subject of the processing. However, the reproduction of extracts from documents or even entire documents or even extracts from databases can prove to be essential when the contextualization of the data processed is necessary to ensure their comprehensibility and to ensure that the data subject can effectively exercise their rights (cf. ECJ, judgments of May 4, 2023 - C-487/21, NJW 2023, 2253 Rn. 31 f., 41, 45; of June 22, 2023 - C-579/21, NJW 2023, 2555 Rn. 66; of October 26, 2023 - C-307/22, NJW 2023, 3481 Rn. 74 f.; BGH, judgment of September 27, 2023 - IV ZR 177/22, NJW 2023, 3490 Rn. 51 ff.).<br />
<br />
This exception does not apply in this case. The plaintiff has neither stated nor is it otherwise apparent that the contextualization of the processed data would be necessary to ensure their comprehensibility, so that, in exceptional cases, it would be necessary to send a copy of the respective complete letter of justification including attachments (cf. BGH, judgment of September 27, 2023 - IV ZR 177/22, NJW 2023, 3490 Rn. 55).<br />
<br />
2. The decision on the request for information does not prove to be correct for other reasons (§ 561 ZPO).<br />
<br />
a) A right to information does not arise from Section 3 Paragraph 3 VVG. According to this provision, the policyholder can request that the insurer issue a new insurance policy if an insurance policy is lost or destroyed. The cover letters, reasons and supplements requested with the request for information are not covered by this anyway. But even to the extent that the plaintiff requested that the supplements to the insurance certificate from 2016 be made available to him, this cannot be based on Section 3 (3) VVG. The insurance certificate has an information, legitimation and proof function. So that the policyholder can inform himself about the rights and obligations under the contract and provide evidence of these, Section 3 Paragraph 3 VVG gives him the right to have the insurance certificate issued as a replacement. This therefore only covers the insurance certificate including those addenda that reflect the currently valid contract content, not addendums that are already outdated (BGH, judgment of September 27, 2023 - IV ZR 177/22, NJW 2023, 3490 Rn. 42 with further references).<br />
<br />
b) Section 3 Paragraph 4 Sentence 1 VVG only refers to the policyholder's own declarations, not those of the insurer, and is therefore also excluded as the basis for a claim (BGH, ibid. para. 43 with further references).<br />
<br />
c) The claim cannot be based on Section 810 of the German Civil Code (BGB) either, since it only allows the inspection of a document in someone else's possession (BGH, ibid. para. 44 with further references).<br />
<br />
d) Based on the findings made so far, the plaintiff cannot base his disputed request for information on good faith according to Section 242 of the German Civil Code (BGB).<br />
<br />
aa) According to Section 242 of the German Civil Code (BGB), the debtor is exceptionally obliged to provide information within the framework of a legal relationship if the entitled party is excusably uncertain about the existence and scope of his right and the obligated party can easily provide the information necessary to eliminate the uncertainty. The approval of the right to information must take into account the respective circumstances of the individual case and in compliance with the principle of proportionality. Within contractual relationships - as here - the right to information can also have the function of providing the entitled person with information about the existence of the claim. There must then be sufficient evidence for the existence of a main claim that is to be asserted with the help of the information (BGH, judgment of September 27, 2023 - IV ZR 177/22, NJW 2023, 3490 Rn. 30 ff. mwN).<br />
<br />
In addition, findings must be made that the authorized person no longer has the documents specified in the request for information. Only then can it be certain that he is uncertain about the existence and scope of his rights and cannot reasonably obtain the necessary information himself. Good faith does not require that the person seeking information be spared effort at the expense of the person obliged to provide the information (BGH, ibid. para. 38 with further references).<br />
<br />
Finally, the reasons for the loss need to be determined. The policyholder cannot be excused from being uncertain about his rights if he no longer has the documents regarding the premium adjustments and does not provide any further explanation of the reasons for the loss. Only the explanation of the reasons for the loss by the policyholder makes it possible to assess whether the policyholder is exceptionally entitled to a right to information in accordance with Section 242 of the German Civil Code, taking into account the respective circumstances of the individual case and while respecting the principle of proportionality (BGH, ibid. para. 40 with further references).<br />
<br />
bb) The appeal court made findings - consistent from its point of view - neither on the fact of the loss of the documents as such - which was disputed by the defendant - nor on the reasons for this loss.<br />
<br />
III.<br />
<br />
The matter is therefore to be referred back to the appeal court to the extent of the annulment in accordance with Section 563 Paragraph 1 Sentence 1 ZPO so that it can make the findings necessary to examine the claim under Section 242 of the German Civil Code (BGB).<br />
<br />
Pagers<br />
<br />
by Pentz<br />
<br />
Small<br />
<br />
Allgayer<br />
<br />
Linder<br />
</pre></div>Echttps://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9991020Garante per la protezione dei dati personali (Italy) - 99910202024-03-13T10:25:03Z<p>Lm: updating links</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Italy<br />
|DPA-BG-Color=background-color:#095d7e;<br />
|DPAlogo=LogoIT.png<br />
|DPA_Abbrevation=Garante per la protezione dei dati personali<br />
|DPA_With_Country=Garante per la protezione dei dati personali (Italy)<br />
<br />
|Case_Number_Name=9991020<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Garante per la protezione dei dati personali<br />
|Original_Source_Link_1=https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9991020<br />
|Original_Source_Language_1=Italian<br />
|Original_Source_Language__Code_1=IT<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=22.10.2022<br />
|Date_Decided=08.02.2024<br />
|Date_Published=08.03.2024<br />
|Year=2024<br />
|Fine=2,800,000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 5(1)(f) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1f<br />
|GDPR_Article_2=Article 32(1) GDPR<br />
|GDPR_Article_Link_2=Article 32 GDPR#1<br />
|GDPR_Article_3=Article 32(2) GDPR<br />
|GDPR_Article_Link_3=Article 32 GDPR#2<br />
|GDPR_Article_4=Article 34 GDPR<br />
|GDPR_Article_Link_4=Article 34 GDPR<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
|GDPR_Article_6=<br />
|GDPR_Article_Link_6=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=UniCredit S.p.A. <br />
|Party_Link_1=https://www.unicreditgroup.eu/en.html<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Pending appeal<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=lm<br />
|<br />
}}<br />
<br />
The DPA fined a controller € 2.8 million for making personal data available in responses to all authentication attempts, including unsuccessful ones, and failing to prevent customer use of simple PINs.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
On 22 October 2018, UniCredit S.p.A. ("controller") notified the Italian DPA of a personal data breach that occurred on 21 October 2018. The breach occurred due to a cyberattack on the controller’s mobile banking portal for customers. Third parties tried to access customer accounts by attempting automatically-generated simple PINs. <br />
<br />
The mobile banking portal had two vulnerabilities that facilitated the breach. First, the portal made customers’ personal data (first name, surname, tax code, and internal bank identification code) available in HTML responses to authentication attempts, including where attempts were unsuccessful. Second, the controller did not limit the use of simple PINs, making accounts vulnerable to cyberattacks aimed at identifying customer login information (brute force attacks). <br />
<br />
Due to the HTML response vulnerability, every login attempt gave cyber attackers access to the names, tax codes, and internal bank identification codes of 777,765 present and former customers. In the case of 6,959 of those customers, the cyber attackers also successfully identified the portal PINs. The controller subsequently blocked the identified PINs. The breach did not include the data subjects’ banking data.<br />
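The two weaknesses described above, reproduced as an added Python illustration (not UniCredit's code and not part of the original summary): <code>weak_login</code> echoes the customer's name, surname, tax code and NDG in the response whenever the User ID exists, even when the PIN is wrong; <code>HardenedPortal</code> answers every failed attempt with the same empty response and caps the number of distinct User IDs a single source may try, the "reverse brute force" protection the decision found missing; <code>pin_is_acceptable</code> rejects trivial 8-digit PINs of the kind the decision cites ("00000000", "12345678"). Customer records, User IDs, PINs, source labels and the two thresholds are constructed sample values; the 8-digit formats follow the description in the decision text.<br />

```python
"""Weak versus hardened login handling for an 8-digit User ID / 8-digit PIN portal.

Added illustration (not UniCredit's code). Customer records, PINs and source
labels are constructed sample data; the thresholds are assumed values.
"""
import hashlib
import hmac
import re
import secrets
from collections import defaultdict

PERSONAL_FIELDS = ("name", "surname", "tax_code", "ndg")


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a leaked credential table never exposes the PINs themselves.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 20_000)


def _make_customer(name, surname, tax_code, ndg, pin):
    salt = secrets.token_bytes(16)
    return {"name": name, "surname": surname, "tax_code": tax_code, "ndg": ndg,
            "salt": salt, "pin_hash": _hash_pin(pin, salt)}


# Constructed sample records keyed by 8-digit User ID (the second one has a weak PIN).
CUSTOMERS = {
    "12340001": _make_customer("Mario", "Rossi", "RSSMRA80A01H501U", "NDG0001", "48613729"),
    "12340002": _make_customer("Anna", "Bianchi", "BNCNNA85B41F205X", "NDG0002", "00000000"),
}


def weak_login(user_id: str, pin: str) -> dict:
    """The 'User Data Disclosure' defect: the response body carries the customer's
    personal data whenever the User ID exists, regardless of whether the PIN matched."""
    cust = CUSTOMERS.get(user_id)
    if cust is None:
        return {"authenticated": False}
    ok = hmac.compare_digest(_hash_pin(pin, cust["salt"]), cust["pin_hash"])
    # Defect: personal fields are attached even when ok is False.
    return {"authenticated": ok, **{f: cust[f] for f in PERSONAL_FIELDS}}


def pin_is_acceptable(pin: str) -> bool:
    """PIN enforcement rule (assumed shape): exactly 8 digits, not a single repeated
    digit such as 00000000, and not an ascending or descending run such as 12345678."""
    if not re.fullmatch(r"\d{8}", pin):
        return False
    if len(set(pin)) == 1:
        return False
    digits = "0123456789"
    return pin not in digits and pin not in digits[::-1]


class HardenedPortal:
    """Uniform failure response; lockout after three wrong PINs per account (the control
    the Bank already had); and a per-source cap on how many distinct User IDs may be
    tried, which is the missing 'reverse brute force' protection."""
    MAX_FAILED_PER_ACCOUNT = 3
    MAX_DISTINCT_IDS_PER_SOURCE = 5
    FAILURE = {"authenticated": False}

    def __init__(self):
        self.failed_per_account = defaultdict(int)
        self.ids_per_source = defaultdict(set)
        self.blocked_sources = set()

    def login(self, source: str, user_id: str, pin: str) -> dict:
        if source in self.blocked_sources:
            return dict(self.FAILURE)
        self.ids_per_source[source].add(user_id)
        if len(self.ids_per_source[source]) > self.MAX_DISTINCT_IDS_PER_SOURCE:
            self.blocked_sources.add(source)  # one source cycling through IDs: block it
            return dict(self.FAILURE)
        cust = CUSTOMERS.get(user_id)
        # Unknown ID, locked account and wrong PIN all yield the same response body.
        if cust is None or self.failed_per_account[user_id] >= self.MAX_FAILED_PER_ACCOUNT:
            return dict(self.FAILURE)
        if not hmac.compare_digest(_hash_pin(pin, cust["salt"]), cust["pin_hash"]):
            self.failed_per_account[user_id] += 1
            return dict(self.FAILURE)
        self.failed_per_account[user_id] = 0
        # Personal data is released only after successful authentication.
        return {"authenticated": True, **{f: cust[f] for f in PERSONAL_FIELDS}}
```

The per-source cap keys on whatever the deployment treats as a source (client address, session or device); since the decision records that the attack arrived through TOR, a cap on distinct IDs per source is only one layer and belongs alongside the threshold blocking and captcha the Bank added after the incident.<br />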
<br />
The controller did not consider the breach high-risk pursuant to [[Article 34 GDPR]]. It posted a general notice on its website and gave direct notice only to the 6,959 data subjects whose passwords were identified. The DPA disagreed, finding the breach likely to present a high risk to data subject rights after a preliminary investigation. On 13 December 2018, it enjoined the controller to communicate the personal data breach to all data subjects. The controller subsequently prepared differentiated notices, which the DPA found complied with [[Article 34 GDPR#2|Article 34(2) GDPR]]. <br />
<br />
In a defense brief, the controller argued that it took preventive measures and mitigating controls which exceeded market standards at the time of the breach. Additionally, the controller argued that the breach occurred as a result of its data processor’s negligence. The processor was charged with carrying out vulnerability tests on the controller’s mobile webpage and application. Though it became aware of the mobile portal’s vulnerabilities on 19 October 2018 and identified them as high-level, the processor did not report these to the controller until 22 October 2018.<br />
<br />
=== Holding ===<br />
The DPA rejected the controller’s defense and found that it infringed [[Article 5 GDPR#1f|Articles 5(1)(f)]], [[Article 32 GDPR#1|32(1)]] and [[Article 32 GDPR#2|32(2)]] GDPR. First, it noted that making personal data available to anyone attempting authentication regardless of success is intrinsically risky in the banking sector, where identified customers may be targeted in phishing attempts or similar attacks. Second, the DPA found that the controller’s failure to prevent simple PINs was a high-risk oversight given the frequency of simple brute force cyberattacks in the financial system. The DPA did not consider the processor’s actions in determining that the controller violated Articles [[Article 5 GDPR#1f|5(1)(f)]], [[Article 32 GDPR#1|32(1)]], and [[Article 32 GDPR#2|32(2)]] GDPR. <br />
<br />
The DPA issued a € 2,800,000 fine. In doing so, it balanced the large number of data subjects, previous DPA measures resulting from a prior data breach by the controller, and the loss of confidentiality with the controller’s cooperation during the DPA’s investigation, the exclusion of bank data from the breach, and the steps taken to mitigate the breach. <br />
<br />
The DPA did not issue other corrective measures, taking into account the controller’s mitigations immediately after the breach and the lack of consumer complaints pursuant to [[Article 77 GDPR]].<br />
<br />
== Comment ==<br />
The DPA did not consider the processor’s actions in determining that the controller violated [[Article 5 GDPR#1f|Article 5(1)(f)]] and [[Article 32 GDPR|Article 32 GDPR]]. However, the processor, NTT Data Italia S.p.A., was the subject of a [https://www.dataguidance.com/news/italy-garante-fines-ntt-data-italia-800000-violation separate ruling] by the DPA and was fined € 800,000 for violations of [[Article 28 GDPR#2|Articles 28(2)]] and [[Article 33 GDPR#2|33(2)]] GDPR.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.<br />
<br />
<pre><br />
Provision of 8 February 2024<br />
<br />
Register of measures<br />
n. 65 of 8 February 2024<br />
<br />
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA<br />
<br />
IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, the lawyer Guido Scorza and Dr. Agostino Ghiglia, members, and Dr. Claudio Filippi, deputy general secretary;<br />
<br />
HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the “Regulation”);<br />
<br />
HAVING REGARD to the Code regarding the protection of personal data, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter “Code”);<br />
<br />
GIVEN the violation of personal data notified to the Authority on 22 October 2018, pursuant to art. 33 of the Regulation, by UniCredit S.p.a. relating to a cyber attack on the online banking system for the mobile web channel;<br />
<br />
EXAMINED the documentation in the documents;<br />
<br />
GIVEN the observations made by the deputy general secretary pursuant to art. 15 of the Guarantor's regulation no. 1/2000;<br />
<br />
SPEAKER Dr. Agostino Ghiglia;<br />
<br />
PREMISE<br />
<br />
1. Violation of personal data and investigative activity.<br />
<br />
1.1. The investigation against UniCredit S.p.a.<br />
<br />
On 22 October 2018, UniCredit S.p.a. (hereinafter “UniCredit” or “the Bank”) notified the Guarantor, pursuant to art. 33 of the Regulation, of the violation of personal data that occurred following a cyber attack on the online banking system for the mobile web channel (hereinafter "Mobile Banking Portal") which resulted in the illicit acquisition of some personal data of customers (in particular, name, surname, tax code and internal identification code of the bank, with the exclusion of their bank details).<br />
<br />
In particular, the Bank represented that the first attempts at unauthorized access were carried out in the period between 11 and 20 October 2018 and that the cyber attack took place on a massive scale on 21 October 2018, the date on which the Bank, having detected a large number of login attempts to the mobile banking site, immediately proceeded with the notification pursuant to art. 33 of the Regulation, specifying that:<br />
<br />
“the attack was implemented through the massive use of sequential codes to identify which of them corresponded to actually existing REB codes (personal identification code for access to the online banking system)”;<br />
<br />
the violation involved "731,519 REB codes, of which [...] 6,859 are those blocked by the bank because the password had been identified";<br />
<br />
"some personal data of customers (only name, surname, tax code and bank identification code) were visible in the response code to the query, while it does not appear that there was access to the customers' banking data nor that any operations were carried out" .<br />
<br />
With a subsequent note dated 16 November 2018, the Bank, in response to a request for information formulated by the Office on 9 November 2018, also specified that:<br />
<br />
“the attack, coming from an anonymized network (TOR), with the aim of masking the real IP address of the attacker, had the objective of enumerating a series of customers using a fixed password”;<br />
<br />
"an application condition allowed the return of information even in the event of failed authentication, and therefore when the REB Code entered corresponded to a customer, regardless of whether the password was the correct one, name and surname, tax code and NDG were returned, which is an internal identification code, assigned to each customer when it is entered into the [...] IT systems [of UniCredit S.p.a.]. For the 6,859 customers, who had a "weak" password used by the attackers [...], the "password" was also identified;<br />
<br />
“the immediate technological response, which occurred following the identification that gave rise to the security incident, consisted of blocking individual connections coming from an anonymized network (TOR) and having the characteristics of the cyber attack”; in addition to this, "a quantitative blocking of connections that exceed a critical threshold for a defined time interval has been implemented, and an IT mechanism (captcha) aimed at human identification of the user who carries out the login request, with the aim of blocking automatic connections or computer scripts. [...] a mechanism is being implemented to force the use of complex passwords by users, which will be available in production starting from November 23rd and which with subsequent releases will cover the entire bank's customers";<br />
<br />
in the case in question the Bank, "not recognizing the "high risk" referred to in the art. 34 of the Regulation and in consideration of the large number of interested parties, published a press release on its website" and "instead, notified those customers whose password had been blocked because it had been identified by the attackers, and which amounted to 6,859".<br />
<br />
In light of an overall examination of the circumstances represented by the Bank, the Authority considered that the violation of the personal data in question, unlike the assessment carried out by the Bank, was likely to present a high risk for the rights and freedoms of natural persons (condition for which communication to interested parties is required) and, therefore, with provision no. 499 of 13 December 2018 (web doc. no. 9076378) ordered UniCredit, pursuant to art. 58, par. 2, letter e), of the Regulation, to communicate the violation of personal data to all interested parties who had not already been recipients of the communication itself, inviting them to provide adequately motivated feedback regarding the initiatives taken for this purpose as well as regarding the measures adopted to mitigate the negative effects of the violation of personal data on the interested parties.<br />
<br />
With a note dated 25 January 2019, the Bank, in describing the methods and timing with which it implemented the provisions issued with the aforementioned provision no. 499, specified that it had prepared differentiated communications for customers and former customers (a copy of which it attached) whose content was found to comply with the provisions of the art. 34, par. 2, of the Regulation.<br />
<br />
With the same note, UniCredit also communicated that, following further analyses carried out in order to identify the interested parties to whom the violation was to be communicated, it emerged that the number of subjects involved was higher than that initially identified (for a total number of 777,765 customers and former customers); the Bank also specified that it had introduced an enforcement mechanism for passwords used by users, initially aimed at customers involved in the violation of personal data and progressively extended to all customers by March 2019.<br />
<br />
Following subsequent in-depth investigations (see requests for information dated 1 February and 12 April 2019), the Bank provided further clarification elements (see notes dated 26 February and 3 May 2019) based on which, also in light of the documentation acquired in the documents, it was found that:<br />
<br />
a) at the time of the violation of personal data, with regard to the security of processing within the mobile banking portal, the technical and organizational measures referred to in art. 32 of the Regulation consisted of:<br />
<br />
1. “login protected by username and password delivered separately to the customer in the branch;<br />
<br />
2. account blocking after entering three incorrect passwords;<br />
<br />
3. blocking of credentials identified in online data leaks by […] intelligence/anti-fraud services;<br />
<br />
4. possibility for the customer to subscribe to a service via SMS (premium SMS) for notification of activities such as online accesses, changes in PIN and personal data carried out by the Bank via the internet;<br />
<br />
5. protection of sensitive transactions and activities (e.g. modification of personal data) by requesting an additional One Time Password (OTP);<br />
<br />
6. behavioral analysis and transaction monitoring to identify fraud to the detriment of customers;<br />
<br />
7. execution of periodic VA/PT […] on the internet/banking infrastructure and application;<br />
<br />
8. web application firewall (WAF) to protect against possible web attacks (e.g. sql injection)” (see note dated 26 February 2019, pp.1-2);<br />
<br />
b) in the period between "1 October 2018 and 22 October 2018, a Penetration Test was underway on the Mobile Site system (site and APP for mobile devices)" whose execution had been entrusted to the company NTT Data Italia S.P.A. (hereinafter “NTT Data”) on the basis of an agreement stipulated on 5 June 2017 with UniCredit Business Integrated Solutions S.c.p.a. (now UniCredit Services S.c.p.a., hereinafter “UBIS”) having as its object the provision of “Banking Application Penetration Test & Vulnerability Assessment” services. As part of this agreement, NTT Data was designated by UniCredit as data processor - pursuant to the then current art. 29 of the Code - receiving precise instructions from the same to follow, including:<br />
<br />
the express prohibition on entrusting the partial or total execution of vulnerability assessment and penetration testing activities to third parties (see paragraph 14 of the agreement);<br />
<br />
where, for the execution of certain activities, the use of a third party is necessary, the obligation to inform the owner so that the same can, after evaluating its experience, skills and reliability, designate it as processor;<br />
<br />
the obligation, in the event of detection of vulnerabilities with critical or high level severity, to immediately inform the owner in order to allow the same to quickly remove such vulnerabilities (see Annex 3 of the agreement);<br />
<br />
c) NTT Data, in carrying out the above activities, deemed it necessary to avail itself of the collaboration of another entity, Truel IT S.r.l. (hereinafter "Truel IT"), which, with a deed of appointment dated 17 September 2018, was designated as sub-processor, in the absence, however, of prior written authorization from UniCredit;<br />
<br />
d) on 19 October 2018 NTT Data became aware of two vulnerabilities with high level severity (“User Data disclosure” and “Lack of Reverse Bruteforce Protection”) through Truel IT – which sent it the draft report containing the results of the Vulnerability Assessment and Penetration Testing activities - and informed UniCredit only on 22 October 2018.<br />
<br />
1.2. The investigation against NTT Data Italia S.p.a.<br />
<br />
With a note dated 15 May 2019, the Authority formulated a request for information from NTT Data which, with communications dated 24 and 27 May 2019, specified that "the Penetration Test and Vulnerability Assessment activities were conducted from 1 to 26 October 2018 according to the following timing:<br />
<br />
the execution of the tests [...] was carried out from 1 to 12 October 2018;<br />
<br />
the analysis of the results, the removal of false positives, the assessment and classification of vulnerabilities, the drafting of the technical report and sending the same draft report to the customer from 13 to 22 October 2018;<br />
<br />
further refinements to the technical document regarding the vulnerabilities detected from 22 to 26 October 2018, with the final report being sent to the customer on 26 October 2018".<br />
<br />
NTT Data also provided a copy of the technical reports containing the results of the aforementioned vulnerability assessment and penetration testing activities (both in the draft and final versions) which illustrate ten vulnerabilities detected by Truel IT, including two vulnerabilities with severity of high level:<br />
<br />
the first vulnerability, of the "User Data Disclosure" type, allowed the enumeration of all the valid User IDs (consisting of 8 decimal digits) for accessing the mobile banking portal and the acquisition of some personal data (such as the name, surname and the tax code) associated with these User IDs even without knowing the relevant PIN (consisting of 8 decimal digits);<br />
<br />
the second vulnerability, of the "Lack of Reverse Bruteforce Protection" type, allowed an unlimited number of authentication attempts to be made to the mobile banking portal with always different User IDs, without being blocked; in this scenario, an attacker could try to identify valid User ID / PIN pairs, for example trying particularly "weak" PINs such as "00000000" or "12345678".<br />
<br />
NTT Data also stated that it "became aware of the "User Data disclosure" vulnerability on 19 October 2018 with the sending of the draft report by Truel IT S.r.l." which, for its part, had identified the two vulnerabilities described respectively on 10 October 2018 (the first) and the immediately following day (the second); in the same note NTT Data also highlighted how "typically the potential vulnerabilities of a system are detected during the Penetration Test activities" and that "this detection, however, requires, for the purposes of a risk assessment of the same and, therefore, of timely communication to the customer, the execution of further analysis activities (elimination of false positives) and classification (high, medium and low) and suggested remediation".<br />
<br />
For this reason, it carried out, "as per practice, its own analysis of the data received and a further evaluation of the classifications of all 10 vulnerabilities detected" and, only upon completion, did it communicate this to UniCredit "on 22 October 2018 at 10:00 CEST”.<br />
<br />
Lastly, NTT Data specified that "the detection [...] of the vulnerabilities in question could not and did not determine the knowledge/detection by NTT DATA Italia of the violation of personal data".<br />
<br />
2. The initiation of the procedure for the adoption of corrective and sanctioning measures and the deductions of UniCredit S.p.a.<br />
<br />
As a result of the in-depth investigations described above, characterized by a high complexity of the technological profiles (see technical report of 10 December 2019), the Office highlighted the critical issues encountered regarding compliance, by the controller and by the processor, with the obligations regarding the protection of personal data.<br />
<br />
In particular, from the analysis of the documentation acquired in the file and of the declarations made by the data controller (for which the latter is liable pursuant to art. 168 of the Code, "Falsehood in declarations to the Guarantor and interruption of the execution of the tasks or of the exercise of the powers of the Guarantor"), it was ascertained that the technical and organizational measures referred to in art. 32 of the Regulation adopted by UniCredit within the mobile banking portal (see par. 1.1) presented the following critical issues:<br />
<br />
the mobile banking portal, due to a so-called "application condition", made available within the returned HTML code, even in the event of failed authentication attempts, some personal data (name, surname, tax code, NDG) of UniCredit customers and former customers, which could therefore be freely consulted and acquired by anyone;<br />
<br />
as part of the IT authentication procedure for users of the aforementioned portal, no mechanism had been adopted that was capable of effectively countering brute force attacks conducted through the use of so-called bots (computer programs that access websites through the same channel used by human users, simulating their operations).<br />
<br />
Taking the above into account, the Office, with a note dated 5 February 2020, notified UniCredit S.p.a., as data controller, of the start of the procedure for the adoption of the measures referred to in arts. 58, par. 2, and 83 of the Regulation, in compliance with the provisions of art. 166, paragraph 5, of the Code, in relation to the alleged violation of the principle of integrity and confidentiality and of the processing security obligations referred to in arts. 5, par. 1, letter f), and 32, pars. 1 and 2 of the Regulation.<br />
<br />
With the same note, UniCredit was invited to produce defensive writings or documents or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, law no. 689 of November 24, 1981).<br />
<br />
On 5 March 2020, the Bank sent a detailed defense statement (accompanied by annexes), which is referred to in its entirety here, with which, in formulating a request for a hearing, it asked the Authority to evaluate "how in light of the conducted [...] before and immediately after the data breach, [...] a possible sanction would appear to be completely unjustified", especially since "no evidence was provided of any damage suffered by the interested parties whose personal data were subject of the violation".<br />
<br />
In particular, the Bank highlighted that:<br />
<br />
a) “on 21 October 2018, UniCredit's internal control systems detected a cyber attack perpetrated by unidentified third parties (the "Hackers") [...] which resulted in the possibility of viewing, in relation to some users, some data [...] without there having been any evidence of actual viewing, much less of collection, extraction or copying of the same by hackers"; […] “following the attack, the Company promptly took measures to block the violation of personal data and the following day sent a specific notification of the data breach to the Guarantor, providing details on the incident and informing the Guarantor that it was about to communicate the violation of personal data to the interested parties whose account had been blocked"; on the following 16 November 2018, the Bank provided further details regarding the violation that occurred as well as regarding the measures adopted in order to mitigate the risk for the interested parties;<br />
<br />
b) “UniCredit represents one of the largest banking groups operating at a European level. […] In light of the important position held and with a view to responsible corporate management, the protection and security of its customers' data are an absolute priority for UniCredit [...] as proven by the circumstance that in the context of the recent plan industrial Transform 2019 the group has invested 2.3 billion euros to further improve and make its IT systems increasingly secure [...]. However, the financial system's exposure to risks is such that even the most advanced security measures are not able to exclude any and all hypotheses of cyber attacks in any case. In particular, as widely represented by the most authoritative sources on cyber security, in 2018 there was a notable increase in terms of the evolution of "cyber" threats and the related impacts from both a quantitative and qualitative point of view [...]. The statistics also show how 2018 was the year in which there was a significant evolution linked to APT (Advanced Persistent Threat) type attacks. These attacks, aimed at specific subjects, are becoming increasingly more advanced and sophisticated and extensively use massive techniques which inevitably lead to the manifestation of system weaknesses. Therefore, even the most advanced security systems, despite being constantly updated, are not immune from the risk of being the subject of attacks because the sophistication and sudden evolution of the ways in which they are executed makes it effectively impossible to adopt measures that are able to protect against every possible type of cyber attack. This is absolutely relevant in the present case: the occurrence of a data breach does not in itself prove the violation tout court of the principle of integrity and confidentiality pursuant to art. 5, par. 1 letter f) of the Regulation, nor the failure to adopt security measures appropriate to the risk pursuant to art. 32 of the Regulation. 
In fact, as noted by authoritative doctrine, the guarantee of adequate security can be interpreted not only as a preventive measure with respect to any harmful events, but also as an ex post intervention to remedy the anomalies found. In fact, it will be demonstrated below that the measures adopted by UniCredit at the time the data breach occurred, together with those adopted promptly following its occurrence, were adequate for the level of risk and the state of the art at the time of the data breach and therefore compliant with the provisions of the legislation on the protection of personal data. On the contrary, it is not possible to dispute, with respect to events that occurred in 2018, the lack of security measures that would be adequate in 2020, because in the IT security sector two years of difference represent a huge change in the applicable standards";<br />
<br />
c) as regards the "critical issues" identified by the Guarantor, it was further clarified (also through documentary attachments) that "at the time of the attack, UniCredit adopted the following security measures:<br />
<br />
automatic blocking of the user account after entering four incorrect passwords;<br />
<br />
adoption of protected log-in via access credentials delivered separately to users in the branch;<br />
<br />
blocking of compromised credentials identified in online data leaks by intelligence/anti-fraud services;<br />
<br />
availability of a notification service via SMS of activities such as online accesses to your account, changes to your PIN and personal data made by the bank or via the Internet;<br />
<br />
protection of sensitive transactions and activities such as modifications of personal data via double authentication mechanism (One Time Password);<br />
<br />
adoption of monitoring tools to identify fraud attempts to the detriment of customers;<br />
<br />
execution of periodic vulnerability assessments and penetration tests (“VA-PT”), at least annually, on assets identified as critical, including the internet banking infrastructure and applications, through certified market-leading third parties, on a rotational basis to guarantee the maximum effectiveness and impartiality of the tests and following a methodology for carrying out the security assessment tests of IT assets [...] which required compliance with certain international standards in their execution, such as the OWASP standard, recognized as the state of the art in the sector by the National Cybersecurity Laboratory, and the carrying out of scans of the IT infrastructure and further testing techniques in case of VA-PT based on potential vulnerabilities identified, such as password cracking and social engineering;<br />
<br />
execution of periodic vulnerability assessments through automatic scanning tools on assets exposed on the Internet, Extranet and Intranet, and processing of the related reports;<br />
<br />
carrying out vulnerability tests on payment systems through ad hoc red teams;<br />
<br />
implementation of web application firewalls to protect against possible web attacks, such as injections of SQL code.<br />
<br />
In addition to the above [...] the fraud prevention and fraud detection systems adopted at the time of the facts were statistically among the best performing and most effective on the market, with a percentage of prevented frauds equal to 98.6% (compared to 96.5% for the market) as clarified by the Italian Financial CERT […]. Furthermore, each IT vulnerability identified was managed in accordance with a procedure (Security Vulnerability Management [...]) which required the observance of certified processes pursuant to the international standard ISAE 3402 and the use of the risk control system referred to in the international standard ISO 27001. Furthermore, in October 2017, UniCredit had already introduced a system for collecting and managing identified vulnerabilities, similar to that used by the audit functions, with constant risk monitoring carried out by the various corporate functions in charge. Furthermore, in 2018, with the beginning of the full applicability of the Regulation, UniCredit further strengthened its procedures by introducing an immediate reporting obligation in the event of High and Critical vulnerabilities identified, with evidence management in the field of security incidents for which, in the more serious cases, in order to safeguard data and infrastructure, the preventive closure of the system involved was envisaged until the identified problem was resolved. Therefore, the system of security measures already adopted by UniCredit at the time of the data breach consisted of a series of preventive measures aimed at avoiding violations and a series of checks aimed at identifying any vulnerabilities of the company's IT systems which, in the opinion of the bank, represents the only approach capable of effectively reducing the risk of cyber attacks”.<br />
<br />
The Bank also represented that the adequacy of the preventive measures compared to the state of the art at the time of the occurrence of the personal data breach was "confirmed by the technical report on security measures [...] produced by the company Reply S.r.l, a leading company in the IT security consultancy sector [...]" according to which the same measures were "substantially in line with what is commonly practiced by other credit institutions for the protection of login functions. In fact, the report highlights that solutions such as two factor authentication or CAPTCHA on login functions were not adopted by the majority of Italian credit institutions to protect login procedures at the time of the violation. Two factor authentication became a standardized and recognized authentication method only starting from 14 September 2019 following the entry into force of the European Payment Services Directive (PSD2), but - in anticipation of the regulatory obligation - UniCredit was already working since July 2017, with the actual rollout taking place between March and May 2019 and therefore a good 4 months before the legal obligation came into force. Compared to the CAPTCHA, it would not have allowed us to completely limit the risk of the attack since, as demonstrated by researchers at Columbia University, even such systems can be circumvented";<br />
<br />
d) the Bank therefore highlighted how "carrying out checks aimed at identifying any vulnerabilities is the only solution that allows minimizing the risk of cyber attacks, taking into account that there is no software without bugs. Application bugs are part of the natural life cycle of IT development and their onset is proportionate to the level of complexity of the application's structure. In fact, the process of testing applications for identifying bugs is a dynamic activity that lasts over time and is linked to the evolution of the software, in relation to which bugs could also arise due to use by users" . It follows that "The presence of an application bug in the Portal does not in itself constitute a violation of the principle of integrity and confidentiality and does not demonstrate the absence, nor proof of the inadequacy of the security measures adopted by UniCredit because the presence of Bugs are an intrinsic characteristic of any software and the only way to identify and correct them is to carry out tests such as those carried out by UniCredit. As proof of the awareness of the importance of controls, UniCredit invested over 2 million euros in vulnerability assessment and penetration test activities in the three-year period 2017-2019, with the carrying out of over 500 penetration tests and 1000 vulnerability assessments, while for the An investment of over 3.8 million euros is planned for 2020. The correctness of this approach is confirmed by the fact that the application condition from which the data breach arose was identified during the checks carried out in 2018, but the reason why the data breach was not blocked is due to the late notification of the application condition to UniCredit by NTT DATA Italia S.p.A. who carried out the tests." 
In particular, "NTT Data - despite having been commissioned by UniCredit during the month of September 2018 to carry out a penetration test and a vulnerability assessment on the Portal - and despite being bound to immediately inform UniCredit in the event of detection of vulnerabilities with severity of critical or high level, acted in violation of its obligations, as expressly regulated in the service contract already produced to the Guarantor [...], failing to immediately transmit the news regarding the detection of the application condition, despite NTT Data having already classified this vulnerability as high on 16 October 2018 […] and therefore 5 days before the attack occurred. In 5 days, UniCredit would have had plenty of time to adopt urgent corrective measures aimed at avoiding the violation of personal data". Therefore, “[…] UniCredit adopted preventive measures and controls that were in line with the state of the art at the time of the data breach, but was the victim of the negligent conduct of NTT Data for which it cannot be held responsible”;<br />
<br />
e) as regards the application condition of the Portal (see par. 2, point 1), the same, "unlike what was claimed by the Guarantor, did not make the data "susceptible to being freely consulted and acquired by anyone". In fact, the bug was not visible to anyone who tried to authenticate on the Portal and was only identified following a preliminary phase in which the hackers developed the attack technique through repeated complex access attempts. The attack method adopted by the hackers was characterized by a high degree of sophistication [...] as:<br />
<br />
access attempts were conducted using special software aimed at preventing the interception of the origin of communications by inhibiting the analysis of incoming traffic. In fact, such software allows communications to be routed (i.e. attempts to access the Portal) by bypassing the normal transit from client to server and rerouting the connection onto a virtual circuit of layered encrypted routers (so-called onion routers). The use of this technique allows anonymous outgoing traffic and the creation of anonymous services, furthermore the encryption guarantees the so-called perfect forward secrecy, i.e. the total confidentiality of communications even if they are compromised;<br />
<br />
the quantity of access attempts carried out starting from 16 October 2018 was specifically calibrated so as not to exceed ordinary traffic thresholds and to avoid being intercepted by UniCredit's control systems. In fact, the attackers only made direct access attempts to the page's login "form", avoiding downloading the objects that normally make up the web page (e.g. CSS, images, etc.), greatly reducing the overall traffic conveyed by malicious connections;<br />
<br />
only after having identified the Portal bug through a bug hunting strategy, the hackers launched a massive attack, using specific software capable of allowing the adoption of the reverse brute force method to carry out access attempts, of which however only a small percentage (i.e. less than 16%) allowed potential exposure of customer data;<br />
<br />
the hackers also inserted the wrong characters in the access requests forwarded to avoid being intercepted by the application monitoring tool, which in any case led to the detection of the accesses;<br />
<br />
the timing chosen denotes a particular malicious intention and confirms the habitual nature of such behavior by hackers; the massive attack was in fact carried out during a public holiday (Sunday 21 October 2018) starting at 06:15 in the morning. Therefore, the scale of the attack, the timing chosen, the software used and the techniques adopted clearly denote that the hackers had huge computational resources at their disposal as well as being equipped with a very advanced level of specialized IT skills. These conditions are not at all common and it therefore appears clear that [...] the bug did not allow free and indiscriminate access to UniCredit customer data, but rather such action could not ignore the availability of complex and advanced skills and resources. This conclusion is confirmed by the Reply report according to which "the security problem is part of a series of vulnerabilities that are difficult to identify by automatic tools, and which are typically identified through manual analyzes conducted by personnel specialized in the security analysis of web applications";<br />
<br />
f) in relation to the further criticality identified by the Authority (see par. 2, point 2), the Bank highlighted that, "already before the data breach, it had adopted a prevention system from brute force attacks in the scope of the IT authentication procedure for users of the Portal, i.e. regarding the process of entering the password to perform authentication. The system in fact guaranteed effective protection from attacks conducted by so-called automatic bots because, after four incorrect login attempts, the user was blocked and the attack prevented. Therefore - unlike what the Guarantor believed - the measures adopted by UniCredit made it possible to protect company IT systems from brute force attacks. The type of attack conducted against the Portal cannot be classified as brute force, which as demonstrated above, referring to authentication, was adequately protected, but more precisely as "reverse brute force" since the hackers did not try to identify the password of the users tried as many combinations as possible, but at most they tried to enumerate users' authentication usernames using a trivial fixed password (12*****89). In this context, the adoption of further contrast systems useful to limit or prevent access, or access attempts, coming from the same IP address would not have been effective or practicable considering in particular the peculiar characteristics and habits of UniCredit customers. In fact, there is a high number of customers who use Internet-Mobile banking systems on a daily basis for which the use of the same IP addresses for access is noticeable, also due to the widespread use of so-called carrier grade nat (CGN) due to the known saturation of IPv4 addresses. 
This is confirmed by the Reply report according to which "this technique has been progressively abandoned due to the increasing use of NAT by mobile and fixed operators (e.g., CGN - Carrier Grade NAT): this tool would therefore risk inhibiting the access to the system to many legitimate users coming from the same public IP used by an attacker”.<br />
<br />
Furthermore, "as indicated above, other possible solutions such as two-factor authentication and CAPTCHA were not adopted by the majority of credit institutions at the time of the data breach. In any case, UniCredit had equipped itself with an anti-DDOS (Denial Of Services) protection system which was activated in the event of attacks coming from multiple IP addresses (so-called Botnets or bot networks). However, the sophistication of the methods of exploitation of the Portal bug by hackers made it possible to reduce the total traffic carried, effectively keeping it below the mitigation threshold of the technological solution used, called Akamai Prolexic, inhibiting its ability to detect a volume of traffic and attack characteristics such as to activate mitigation. This further confirms that if the attack had been perpetrated by hackers with a less advanced level of sophistication, it would have been identified and blocked by UniCredit's security systems [...]; what in any case must be underlined is that "the security and risk mitigation measures adopted by UniCredit have proven effective as following the Company's immediate technological response [...] the hackers were unable to continue the attack nor to access the accounts of the interested parties, much less to carry out transactions. The attack merely allowed the possibility of viewing a limited number of personal data, not containing bank data, not belonging to particular categories pursuant to art. 9 or data referred to in art. 10 of the Regulation, and there is no evidence that the Data has been in any way collected, copied or stored by Hackers [...]; […] this shows that – thanks to the measures adopted by UniCredit – the attack did not lead to any theft of personal data”.<br />
<br />
In summary, according to Unicredit, the objections raised by the Authority could not have been considered founded, as "UniCredit had adopted adequate security measures in line with market standards in order to effectively counter brute force attacks in the scope of the IT authentication procedure for users of the Portal. These measures meant that, even with reference to a reverse brute force attack, the incidence of the same was limited to the maximum, taking into account that in any case, if NTT Data had promptly notified the application condition, the attack would have been avoided altogether";<br />
<br />
g) UniCredit represented that, both immediately after the attack and in the following days, it had implemented security measures and "additional measures largely suitable for further mitigating the risk for the protection of personal data caused by the data breach", including in particular:<br />
<br />
“make a handbook available to all customers for the secure management of access credentials and forward recommendations to the network of branch managers to encourage the dissemination of the indications contained in the handbook;<br />
<br />
implement a quantitative blocking of connections beyond the critical threshold and a CAPTCHA, as a further temporary measure in view of the next implementation of two factor authentication;<br />
<br />
adopt a mechanism to force the use of complex passwords during sign-in across the entire customer network;<br />
<br />
communicate, following the request of the Guarantor, to all interested parties the violation of personal data, including adequate security indications for the management of credentials, also on other sites".<br />
<br />
During the hearing, held on 29 September 2020, UniCredit S.p.a., referring to what had already been argued in the defense briefs, requested the dismissal of the sanctioning proceedings, reiterating that:<br />
<br />
a) "the security measures adopted by the bank at the time the cyber attack occurred - which can be identified in prevention measures and control measures - were in line with the market standards of the time" and, differently from what the Guarantor believed, "they were able to counter a possible brute force attack";<br />
<br />
b) “the analysis conducted following the attack highlighted how the risk of illicit use of the breached data was only potential, considering that the storage of the data was not ascertained [...] nor were unauthorized accesses to the current accounts of the customers involved detected. Among other things, [...] the personal data subject to the violation concerned name and surname, tax code and NDG code, which in themselves do not allow login to online banking systems or other types of operations";<br />
<br />
c) “UniCredit's monitoring systems promptly detected the cyber attack [...] and despite the delay of NTT Data which, in violation of its contractual obligations, did not immediately communicate the vulnerability as soon as it became aware of it, which he then allowed the attack. This delay is due to an acknowledged error on the part of NTT Data in qualifying the severity of the vulnerability and communicating it once correctly qualified, as declared by NTT Data itself [...]. NTT Data had in fact identified the vulnerability 5 days before the attack but notified it to UniCredit only after the incident and following an express request from the Bank. If the vulnerability had been notified promptly, UniCredit would have had time to eliminate it and the incident would not have occurred. Vulnerability assessments carried out through primary suppliers such as NTT Data are among the adequate security measures adopted by UniCredit because there is no bug-free software. The fact that the Vulnerability assessments carried out via NTT Data detected the vulnerability and that the contract with the supplier provided for immediate notification of the same further confirms the adequacy of the security measures adopted by UniCredit";<br />
<br />
d) "with respect to the violation of personal data in question, no complaints and/or compensation actions have been received from the interested parties involved".<br />
<br />
3. The relevant provisions in relation to the specific case.<br />
<br />
Art. 5, par. 1, letter f), of the Regulation establishes, among the general principles that govern the processing of personal data, that personal data must be "processed in a way that guarantees adequate security of personal data, including protection, through adequate technical and organizational measures, from unauthorized or unlawful processing and from accidental loss, destruction or damage (“integrity and confidentiality”)".<br />
<br />
Art. 32 of the Regulation (“Security of processing”) also provides, in par. 1, that "taking into account the state of the art and the costs of implementation, as well as the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the data controller and the data processor implement appropriate technical and organizational measures to guarantee a level of security appropriate to the risk [...]"; the following par. 2 also establishes that "in assessing the appropriate level of security, account shall be taken in particular of the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed".<br />
<br />
4. The Authority's assessments and the outcome of the investigation.<br />
<br />
Upon examination of the documentation produced and the declarations made by the data controller during the proceedings, and given that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code, this Authority formulates the following conclusive considerations.<br />
<br />
In particular, with reference to the technical and organizational measures referred to in art. 32, par. 1, of the Regulation adopted by UniCredit within the mobile banking portal (see par. 1.1, letter a)) and to the objections raised on this point by the Authority (see par. 2, points 1 and 2), having taken note of what was extensively illustrated by the credit institution in the defense brief and during the hearing, this Authority notes that:<br />
<br />
a) with regard to the “so-called application condition which made available within the HTTP (HyperText Transfer Protocol) response, even in the event of failed authentication attempts, some personal data (name, surname, tax code, NDG) of UniCredit customers and former customers, which could therefore be freely consulted and acquired by anyone" (see par. 2, point 1), it is clear that allowing access to some personal data of customers and former customers without passing an IT authentication procedure does not comply with the regulations on the protection of personal data.<br />
<br />
UniCredit's failure to adopt technical measures capable of limiting access to personal data to authorized personnel or to the data subject alone resulted in the possibility that the personal data were freely accessible by anyone. In fact, such data were made available within the HTTP (HyperText Transfer Protocol) response returned by the Bank's IT systems to the browser of anyone who attempted, even unsuccessfully, to pass the IT authentication procedure then in place on the mobile banking Portal.<br />
<br />
Without prejudice to the fact that the term "anyone" is intended to indicate any person other than authorized personnel and the interested party, this Authority believes that the considerations made by UniCredit regarding the alleged high technical capabilities necessary to exploit the vulnerability present in the Portal of mobile banking, rather than proving the adequacy of the technical measures adopted by the institution, demonstrate an underestimation of the risks associated with the provision of online banking services. In fact, the financial sector has always represented a primary target for cyber criminals, as also indicated in a document called "Cyber security: the contribution of the Bank of Italy and Ivass", published in August 2018, prepared by the Group of coordination on cyber security (GCSC) of the Bank of Italy and IVASS, which highlights how "already in 2014 a coordinated attack against numerous US banks led, among other things, to the theft of the personal data of 80 million banking customers JP Morgan Chase. In the following years, similar episodes multiplied; almost none of the large private financial institutions remained immune and some central banks were also affected. Attacks on the financial system are sometimes conducted with very simple methods, such as the theft of account access credentials through phishing, or denial of service, which, by overloading servers with millions of simultaneous data requests, makes banking services unusable delivered via network. Other times the intrusions are conducted using complex methods and lead to the theft of funds or data on a large scale. The defense of the financial system is very complex: the sector is highly digitalised, it is interconnected at a global level through a small number of infrastructures that may present vulnerabilities, it is susceptible to attack through possible imprudent behavior of hundreds of millions of users of online financial services";<br />
<br />
b) as regards the second aspect under dispute, i.e. the failure to adopt, within the IT authentication procedure for users of the mobile banking portal, any mechanism capable of effectively countering brute force attacks conducted through the use of so-called bots (computer programs that access websites through the same channel used by human users, simulating their operations) (see par. 2, point 2), the Authority notes that the IT authentication system adopted by UniCredit at the time – which involved the use of authentication credentials consisting only of a User ID and a PIN, both made up of 8 decimal digits – was exposed to brute force attacks, i.e. cyber attacks aimed at identifying IT authentication credentials valid for access to a specific online system or service. This is also in consideration of the fact that, at the time of the violation, UniCredit had not adopted any technical measure preventing users from choosing simple PINs, such as, for example, those composed of repetitions or sequences of digits or coinciding with the date of birth or with the User ID.<br />
<br />
In this regard, it should be highlighted that there are various kinds of brute force cyber attacks, such as, for example, simple brute force attacks (aimed at identifying the password or PIN used by a specific user by verifying all possible combinations of letters and numbers), dictionary attacks (aimed at identifying the password or PIN used by a specific user by verifying the possible combinations present in dictionaries composed of the most common passwords or PINs, or of passwords or PINs compromised in the context of other cyber attacks), credential stuffing attacks (aimed at verifying the validity of authentication credentials acquired as part of other cyber attacks), reverse brute force attacks (aimed at identifying users who use a specific password or PIN, often very common or simple), or even a combination of them. In the case in question, an adequate assessment of the risks presented by the processing carried out within the mobile banking portal would have allowed UniCredit to correctly analyze the characteristics of the IT authentication system, to identify the weaknesses likely to compromise the security of the processing and, consequently, to adopt measures to manage and mitigate the risks associated with these weaknesses, including those for proactive defense against reverse brute force cyber attacks.<br />
<br />
5. Conclusions: declaration of unlawfulness of the processing. Corrective measures pursuant to art. 58, par. 2, of the Regulation.<br />
<br />
For the above reasons, the Authority believes that the declarations made by the data controller in the defense briefs - for the truthfulness of which it may be called upon to answer pursuant to the aforementioned art. 168 of the Code - although worthy of consideration, do not allow the findings notified by the Office with the act initiating the procedure to be overcome and are insufficient to allow its dismissal, as, moreover, none of the cases provided for by art. 11 of the Guarantor's regulation no. 1/2019, concerning the internal procedures of the Authority with external relevance, applies.<br />
<br />
In particular, the critical issues identified have highlighted that the personal data breaches which occurred - leaving aside the considerations regarding the liability profile of NTT Data, the data processor, which are the subject of a distinct and separate provision of this Authority - occurred because UniCredit S.p.a., the data controller to which "general responsibility" is attributed for the processing of personal data carried out directly or by others on its behalf, failed to verify, in relation to the nature, context, purposes and risks of the processing carried out within the home banking portal, their effective compliance with the principles of integrity and confidentiality referred to in art. 5, par. 1, letter f), of the Regulation and with the obligations regarding the security of processing referred to in art. 32, par. 1 and 2 of the Regulation.<br />
<br />
However, taking into account what was declared by the Bank during the proceedings regarding the implementation, immediately after the breach, of security measures and "additional measures largely suitable for further mitigating the risk for the protection of personal data caused by the data breach" (see par. 1.1, letter g)), as well as the fact that, following the event, no complaints were received pursuant to art. 77 of the Regulation from subjects affected by the breach, this Authority, in exercising the corrective powers attributed by art. 58, par. 2 of the Regulation, believes it is not necessary to order corrective measures pursuant to art. 58, par. 2, letter d), and provides for a pecuniary administrative sanction pursuant to art. 83 of the Regulation, commensurate with the circumstances of the specific case (art. 58, par. 2, letter i)).<br />
<br />
6. Injunction order.<br />
<br />
Violation of the provisions mentioned above entails the application of the administrative sanction provided for by art. 83, par. 4, letter a), and 5, letter a), of the Regulation.<br />
<br />
In this regard, it is noted that the violation of art. 32 of the Regulation, insofar as it refers to the failure to adopt security measures implementing a principle included in the provision of general scope referred to in art. 5 of the Regulation and concerning the "integrity and confidentiality" of the data being processed (art. 5, par. 1, letter f), of the Regulation), will be assessed overall in the context of the violation of the aforementioned regulatory provision, with consequent application of the single sanction provided for in art. 83, par. 5, letter a), of the Regulation.<br />
<br />
This provision, in setting the statutory maximum at 20 million euros or, for companies, at 4% of the annual worldwide turnover of the previous financial year, whichever is higher, specifies the criteria for quantifying the aforementioned sanction, which must "in any case [be] effective, proportionate and dissuasive" (art. 83, par. 1 of the Regulation), identifying for this purpose a series of elements, listed in art. 83, par. 2 of the Regulation, to be assessed when quantifying the relevant amount; in application of this provision, the circumstances reported below are relevant in this case:<br />
<br />
a) with reference to the nature, severity and duration of the violation (art. 83, par. 2, letter a), of the Regulation), the loss of confidentiality that occurred due to a personal data breach caused by the failure to comply with the general principles relating to security measures (art. 5, par. 1, letter f), and 32 of the Regulation) was taken into consideration, as well as the circumstance that the breach affected an extremely significant number of data subjects;<br />
<br />
b) with reference to the intentional or negligent nature of the violations and the degree of responsibility of the controller (art. 83, par. 2, letters b) and d), of the Regulation), the conduct of the data controller, which did not comply with the rules on the protection of personal data in relation to the general principles regarding security measures for processing, was taken into consideration;<br />
<br />
c) with reference to the adoption, by the controller, of measures aimed at mitigating the damage suffered by the data subjects (art. 83, par. 2, letter c), of the Regulation), the various information initiatives and the support provided to customers affected by the personal data breach from the day the incident was detected, also in compliance with the Authority's provision no. 499 of 13 December 2018, were considered positively; the enhancements of the security measures adopted immediately after the event must be assessed equally positively (see point 1.1, letter g));<br />
<br />
d) the existence of previous measures by the Authority against the controller, adopted also following another personal data breach (art. 83, par. 2, letter e), of the Regulation);<br />
<br />
e) active collaboration with the Authority, also with regard to the reconstruction of events and relations with the data processor (art. 83, par. 2, letter f), of the Regulation);<br />
<br />
f) with reference to the categories of personal data affected by the violation (art. 83, par. 2, letter g) of the Regulation), it was considered that the common data of the interested parties were subject to the violation, with the exclusion of banking data.<br />
<br />
In consideration of the aforementioned principles of effectiveness, proportionality and dissuasiveness (art. 83, paragraph 1, of the Regulation) which the Authority must comply with in determining the amount of the sanction, the economic conditions of the offender were taken into consideration, determined based on the revenues achieved referring to the financial statements for the year 2022.<br />
<br />
On the basis of the aforementioned elements, assessed as a whole, it is decided to set the amount of the pecuniary sanction at 2,800,000 euros (two million eight hundred thousand) for the violation of articles 5, par. 1, letter f), and 32, par. 1 and 2 of the Regulation.<br />
<br />
In this framework, also in consideration of the type of violation ascertained, which concerned the principles of protection of personal data, it is believed that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's regulation no. 1/2019, this provision must be published on the Guarantor's website.<br />
<br />
Finally, it is noted that the conditions set out in art. 17 of regulation no. 1/2019, concerning internal procedures with external relevance aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.<br />
<br />
IN VIEW OF ALL THE ABOVE, THE GUARANTOR<br />
<br />
declares, pursuant to articles 57, par. 1, letter f), and 83 of the Regulation, the unlawfulness of the processing carried out, within the terms set out in the reasoning, for the violation of articles 5, par. 1, letter f), and 32, par. 1 and 2 of the Regulation.<br />
<br />
ENJOINS<br />
<br />
to UniCredit S.p.a., with registered office in Milan, Piazza Gae Aulenti, 3, C.F./P.I. 00348170101, pursuant to art. 58, par. 2, letter i), of the Regulation, to pay the sum of 2,800,000 (two million eight hundred thousand) euros as a pecuniary administrative sanction for the violations indicated in this provision;<br />
<br />
ORDERS<br />
<br />
to the same UniCredit S.p.a. to pay the sum of 2,800,000 (two million eight hundred thousand) euros according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts in accordance with the art. 27 of law no. 689/1981.<br />
<br />
It is noted that, pursuant to art. 166, paragraph 8, of the Code, the offender retains the right to settle the dispute by paying - always according to the methods indicated in the annex - an amount equal to half of the sanction imposed, within the deadline referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1 September 2011 provided for the filing of the appeal as indicated below.<br />
<br />
PROVIDES FOR<br />
<br />
pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019, the publication of this provision on the Guarantor's website, and holds that the conditions set out in art. 17 of regulation no. 1/2019 are met.<br />
<br />
Pursuant to art. 78 of the Regulation, as well as art. 152 of the Code and art. 10 of Legislative Decree no. 150 of 1 September 2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.<br />
<br />
Rome, 8 February 2024<br />
<br />
PRESIDENT<br />
Stanzione<br />
<br />
THE RAPPORTEUR<br />
Ghiglia<br />
<br />
THE DEPUTY SECRETARY GENERAL<br />
Filippi<br />
</pre></div>
https://gdprhub.eu/index.php?title=LG_Augsburg_-_022_O_2669/22 LG Augsburg - 022 O 2669/22 2024-03-13T10:24:07Z<p>Ludwigederle: Created page with "{{COURTdecisionBOX |Jurisdiction=Germany |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=LG Augsburg |Court_Original_Name=Landgericht Augsburg |Court_English_Name=Regional Court Augsburg |Court_With_Country=LG Augsburg (Germany) |Case_Number_Name=022 O 2669/22 |ECLI= |Original_Source_Name_1=Bayern.Recht |Original_Source_Link_1=https://www.gesetze-bayern.de/Content/Document/Y-300-Z-GRURRS-B-2023-N-13763?hl=true |Original_Source_Language_1=German |Origin..."</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Germany<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=LG Augsburg<br />
|Court_Original_Name=Landgericht Augsburg<br />
|Court_English_Name=Regional Court Augsburg<br />
|Court_With_Country=LG Augsburg (Germany)<br />
<br />
|Case_Number_Name=022 O 2669/22<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Bayern.Recht<br />
|Original_Source_Link_1=https://www.gesetze-bayern.de/Content/Document/Y-300-Z-GRURRS-B-2023-N-13763?hl=true<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Date_Decided=09.06.2023<br />
|Date_Published=<br />
|Year=2023<br />
<br />
|GDPR_Article_1=Article 5(1)(f) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1f<br />
|GDPR_Article_2=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#1a<br />
|GDPR_Article_3=Article 6(1) GDPR<br />
|GDPR_Article_Link_3=Article 6 GDPR#1<br />
|GDPR_Article_4=Article 13 GDPR<br />
|GDPR_Article_Link_4=Article 13 GDPR<br />
|GDPR_Article_5=Article 14 GDPR<br />
|GDPR_Article_Link_5=Article 14 GDPR<br />
|GDPR_Article_6=Article 17 GDPR<br />
|GDPR_Article_Link_6=Article 17 GDPR<br />
|GDPR_Article_7=Article 25(2) GDPR<br />
|GDPR_Article_Link_7=Article 25 GDPR#2<br />
|GDPR_Article_8=Article 82(1) GDPR<br />
|GDPR_Article_Link_8=Article 82 GDPR#1<br />
|GDPR_Article_9=<br />
|GDPR_Article_Link_9=<br />
|GDPR_Article_10=<br />
|GDPR_Article_Link_10=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=§ 1004 Abs. 1 S. 2 BGB<br />
|National_Law_Link_1=https://www.gesetze-im-internet.de/bgb/<br />
|National_Law_Name_2=§ 823 Abs. 2 BGB<br />
|National_Law_Link_2=https://www.gesetze-im-internet.de/bgb/<br />
|National_Law_Name_3=Art. 1 Abs. 1 GG<br />
|National_Law_Link_3=https://www.bundestag.de/gg<br />
|National_Law_Name_4=Art. 2 Abs. 1 GG<br />
|National_Law_Link_4=https://www.bundestag.de/gg<br />
|National_Law_Name_5=<br />
|National_Law_Link_5=<br />
|National_Law_Name_6=<br />
|National_Law_Link_6=<br />
<br />
|Party_Name_1=Facebook<br />
|Party_Link_1=https://facebook.com<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Ludwig Ederle<br />
|<br />
}}<br />
<br />
No obligation for a social media platform under GDPR to set the default setting such that the search function for users' telephone numbers is blocked.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The plaintiff was a user of the defendant's social media platform. She registered her profile with her phone number and did not change the preset visibility option to "not visible". This option is set to "visible" by default so that users can be found by phone number; users are informed of this during registration.<br />
On 3 April 2021, Business Insider published an article reporting the scraping of phone numbers from the defendant's platform by unknown third parties.<br />
On July 2, 2021, the plaintiff sent a letter to the defendant demanding payment of damages and a cease and desist declaration; the defendant responded to the plaintiff's letter on September 30, 2021. On November 25, 2022, the Irish Data Protection Commission fined the defendant €265 million for violating the GDPR and ordered the defendant to take remedial action. The plaintiff has not yet been the victim of identity theft, and her account on the defendant's platform has not been taken over by unknown third parties. The plaintiff has since changed the settings in her account so that her telephone number can no longer be accessed via the contact import tool. The plaintiff argued that she had been the victim of a data breach, had received (but not answered) several calls from abroad, had lost control over her data and was greatly worried about misuse of her data. She stated that she was receiving many strange text messages with apparent fraud attempts, which she attributed to missing security controls on the defendant's platform.<br />
The defendant argued that the claim should be dismissed because the claims were too vague and the application for a declaratory judgment lacked a legitimate interest. The requirements for a claim for damages under [[Article 82 GDPR|Article 82 GDPR]] were not met, since scraping is not hacking. In addition, the defendant argued that the loss of control alleged by the plaintiff was not sufficient.<br />
<br />
=== Holding ===<br />
The claim is inconclusive: the text messages and calls from the beginning to mid-2019 described by the plaintiff cannot be causally attributed to the data scraping before September 2019. The scraped data from the defendant's platform was published on the internet by unknown third parties only from April 2021, as the plaintiff herself stated in her claim. Any calls and text messages in early to mid-2019 as submitted by the plaintiff could therefore not be based on the incident. In any event, the plaintiff would not be entitled to claim non-material damages from the defendant: such a claim would have to be based on [[Article 82 GDPR|Article 82 GDPR]]. Since the GDPR was not applicable in the first place, no damages can be claimed. The court argued that there had been no breach of the transparency obligations (Articles 5, 13 and 14 GDPR); the defendant had also pointed clearly and in plain language to the default settings, so there was no breach of [[Article 25 GDPR|Article 25 GDPR]] or [[Article 32 GDPR|Article 32 GDPR]] either. This was not an incident subject to notification to the supervisory authority, and the defendant informed the plaintiff in accordance with Article 15 by letter of September 9, 2021. Hence, there can be no claim for non-material damages under [[Article 82 GDPR|Article 82 GDPR]].<br />
<br />
The scope of application of the GDPR has not been opened.<br />
<br />
Translated with DeepL.com (free version)<br />
<br />
== Comment ==<br />
The CJEU has ruled (e.g. in C-300/21 and C-340/21) that not every breach of an obligation under the GDPR automatically constitutes damage eligible for compensation under the GDPR. Rather, material or non-material damage based on a GDPR infringement must be established and proven.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
Title:<br />
No user claims against Facebook operators due to scraping incident<br />
Norm chains:<br />
GDPR Art. 5 Para. 1 lit. a and lit. f, Art. 6 Para. 1, Art. 13, Art. 14, Art. 17, Art. 25 Para<br />
BGB § 823 paragraph 2, § 1004 paragraph 1 sentence 2<br />
GG Art. 1 Para. 1, Art. 2 Para. 1<br />
Guiding principles:<br />
1. A social media platform whose aim is to search for and find contacts is not obliged under Article 25 Para. 2 GDPR to set the default settings in such a way that the searchability function for users' telephone numbers is blocked. (Rn. 36) (editorial principle)<br />
2. A scraping incident does not constitute a reportable breach under Article 33 GDPR. (Rn. 37) (editorial principle)<br />
3. Non-material damage that can be compensated for under Article 82 (1) of the GDPR must at least constitute real and certain emotional damage and not just an annoyance or other inconvenience. (Rn. 40) (editorial principle)<br />
Tags:<br />
Data protection default, data protection violation<br />
Locations:<br />
LSK 2023, 13763<br />
ZD 2024, 118<br />
GRUR-RS 2023, 13763<br />
<br />
<br />
Tenor<br />
<br />
1. The lawsuit is dismissed.<br />
<br />
2. The plaintiff must bear the costs of the legal dispute.<br />
<br />
3. The judgment is provisionally enforceable. The plaintiff can avert the defendant's enforcement by providing security in the amount of 110% of the amount enforceable on the basis of the judgment, unless the defendant provides security in the amount of 110% of the amount to be enforced before enforcement.<br />
<br />
Facts of the case<br />
<br />
1<br />
The plaintiff is demanding damages, injunctive relief and information from the defendant due to violations of the General Data Protection Regulation.<br />
<br />
2<br />
The defendant is the provider of the F. platform in the territory of the European Union. The plaintiff is a German user of this platform; she logs in with her email address…. Her name, gender and user ID were publicly visible on the user account (Appendix B 1 5), because this information is always public user information. The visibility of the plaintiff's other data (telephone number, email address, place of residence, date of birth, city, relationship status) depended on the plaintiff's target group selection. The data "country", "state", "place of birth" and "other correlating data" do not correspond to any profile fields on the F. platform.<br />
<br />
3<br />
When registering for the first time, the user enters their personal data, specifically first and last name, mobile phone number or email address, gender and date of birth, into the registration mask. The user's attention is drawn to the terms of use and, after registration, to a wealth of settings and sub-settings. In this respect, the defendant has made default settings.<br />
<br />
4<br />
The telephone number can be used for a security query (password reset). In the plaintiff's profile, the telephone number used in this regard was shared with her friends and was therefore partially publicly viewable. In addition, the plaintiff could be found via her telephone number. This setting was preset, but could be changed so that the user could not be found using their phone number. The defendant uses a contact importer (contact import tool; CIT). This is used to synchronize the personal contacts stored in a user's smartphone with users on F.; this is done via the stored mobile phone number. The F. Messenger app operated by the defendant works in the same way. Any automated collection of data (scraping) without permission was prohibited by the defendant's terms of use.<br />
<br />
5<br />
Before September 2019, unknown persons generated telephone numbers and synchronized them with profiles of F. users via the contact importer or the F. messenger app. The data publicly stored there was subsequently scraped and merged with the cell phone numbers (Appendix B 11).<br />
<br />
6<br />
On April 3, 2021, Business Insider published an article according to which information from a large number of F. users had been made accessible on the Internet by third parties. The defendant addressed its users with an article accessible in F. on April 6, 2021 (Appendix B 10).<br />
<br />
7<br />
In a lawyer's email dated July 2, 2021, the plaintiff asked the defendant to pay damages of €500 as well as to cease and desist and provide information (Appendix K 1). The defendant responded with a lawyer's letter dated September 30, 2021 (Appendix B 16).<br />
<br />
8<br />
In a decision dated November 25, 2022, the Irish data protection authority DPC imposed a fine of EUR 265 million on the defendant for violating Article 25 I and II GDPR and ordered the defendant to take remedial action (Appendix K 3).<br />
<br />
9<br />
The plaintiff has not yet been a victim of identity theft; Her account with F. was also not taken over by unknown third parties. The plaintiff has since changed the settings in her account so that her phone number can no longer be accessed via the contact import tool.<br />
<br />
10<br />
The plaintiff essentially claims:<br />
<br />
11<br />
Her email address, place of residence, date of birth, city, relationship status and telephone number were included in the data retrieved through scraping.<br />
<br />
12<br />
The plaintiff further claims that she was affected by a data protection incident; the defendant made her data accessible to unauthorized third parties. A database that can be accessed by anyone on the Darknet contains her telephone number, her name, her place of residence and her email address. These data sets were made public and allowed malicious actors to carry out a wide range of criminal activities, such as identity theft, account takeover, targeted phishing messages or "SIM swap" attacks to change passwords protected by phone number-based authentication.<br />
<br />
13<br />
The plaintiff further states that she suffered a significant loss of control due to the publication of the scraped data and was left in a state of great discomfort and great concern about possible misuse of her data. Since publication, she has been receiving occasional unknown contact attempts via SMS. These contained messages with obvious attempts at fraud. Specifically, since the beginning to mid-2019, she has received text messages several times a week saying, for example, that packages could not have been delivered or that something was wrong with her P. account.<br />
<br />
14<br />
She also initially received calls from abroad, which she did not accept and which quickly stopped. She assumes that these are due to the data scraping at the defendant. She has not suffered any damage so far.<br />
<br />
15<br />
Finally, the plaintiff claims that the defendant did not take any security precautions against the exploitation of the contact import tool, in particular did not ensure that the request for synchronization was a request from a human being and not a computer program; the plausibility of the requests was also not checked, for example by automatically rejecting an unusually large number of requests from the same IP address or with unusual telephone number sequences.<br />
<br />
16<br />
The defendant also never informed the plaintiff that her data had been stolen and published by third parties; it also did not inform the relevant data protection authority in Ireland about the incident.<br />
<br />
17<br />
The plaintiff is essentially of the opinion:<br />
<br />
18<br />
The lawsuit is admissible, in particular it is specific enough and there is an interest in declaratory judgment. The claim for damages arises from Art. 82 GDPR. The scope of protection has been opened, and the defendant has violated several obligations of the GDPR (violation of the transparency obligations, violation of the obligation to ensure appropriate technical and organizational measures, violation of the obligation to provide data protection-friendly default settings, violation of the notification and reporting obligation and the obligation to provide information).<br />
<br />
19<br />
Due to the plaintiff's lack of effective consent, the defendant processed her data without a legal basis and sufficient information; the defendant bears the burden of presentation and proof.<br />
<br />
20<br />
The plaintiff requests to recognize:<br />
<br />
1. The defendant is ordered to pay the plaintiff an appropriate amount of non-pecuniary damages, the amount of which is at the discretion of the court, but at least €1,000.00 plus interest since the action was brought in the amount of five percentage points above the base interest rate.<br />
<br />
2. It is established that the defendant is obliged to compensate the plaintiff for all future damages that the plaintiff has suffered as a result of unauthorized third-party access to the defendant's data archive, which, according to the defendant's statement, occurred in 2019 and/or still will arise.<br />
<br />
3. The defendant is ordered, on pain of an administrative fine of up to €250,000.00 to be set by the court for each case of violation, or alternatively of detention to be enforced against its legal representative (director), or of detention for a period of up to six months, or up to two years in the event of a repeat offence, to refrain from<br />
<br />
a) making personal data of the plaintiff, namely telephone number, F.-ID, last name, first name, gender, federal state, country, city and relationship status, accessible to unauthorized third parties via software for importing contacts, without the security measures possible according to the state of the art to prevent the use of the system for purposes other than establishing contact,<br />
<br />
b) processing the plaintiff's telephone number on the basis of consent that was obtained by the defendant through confusing and incomplete information, in particular without clear information that the telephone number can still be used via the contact import tool even if it is set to "private", unless authorization is explicitly denied for this and, in the case of using the F. Messenger app, authorization is also explicitly denied there.<br />
<br />
4. The defendant is ordered to provide the plaintiff with information about personal data relating to the plaintiff that the defendant processes, namely which data could be obtained from the defendant by which recipients and at what point in time through scraping or by using the contact import tool.<br />
<br />
5. The defendant is ordered to pay the plaintiff's pre-trial legal fees amounting to €887.03, plus interest from the time of litigation amounting to five percentage points above the base interest rate.<br />
<br />
21<br />
The defendant requests<br />
<br />
22<br />
The defendant is essentially of the opinion:<br />
<br />
23<br />
The lawsuit is largely inadmissible because the claims 1) to 3) are too vague and the action for a declaratory judgment lacks the interest in declaratory judgment. The requirements for a claim for damages according to Art. 82 GDPR do not exist. Scraping is not hacking. The protection area has not been opened, nor are there any violations of the GDPR. In addition, there is no causal immaterial damage; in particular, the loss of control alleged by the plaintiff is not sufficient. The plaintiff bears the burden of presentation and proof. Furthermore, there is no fault on the part of the defendant.<br />
<br />
24<br />
For further details, reference is made to the exchanged pleadings and the minutes of the oral hearing from May 5, 2023.<br />
<br />
Reasons for the decision<br />
<br />
25<br />
I. The admissible lawsuit is unfounded.<br />
<br />
26<br />
The lawsuit is admissible.<br />
<br />
27<br />
1. The Augsburg Regional Court has international jurisdiction in accordance with Art. 79 II GDPR and Art. 18 I Alt. 2 in conjunction with Art. 17 I lit. c) Regulation (EU) 1215/2012. The plaintiff has her usual place of residence or residence in ... and therefore in the local judicial district. The defendant operates the platform commercially; the plaintiff uses the platform for private purposes and is therefore a consumer.<br />
<br />
28<br />
2. The applications are sufficiently specific within the meaning of Section 253 II No. 2 ZPO. This applies both to application number 1 and to application numbers 3a and 3b (see: LG Kiel GRUR-RS 2023, 328 Rn. 25 to 29 and LG Aachen GRUR-RS 2023, 2621 Rn. 32 to 36 and 38 to 40 on claims identical to those in the present case). The interest in declaratory judgment regarding application number 2 must also be affirmed (LG Kiel GRUR-RS 2023, 328 Rn. 30 and LG Aachen GRUR-RS 2023, 2621 Rn. 37).<br />
<br />
29<br />
II. The lawsuit is unsuccessful on the merits.<br />
<br />
30<br />
1. The lawsuit is already inconclusive because the text messages and calls described by the plaintiff from the beginning to mid-2019 cannot be causally traced back to the data scraping at the defendant before September 2019. The data of the defendant's users - as stated by the plaintiff herself in the statement of claim - was only published on the Internet by unknown third parties from April 2021. Any calls and text messages in early to mid-2019 - as presented by the plaintiff in her informational hearing at the oral hearing - cannot therefore be based on the incident.<br />
<br />
31<br />
2. However, the plaintiff would not otherwise be entitled to payment of non-material damages against the defendant.<br />
<br />
32<br />
a) Such a claim would not arise from Art. 82 I GDPR.<br />
<br />
33<br />
aa) Based on the plaintiff's submissions, there would already be no violation of the provisions of the General Data Protection Regulation.<br />
<br />
34<br />
(1) There is no violation of the transparency obligations under Article 5 I lit. a), 13, 14 GDPR. The screenshots presented by the plaintiff of the processes and substructures of the defendant's website are sufficiently understandable and transparent. The plaintiff, as a user, is obliged to examine the information carefully in order to decide for herself to what extent she will release information and how extensively she wants to use the defendant's communication platform (also: LG Aachen GRUR-RS 2023, 2621 paras. 49 to 55 and LG Kiel GRUR-RS 2023, 328 paras. 37 to 41).<br />
<br />
35<br />
(2) There is also no violation of the data security obligations under Article 5 I lit. f), 32 GDPR. It was expressly stated that name, profile picture, cover photo, gender, username and user ID are visible to everyone; there was therefore no reason to protect this data, since it was public anyway. With regard to the plaintiff's telephone number, the defendant adequately fulfilled its protection obligations by sufficiently pointing out that the plaintiff can change the searchability settings (also: LG Aachen GRUR-RS 2023, 2621 paras. 56 to 63 and LG Kiel GRUR-RS 2023, 328 para. 42 f.). In addition, the defendant's terms of use prohibited any automated collection of data (scraping) without the defendant's permission.<br />
<br />
36<br />
(3) The defendant has also not violated the obligation to provide data protection-friendly default settings in accordance with Article 25 I, II GDPR. In particular, the defendant was not obliged to set the default so that a telephone number entered by the plaintiff could not be used to find her via a search function. The platform operated by the defendant is a social media platform whose purpose is to search for and find contacts. Blocking the searchability function would diametrically contradict this purpose (also: LG Aachen GRUR-RS 2023, 2621 para. 64 f. and LG Kiel GRUR-RS 2023, 328 paras. 44 to 47). This assessment does not change because the Irish data protection authority DPC imposed a fine of EUR 265 million on the defendant in a decision dated November 25, 2022 for violating Article 25 I and II GDPR (Appendix K 3). Whether this decision has a binding effect can be left open, since it is undisputed that it is not yet final (also: LG Aachen GRUR-RS 2023, 2621 para. 66).<br />
<br />
37<br />
(4) Furthermore, the defendant cannot be accused of violating the notification obligation under Article 33 GDPR, since there is already no notifiable violation of the General Data Protection Regulation (also: LG Aachen GRUR-RS 2023, 2621 para. 67 and LG Kiel GRUR-RS 2023, 328 para. 48).<br />
<br />
38<br />
(5) Finally, there is no violation of the defendant's obligation to provide information pursuant to Article 15 GDPR. The defendant provided information to the plaintiff in a lawyer's letter dated September 30, 2021 (Appendix B 16). The defendant was not obliged to provide the additional information requested by the plaintiff; the defendant is also unable to provide any further information.<br />
<br />
39<br />
bb) Furthermore, there would be no non-material damage to the plaintiff.<br />
<br />
40<br />
(1) The requirements of a claim under Art. 82 I GDPR include, in addition to a violation of the General Data Protection Regulation, the occurrence of immaterial damage (cf. OLG Frankfurt GRUR 2022, 1252 paras. 61 to 64). In view of recitals 75, 85, 146 and 148 GDPR, the legislator had in mind discrimination, identity theft, identity fraud, damage to reputation, loss of confidentiality of personal data subject to professional secrecy or social disadvantages, without excluding minor damage. With regard to possible future misuse of personal data, non-material damage is only established where there is real and certain emotional harm and not merely an annoyance or inconvenience (cf. ECJ, Opinion of April 27, 2023 - C-340/21).<br />
<br />
41<br />
(2) Measured against these standards, non-material damage to the plaintiff must be denied. It is undisputed that the plaintiff has not yet been the victim of identity theft; her account with F. was also not taken over by unknown third parties. As already stated above, the text messages and calls in 2019 cannot be attributed to the data scraping. Even if any calls and text messages had only taken place in 2021, it would remain disputed and unclear whether they could be attributed to the data scraping, and in particular whether there was a temporal connection. This applies all the more since the plaintiff had publicly posted her telephone number on her Facebook page for her friends. Since identity theft is unlikely on the basis of knowledge of a telephone number alone (see: LG Karlsruhe, ZD 2022, 55) and the plaintiff's other data is public anyway with her consent, the possibility of future misuse of the plaintiff's data merely represents an inconvenience that cannot justify non-material damage. Finally, it should not be overlooked that it was not the defendant but unknown third parties who scraped the plaintiff's data and posted it on the dark web.<br />
<br />
42<br />
b) A claim for non-material damages would also not arise from national law. This follows from the fact that, according to Section 253 Paragraph 1 of the German Civil Code (BGB), compensation for damage that is not financial loss can only be claimed in the cases determined by law. However, neither do the exceptions mentioned in the law (Section 253 Para. 2 BGB) apply, nor is there a serious violation of the plaintiff's personality rights (Articles 1 I, 2 I GG).<br />
<br />
43<br />
2. The plaintiff's request for a declaration that the defendant is obliged to compensate for all future material damage would also be unfounded. This is because there is no violation of the provisions of the General Data Protection Regulation (see Section II 2 a aa above).<br />
<br />
44<br />
3. The plaintiff would also have no claim against the defendant to stop the use of the contact importer software under § 1004 I 2 BGB by analogy in conjunction with Art. 1 I, 2 I GG or under § 823 II BGB in conjunction with Art. 6 I, 17 GDPR. In this respect, too, there is no violation of the provisions of the General Data Protection Regulation (see Section II 2 a aa above).<br />
<br />
45<br />
4. The plaintiff would also have no claim against the defendant under § 1004 Para. ... GDPR to stop the processing of her telephone number. In this respect, too, there is no violation of the provisions of the General Data Protection Regulation (see Section II 2 a aa above). In addition, there is no risk of repetition. The plaintiff herself states that she has now changed the settings in her account so that her telephone number can no longer be accessed by the contact import tool. There is therefore no apparent risk of recurrence.<br />
<br />
46<br />
5. Finally, the plaintiff would not be entitled to information from the defendant in accordance with Article 15 I GDPR. This claim has been discharged by performance in accordance with Section 362 I of the German Civil Code (BGB), since the defendant provided the information in a lawyer's letter dated September 30, 2021 (Appendix B 16). To the extent that the plaintiff also requests information about the extent to which her data was processed by scraping and by which third parties, the claim must be denied on the merits. The defendant would also not be able to provide such information.<br />
<br />
47<br />
6. In the absence of a main claim, the plaintiff's claim for reimbursement of pre-trial legal fees must also be denied.<br />
<br />
48<br />
7. No other, more far-reaching basis for a claim is apparent.<br />
<br />
49<br />
1. The decision on costs follows from Section 91 I ZPO.<br />
<br />
50<br />
2. The decision on provisional enforceability is based on Sections 708 No. 11, 711 Sentences 1 and 2 ZPO.<br />
</pre></div>Ludwigederlehttps://gdprhub.eu/index.php?title=VGH_M%C3%BCnchen_-_6_ZB_23.530VGH München - 6 ZB 23.5302024-03-13T08:41:43Z<p>Sfl: /* Comment */ Original author wished for this section to be added.</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Germany<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=VGH München<br />
|Court_Original_Name=Bayerischer Verwaltungsgerichtshof<br />
|Court_English_Name=Superior Administrative Court München<br />
|Court_With_Country=VGH München (Germany)<br />
<br />
|Case_Number_Name=6 ZB 23.530<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Bayern.Recht<br />
|Original_Source_Link_1=https://www.gesetze-bayern.de/Content/Document/Y-300-Z-BECKRS-B-2023-N-17253?hl=true<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Date_Decided=29.06.2023<br />
|Date_Published=13.03.2024<br />
|Year=2023<br />
<br />
|GDPR_Article_1=Article 5(1) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1<br />
|GDPR_Article_2=Article 16 GDPR<br />
|GDPR_Article_Link_2=Article 16 GDPR<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1= § 124 Abs. 2 Nr. 1 VwGO<br />
|National_Law_Link_1=https://www.gesetze-im-internet.de/vwgo/<br />
|National_Law_Name_2=§ 1004 BGB<br />
|National_Law_Link_2=https://www.gesetze-im-internet.de/bgb/<br />
|National_Law_Name_3=§ 112 Abs. 1 S. 1 BBG, § 113 Abs. 1, Abs. 2 BBG<br />
|National_Law_Link_3=https://www.gesetze-im-internet.de/bbg_2009/<br />
|National_Law_Name_4=§ 16 Abs. 3 BDG<br />
|National_Law_Link_4=https://www.gesetze-im-internet.de/bdg/<br />
|National_Law_Name_5=<br />
|National_Law_Link_5=<br />
|National_Law_Name_6=<br />
|National_Law_Link_6=<br />
<br />
|Party_Name_1=A<br />
|Party_Link_1=<br />
|Party_Name_2=Bundespolizei<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Appeal_From_Body=VG Regensburg<br />
|Appeal_From_Case_Number_Name=RO 1 K 21.716<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=https://dejure.org/dienste/vernetzung/rechtsprechung?Gericht=VG%20Regensburg&Datum=25.01.2023&Aktenzeichen=RO%201%20K%2021.716<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Ludwig Ederle<br />
|<br />
}}<br />
<br />
The Higher Administrative Court rejected both parties' applications for leave to appeal. The Administrative Court had dismissed the action insofar as it sought to compel the defendant to remove the entire file relating to the plaintiff's disciplinary proceedings and all documents from the plaintiff's personnel file, but had ordered the removal of a defamatory statement from the factual files.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The plaintiff, a federal police officer who had left the civil service in 2006 and whose reactivation under Section 46 BBG was being reviewed, sued the defendant, the Federal Police (the decision refers to the underlying dispute as one against the Federal Republic of Germany).<br />
<br />
The dispute centered on whether certain documents should be removed from the plaintiff's personnel file and from factual files kept by the Federal Police. These documents included the disciplinary file, a statement by the plaintiff's former service group leader prepared for the "reactivation review," and related records. Both the plaintiff and the defendant disagreed with the initial ruling of the Administrative Court of Regensburg (judgment of January 25, 2023) and each applied for leave to appeal.<br />
<br />
The plaintiff wanted more documents deleted, while the defendant wanted to keep the "reactivation review" statement.<br />
<br />
=== Holding ===<br />
The court rejected both applications for leave to appeal, so the Administrative Court's judgment stands. As regards the plaintiff's application: the request to remove the entire disciplinary file lacked a legitimate interest in legal protection, because the defendant had already destroyed the disciplinary file in accordance with the expungement requirement of Section 16(3) BDG and the corresponding sub-folder of the personnel file was empty, so a ruling could not bring the plaintiff any advantage. The provisions cited by the plaintiff (Sections 112 and 113 BBG and Article 5(1)(c), (d) and (e) GDPR) do not grant removal of the remaining documents: personnel files are meant to present a complete and accurate picture of the civil servant's history, including disciplinary matters, and removal generally runs against this aim. Section 112 BBG allows removal only of documents containing an allegation of (at least objectively) conduct in breach of duty, so that the official can develop professionally without the burden of outdated accusations; documents about health impairments contain no such accusation. Data collected during the civil service relationship remains adequate, relevant and limited to what is necessary under Article 5(1)(c) GDPR even after the civil servant leaves the service, it does not become inaccurate on departure (so there is no correction claim under Article 16 GDPR), and Article 5(1)(e) GDPR does not prevent its continued storage. As regards the defendant's application: the service group leader's statement of July 4, 2018 must be removed from the factual files, because mentioning a disciplinary procedure that had already been expunged violates the prohibition on use in Section 16(1) BDG, because the statement passes on an unproven rumour about the reasons for the plaintiff's resignation, and because it contains defamatory remarks that violate the plaintiff's personality rights; the claim for removal follows from Section 1004 BGB applied by analogy.<br />
In short: the file the plaintiff most wanted removed had already been destroyed, the remaining documents stay in the personnel file, and the defamatory statement has to go.<br />
<br />
== Comment ==<br />
German law prioritizes a complete record in personnel files, and only accusations of conduct in breach of duty qualify for removal under Section 112 BBG. The decision also shows the importance of a comprehensive statement of grounds for leave to appeal: what the plaintiff and defendant do not submit is not considered by the Court.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
Title:<br />
Claim for removal and destruction of documents from the personnel file - unsuccessful reciprocal applications for leave to appeal<br />
Norm chains:<br />
BBG § 112 Paragraph 1 Sentence 1, § 113 Paragraph 1, Paragraph 2<br />
GDPR Art. 5 Para. 1, Art. 16<br />
VwGO Section 124 Paragraph 2 No. 1<br />
BDG § 16 paragraph 3<br />
BGB § 1004<br />
Guiding principles:<br />
1. Information about health impairments does not contain any accusation and cannot be considered as the subject of the rehabilitation idea underlying the expungement provision in Section 112 Paragraph 1 Sentence 1 No. 2 BBG. (Rn. 9) (editorial principle)<br />
2. The data collected in the personnel file during the existence of a civil servant relationship generally remains adequate, relevant and limited to the necessary extent within the meaning of Article 5 Paragraph 1 Letter c GDPR even if the civil servant concerned leaves the civil service relationship. (Rn. 12) (editorial principle)<br />
3. As a substantive legal protective measure in favor of the civil servant, the prohibition on use (§ 16 para. 1 BDG) and the expungement requirement are intended to prevent him from being confronted without time limit with a sanctioned official offense and from suffering a detrimental effect from it. (Rn. 17) (editorial principle)<br />
Tags:<br />
Federal police, reciprocal applications for leave to appeal, right to removal of documents, personnel files, factual files, principle of value-free and as complete as possible documentation of the civil service relationship, idea of rehabilitation, public law defensive claim in the form of a right to removal, prohibition on use and expungement requirement, violation of the principle of objectivity, removal of documents from the personnel file, reactivation, statement, disciplinary proceedings, interest in legal protection, right to removal and destruction<br />
Lower court:<br />
VG Regensburg, judgment of January 25, 2023 – RO 1 K 21.716<br />
Location:<br />
BeckRS 2023, 17253<br />
<br />
<br />
Tenor<br />
<br />
I. The applications of the plaintiff and the defendant for leave to appeal against the judgment of the Regensburg Administrative Court of January 25, 2023 - RO 1 K 21.716 - are rejected.<br />
<br />
II. Each applicant bears the costs of its own admission procedure.<br />
<br />
III. The amount in dispute is set at €5,000 for each of the two admission procedures.<br />
<br />
Reasons<br />
<br />
1<br />
The reciprocal applications for leave to appeal, by which the plaintiff and the defendant each challenge the administrative court's judgment in the part adverse to them, are admissible. However, they are unsuccessful on the merits.<br />
<br />
2<br />
With his application for leave to appeal, the plaintiff pursues his action, which before the administrative court sought the deletion of documents from his personnel file and from the factual files kept at the Federal Police Directorate in M., and which was unsuccessful except for the requested removal of the statement of July 4, 2018 by the plaintiff's then service group leader, EPHK S., on the plaintiff's reactivation. The defendant, in turn, objects with its application for leave to appeal to the obligation to delete that statement, which is contained in the "reactivation review" procedural file.<br />
<br />
3<br />
1. The plaintiff's admissible application for leave to appeal is unfounded.<br />
<br />
4<br />
a) The administrative court dismissed the action insofar as it sought to oblige the defendant to remove the entire file relating to the plaintiff's disciplinary proceedings specified in Annex K 3 to the statement of claim as well as all documents from the personnel file specified in Annexes K 2.1 to K 2.20, on the following grounds: With regard to the request to remove the documents relating to the disciplinary proceedings from the personnel file, the necessary interest in a substantive decision worthy of legal protection was missing; such a request obviously could not bring the plaintiff any actual or legal advantage, since the documents at issue are no longer in the personnel file. In any case, as can be seen from the letters submitted by the plaintiff, the defendant was prepared to remove the documents from the personnel file, so that there was no need to bring an action in order to enforce the claim. A claim to the removal of the documents contained in Annexes K 2.1 to K 2.20 arises neither from Section 112 Paragraph 1 Sentence 1 No. 1 or 2 BBG nor from Section 113 Paragraph 1 No. 1 or Paragraph 2 BBG nor from the General Data Protection Regulation or other legal bases. Section 112 BBG only grants a right to removal if the employer's assessment contained in the document in question has previously proven to be unfounded or incorrect in a procedure available for this purpose. According to the principles of completeness and truth, the personnel file must provide the most accurate and objective picture possible of the civil servant's personality and convey an accurate picture of the origin and development of the employment relationship as a historical course of events. In principle, the removal of personnel file data from the personnel file contradicts this. Sections 112 and 113 BBG merely stipulate exceptions to the principles of completeness and/or truth. In addition, for a claim to removal to exist, the complaint, allegation or assessment must contain the accusation of conduct that is at least objectively contrary to duty. Only then is it necessary to give the civil servant, by creating distance, the opportunity for further professional development without being burdened by outdated allegations.<br />
<br />
5<br />
b) The - timely - grounds for admission, which alone are subject to review by the Senate, do not justify the sought admission of the appeal. The serious doubts asserted as to the correctness of the contested judgment within the meaning of Section 124 Paragraph 2 No. 1 VwGO do not exist.<br />
<br />
6<br />
Such doubts would be justified if the applicant called into question a single key legal principle or a significant factual finding of the administrative court with conclusive arguments (cf. BVerfG, B.v. 23.6.2000 - 1 BvR 830/00 - NVwZ 2000, 1163/1164; B.v. 23.3.2007 - 1 BvR 2228/02 - BayVBl 2007, 624). That is not the case.<br />
<br />
7<br />
aa) The administrative court correctly decided that the claim asserted by the plaintiff to have the entire file relating to the disciplinary proceedings specified in Annex K 3 removed lacks the necessary interest in legal protection. The plaintiff's objection that, in the absence of a clear statement from the defendant, it cannot be assumed that the documents mentioned have actually already been removed from the personnel file is wrong. The defendant already stated in its defense of May 20, 2021 that there are no disciplinary files in the plaintiff's personnel file. This is tantamount to declaring that the removal has actually taken place. The defendant also commented on this in its application for leave to appeal dated April 28, 2023 and expressly stated that it had observed the expungement requirement of Section 16 (3) BDG and destroyed the disciplinary file. The corresponding sub-folder in the plaintiff's personnel file is therefore empty. The plaintiff has not provided any evidence to suggest that this statement is incorrect, and none is apparent.<br />
<br />
8<br />
bb) Nor does the plaintiff, with conclusive arguments, call into question the administrative court's finding that there is no legal basis for the claim to have Annexes K 2.1 to K 2.20 removed from the personnel file.<br />
<br />
9<br />
(1) The requirements of Section 112 Paragraph 1 Sentence 1 No. 2 BBG for the claim to removal and destruction are not met, because the documents - as the clarification in the following sentence 3 shows - must contain allegations, which is clearly not the case here. What would essentially come into consideration are complaints or assessments containing the accusation that the official acted, at least objectively, in breach of duty, for example in a disapproving statement by a superior (cf. OVG NW, B.v. May 11, 2023 - 1 A 2432/20 - juris Rn. 11 m.w.N.). The documents in dispute mainly concern events from the years 2004 to 2006 and 2010 to 2014 which arose in the course of assessing the plaintiff's suitability for service in the police and his general fitness for duty, such as medical notes, orders for socio-medical examinations and documents concerning the extension of the probationary period dated November 4, 2010. The rehabilitation idea underlying the expungement provision in Section 112 Paragraph 1 Sentence 1 No. 2 BBG, as an exception to the principle of value-free and as complete as possible documentation of the civil service relationship, does not cover the deletion of such documents. Information about health impairments does not contain any accusation and cannot be the object of rehabilitation (cf. Guenther, in: Plog/Wiedow, Federal Civil Servants Act, as of May 2023, § 112 BBG, Rn. 11). The fact that the content of these documents may be unfavorable to the plaintiff or have a detrimental effect on him is not sufficient for a successful removal request. The provision is also not linked to the (alleged) inaccuracy of documents or to the question of whether they are still needed, but only concerns cases of correct, or at least unresolved, allegations whose written record has therefore rightly been included in the personnel file and left there for several years.<br />
<br />
10<br />
(2) Insofar as the plaintiff believes that the deletion claim for the documents dating from before June 16, 2006 arises from Section 113 Para. 2 Sentence 1 or Sentence 2 BBG, because it cannot be assumed that these would still be needed for the reactivation procedure, he does not engage in the necessary manner with the - convincing - statements of the administrative court in the contested judgment. According to those statements, the personnel files from the time before the plaintiff first left the civil service have not yet been closed within the meaning of Section 113 Paragraph 1 BBG, so that the five-year retention period specified in sentence 1 of that provision has not yet begun to run. The grounds for admission do not contain any conclusive counterarguments to this.<br />
<br />
11<br />
(3) Contrary to the plaintiff's opinion, the asserted deletion claim does not arise from Article 5 Paragraph 1 Letters c, d and e GDPR. The plaintiff believes that all entries in the personnel file dating from before June 16, 2006 should be deleted because the civil service relationship at that time ended on that date and is no longer related to the current civil service relationship. All documents collected up to his departure on June 16, 2006 were no longer relevant to the proceedings and should therefore, from the perspective of storage limitation, data minimization and the principle of accuracy, be deleted from the personnel file. This cannot be followed.<br />
<br />
12<br />
In principle, the data collected in the personnel file during the existence of a civil servant relationship remains adequate, relevant and limited to the necessary extent within the meaning of Article 5 Paragraph 1 Letter c GDPR even if the civil servant concerned leaves the civil service relationship. As the administrative court rightly stated, documents about incapacity for work due to illness not only serve to determine current absences, but also remain important for possible reactivation or reinstatement examinations, in which the respective historical context may matter. On the contrary, deletion could violate the principle of data accuracy. The claim for deletion cannot be based on Article 5 Paragraph 1 Letter d GDPR, according to which personal data must be accurate and, "where necessary, kept up to date". The data did not become inaccurate as a result of the plaintiff's departure from the service; rather, it remains accurate in view of the legal situation at the time. A claim for rectification under Art. 16 GDPR is therefore excluded. Only if the personnel file preserves the state that was correct at the respective time can a picture, as complete as possible, of the origin and development of the employment relationship as a historical sequence of events be documented, which enables the employer to fulfil its task of personnel administration and management. Accordingly, Article 5 Paragraph 1 Letter e GDPR does not prevent the continued storage of the data collected in his personnel file up to the plaintiff's departure from the civil service in 2006.<br />
<br />
13<br />
2. The defendant's application for leave to appeal also remains unsuccessful, insofar as the administrative court upheld the action and obliged the defendant to delete the statement of the plaintiff's then service group leader dated July 4, 2018, which is contained in the factual files kept at the M. Federal Police Directorate. The serious doubts asserted as to the correctness of the first-instance judgment (Section 124 Para. 2 No. 1 VwGO) do not exist.<br />
<br />
14<br />
a) The administrative court assumed in its decision that the asserted claim to have the statement, obtained in preparation for the examination of the plaintiff's reactivation, removed from the accompanying file "Administrative dispute M.S. against the Federal Republic of Germany because of renewed appointment to civil service status" arises from a public law defensive claim in the form of a claim for removal analogous to Section 1004 of the German Civil Code (BGB). The statement contains factual assertions, infringing the plaintiff's rights, for which there is no evidence; furthermore, it is associated with a personal insult or disparagement of the plaintiff, which completely pushes into the background the objective purpose of the statement, namely to provide an objective assessment of the plaintiff's health-related suitability with regard to his pending reactivation under § 46 BBG.<br />
<br />
15<br />
b) The grounds for admission do not raise any serious doubts about the correctness of this legal opinion that would lead to the appeal being admitted.<br />
<br />
16<br />
(1) The defendant rightly objects that, contrary to the opinion of the administrative court, the reference contained in the superior's statement of July 4, 2018 to disciplinary proceedings initiated before the plaintiff's voluntary resignation from the service in 2006 does not contain an untrue statement of fact. This is no longer apparent from the plaintiff's personnel file, since the defendant observed the expungement requirement of Section 16 Paragraph 3 BDG and destroyed the relevant documents. However, the references to the above-mentioned disciplinary proceedings mentioned by the defendant in its grounds for admission and still existing in its factual files/procedural files are sufficient to prove the accuracy of the factual assertion contained in the statement at issue. This does not, however, lead to the success of the defendant's application for leave to appeal.<br />
<br />
17<br />
On the one hand, the mention of the proceedings that took place years ago already constitutes a violation of the prohibition on use regulated in Section 16 Paragraph 1 BDG. Together with the expungement requirement, its purpose is to "cleanse" the official of the stain of past misconduct. As a substantive legal protective measure in favor of the civil servant, the prohibition on use and the expungement requirement are intended to prevent him from being confronted without time limit with a sanctioned official offense and from suffering a detrimental effect from it. Admittedly, this does not mean that an absolute claim to protection arises in favor of the official concerned and that the expunged disciplinary procedure can no longer be mentioned at all. However, the disciplinary measure imposed may not be taken into account for further disciplinary measures or personnel measures after the specified period has expired (cf. BVerwG, U.v. October 13, 2020 - 2 C 41/18 - juris Rn. 24 f. m.w.N.).<br />
<br />
18<br />
Based on these principles, the mere mention of the disciplinary procedure, already expunged from the personnel file, in the statement of the plaintiff's former service group leader obtained as part of the reactivation examination constitutes a violation of the prohibition on use (Section 16 Paragraph 1 BDG). It evidently serves to revive the memory of the past misconduct in order to use it again to the plaintiff's detriment.<br />
<br />
19<br />
On the other hand, the plaintiff rightly points out that the service group leader not only mentioned the earlier disciplinary procedure, but also linked it to the - unproven - assumption that this procedure led to the plaintiff's voluntary resignation from the police service in 2006. The files provide no evidence for this assumption. It is obviously a matter of passing on a mere rumour, which affects the plaintiff's personality rights and thus justifies the claim for removal under Section 1004 of the German Civil Code (BGB).<br />
<br />
20<br />
(2) In addition, the administrative court correctly found that the statement also contains other - unsubstantiated - factual allegations in whose retention in the factual files the defendant has no legally recognized interest, such as the statement that the plaintiff had "thrown several projects into the sand" in the private sector and had "returned to the Federal Police to have himself rehabilitated". The defendant's application for admission does not address this.<br />
<br />
21<br />
(3) There are also no serious concerns about the view taken by the administrative court that the disputed statement also contains, at least in part, defamatory statements that are likely to violate the plaintiff's rights and also justify the asserted removal claim under Section 1004 of the German Civil Code (BGB). In this statement, EPHK S., as the plaintiff's former service group leader, was to comment on the possibility of reactivating the plaintiff, who had been retired early for health reasons. First, he objectively described the plaintiff's career and professional achievements during his period of service. However, the following statements, which clearly exceed the objective framework, are to be judged differently. There can no longer be any question of a purely technical statement - which in principle does not represent an insult to honor (cf. BayVGH, B.v. July 15, 2003 - 25 ZB 03.1349 - juris Rn. 3) - if the plaintiff is assumed to have consciously returned to the federal police “to be rehabilitated” after he had “scuttled several projects” during his freelance work. The advice to carry out a police check on the plaintiff in order to “not lay an egg in the nest” is obviously associated with a personal insult or degradation, which completely pushes the objective concern of the official statement into the background and injures the plaintiff in his personal rights.<br />
<br />
22<br />
The Senate therefore follows the opinion of the administrative court that the claim for removal is also justified due to the fact that the statement mentioned partially violates the principle of objectivity and is defamatory.<br />
<br />
23<br />
The defendant's objection that the administrative court failed to recognize that the statement was a purely internal and not a public statement. In any case, the statement, as part of the factual file, is intended to be disclosed initially to a limited group of people and, in the – always to be expected – event that a lawsuit is filed, also to a broader public. The employer's obligation to ensure the well-being of the civil servant and his family within the framework of the service and loyalty relationship also results in a right to safeguard the civil servant's honor, on the basis of which the employer is obliged to refrain from making defamatory statements or to ensure that they do not remain in the files kept on the officials concerned and could therefore become known to third parties (cf. OVG Saarl, B.v. July 3, 1995 - 1 W 75/94 - juris Rn. 3).<br />
<br />
24<br />
3. The cost decision is based on Section 154 Paragraph 2 VwGO. The determination of the amount in dispute follows from Section 47 and Section 52 Paragraph 2 GKG.<br />
<br />
25<br />
This decision is incontestable (Section 152 Paragraph 1 VwGO). With this, the judgment of the administrative court becomes legally binding (Section 124a Paragraph 5 Sentence 4 VwGO).<br />
</pre></div>Ludwigederlehttps://gdprhub.eu/index.php?title=CJEU_-_C-740/22_-_Endemol_Shine_Finland_OyCJEU - C-740/22 - Endemol Shine Finland Oy2024-03-12T16:34:32Z<p>Nzm: </p>
<hr />
<div>{{CJEUdecisionBOX<br />
<br />
|Case_Number_Name=C-740/22 Endemol Shine Finland Oy<br />
|ECLI=ECLI:EU:C:2024:216<br />
<br />
|Opinion_Link=<br />
|Judgement_Link=https://curia.europa.eu/juris/document/document.jsf;jsessionid=36E0E3CCAE2E7CFD10822C42362A087A?text=2016%252F679&docid=283530&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=183462#ctx1<br />
<br />
|Date_Decided=07.03.2024<br />
|Year=2024<br />
<br />
|GDPR_Article_1=Article 2(1) GDPR<br />
|GDPR_Article_Link_1=Article 2 GDPR#1<br />
|GDPR_Article_2=Article 4(2) GDPR<br />
|GDPR_Article_Link_2=Article 4 GDPR#2<br />
|GDPR_Article_3=Article 4(6) GDPR<br />
|GDPR_Article_Link_3=Article 4 GDPR#6<br />
|GDPR_Article_4=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_4=Article 5 GDPR#1a<br />
|GDPR_Article_5=Article 6(1)(e) GDPR<br />
|GDPR_Article_Link_5=Article 6 GDPR#1e<br />
|GDPR_Article_6=Article 10 GDPR<br />
|GDPR_Article_Link_6=Article 10 GDPR<br />
|GDPR_Article_7=<br />
|GDPR_Article_Link_7=<br />
|GDPR_Article_8=<br />
|GDPR_Article_Link_8=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Reference_Body=Itä-Suomen hovioikeus<br />
|Reference_Case_Number_Name=<br />
<br />
|Initial_Contributor=nzm<br />
|<br />
}}<br />
<br />
The CJEU held that data relating to criminal convictions contained in a court’s filing system cannot be disclosed for the purpose of ensuring public access to documents if the person requesting the disclosure does not establish that they have a “specific interest” in obtaining said data.<br />
<br />
==English Summary==<br />
<br />
=== Facts ===<br />
A data subject participated in a competition organized by Endemol Shine Finland. The latter made an oral request to the Etelä-Savon käräjäoikeus (District Court, South Savo, Finland) for information on possible ongoing or completed criminal proceedings concerning the data subject, for the purpose of clarifying their criminal record. The district court refused the request. <br />
<br />
Following this, Endemol Shine Finland brought an appeal against the judgement before the Itä-Suomen hovioikeus (Court of Appeal, Eastern Finland, Finland). The latter stayed the proceedings and referred three questions to the CJEU:<br />
<br />
# Does an oral transfer of personal data constitute processing of personal data within the meaning of [[Article 2 GDPR#1|Article 2(1)]] and [[Article 4 GDPR#2|4(2) GDPR]]<br />
# Can public access to official documents allow information on criminal convictions or offences to be obtained from a court’s register without restriction when the request is made orally?<br />
# Is it relevant whether the person requesting the information is a company or a private individual?<br />
<br />
=== Holding ===<br />
'''On the first question:''' <br />
<br />
[[Article 4 GDPR#2|Article 4(2) GDPR]] defines “processing” as: any operation or set of operations which is performed on the personal data or on sets of personal data, whether or not by automated means. <br />
<br />
The Court determined that the use of “any operation” in this definition is intended to give the concept of “processing” a broad scope, which is corroborated by the non-exhaustive nature, expressed by the phrase “such as”. The Court added that [[Article 4 GDPR#2|Article 4(2) GDPR]] does not lay down any condition as to the form of processing meaning that the concept of processing covers the oral disclosure of personal data. <br />
<br />
The question still arose as to whether the oral disclosure of personal data falls within the material scope of the GDPR. [[Article 2 GDPR#1|Article 2(1) GDPR]] provides that the GDPR applies to the processing wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. [[Article 4 GDPR#6|Article 4(6) GDPR]] defines a “filing system” as: any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis. <br />
<br />
The oral disclosure of personal data constitutes processing other than by automated means. Therefore, the Court indicated that the data of that processing must form part or be intended to form part of a filing system in order for that processing to come within the material scope of the GDPR. In the present case, the Court held that it was clear that the data requested by Endemol Shine Finland Oy were contained in a “court’s register of persons” which constituted a filing system within the meaning of [[Article 4 GDPR#6|Article 4(6) GDPR]]. <br />
<br />
'''On the second and third questions:'''<br />
<br />
The Court pointed out that any processing of personal data must (i) comply with the principles relating to the processing of personal data and (ii) in order to comply with principle of lawfulness laid down in [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]], satisfy one of the conditions listed in [[Article 6 GDPR]] (see [https://gdprhub.eu/index.php?title=CJEU_-_C-439/19_-_B_v._Latvijas_Republikas_Saeima C-439/19] and [https://gdprhub.eu/index.php?title=CJEU_-_C%E2%80%91634/21_-_SCHUFA C-634/21]). The Court found that the oral disclosure of the public data relating to criminal convictions may fall within [[Article 6 GDPR#1e|Article 6(1)(e) GDPR]], under which processing is lawful if and to the extent that it is “necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.<br />
<br />
[[Article 10 GDPR]] makes the processing of data relating to criminal convictions and offences subject to additional restrictions: under said provision, the processing of such data shall be carried out only under the control of an official authority, unless it is authorized by Union or Member State law providing the appropriate safeguards for the rights and freedoms of data subjects’.<br />
<br />
The Court considered that the GDPR does not preclude personal data being disclosed to the public if the disclosure is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, within the meaning of [[Article 6 GDPR#1e|Article 6(1)(e) GDPR]], even where the data related to criminal convictions and offences.<br />
<br />
In order to determine (i) whether public disclosure of personal data relating to criminal convictions is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, within the meaning of [[Article 6 GDPR#1e|Article 6(1)(e) GDPR]] and (ii) whether the legislation authorising such disclosure provides for appropriate safeguards for the rights and freedoms of data subjects, the Court indicated that the judge must take into account the seriousness of the interference with the fundamental right to respect for private life and to the protection of personal data caused by that disclosure.<br />
<br />
Regarding the seriousness of the interference with those rights, due to the sensitivity of data relating to criminal convictions and offences, the processing of such data may constitute a particularly serious interference with the fundamental rights to respect private life and to the protection of personal data. The Court adds that this data relates to behaviour that gives rise to social disapproval and is liable to stigmatise the data subject (see [https://gdprhub.eu/index.php?title=CJEU_-_C-439/19_-_B_v._Latvijas_Republikas_Saeima C-439/19]).<br />
<br />
The Court found that in the light of the sensitivity of data relating to relating to criminal convictions and of the seriousness of the interference with the fundamental rights of data subjects to respect for private life and to the protection of personal data, which is caused by the disclosure of such data, those rights prevail over the public’s interest in having access to official documents. For the same reason, the right to freedom of information under [[Article 85 GDPR|Article 85 GDPR]] cannot justify the disclosure to any person who requests personal data relating to criminal convictions. <br />
<br />
Therefore, the Court held that [[Article 6 GDPR#1e|Article 6(1)(e)]] and [[Article 10 GDPR|Article 10 GDPR]] preclude data relating to criminal convictions contained in a court’s filing system from being disclosed orally to any person for the purpose of ensuring public access to official documents if the person requesting the disclosure does not establish that they have a specific interest in obtaining said data. The Court added that it is irrelevant whether that person is a commercial company or a private individual.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''</div>Nzmhttps://gdprhub.eu/index.php?title=IP_(Slovenia)_-_07101-22/2023/7IP (Slovenia) - 07101-22/2023/72024-03-12T16:15:11Z<p>Mg: /* English Summary */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Slovenia<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoSI.png<br />
|DPA_Abbrevation=IP<br />
|DPA_With_Country=IP (Slovenia)<br />
<br />
|Case_Number_Name=07101-22/2023/7<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Informacijski pooblaščenec<br />
|Original_Source_Link_1=https://gdprhub.eu/images/5/5e/07101-22-2023-7_34._%25C4%258Dlen_ZVOP-2_kr%25C5%25A1itev_brez_ukrepa_08012024.pdf<br />
|Original_Source_Language_1=Slovenian<br />
|Original_Source_Language__Code_1=SL<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Rejected<br />
|Date_Started=16.10.2023<br />
|Date_Decided=08.01.2024<br />
|Date_Published=31.01.2024<br />
|Year=2024<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 6(1) GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR#1<br />
|GDPR_Article_2=Article 12 GDPR<br />
|GDPR_Article_Link_2=Article 12 GDPR<br />
|GDPR_Article_3=Article 15 GDPR<br />
|GDPR_Article_Link_3=Article 15 GDPR<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=im<br />
|<br />
}}<br />
<br />
The controller was not ordered to take any specific measures after they missed the deadline to respond to the data subject’s access request, as they followed the DPA’s order to take a decision.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
On 31 August 2023 the data subject received a marketing message. As he was curious to know how the controller obtained his data, he sent him a data access request, to which the controller did not reply. Therefore, the data subject filed a complaint with the Slovenian DPA. <br />
<br />
On 18 October 2023, the controller was requested by the DPA to take a written decision on the applicant's request in accordance with [[Article 12 GDPR|Article 12 GDPR]] and [[Article 15 GDPR]].<br />
<br />
On 3 November 2023, the data controller sent an email to the DPA, indicating that they responded to the request for access to personal data and removed the data subject from the customer database. <br />
<br />
On 8 November 2023, the data subject informed the DPA that he had received a response in which the controller apologized for the delayed response. However, the apology did not change the fact that the controller had missed the legally prescribed deadline, thereby violating the law and committing an offense for which a fine is prescribed.<br />
<br />
The controller stated that the data subject had voluntarily subscribed to receive notifications on 19 June 2015. In connection with this, the applicant pointed out that there had been changes in data protection legislation in recent years, and that controllers were required to re-obtain consent for further use or delete the data. Therefore, the data subject claimed that retaining the data for 8 years longer and starting to use the same data after a period of 8 years was unlawful and constituted unsolicited marketing communication. <br />
<br />
The data subject insisted on reporting the violations, believing that the controller stored and used his data without a legal basis.<br />
<br />
=== Holding ===<br />
The DPA acknowledged that the controller complied with the data subject’s request after the expiration of a 1-month deadline. However, the controller remedied this breach by a response to the data subject based on the DPA’s request of 18 October 2023. As a result, the DPA did not find a violation of unlawful storage of data lacking a basis according to [[Article 6 GDPR#1|Article 6(1) GDPR]]. <br />
<br />
Regarding the allegations concerning the unlawful use of personal data for direct marketing, the DPA stated that it is not competent to take action in the area regulated by the [http://www.pisrs.si/Pis.web/pregledPredpisa?id=ZAKO8611 Slovenian Electronic Communications Act] which mirrors the [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52017PC0010 ePrivacy Regulation]. <br />
<br />
Consequently, the DPA found no infringements on the side of the controller and the controller was not ordered to take any specific measures.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.<br />
<br />
<pre><br />
<br />
</pre></div>Imhttps://gdprhub.eu/index.php?title=CNIL_(France)_-_SAN-2024-003CNIL (France) - SAN-2024-0032024-03-12T15:54:54Z<p>Nzm: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=France<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFR.png<br />
|DPA_Abbrevation=CNIL<br />
|DPA_With_Country=CNIL (France)<br />
<br />
|Case_Number_Name=SAN-2024-003<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Légifrance<br />
|Original_Source_Link_1=https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000049231950?page=1&pageSize=10&query=2016%252F679&searchField=ALL&searchType=ALL&sortValue=DATE_DECISION_DESC&tab_selection=cnil&typePagination=DEFAULT<br />
|Original_Source_Language_1=French<br />
|Original_Source_Language__Code_1=FR<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=23.09.2021<br />
|Date_Decided=31.01.2024<br />
|Date_Published=05.03.2024<br />
|Year=2024<br />
|Fine=310,000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 4(11) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#11<br />
|GDPR_Article_2=Article 6(1) GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR#1<br />
|GDPR_Article_3=Article 6(1)(a) GDPR<br />
|GDPR_Article_Link_3=Article 6 GDPR#1a<br />
|GDPR_Article_4=Article 6(1)(f) GDPR<br />
|GDPR_Article_Link_4=Article 6 GDPR#1f<br />
|GDPR_Article_5=Article 32 GDPR<br />
|GDPR_Article_Link_5=Article 32 GDPR<br />
|GDPR_Article_6=<br />
|GDPR_Article_Link_6=<br />
|GDPR_Article_7=<br />
|GDPR_Article_Link_7=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=nzm<br />
|<br />
}}<br />
<br />
The DPA fined a controller who carried out telephone canvassing campaigns using data purchased from data suppliers €310,000 for, among other things, not having a legal basis for processing. The controller did not appear in the data suppliers’ lists of partners, which precluded reliance on legitimate interest, and the data suppliers used a deceptive design when collecting consent.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
On 23 September 2021, the French DPA (“CNIL”) carried out an inspection on Foriou’s premises (“controller”), in particular regarding the legal basis of the processing and the security measures taken. The controller was in the business of marketing and managing loyalty programs and cards. In order to promote its programs, until 2021, the controller carried out telephone canvassing campaigns using prospect files purchased from several data suppliers who collected the data via entry forms for online competitions. The personal data collected was the following: surname, first name, title, email address, date of birth and postal address.<br />
<br />
During its investigations, the CNIL discovered that the data suppliers all had similar forms on their websites: there were fields which enabled the data subject to enter their contact details. Underneath these fields was a “Validate”, “I validate” or “I answer questions to apply” button. Above or below this button, a text specified that by clicking on it, the user declared that they had read the data supplier’s data protection policy and accepted that the data collected would be used to send them offers from the company’s partners. Hyperlinks were provided to access the data protection policy as well as the list of partners concerned. However, the list did not mention the controller. At the end of the text it was specified that if the user wished to continue without receiving offers from the data supplier’s partners, they could click a link in the text (“click here”). <br />
<br />
Therefore, data subjects could either click on the “Validate” button and accept that their data would be used to send them offers from the data supplier’s partners or on the “click here” link to continue without receiving these offers.<br />
<br />
The controller also submitted 2 other forms in its observations. These forms contained “Validate my coordinates” and “Continue” buttons to validate participation in the game and transmit data to partners. The “click here” button remained unchanged and was still presented in the body of the text.<br />
<br />
Regarding security measures, the CNIL found that the controller indicated that they would keep customer data for a period of 5 years from the date of the end of the contract in an active database with no intermediate archiving mechanism implemented.<br />
<br />
=== Holding ===<br />
Firstly, the CNIL indicated that [[Article 6 GDPR#1|Article 6(1) GDPR]] establishes the legal bases of processing. The DPA also pointed out that commercial prospecting by telephone can be carried out on the legal basis of the controller’s legitimate interest or on the basis of consent. <br />
<br />
Regarding the controller’s legitimate interest, the CNIL added that the controller must ensure that the processing does not infringe the rights and interests of the data subject, taking into account their reasonable expectations. The CNIL held that regarding the fact that the controller was not listed as a partner from the data supplier, the controller could not rely on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] to justify its commercial canvassing operations by telephone, as the protection of the interests, freedoms and fundamental rights of the data subjects took precedence over the legitimate interests of the controller. <br />
<br />
Regarding consent, the CNIL stressed that concerning commercial canvassing operations, when the data subject’s data has not been collected directly from them by the canvassing organization, consent may be obtained by the initial collector on behalf of the organization that will carry out subsequent canvassing operations. If this is not the case, it is up to the prospecting organization to obtain such consent before proceeding with the processing. The CNIL considered that the design of the forms on the data suppliers’ websites did not allow data subjects to express a valid choice, as the interfaces particularly highlighted the “Validate”, “I validate” or “I answer questions to apply” button, whose size and color made it stand out from the other information provided. The words used also suggested the conclusion of the data subject’s registration process rather than the transmission of data to partners, and the location of the button on the form gave the impression that it had to be clicked to complete the registration and take part in the competition. The CNIL also found that the hyperlink text which allowed data subjects to partake in the competition without agreeing to the transmission of their data to partners was presented in the body of the text in characters much smaller in size than those used for the buttons and without any particular emphasis. The CNIL also found that the forms submitted by the controller in its observations did not sufficiently inform the data subjects either. Therefore, the CNIL considered that the consent was not unambiguous and free as required under [[Article 4 GDPR#11|Article 4(11) GDPR]].<br />
<br />
In the absence of a legal basis enabling the controller to base its commercial canvassing operations by telephone, the CNIL considered that a breach of [[Article 6 GDPR|Article 6 GDPR]] was constituted.<br />
<br />
Secondly, the CNIL also pointed out that a simple contractual commitment by a data broker to comply with the GDPR as well as the rules applicable to commercial prospecting does not constitute a sufficient measure (see [https://gdprhub.eu/index.php?title=CNIL_(France)_-_Deliberation_of_the_restricted_training_n%C2%B0SAN-2022-021_of_November_24,_2022_concerning_the_company_ELECTRICIT%C3%89_DE_FRANCE CNIL, SAN-2022-021]). Thus, the DPA considered that the contractual obligations that the controller imposed on its suppliers did not exonerate the controller from its liability, despite the possible existence of liability on the part of the suppliers.<br />
<br />
Finally, the CNIL noted that during the phase of current use, which corresponds to the time required to achieve the purpose of the processing, the data is kept in an “active base” and is accessible to all departments responsible for implementing the processing. At the end of this phase, when the data is no longer used to achieve the set objective but is still of administrative use to the controller (for example the management of a possible dispute), it must be possible to consult it only on an ad hoc basis and for a specific reason, by specially authorized people. With regard to this case, the CNIL held that the information it found did not make it possible to establish that persons would have access to the data without having a need to know. Therefore, the DPA concluded that there was no breach of [[Article 32 GDPR|Article 32 GDPR]]. <br />
<br />
Thus, the CNIL imposed a €310,000 fine on the controller for breaching [[Article 6 GDPR|Article 6 GDPR]].<br />
<br />
== Comment ==<br />
To grasp the notion of consent, the CNIL referred to several documents:<br />
<br />
* [https://gdprhub.eu/index.php?title=CJEU_-_C-673/17_-_Planet49 CJEU, 1 October 2019, Planet49 GmbH, C-673/17]<br />
* [https://www.legifrance.gouv.fr/ceta/id/CETATEXT000042040546 CE, 10ème et 9ème chambres réunies, 19 juin 2020, Google LLC, n° 430810]<br />
* [https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf Guidelines 05/2020 on consent under Regulation 2016/679]<br />
* [https://www.cnil.fr/sites/cnil/files/atoms/files/recommandation-cookies-et-autres-traceurs.pdf CNIL, Délibération SAN-2020-092]<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the French original. Please refer to the French original for more details.<br />
<br />
<pre><br />
Deliberation of restricted training no. SAN-2024-003 of January 31, 2024 concerning the company FORIOU<br />
<br />
The National Commission for Information Technology and Freedoms, gathered in its restricted formation composed of Mr. Alexandre LINDEN, president, Mr. Philippe-Pierre CABOURDIN, vice-president, Ms. Isabelle LATOURNARIE-WILLEMS and MM. Alain DRU and Bertrand du MARAIS, members;<br />
<br />
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of personal data and the free movement of such data;<br />
<br />
Having regard to law no. 78-17 of January 6, 1978 relating to data processing, files and freedoms, in particular its articles 20 et seq.;<br />
<br />
Having regard to decree no. 2019-536 of May 29, 2019 taken for the application of law no. 78-17 of January 6, 1978 relating to computing, files and freedoms;<br />
<br />
Having regard to deliberation no. 2013-175 of July 4, 2013 adopting the internal regulations of the National Commission for Information Technology and Liberties;<br />
<br />
Having regard to decision no. 2021-191C of June 29, 2021 of the President of the National Commission for Information Technology and Freedoms to instruct the Secretary General to carry out or have carried out a verification mission of the processing implemented by the company SFK GROUP, by its subsidiaries or on its behalf, in any place likely to be affected by their implementation;<br />
<br />
Having regard to the decision of the President of the National Commission for Information Technology and Liberties appointing a rapporteur before the restricted panel, dated April 4, 2022;<br />
<br />
Having regard to the report of Ms. Valérie PEUGEOT, commissioner rapporteur, notified to the company FORIOU on August 23, 2023;<br />
<br />
Considering the written observations submitted by the company FORIOU on September 29, 2023;<br />
<br />
Having regard to the rapporteur's response to these observations, notified to the company on October 20, 2023;<br />
<br />
Considering the closure of the investigation, notified to the company on November 22, 2023;<br />
<br />
Considering the oral observations made during the restricted training session of December 7, 2023;<br />
<br />
Having regard to the deliberation preliminary to the law of restricted training n°SAN-2023-020 of December 14, 2023;<br />
<br />
Having regard to the written observations submitted by the rapporteur on December 21, 2023;<br />
<br />
Considering the written observations submitted by the company on December 28, 2023;<br />
<br />
Considering the oral observations made during the restricted training session of January 18, 2024;<br />
<br />
Considering the note for deliberation sent by the company on January 29, 2024;<br />
<br />
Considering the other documents in the file;<br />
<br />
Were present during the restricted training session:<br />
<br />
- Ms. Valérie PEUGEOT, commissioner, heard in her report;<br />
<br />
As representatives of the FORIOU company:<br />
<br />
- […]<br />
<br />
The FORIOU company having spoken last;<br />
<br />
The restricted formation adopted the following decision:<br />
<br />
I. Facts and procedure<br />
<br />
1. The company FORIOU (hereinafter "the company"), whose head office is located at 23/25 avenue Kléber in Paris (16th), is a subsidiary of the company SFK GROUP. Its activity is the marketing and management of loyalty programs and cards. It does not employ any employees but relies, for the conduct of its activities, on the services of personnel from other companies in the group. The company indicated that it had identified […] customers as of October 5, 2021. Its turnover for the year 2021 amounted to […] euros, for a net loss of […] euros.<br />
<br />
2. In order to promote its programs, the company carried out, until 2021, telephone canvassing campaigns based on prospect files purchased from two main partners, the companies […] and […].<br />
<br />
3. On September 23, 2021, a delegation from the National Commission for Information Technology and Liberties (hereinafter “the Commission” or “the CNIL”) carried out an inspection at the company’s premises, in order to verify the compliance with the provisions of law no. 78-17 of January 6, 1978 as amended relating to data processing, files and freedoms (hereinafter "the Data Protection Act" or "law of January 6, 1978 as amended") and of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of personal data and the free movement of such data (hereinafter the “Regulation” or “GDPR”).<br />
<br />
4. Report No. 2021-191/1, drawn up on the day of the inspection, was notified to the company on September 30, 2021.<br />
<br />
5. The company communicated additional documents on October 5 and November 22, 2021.<br />
<br />
6. For the purposes of examining these elements, the President of the Commission, on April 4, 2022, appointed Ms. Valérie PEUGEOT as rapporteur on the basis of article 22 of the law of January 6, 1978 as amended.<br />
<br />
7. On June 8, 2023, the rapporteur sent a supplementary request to which the company responded on June 23, 2023.<br />
<br />
8. On August 23, 2023, at the end of her investigation, the rapporteur notified the company of a report detailing the breaches of Articles 6 and 32 of the GDPR which she considered to have occurred in this case. This report proposed that the restricted panel impose an administrative fine on the company. It also proposed that this decision be made public.<br />
<br />
9. On September 29, 2023, the company produced observations in response to the sanction report.<br />
<br />
10. The rapporteur responded to the company's observations on October 20, 2023.<br />
<br />
11. On November 22, 2023, the rapporteur, in application of paragraph III of article 40 of decree no. 2019-536 of May 29, 2019 adopted for the application of the Data Protection Act, informed the company and the president of the restricted panel that the investigation was closed.<br />
<br />
12. The same day, the company was informed that the file was included on the agenda of the restricted panel session of December 7, 2023.<br />
<br />
13. The restricted panel held a session on December 7, 2023.<br />
<br />
14. By preliminary deliberation No. SAN-2023-020 of December 14, 2023, sent by email to the company the same day and notified by post on December 20, 2023, the restricted panel asked the company FORIOU and the rapporteur to produce a supplementary document mentioned by the company during the session of December 7, 2023.<br />
<br />
15. On December 21, 2023, the rapporteur communicated to the restricted panel a document entitled “leads_701_23-09-2021 […]”.<br />
<br />
16. On December 28, 2023, the company communicated to the restricted panel a document also entitled “leads_701_23-09-2021 […]”.<br />
<br />
17. In application of article 41 of decree no. 2019-536 of May 29, 2019, a summons to the restricted panel session of January 18, 2024 was notified to the company FORIOU on December 20, 2023.<br />
<br />
18. The rapporteur and the company presented oral observations during the restricted panel session.<br />
<br />
II. Reasons for decision<br />
<br />
A. On the failure to comply with the obligation to process data lawfully<br />
<br />
19. Under the terms of Article 6 of the GDPR, “1. Processing is only lawful if, and to the extent that, at least one of the following conditions is met:<br />
<br />
a) the data subject has consented to the processing of his or her personal data for one or more specific purposes;<br />
<br />
b) the processing is necessary for the performance of a contract to which the data subject is party or for the execution of pre-contractual measures taken at the request of the data subject;<br />
<br />
c) the processing is necessary for compliance with a legal obligation to which the controller is subject;<br />
<br />
d) processing is necessary to safeguard the vital interests of the data subject or another natural person;<br />
<br />
e) the processing is necessary for the performance of a mission of public interest or relating to the exercise of public authority vested in the controller;<br />
<br />
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular when the person concerned is a child."<br />
<br />
20. The restricted panel recalls that commercial prospecting by telephone call can be carried out on the legal basis of the legitimate interest of the company (f) or on that of consent (a).<br />
<br />
21. In this case, the company indicated that it carried out commercial prospecting operations by telephone using prospect files purchased from several data providers, the latter collecting said data via participation forms in online competitions.<br />
<br />
22. The restricted panel notes that the company was not able, either in its written observations or in its oral observations during the session, to indicate precisely on what legal basis it was relying to carry out such processing. Under these conditions, the two legal bases likely to be applicable in this case will be examined in turn.<br />
<br />
1) On legitimate interest<br />
<br />
23. The rapporteur maintains that, to base its commercial prospecting operations by telephone, the company cannot rely on the legal basis of legitimate interest referred to in point f) of Article 6, paragraph 1 of the GDPR. She notes, with regard to the participation forms for online competitions through which the company […] collects the data of prospects which it resells to the company FORIOU, that FORIOU is not systematically mentioned in the list of partners likely to approach the persons concerned, and that those persons therefore cannot legitimately expect to receive commercial offers from this company.<br />
<br />
24. In defense, the company relies on the contractual commitments of the company […], which provide that the company FORIOU must be mentioned among the recipients of the data collected. It considers that it cannot be held responsible for the shortcomings of its service provider, and produces an example of a form implemented by the company […] containing a URL link to a list of partners, including the company SFAM (a link to the latter's privacy policy giving access to the complete list of companies belonging to the same group as SFAM, including the company FORIOU). Finally, the company claims to carry out regular checks on the conformity of the files delivered.<br />
<br />
25. The restricted panel recalls that, while commercial prospecting by non-electronic means can be carried out on the basis of the legitimate interest of the company, the latter must ensure that the processing does not conflict with the rights and interests of the persons whose data are processed, taking into account their reasonable expectations.<br />
<br />
26. In this regard, recital 47 of the GDPR provides that: "[…] the existence of a legitimate interest should be the subject of a careful assessment, in particular in order to determine whether a data subject can reasonably expect, at the time and in the context of the collection of personal data, that these are subject to processing for a given purpose. The interests and fundamental rights of the person could, in particular, prevail over the interest of the controller when personal data are processed in circumstances where the data subjects have no reasonable expectation of further processing […]."<br />
<br />
27. The restricted panel firstly notes that it follows from these provisions that, in its capacity as data controller, the FORIOU company is required to verify itself that the conditions allowing it to carry out commercial prospecting operations are met. In this regard, an organisation has previously been held liable on the ground that a simple contractual commitment from its data broker to respect the GDPR and the rules applicable to commercial prospecting did not constitute a sufficient measure (CNIL, FR, November 24, 2022, Sanction, No. D-SAN-2022-021, published).<br />
<br />
28. Thus, with regard to the contractual commitments of the company [...] on which the FORIOU company relies, the restricted panel considers that the contractual obligations that may be imposed on suppliers cannot exempt the FORIOU company from its liability as controller, notwithstanding the possible liability of the supplier.<br />
<br />
29. Furthermore, with regard to the checks that the company claims to carry out on the forms from which the data are collected, the restricted panel notes that it does not produce any element to attest to this, the contractual commitments of its suppliers not constituting a control measure as such.<br />
<br />
30. In the present case, the restricted panel notes that certain competition forms from which the company [...] collects prospect data which it transmits to the company FORIOU do not allow the persons concerned to reasonably expect to receive commercial prospecting offers from this company.<br />
<br />
31. Thus, with regard to the form accessible from the website […], the restricted panel observes that the latter contains a hyperlink referring to a nominative list of partners and not to categories of partners. Thus, the persons concerned can legitimately expect that this list of partners is exhaustive. However, the said list does not mention the company FORIOU.<br />
<br />
32. Concerning the forms present on the sites […] (this form referring to the site […]) and […], the restricted panel notes that they do not mention the list of partners or categories of partners to which the data is likely to be transmitted, and that they also do not contain any link giving access to such a list.<br />
<br />
33. The restricted panel considers that under these conditions, the protection of the interests, freedoms and fundamental rights of the persons concerned takes precedence over the legitimate interests of the company, and that the latter cannot therefore rely on the legal basis mentioned in Article 6, paragraph 1, f) to base its commercial prospecting operations by telephone.<br />
<br />
2) On consent<br />
<br />
34. The rapporteur considers that, to base its commercial prospecting operations by telephone, the company cannot rely on the legal basis of consent referred to in point a) of Article 6, paragraph 1, of the GDPR. She notes that the findings made by the delegation made it possible to establish that the data brokers from which the company FORIOU obtains its supplies collect said data via participation forms for online competitions, the design of which does not allow users to demonstrate their consent by a clear and unambiguous positive act, and strongly encourages them to accept the transmission of their data to the company's partners for prospecting purposes.<br />
<br />
35. In defense, the company relies on the terms of the contract concluded with the company […]. It takes note of the material findings, but indicates that, if the breaches exist, they are neither representative of a desire to ignore its obligations, nor of generalized practices. In this regard, it provides two examples of collection forms implemented by its suppliers, which it considers to be compliant. Finally, it reports checks carried out on the files following their provision by the service provider, and emphasizes the impossibility, given the volume of these files, of implementing a unitary check.<br />
<br />
36. The restricted panel recalls that under the terms of Article 4, paragraph 11, of the GDPR, "consent" of the data subject means "any manifestation of will, free, specific, informed and unambiguous by which the data subject accepts, by a declaration or by a clear positive act, that personal data concerning him or her are subject to processing."<br />
<br />
37. With regard to commercial prospecting operations, it emphasizes that when the prospects' data have not been collected directly from them by the prospecting organization, consent may have been obtained at the time of the initial collection of the data by the first collector, on behalf of the organization which will carry out the subsequent prospecting operations. Failing this, it is up to the prospecting organization to obtain such consent before carrying out prospecting acts (CNIL, FR, November 24, 2022, Sanction, n°SAN-2022-021, published).<br />
<br />
38. Firstly, with regard to the contractual commitments of the company [...] on which the FORIOU company relies, the restricted panel refers to the elements developed in points 27 and 28. It further recalls that, while the intentional nature of the violation must be taken into account when deciding whether there is reason to impose a fine and when deciding its amount, it has no impact on the characterization of the breach, which may result from negligence. The same applies to whether or not said breach is generalized.<br />
<br />
39. Secondly, the restricted panel recalls that the consent mentioned in the provisions of Article 6, paragraph 1, a) of the GDPR, on which the processing of personal data may be based, can only result from an express consent of the user, given in full knowledge of the facts after adequate information on the use that will be made of their personal data. It is therefore necessary to ensure that the persons concerned have given unequivocal, specific, free and informed consent when their personal data are collected via competition participation forms.<br />
<br />
40. The restricted panel notes in this regard that the work carried out on the practices implemented for cookies, with regard to consent collection banners, can usefully serve to assess in a more general manner the conditions for collecting free, unambiguous, specific and informed consent, and serve as a reference in matters of commercial prospecting when it is based on the collection of consent.<br />
<br />
41. Furthermore, on the same conditions of consent, the Court of Justice of the European Union (hereinafter "CJEU") specified, in its Planet49 GmbH decision: "Article 7(a) of Directive 95/46 provides that the consent of the data subject can make such processing lawful provided that this consent is 'unambiguously' given by the data subject. However, only active behavior on the part of this person with a view to manifesting consent is likely to fulfill this requirement" (CJEU, Grand Chamber, October 1, 2019, Planet49 GmbH, C-673/17, ECLI:EU:C:2019:801, §54). Therefore, if consent is not given unambiguously, it must be considered as lacking, which makes the processing unlawful for lack of legal basis. More precisely on the methods of collection, the CJEU states that "the manifestation of will referred to in Article 2(h) of Directive 95/46 must, in particular, be 'specific', in the sense that it must relate precisely to the data processing concerned and cannot be deduced from a manifestation of will having a distinct object. In this case, contrary to what Planet49 argued, the fact that a user activates the participation button for the promotional game organized by this company cannot therefore be sufficient to consider that the user has validly given his consent to the placement of cookies" (Idem, §§ 58-59).<br />
<br />
42. Furthermore, the Council of State held that "free, specific, informed and unequivocal consent can only be an express consent of the user, given in full knowledge of the facts and after adequate information on the use that will be made of his personal data." (CE, 10th and 9th chambers combined, June 19, 2020, Google LLC, no. 430810, pt. 21).<br />
<br />
43. The restricted panel also notes, by way of example, that guidelines 5/2020 on consent, adopted on May 4, 2020 by the "article 29" working group (now the European Data Protection Board, hereinafter "EDPB"), specify that the free nature of consent "implies a choice and real control for the data subjects. As a general rule, the GDPR provides that if the data subject is not genuinely able to exercise a choice, feels forced to consent or will suffer significant negative consequences if he or she does not give consent, the consent is not valid […] In general terms, any inappropriate pressure or influence exerted on the person concerned (which may manifest in different ways) preventing him from exercising his will will render the consent invalid."<br />
<br />
44. By way of illustration and comparison, in its deliberation no. 2020-092 of September 17, 2020 adopting a recommendation proposing practical methods of compliance in the event of use of "cookies and other tracers", the Commission recommends that the organizations concerned ensure "that users take the full measure of the options available to them, in particular through the design chosen and the information provided (§ 10) […] In order not to mislead users, the Commission recommends that data controllers ensure that interfaces for collecting choices do not include potentially misleading design practices leading users to believe that their consent is obligatory or which visually highlight one choice rather than another. It is recommended to use buttons and fonts of the same size, offering the same ease of reading, and highlighted in the same way" (§ 34). It adds that it is necessary "to be careful that the information accompanying each actionable element allowing consent or refusal to be expressed is easily understandable and does not require efforts of concentration or interpretation on the part of the user. Thus, it is particularly recommended to ensure that it is not written in such a way that a quick or careless reading could lead one to believe that the selected option produces the opposite of what users thought they were choosing." (§ 23). Otherwise, the unequivocal nature of the consent would not be characterized.<br />
<br />
45. The restricted panel also recalls that studies carried out on the practices of digital interfaces, in particular concerning cookies, note the considerable impact of the appearance of consent collection banners on the choices of users, which can encourage them to make choices that do not reflect their preferences on data sharing.<br />
<br />
46. In this case, it appears from the documents in the file that the companies […] and […], suppliers of prospect data to the company FORIOU, collect the data of the persons concerned (surname, first name, title, email address, mobile telephone number, date of birth and postal address) via participation forms in online competitions, in order to allow their partners to use them as part of their commercial prospecting.<br />
<br />
47. Regarding the findings made by the delegation during the inspection, the restricted panel notes that the forms accessible from the websites […], […], […] and […] are presented in a similar manner. Under the fields allowing the persons concerned to enter their contact details (which are requested with the wording "fill in your details below if you win" or "fill in your details below to apply") is located a button "VALIDATE", "I VALIDATE" or "I ANSWER THE QUESTIONS TO APPLY". Above or below this button, a text specifies that by clicking on it, the user declares to have read the company's data protection policy and accepts that the data collected will be used to send them offers from the company's partners. Hypertext links provide access to the data protection policy and the list of partners concerned. The end of the text specifies that if the user wishes to continue without receiving offers from the company's partners, they can click on a link present in the text ("click here").<br />
<br />
48. Thus, the user confronted with this form can either click on a button allowing both to validate their participation in the game and to accept that their data is used to send them offers from the company's partners, or click on the “click here” link allowing you to continue without receiving these offers.<br />
<br />
49. The restricted panel considers that, as designed, the proposed forms do not allow data subjects to validly express a choice reflecting their preferences regarding the transmission of data for commercial prospecting purposes. The overall presentation of the interfaces particularly highlights the "VALIDATE", "I VALIDATE" or "I ANSWER THE QUESTIONS TO APPLY" button which, by its size and color, stands out from the other information provided. Likewise, its title evokes the conclusion of the user journey rather than a transmission of data to partners. Finally, its location gives the impression that it must be clicked to complete registration and participate in the competition. Conversely, the hypertext link allowing the user to participate in the game without accepting the transmission of their data to partners is presented in the body of the text, in characters of a size significantly smaller than that used for the buttons and without particular emphasis, so that it does not appear intuitive that it is possible to participate without clicking on one of the aforementioned buttons and therefore without transmitting one's data to third parties for prospecting purposes. The consent obtained is therefore devoid of an unequivocal and free nature.<br />
<br />
50. The restricted panel also notes that, as part of its written observations, the company produced two other forms, presented as compliant. However, the restricted panel notes that their design does not allow the persons concerned to demonstrate their consent by a clear and unambiguous positive act.<br />
<br />
51. On the one hand, the restricted panel observes that the presentation of these forms, like those consulted by the delegation during the on-site inspection, particularly highlights the "VALIDATE MY CONTACT INFORMATION" and "CONTINUE" buttons, which validate participation in the game and transmit data to partners. By contrast, the hypertext link "click here" allowing the user to participate in the game without accepting this transmission is presented in the body of the text, in characters of a size significantly smaller than that of the button and without particular emphasis. In addition, the overall visual of the form accessible from the site […], which contains three green inserts ("I VALIDATE MY PARTICIPATION", "I CONFIRM MY DETAILS FOR DELIVERY IN CASE OF WIN" and "VALIDATE MY CONTACT DETAILS"), suggests that there is a logical sequence between these three actions and that the "VALIDATE MY CONTACT INFORMATION" button is the last button to activate in order to participate in the game and obtain one's winnings. However, this button is not mandatory since the user can use the aforementioned link "click here", which is not intuitive given the general appearance of the form.<br />
<br />
52. In addition, with regard to the form implemented by the company […] from the site […], the restricted panel notes the existence of two boxes to check, one concerning reading and acceptance of the rules of the game, the other concerning reading the privacy policy and accepting the transmission of one's data. The similar appearance of these boxes, presented as legal notices that must be read, and whose accompanying text begins with "I have read", pushes the user to check them indiscriminately, then to click on "CONTINUE", thereby transmitting their data. The possibility of participating in the draw without receiving promotional offers exists by clicking on the link "here", but it is written in a smaller font and without emphasis compared to the "CONTINUE" button which, on the one hand, is particularly visible by its size, color and font and, on the other hand, seems to conclude the user journey due to its location at the bottom of the form. Thus, the optional nature of the "CONTINUE" button cannot be clearly deduced from the overall visual of the form.<br />
<br />
53. On the other hand, the restricted panel notes that an online check carried out on October 17, 2023 revealed that, given its configuration, the form referred to in the preceding paragraph did not materially allow the user to participate in the game without accepting the transmission of their data to the company's partners, and therefore without being the recipient of commercial prospecting, contrary to what is indicated on the form.<br />
<br />
54. The restricted panel thus considers that the above-mentioned forms do not sufficiently inform the persons concerned of the fact that they consent to the transmission of their data for commercial prospecting purposes, in a context where the very purpose of these websites is to offer a prospect of winnings, which does not suggest the objective of long-term collection of this data for such purposes. These persons are not able to demonstrate their consent by a clear and unambiguous positive act.<br />
<br />
55. Thirdly and lastly, with regard to the checks that the company claims to carry out on the files delivered, the restricted panel observes that the company does not produce any evidence to attest to this.<br />
<br />
56. On the one hand, in its written observations of September 29, 2023, then in its oral observations during the meeting of December 7, 2023, the company mentioned a document entitled "leads_701_23-09-2021 […]", collected during on-site inspection and reporting, according to it, "checks of the prospecting files carried out following their provision by the service provider". By deliberation no. SAN-2023-020 of December 14, 2023, the restricted panel requested the rapporteur and the company to produce this document.<br />
<br />
57. The restricted panel notes that the file produced by the rapporteur, the digital fingerprint of which certifies that it is indeed the file from which the findings were made by the delegation during the inspection, does not contain any element of a nature to certify the verifications relied upon by the company. In accordance with what is mentioned in the inspection report, this is a file of prospects ("leads") delivered by the company […] to the INDEXIA group on September 23, 2021, containing the data of approximately 15,000 prospects. While, for each of these prospects, a URL link giving access to the source of the data is present, the restricted panel notes that no mention is made of verifications which could have been carried out by the FORIOU company or the INDEXIA group. During the session of January 18, 2024, the company indicated that it would not question the integrity of this exhibit.<br />
<br />
58. Regarding the file produced by the company, the restricted panel notes that it does not correspond to the one collected during the inspection, insofar as its digital fingerprint and its size differ. It further notes that this difference is confirmed by its content since, contrary to the findings appearing in the report of September 23, 2021, it does not contain any prospect data but only URL links accompanied by comments ("ok", "only one check box", "disputed").<br />
<br />
59. Finally, the restricted panel observes that the content of the file produced does not appear consistent with the purpose invoked, insofar as the summary and undated comments which appear therein are not linked to any prospect record and, furthermore, it has not been demonstrated that the non-conformities identified were reported to the company […]. The restricted panel thus considers that, in any case, such a file does not make it possible to demonstrate the existence of checks carried out on the files delivered.<br />
<br />
60. On the other hand, with regard to the other documents in the file, the restricted panel notes that they attest exclusively to requirements imposed by the company FORIOU on the company […] prior to the resumption of their contractual relations, without constituting checks by the company FORIOU on the subsequent practices of its service provider.<br />
<br />
61. The restricted panel notes in any case that the proportion of non-compliant files among those randomly examined by the delegation (i.e. four non-compliant files out of the seven examined) demonstrates the insufficiency of the measures taken by the company to ensure the validity of the consent of the persons concerned.<br />
<br />
62. Therefore, in the absence of a legal basis allowing the FORIOU company to base its commercial prospecting operations by telephone, the restricted panel considers that a breach of Article 6 of the GDPR has occurred.<br />
<br />
B. On the failure to comply with the obligation to ensure data security<br />
<br />
63. Under the terms of Article 32, paragraph 1 of the GDPR, "taking into account the state of knowledge, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks, the degree of probability and severity of which varies, for the rights and freedoms of natural persons, the controller and the processor implement appropriate technical and organizational measures in order to guarantee a level of security adapted to the risk […]" and in particular "means to guarantee the constant confidentiality, integrity, availability and resilience of processing systems and services" and a "procedure aimed at regularly testing, analyzing and evaluating the effectiveness of technical and organizational measures to ensure the security of the processing".<br />
<br />
64. The rapporteur notes that the company indicated that it kept its customers' data for a period of five years from the date of closure of the contract, in accordance with the legal limitation periods, specifying that this data was kept in the active database, without any intermediate archiving mechanism being implemented. The rapporteur considers that these storage arrangements do not make it possible to limit access to data to users with a need to know, to the extent that people who have an interest in accessing this data during the term of the contract continue, even after its closure, to be able to access it without restriction for a period of five years, even though their functions no longer necessarily require them to know about it.<br />
<br />
65. In defense, the company does not deny keeping its customers' data for a period of five years from the end of the contractual relationship, nor the absence of intermediate archiving, but considers that the notion of "active database" constitutes restrictive terminology insofar as the information accessible during the life of a contract remains, for the vast majority of it, still necessary even after the latter has been closed. It also underlines that the implementation of intermediate archiving measures raises the question of the relationship between the human and financial investment that would be necessary and the limited gain that would result.<br />
<br />
66. The restricted panel recalls that it follows from the provisions of Article 32 of the GDPR that the data controller must put in place appropriate measures to ensure the confidentiality of the data and prevent them from being processed unlawfully by people who do not need to know them (CNIL, FR, October 29, 2021, Sanction, n°SAN-2021-019, published).<br />
<br />
67. This need to know is likely to evolve depending on the life cycle of the data and the purposes for which they are kept. Thus, during the phase of their current use, which corresponds to the duration necessary to accomplish the determined purpose, the data are kept in the "active database" and accessible to all the services responsible for implementing the processing. At the end of this phase, when the data are no longer used to achieve the set objective but still present an administrative interest for the organization (for example for the management of possible litigation) or must be kept to meet a legal obligation, they must only be consultable on an ad hoc and motivated basis by specifically authorized persons participating in the objective which justified this retention, by being placed in intermediate archiving. This intermediate archiving requires a separation from the active database, which can be physical (via a transfer of the data to a dedicated archive database) or logical (via the implementation of technical and organizational measures guaranteeing that only people with an interest in processing the data due to their functions can access it).<br />
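To make the life-cycle distinction in point 67 concrete, the following is an added illustration in Python, not part of the decision or of any CNIL or FORIOU system: a record's phase is derived from the contract closure date and a five-year retention period, active-phase data is open to the processing services, archived data is readable only by specifically authorised roles with a logged justification, and expired data is refused. Role names, the retention period and the sample records are constructed assumptions.<br />
<br />
```python
"""Intermediate-archiving access check (added example; roles, retention
period and records are constructed, not taken from the decision)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Retention after closure: five years, as the company stated in point 64.
RETENTION_AFTER_CLOSURE = timedelta(days=5 * 365)

# Roles allowed during current use (all services implementing the processing)
# versus roles specifically authorised to consult the intermediate archive.
# These role names are assumptions for the example.
ACTIVE_ROLES = {"customer_service", "loyalty_ops", "legal"}
ARCHIVE_ROLES = {"legal"}


@dataclass
class CustomerRecord:
    customer_id: str
    contract_closed: Optional[date]  # None while the contract is still running

    def phase(self, today: date) -> str:
        """Return 'active', 'intermediate_archive' or 'expired'."""
        if self.contract_closed is None:
            return "active"
        if today - self.contract_closed <= RETENTION_AFTER_CLOSURE:
            return "intermediate_archive"
        return "expired"


@dataclass
class AccessLog:
    """Trace of motivated archive accesses (logical-separation evidence)."""
    entries: List[Tuple[date, str, str, str]] = field(default_factory=list)


def check_access(record: CustomerRecord, role: str, today: date,
                 justification: Optional[str] = None,
                 log: Optional[AccessLog] = None) -> bool:
    """Decide whether `role` may read `record` today.

    Active phase: any service implementing the processing.
    Intermediate archive: only ARCHIVE_ROLES, and only with a recorded
    justification (ad hoc, motivated access).
    Expired: never; the data should already have been deleted or anonymised.
    """
    phase = record.phase(today)
    if phase == "active":
        return role in ACTIVE_ROLES
    if phase == "intermediate_archive":
        if role not in ARCHIVE_ROLES or not justification:
            return False
        if log is not None:
            log.entries.append((today, record.customer_id, role, justification))
        return True
    return False


def partition_records(records: List[CustomerRecord],
                      today: date) -> Dict[str, List[CustomerRecord]]:
    """Physical-separation variant: split a dataset into the active
    database, the archive database and records due for deletion."""
    parts: Dict[str, List[CustomerRecord]] = {
        "active": [], "intermediate_archive": [], "expired": []}
    for rec in records:
        parts[rec.phase(today)].append(rec)
    return parts


if __name__ == "__main__":
    today = date(2024, 1, 18)  # constructed reference date
    sample = [CustomerRecord("c1", None),
              CustomerRecord("c2", date(2021, 6, 1)),
              CustomerRecord("c3", date(2015, 1, 1))]
    log = AccessLog()
    for rec in sample:
        print(rec.customer_id, rec.phase(today),
              check_access(rec, "customer_service", today),
              check_access(rec, "legal", today, "litigation file", log))
    print({k: [r.customer_id for r in v]
           for k, v in partition_records(sample, today).items()})
```
<br />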
<br />
68. The restricted panel notes that the company does not dispute retaining its customers' data at the end of the contractual relationship, without any intermediate archiving measure taking place. The restricted training recalls that the termination of contractual relations must lead to limiting access to data to certain employees due to their functions. However, the restricted panel considers that as it stands, the elements in the file do not make it possible to establish that people would have access to said data without needing to know it.<br />
<br />
69. It follows from the above that there is no breach of Article 32 of the GDPR.<br />
<br />
III. On the issuance of corrective measures and publicity<br />
<br />
70. Under the terms of article 20 of law no. 78-17 of January 6, 1978 as amended: "When the data controller or its processor does not comply with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or this law, the president of the National Commission for Information Technology and Freedoms may […] refer the matter to the restricted committee of the commission with a view to pronouncing, after an adversarial procedure, one or more of the following measures: […] 7° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, in the case of a company, 2% of the total worldwide annual turnover of the previous financial year, whichever is higher. In the cases mentioned in paragraphs 5 and 6 of Article 83 of Regulation (EU) 2016/679 of April 27, 2016, these ceilings are increased, respectively, to 20 million euros and 4% of said turnover. The restricted committee takes into account, in determining the amount of the fine, the criteria specified in the same Article 83".<br />
<br />
71. Article 83 of the GDPR provides that: "Each supervisory authority shall ensure that administrative fines imposed under this article for violations of this regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive", before specifying the elements to be taken into account when deciding whether to impose an administrative fine and when deciding the amount of this fine.<br />
<br />
72. Firstly, the restricted panel recalls that it must take into account, when issuing an administrative fine, the criteria specified in Article 83 of the GDPR, such as the nature, seriousness and duration of the violation, whether the violation was deliberate or not, the measures taken by the controller to mitigate the damage suffered by data subjects, the degree of cooperation with the supervisory authority and the categories of personal data affected by the violation.<br />
<br />
73. The restricted committee underlines that the breach committed by the company relates to obligations relating to the fundamental principles of the protection of personal data.<br />
<br />
74. Indeed, the restricted committee recalls that the consequence of failing to have a legal basis for processing prospects' data in the context of commercial prospecting by telephone is to deprive the operations concerned of lawfulness.<br />
<br />
75. It underlines that, if the company intends to base these operations on the legal basis of consent, the ecosystem of the resale of data from partner to partner requires particularly strong guarantees as to the quality and validity of the consent obtained by the first data collector and which partners use for commercial prospecting purposes. It emphasizes that in this regard, the organization which avails itself of such consent to carry out commercial prospecting operations assumes an essential responsibility requiring it, as data controller, to ensure that the conditions enabling it to carry out said operations are met, regardless of the possible liability of the data providers, the primary collectors. The restricted committee considers that these requirements must be particularly reinforced with regard to the methods of obtaining the consent of users of websites whose purpose is to offer prospects of earnings, these persons not necessarily being aware of the scope of their agreement as part of their registration.<br />
<br />
76. The restricted committee also recalls the importance, in the absence of valid consent, of allowing the persons concerned to measure the extent of the processing to which their data is likely to be subject. Thus, the fact that at the time of data collection, a detailed list of partners likely to carry out commercial prospecting operations is made available to the persons concerned, without the FORIOU company appearing there, and without this list being supplemented by a statement specifying the categories of partners of which the company FORIOU could be a part, deprives the persons concerned of the minimum information base allowing them to preserve their interests, freedoms and fundamental rights.<br />
<br />
77. The restricted committee emphasizes the fact that the company FORIOU, as a subsidiary of the company SFK GROUP, has sufficient human, financial and technical resources to ensure compliance with the rules relating to the protection of personal data.<br />
<br />
78. Finally, the restricted committee intends to take into account […]<br />
<br />
79. In view of all of these elements, the restricted panel considers that it is appropriate to impose an administrative fine for the breach of Article 6 of the GDPR.<br />
<br />
80. Secondly, with regard to the amount of the administrative fine, the restricted committee recalls that the violation noted in this case concerns a breach likely to be subject, under Article 83 of the GDPR, to an administrative fine of up to 20 million euros or up to 4% of the global annual turnover of the previous financial year, whichever is higher.<br />
<br />
81. It considers that the activity of the company and its financial situation must in particular be taken into account. It notes in this regard that for the year 2021, the company achieved a turnover of […] euros, for an operating profit of […] euros. The restricted committee notes that, if the company presents a net loss of […] euros, it is only due to a waiver of debt of […] euros to the INDEXIA group. Furthermore, as this exceptional result is not deductible, the FORIOU company was subject, for the year 2021, to an amount of […] euros in corporate tax. Taking into account all of these elements, the restricted panel considers that the financial situation of the company is healthy.<br />
<br />
82. Therefore, with regard to the liability of the company, its financial capacities and the relevant criteria of Article 83(2) of the GDPR mentioned above, the restricted panel considers that a fine of three hundred and ten thousand euros (€310,000) appears justified.<br />
<br />
83. Thirdly, with regard to the publicity of the sanction, the restricted panel considers that this is justified in view of the seriousness of the breach in question, the position of the company on the market, the scope of the processing and the number of persons affected.<br />
<br />
84. It also notes that this measure is intended in particular to inform the people concerned by the company's prospecting operations. This information will allow them, if necessary, to assert their rights.<br />
<br />
85. Finally, it considers that this measure is proportionate since the decision will no longer identify the company by name at the end of a period of two years from its publication.<br />
<br />
FOR THESE REASONS<br />
<br />
The restricted formation of the CNIL, after having deliberated, decides to:<br />
<br />
• impose an administrative fine against the company FORIOU in the amount of three hundred and ten thousand euros (€310,000) for breach of article 6 of the GDPR;<br />
<br />
• make public, on the CNIL website and on the Légifrance website, its deliberation, which will no longer allow the company to be identified by name after a period of two years from its publication.<br />
<br />
President<br />
<br />
Alexandre LINDEN<br />
<br />
This decision may be the subject of an appeal before the Council of State within two months of its notification.<br />
</pre></div>Nzmhttps://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_28/2024APD/GBA (Belgium) - 28/20242024-03-12T14:51:55Z<p>Mg: /* Facts */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Belgium<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoBE.png<br />
|DPA_Abbrevation=APD/GBA<br />
|DPA_With_Country=APD/GBA (Belgium)<br />
<br />
|Case_Number_Name=28/2024<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=GBA<br />
|Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/zonder-gevolg-nr.-28-2024.pdf<br />
|Original_Source_Language_1=Dutch<br />
|Original_Source_Language__Code_1=NL<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Rejected<br />
|Date_Started=12.05.2023<br />
|Date_Decided=07.02.2024<br />
|Date_Published=<br />
|Year=2024<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 32 GDPR<br />
|GDPR_Article_Link_1=Article 32 GDPR<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=nzm<br />
|<br />
}}<br />
<br />
The DPA dismissed a complaint regarding the potential theft of medical documents as well as suspicions relating to the failure to safeguard confidentiality and integrity due to the lack of evidence provided by the data subject.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The data subject was an employee of a school and was absent for long periods of time in 2021-2022 for medical reasons. The data subject has been back at work since April 2022. <br />
<br />
On 12 May 2023, the data subject filed a complaint with the Belgian DPA (“APD”) regarding two people: the complaint concerned, on the one hand, the theft of the data subject’s personnel file with the intention of copying and disseminating such data, and on the other hand, suspicions of failure to safeguard the confidentiality and integrity of the complainant’s personnel file.<br />
<br />
Regarding the alleged theft of personal data, the data subject relied on the fact that a colleague had stated in writing that one of the defendants told the colleague that she was going to take the data subject’s file to go through it again and take any copies. <br />
<br />
Regarding the failure to safeguard the confidentiality and integrity of the personnel file, the data subject relied on the fact that in October 2022 she asked for access to her file in general terms, without specifying what she was looking for. In November 2022, she clarified that she was looking for “personal reports made by her directors over the years, medical info…”. She then added that she was also looking for “medical reports as well as correspondence regarding employment” from 2020-2022. In March 2023, the data subject clarified that medical information regarding her medical absence, documentation and communication regarding her return to work, and evaluation reports from 2020 were missing from the personnel file.<br />
<br />
=== Holding ===<br />
Concerning the failure to safeguard the confidentiality and integrity of the data subject’s file, the APD first proceeded with a policy dismissal, as it found that the data subject did not provide evidence which would have allowed the DPA to decide whether or not there had been a breach of [[Article 32 GDPR|Article 32 GDPR]]. Secondly, the APD held that, for each document, the data subject did not provide evidence that the controller was in possession of it. Therefore, the APD considered that the possible absence of documents from the data subject’s personnel file does not have a significant impact, as she did not demonstrate that she suffered any negative consequences after returning to the school. <br />
<br />
Concerning the suspicions of unlawful appropriation of the data from the data subject’s personnel file, the APD proceeded with a technical dismissal, as the data subject did not provide sufficient evidence of the existence of a breach of the GDPR. The only piece of evidence brought was a summary witness statement of an alleged conversation between a colleague and the controller. Since there was only talk of “taking” the file and “possibly” taking copies, the APD considered that there was no evidence that the file was actually taken or stolen. <br />
<br />
Therefore, the APD dismissed the complaint.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.<br />
<br />
<pre><br />
1/9<br />
<br />
Dispute Chamber<br />
<br />
Decision 28/2024 of February 7, 2024<br />
<br />
File number: DOS-2023-01969<br />
<br />
Subject: complaint about the absence, due to theft, of medical and other documents in a personnel file<br />
<br />
The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke HIJMANS, sole chairman;<br />
<br />
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;<br />
<br />
Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter “WOG”;<br />
<br />
Having regard to the internal rules of procedure, as approved by the House of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;<br />
<br />
Considering the documents in the file;<br />
<br />
Has made the following decision regarding:<br />
<br />
Complainant: X, hereinafter “the complainant”;<br />
<br />
Defendant 1: Y1, hereinafter “defendant 1”;<br />
<br />
Defendant 2: Y2, hereinafter “defendant 2”.<br />
<br />
<br />
I. Facts and procedure<br />
<br />
1. The complainant is an employee of an urban education school. At the time of the alleged facts, defendant 1 was the supervisor of the complainant. Defendant 2 was the alleged controller of the data of the staff of the school. The complainant was absent for a long period of time in 2021-2022 for medical reasons. The complainant has been back at work in the school since April 2022.<br />
<br />
2. The subject of the complaint against defendant 1 concerns suspicions of the unlawful appropriation of data from the complainant's personnel file with the intention to copy and distribute this data. This concerns, among other things, special data within the meaning of Article 9 GDPR, in this case medical data. In the complaint there is also talk of theft and criminally prosecutable offences.<br />
<br />
3. Since the complainant relies on the alleged incompleteness of her file to substantiate her complaint against defendant 1, the Disputes Chamber will deduce a complaint against defendant 2, the controller of the file in question. The object of the complaint against defendant 2 concerns suspicions of failure to guarantee the confidentiality and integrity of the complainant's personnel file.<br />
<br />
4. On October 5, 2022, a colleague of the complainant stated in writing that “the person [defendant 1] told me in July 2021 that she was going to take [defendant's] file with her to go through it again and take any copies to cover themselves.”<br />
<br />
5. On October 20, 2022, the complainant requested access to her personnel file through a counsel with her current manager.<br />
<br />
6. On October 21, 2022, the current manager referred the complainant to the personnel department of the school group, as there was no file on the complainant at the school.<br />
<br />
7. On October 26, 2022, the complainant requested to exercise her right of access with the school group. On November 7, 2022, the school group confirmed receipt of the request and asked for a specification of the documents for which access was requested, given that a personnel file is very extensive.<br />
<br />
8. On November 17, 2022, the complainant clarified her question. She was, in her own words, referred from the school group to defendant 2 as the file manager, as the file of the complainant only had “reports with various appointments of the client, her leave system …” The complainant clarified that she was more precisely looking for “personal reports drawn up by her directors over the years, medical information…”<br />
<br />
9. On November 22, 2022, defendant 2 invited the complainant to make an appointment to view an additional number of documents that were already in the central archive.<br />
<br />
10. On November 29, 2022, the complainant noted at the offices of defendant 2 that the last report dated from 2020 and that the last two years were missing, “[…] this while there can be no discussion about the existence of documents from the period 2020-2022 (medical reports as well as correspondence regarding the employment of [the complainant]).” The complainant asked whom she should contact to view the documents from this period.<br />
<br />
11. On December 19, 2022, defendant 2 acknowledged receipt of the query.<br />
<br />
12. On January 13, 2023, defendant 2 communicated that she was discussing additional and also recent documents and that the complainant could come and inspect them again.<br />
<br />
13. On March 6, 2023, the complainant contacted defendant 1 through her counsel with the finding that in her personal file “[…] – in addition to personal reports by the management, - important medical documents from the period 2020-2021 were missing.” The complainant reminded defendant 1 of her responsibilities: “As [defendant 1] it was your task to handle this personal and extremely sensitive information with care” and “As a custodian, it was your obligation not to dispose of these documents without express or tacit agreement from the client (art. 1930 Old Civil Code).” In addition, the complainant pointed out that she had heard from a colleague that “you have the file of the client in order to make the necessary copies.” The complainant accused defendant 1 of theft and serious violation of the privacy of the complainant.<br />
<br />
14. The complainant demanded that defendant 1 return the “complete personal file – together with all any copies” to the complainant. Failing this, the complainant would submit a criminal complaint to the investigating judge and notify the GBA without further notice. The complainant would also not fail to inform the current employer of defendant 1 of these facts. In addition, the complainant demanded moral damages of €2,500 “for the violation of her privacy as well as the insecure situation she finds herself in as a result. That such precarious, delicate information about her health was simply copied and could be or be shared with anyone is very painful for the client.”<br />
<br />
15. The complainant therefore served notice of default on defendant 1 “to return the client's personal file to us no later than March 15, 2023, as well as to pay the moral compensation of €2,500 to our third party account […].”<br />
<br />
16. On March 7, 2023, defendant 1 replied to the letter dated March 6, 2023 from the complainant. She stated that no official documents were copied or distributed from the complainant's personnel file and that the complete file is available for inspection at defendant 2.<br />
<br />
<br />
17. On April 28, 2023, the complainant submitted an (inadmissible) complaint to the GBA. The complaint concerns, on the one hand, the alleged theft of personal data and a violation of the privacy of the complainant by defendant 1. On the other hand, certain documents are missing from the complainant's file kept by defendant 2.<br />
<br />
18. The complainant stated that the management of the complainant's file was inadequate and that the following documents were missing from the file:<br />
<br />
• “all medical records regarding her illness;<br />
• certificates of disability;<br />
• all documentation following her return to work;<br />
• all correspondence between Ms [the complainant]'s lawyers and [the school];<br />
• evaluation interviews.”<br />
<br />
19. The complainant also stated that there had been problems between her and defendant 1. Defendant 1 showed “not to be too careful with the personal, delicate [the complainant's] data.” The complainant also refers to the witness statement dated October 5, 2022. The complainant concludes: “Given her position as [manager] it was up to [defendant 1] to handle the personal and extremely sensitive information with care. Since [defendant 1] is guilty of theft and violation of [the complainant's] privacy, we would therefore politely request you to investigate this complaint and take appropriate action.”<br />
<br />
20. On May 9, 2023, the First Line Service contacted the complainant to inform her that the complaint was not signed. In addition, the First Line Service invited the complainant to add additional supporting documents to the file, as a lack of sufficient evidence may lead to the dismissal of the complaint in line with the dismissal policy of the Disputes Chamber.<br />
<br />
21. On May 12, 2023, the complainant submits an (admissible) complaint to the Data Protection Authority against the defendant.<br />
<br />
22. On May 16, 2023, the complaint is declared admissible by the First Line Service on the basis of Articles 58 and 60 WOG and the complaint is transferred to the Disputes Chamber on the basis of Article 62, § 1 WOG.<br />
<br />
23. On September 28, 2023, the complainant inquired about the progress of her complaint.<br />
<br />
<br />
<br />
II. Justification<br />
<br />
24. On the basis of the elements in the file that are known to the Disputes Chamber, and on the basis of the powers granted to it by the legislature under Article 95, § 1 WOG, the Disputes Chamber will decide on the further follow-up of the file; in this case the Disputes Chamber will dismiss the complaint in accordance with Article 95, § 1, 3° WOG, based on the following justification.<br />
<br />
25. If a complaint is dismissed, the Disputes Chamber will give reasons for its decision step by step and:<br />
<br />
- issue a technical dismissal if the file does not contain elements, or contains insufficient elements, that could lead to a conviction, or if there is insufficient prospect of a conviction due to a technical obstacle which prevents it from reaching a decision;<br />
<br />
- or declare a policy dismissal if, despite the presence of elements that could lead to a sanction, the continuation of the investigation of the file does not seem appropriate in the light of the priorities of the Data Protection Authority, as specified and explained in the dismissal policy of the Disputes Chamber.[2]<br />
<br />
26. In the event of dismissal on more than one ground, the grounds for dismissal (respectively technical dismissal and policy dismissal) should be treated in order of importance.[3]<br />
<br />
Complaint against defendant 2<br />
<br />
27. The complaint against defendant 2 concerns suspicions of failure to guarantee the confidentiality and integrity of the complainant's personnel file. Although the complainant does not mention any complaint against defendant 2 in the complaint form, the complainant specifically states in her letter attached to the complaint that documents would be missing from the file of the controller, in this case defendant 2:<br />
<br />
• “all medical records regarding her illness;<br />
• certificates of disability;<br />
• all documentation following her return to work;<br />
• all correspondence between Ms [the complainant]'s lawyers and [the school];<br />
• evaluation interviews.”<br />
<br />
28. With regard to the complaint against defendant 2, the Disputes Chamber considers further action undesirable and decides to proceed with a policy dismissal. The complaint against defendant 2 is not supported by evidence on the basis of which the Disputes Chamber would be able to decide whether or not there is a violation of the GDPR, and the complaint has no major personal impact.<br />
<br />
[1] Court of Appeal Brussels, Market Court Section, 19th Chamber A, Chamber for Market Affairs, judgment 2020/AR/329, September 2, 2020, p. 18.<br />
[2] In this context, the Disputes Chamber refers to its dismissal policy as explained in detail on the GBA website: https://www.gegevensbeschermingsautoriteit.be/publications/sepotbeleid-van-de-geschikkamer.pdf<br />
[3] Cf. Title 3 – In which cases is my complaint likely to be dismissed by the Disputes Chamber? of the dismissal policy of the Disputes Chamber.<br />
<br />
<br />
29. On October 20 and October 26, 2022, the complainant requests access in general terms without specifying what she is looking for. On November 17, 2022, the complainant clarifies that she is looking for “personal reports made by her directors over the years, medical information…”. On November 29, 2022, the complainant once again clarifies her access request and is then looking for “medical reports as well as correspondence regarding employment” for the period 2020-2022. On March 6, 2023, the complainant clarified in her communication to defendant 1 what, according to her, is missing from her file: “besides personal reports drawn up by the management, - important medical documents from the period 2020-2021”.<br />
<br />
30. The Disputes Chamber concludes from this that the following documents are missing from the personnel file:<br />
<br />
• Medical information (medical reports, disability certificates) regarding the complainant's medical absence<br />
• Documentation and communication regarding the complainant's return to work and regarding the complainant's complaint regarding the incomplete personnel file<br />
• Evaluation reports from 2020<br />
<br />
31. Regarding medical information, Education Flanders collaborates with MEDEX, a service of the FPS Public Health. Under this procedure, a sick employee's medical data is only shared with the MEDEX doctors and not with the employer itself, given the sensitivity of such information and given medical confidentiality. The absence of such information in the personnel file testifies to good management by the school. The complainant does not provide any evidence that defendant 2 is in possession of these documents and therefore cannot prove that this information has disappeared or been disseminated.<br />
<br />
32. With regard to documentation and communication, it is not common practice that such documents are kept in a personnel file, which is mainly composed of decisions and evidence of decisions. The complainant does not demonstrate that this documentation and communication was of such a nature that it must have been kept in the personnel file. In addition, the complainant does not provide any evidence that the management of such communications and documents would have been problematic on the part of defendant 2.<br />
<br />
[4] Cf. criterion B.5. in the dismissal policy of the Disputes Chamber.<br />
[5] https://onderwijs.vlaanderen.be/nl/onderwijspersoneel/van-basis-tot- Adultenonderwijs/je-loopbaan/Zieken-en-accident/sick leave/disposition due to illness, consulted on 02/02/2024.<br />
<br />
<br />
33. Regarding the evaluation reports, the current manager declares on October 21, 2022 that there is no file of the complainant in the school, but he also states that no 'incidental reports' have been made regarding the complainant since his appointment on 1 September 2021. Following the inspection of November 29, 2022, the complainant states that only documents from the period 2020-2022 were missing, while the complainant makes no mention of a lack of incidental reports or evaluation reports for the period up to 2020. This shows that only incidental documents would be missing from 2020 to the start of her absence in spring 2021. The complainant provides no evidence that incidental reports or evaluations would have been drawn up during that period.<br />
<br />
34. The Disputes Chamber is of the opinion that any missing documents from the complainant's personnel file do not have a major personal impact, since the complainant in no way makes it plausible that she has suffered negative consequences after the return to school. The Disputes Chamber assumes that the complainant's medical details have been correctly handled by defendant 2 and are therefore not included in the personnel file of defendant 2. The complainant does not provide any evidence to the contrary.<br />
<br />
35. On May 9, 2023, the First Line Service asked the complainant to provide additional evidence, in the absence of which the complaint might not be dealt with on the merits. The complainant did not respond to this question.<br />
<br />
Complaint regarding defendant 1:<br />
<br />
36. The complaint against defendant 1 concerns suspicions of unlawful appropriation of data from the complainant's personnel file with the intention of copying and distributing this data. This includes special data within the meaning of Article 9 GDPR, in this case medical data.<br />
<br />
37. With regard to the complaint against defendant 1, the Disputes Chamber considers it undesirable to continue to follow up on the file and decides to proceed with a technical dismissal, because the complaint against defendant 1 has not been sufficiently substantiated with evidence for the existence of a breach of the GDPR or data protection laws and it is clearly not possible to obtain such proof. The Disputes Chamber is therefore not required to determine whether it is appropriate to continue the investigation of the file and, if necessary, to proceed with, inter alia, a treatment on the merits.<br />
<br />
[6] Cf. criterion A.1 in the dismissal policy of the Disputes Chamber.<br />
<br />
<br />
38. The complaint against defendant 1 is not supported by evidence on the basis of which the Litigation Chamber would be able to decide whether or not there has been an infringement of the GDPR. The complainant provides as the only piece of evidence a summary witness statement about an alleged conversation between a colleague and defendant 1. On the basis of this witness statement, which only states that “the person [defendant 1] said to me in July 2021 that she was going to take [the complainant's] file with her to go through it again and to take any copies to cover herself,” it is impossible for the Disputes Chamber to find evidence of the alleged infringement. There is only talk of “taking” the file and “possibly” taking copies. So there is no beginning of evidence that defendant 1 has actually taken the file or documents from the file 'home' or, as the complainant claims, has 'stolen' them. There is, moreover, no beginning of proof that defendant 1 has effectively “copied [them] and [that they] can be or have been shared with anyone,” as the complainant states in her letter to defendant 1.<br />
<br />
39. Moreover, it is clear that the Data Protection Authority will find it impossible to obtain proof in this regard. Firstly, defendant 1 had lawful access to the file, which means that any access control of the file would not deliver evidence. Secondly, it is a paper file, which can be taken and copied. The chance that there is a trace of taking a paper file and copying it is very small.<br />
<br />
40. On May 9, 2023, the First Line Service asked the complainant to provide additional evidence, otherwise the complaint may not be dealt with on the merits. The complainant did not respond to this question.<br />
<br />
III. Publication and communication of the decision<br />
<br />
41. Considering the importance of transparency with regard to the decision-making of the Disputes Chamber, this decision will be published on the website of the Data Protection Authority. On the other hand, it is not necessary that the identification details of the parties are disclosed directly.<br />
<br />
42. In accordance with its dismissal policy, the Disputes Chamber will transfer the decision to the defendants.[7] After all, the Disputes Chamber has decided to transfer its dismissal decisions ex officio to the defendants. However, the Disputes Chamber decided not to make such a notification where the complainant has requested anonymity with regard to the defendants and the notification of the decision to the defendants, even if it is pseudonymised, nevertheless makes it possible to (re)identify the complainant.[8] However, this is not the case in the present case.<br />
<br />
7 Cf. Title 5 – Will the dismissal of my complaint be published? Will the other party be informed of this? of the dismissal policy of the Disputes Chamber.<br />
8 Ibid.<br />
<br />
FOR THESE REASONS,<br />
<br />
the Disputes Chamber of the Data Protection Authority decides, after deliberation, to dismiss the present complaint on the basis of Article 95, § 1, 3° of the WOG.<br />
<br />
Pursuant to Article 108, § 1 of the WOG, an appeal against this decision may be lodged with the Market Court (Court of Appeal of Brussels), with the Data Protection Authority as defendant, within a period of thirty days from its notification.<br />
<br />
Such an appeal can be lodged by means of an inter partes petition which must contain the statements listed in Article 1034ter of the Judicial Code.[9] The inter partes petition must be submitted to the registry of the Market Court in accordance with Article 1034quinquies of the Judicial Code[10], or via the e-Deposit IT system of Justice (Article 32ter of the Judicial Code).<br />
<br />
To enable the complainant to consider other possible remedies, the Disputes Chamber refers the complainant to the explanation in its dismissal policy.[11]<br />
<br />
The Disputes Chamber emphasizes that the closure of cases by the Data Protection Authority may be taken into account in determining its future priorities and/or may give rise to future investigations on its own initiative by the Inspection Service of the Data Protection Authority.<br />
<br />
(signed) Hielke HIJMANS<br />
<br />
Chairman of the Disputes Chamber<br />
<br />
9 The petition states, under penalty of nullity:<br />
1° the day, month and year;<br />
2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or company number;<br />
3° the surname, first name, place of residence and, where applicable, the capacity of the person to be summoned;<br />
4° the subject matter and brief summary of the grounds of the claim;<br />
5° the judge before whom the claim is brought;<br />
6° the signature of the applicant or his lawyer.<br />
10 The petition with its attachment will be sent by registered letter, in as many copies as there are parties involved, to the clerk of the court or deposited at the registry.<br />
11 Cf. Title 4 – What can I do if my complaint is closed? of the dismissal policy of the Disputes Chamber.<br />
</pre></div>Nzmhttps://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_37/2024APD/GBA (Belgium) - 37/20242024-03-12T14:39:03Z<p>Nzm: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Belgium<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoBE.png<br />
|DPA_Abbrevation=APD/GBA<br />
|DPA_With_Country=APD/GBA (Belgium)<br />
<br />
|Case_Number_Name=37/2024<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=APD<br />
|Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/zonder-gevolg-nr.-37-2024.pdf<br />
|Original_Source_Language_1=French<br />
|Original_Source_Language__Code_1=FR<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Rejected<br />
|Date_Started=09.08.2022<br />
|Date_Decided=21.02.2024<br />
|Date_Published=<br />
|Year=2024<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 6(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR#1a<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=nzm<br />
|<br />
}}<br />
<br />
The DPA dismissed a cookie complaint regarding the absence of a “Reject all” button on the first layer of the cookie banner, as the “Confirm my choices” button meant that no cookies were placed since none of the categories of non-essential cookies were ticked by default.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A data subject represented by noyb (European Centre for Digital Rights) complained that a website did not provide a “refuse” option on the first layer of the cookie banner. On 9 August 2022, the data subject lodged a complaint with the Belgian DPA (“APD”).<br />
<br />
On 24 August 2022, the APD found that the cookie banner did not include a “reject all” button, but required the data subject to choose between accepting all the cookies and confirming the default selection. The APD also found that none of the categories of non-essential cookies were ticked by default. Clicking on the “Confirm my choices” button therefore meant that no cookies were placed, in the same way as a button allowing non-essential cookies to be rejected would.<br />
<br />
The APD also noted that the cookie banner could be recalled at any time during the visit by means of a floating icon in the bottom left-hand corner of the web page in order to change the cookie settings.<br />
<br />
=== Holding ===<br />
The APD held that the sole violation cited in the complaint was no longer founded after 24 August 2022, presumably due to measures taken by the controller after the data subject’s visit to the website regarding the "Confirm my choices" button. Indeed, since that date, clicking on this button meant that no non-essential cookies were placed on the device. The DPA therefore decided to dismiss the complaint, given that the subject of the complaint had disappeared before the complaint was transferred to the APD.<br />
<br />
Additionally, the DPA also noted that since the date of the complaint, the controller also added a “Reject all” button.<br />
<br />
== Comment ==<br />
In this decision, the APD seems to have considered that the "Confirm my choices" button was equivalent to a "Reject all" button. <br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the French original. Please refer to the French original for more details.<br />
<br />
<pre><br />
Litigation Chamber<br />
<br />
Decision 37/2024 of February 21, 2024<br />
<br />
File number: DOS-2022-03262<br />
<br />
Subject: Complaint due to the processing of personal data through a website, without the valid consent of the person concerned<br />
<br />
The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke HIJMANS, president, sitting alone;<br />
<br />
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of natural persons with regard to the processing of personal data and to the free movement of these data, and repealing Directive 95/46/EC (general regulation on data protection), hereinafter “GDPR”;<br />
<br />
Having regard to the Law of December 3, 2017 establishing the Data Protection Authority, hereinafter “LCA”;<br />
<br />
Having regard to the Law of July 30, 2018 relating to the protection of individuals with regard to the processing of personal data, hereinafter “LTD”;<br />
<br />
Having regard to the Internal Regulations as approved by the House of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;<br />
<br />
Considering the documents in the file;<br />
<br />
Has taken the following decision regarding:<br />
<br />
The complainant: X, hereinafter “the complainant”, represented by NOYB - EUROPEAN CENTER FOR DIGITAL RIGHTS, Goldschlagstraße 172/4/3/2 – 1140 Vienna (Austria)<br />
<br />
The defendant: Y, hereinafter “the defendant”<br />
<br />
I. Facts and procedure<br />
<br />
1. The complaint concerns the processing of personal data through the website […], without the valid consent of the complainant. The complainant states that she visited the website on October 28, 2021. This web page presented a “banner” of a consent management platform (hereinafter, “Z1”) provided by Z2. On 10-06-2022, the complainant signed a representation mandate, in accordance with Article 80(1) GDPR, with NOYB. The complaint mentions several personal data processing operations in the context of providing the web page in its entirety, allegedly based on the consent of the person concerned. More specifically, the complaint raises a violation of the GDPR as well as the ePrivacy Directive (ePD), namely the absence of an option allowing the user to “refuse” cookies at the first level of information in the cookie banner.<br />
<br />
2. On August 9, 2022, the complainant filed a complaint with the Data Protection Authority.<br />
<br />
3. On August 9, 2023, the First Line Service of the Data Protection Authority declares the complaint admissible on the basis of articles 58 and 60 of the LCA, and transmits it to the Litigation Chamber in accordance with article 62, § 1 of the LCA.<br />
<br />
II. Motivation<br />
<br />
4. Based on the facts described in the complaint file as summarized above, and on the basis of the powers assigned to it by the legislator under article 95, § 1er of the LCA, the Litigation Chamber decides on the follow-up to be given to the file; as it happens, the Litigation Chamber decides to proceed with the classification without further action of the complaint, in accordance with article 95, § 1er, 3° of the LCA, for the reasons set out below.<br />
<br />
5. In matters of dismissal, the Litigation Chamber is required to provide reasons for its decision step by step[1] and to:<br />
<br />
- pronounce a classification without technical follow-up if the file does not contain evidence, or not sufficient evidence, likely to lead to a sanction, or if it includes a technical obstacle preventing it from rendering a decision;<br />
<br />
- or pronounce a classification without further action on grounds of opportunity if, despite the presence of elements likely to lead to a sanction, the continuation of the examination of the file does not seem appropriate given the priorities of the Data Protection Authority as specified and illustrated in the policy of classification without further action by the Litigation Chamber.[2]<br />
<br />
1 Market Court (Brussels Court of Appeal), September 2, 2020, judgment 2020/AR/329, p. 18.<br />
<br />
6. In the event of dismissal based on several reasons for dismissal, the latter (respectively, classification without technical follow-up and classification without follow-up on grounds of opportunity) must be treated in order of importance.[3]<br />
<br />
7. In this case, the Litigation Chamber decides to proceed with a classification without further action of the complaint on grounds of expediency. The decision of the Litigation Chamber is based more precisely on a reason for which it considers it inappropriate to pursue the follow-up of the file, and therefore decides not to proceed, among other things, with an examination of the case as to its merits.<br />
<br />
8. In this case, the Litigation Chamber was able to note, on August 24, 2022, that the cookie banner did not include a button allowing the user to reject all cookies (“Reject All”), but required a choice from the user between accepting all cookies, on the one hand, and confirmation of the default selection, on the other hand. However, the Litigation Chamber was also able to observe, during this visit to the site concerned, that none of the categories of non-essential cookies were checked by default. The second choice offered by Z1 (“CONFIRM MY CHOICES”) therefore resulted in the absence of placement of cookies, in the same way as a button allowing the user to reject all non-essential cookies:<br />
<br />
[image omitted]<br />
<br />
It therefore appears that the only violation invoked by the complaint is no longer founded from the aforementioned date, presumably due to the measures taken by the defendant after the visit to the site by the complainant. The Litigation Chamber therefore decides to classify the complainant's grievance without further action, taking into account the fact that the subject of the complaint has disappeared because of the measures taken by the controller before the transfer of the complaint to the Litigation Chamber by the APD Front Line Service.[4]<br />
<br />
2 In this regard, the Litigation Chamber refers to its policy of classification without further action as developed and published on the website of the Data Protection Authority: https://www.autoriteprotectiondonnees.be/publications/politique-de-classification-without-suite-of-the-contentious-chamber.pdf.<br />
3 Cf. Title 3 – In what cases is my complaint likely to be dismissed by the Litigation Chamber? of the policy of dismissal without further action by the Litigation Chamber.<br />
4 Cf. criterion B.6 in the Litigation Chamber's policy of dismissal.<br />
<br />
9. In the alternative, the Litigation Chamber was also able to observe, on the occasion of this visit to the site concerned, that the cookie banner could be recalled at any time during the visit, by means of a floating icon at the bottom left of the internet page, in order to modify the settings relating to cookies:<br />
<br />
[image omitted]<br />
<br />
10. The Litigation Chamber further emphasizes that the above findings still apply as of February 19, 2024, with the exception of the addition of an explicit “REJECT ALL” button since the date of the complaint:<br />
<br />
[image omitted]<br />
<br />
11. In this regard, the Litigation Chamber recalls that the European Data Protection Board (EDPB) adopted, on January 17, 2023, the report established by the working group on cookie banners (“Cookie Banner Taskforce”)[5], in which the European supervisory authorities have notably adopted a common position on the ban on the use of pre-selected preferences authorizing the placement and reading of non-essential cookies, as well as on the obligation to provide the possibility for users to withdraw their consent at any time, and easily. The Litigation Chamber notes that the data controller has, in this case, configured the cookie banner in a way that complies with the requirements listed in the above-mentioned report.<br />
<br />
12. Finally, the Litigation Chamber specifies that it is not necessary to rule on the complainant's interest in taking action in the specific case, given the reasons for dismissal stated above.<br />
<br />
III. Publication and communication of the decision<br />
<br />
13. Considering the importance of transparency regarding the decision-making process and the decisions of the Litigation Chamber, this decision will be published on the website of the Data Protection Authority. However, it is not necessary for this that the identification data of the parties are directly communicated.<br />
<br />
14. In accordance with its policy of dismissal, the Litigation Chamber will communicate the decision to the defendant.[6] Indeed, the Litigation Chamber decided to communicate the decisions of dismissal to the defendants by default. The Litigation Chamber, however, refrains from such communication when the complainant requested anonymity vis-à-vis the defendant and when the communication of the decision to the defendant, even pseudonymized, nevertheless risks allowing his reidentification.[7] This is not the case in the present case.<br />
<br />
FOR THESE REASONS,<br />
<br />
the Litigation Chamber of the Data Protection Authority decides, after deliberation, to classify this complaint without further action in application of article 95, § 1, 3° of the LCA.<br />
<br />
5 EDPB – Report on the work undertaken by the Cookie Banner Taskforce (adopted on 17 January 2023), available at the following link: https://edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf.<br />
6 Cf. Title 5 – Will the classification without further action be published? Will the opposing party be informed? of the policy of classification without further action by the Litigation Chamber.<br />
7 Ibidem.<br />
<br />
In accordance with article 108, § 1er of the LCA, an appeal against this decision may be lodged, within thirty days from its notification, with the Court of Markets (Court of Appeal of Brussels), with the Data Protection Authority as defendant.<br />
<br />
Such an appeal may be introduced by means of an interlocutory request which must contain the information listed in article 1034ter of the Judicial Code.[8] The interlocutory request must be filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud.[9], or via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.).<br />
<br />
To enable it to consider any other possible course of action, the Litigation Chamber refers the complainant to the explanations provided in its policy of dismissal.[10]<br />
<br />
(signed) Hielke HIJMANS<br />
<br />
President of the Litigation Chamber<br />
<br />
8 The request contains, under penalty of nullity:<br />
1° indication of the day, month and year;<br />
2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualifications and his national register number or business number;<br />
3° the surname, first name, address and, where applicable, the status of the person to be summoned;<br />
4° the object and summary of the grounds of the request;<br />
5° indication of the judge who is seized of the request;<br />
6° the signature of the applicant or his lawyer.<br />
9 The request, accompanied by its annex, is sent, in as many copies as there are parties involved, by registered letter to the court clerk or filed with the court registry.<br />
10 Cf. Title 4 – What can I do if my complaint is closed? of the policy of dismissal of the Litigation Chamber.<br />
</pre></div>Nzmhttps://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_35/2024APD/GBA (Belgium) - 35/20242024-03-11T16:12:33Z<p>Abel.kaszian: /* Comment */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Belgium<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoBE.png<br />
|DPA_Abbrevation=APD/GBA<br />
|DPA_With_Country=APD/GBA (Belgium)<br />
<br />
|Case_Number_Name=35/2024<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Belgian DPA<br />
|Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/bevel-nr.-35-2024.pdf<br />
|Original_Source_Language_1=Dutch<br />
|Original_Source_Language__Code_1=NL<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=06.11.2023<br />
|Date_Decided=20.02.2024<br />
|Date_Published=28.02.2024<br />
|Year=2024<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 4(1) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#1<br />
|GDPR_Article_2=Article 4(2) GDPR<br />
|GDPR_Article_Link_2=Article 4 GDPR#2<br />
|GDPR_Article_3=Article 4(11) GDPR<br />
|GDPR_Article_Link_3=Article 4 GDPR#11<br />
|GDPR_Article_4=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_4=Article 5 GDPR#1a<br />
|GDPR_Article_5=Article 6(1)(b) GDPR<br />
|GDPR_Article_Link_5=Article 6 GDPR#1b<br />
|GDPR_Article_6=Article 6(1)(a) GDPR<br />
|GDPR_Article_Link_6=Article 6 GDPR#1a<br />
|GDPR_Article_7=Article 6(1)(f) GDPR<br />
|GDPR_Article_Link_7=Article 6 GDPR#1f<br />
|GDPR_Article_8=Article 12(3) GDPR<br />
|GDPR_Article_Link_8=Article 12 GDPR#3<br />
|GDPR_Article_9=Article 12(4) GDPR<br />
|GDPR_Article_Link_9=Article 12 GDPR#4<br />
|GDPR_Article_10=Article 17(1)(d) GDPR<br />
|GDPR_Article_Link_10=Article 17 GDPR#1d<br />
|GDPR_Article_11=<br />
|GDPR_Article_Link_11=<br />
|GDPR_Article_12=<br />
|GDPR_Article_Link_12=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=X<br />
|Party_Link_1=<br />
|Party_Name_2=Y<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Matthias Vandamme<br />
|<br />
}}<br />
<br />
The DPA held that the publication of a former employee's photo in an online recruitment campaign by the former employer constitutes unlawful processing as it could not be based on consent, contract or legitimate interest. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The data subject was a former employee of the controller and worked with them until 2021. In August 2023 the data subject noticed that the controller published her photo in a recruitment campaign on the controller's website and social media. The data subject had never consented to this and was working with one of the controller's competitors at that time.<br />
<br />
On 31 August 2023, the data subject requested the controller to erase all her images on the website and social media and not use them again in the future. The controller responded that arrangements were being taken regarding the use of people's photos after their departure from the company. Therefore, the controller refused to delete the images, but informed the data subject that new photographs would be made to prevent situations like this.<br />
<br />
On 6 November 2023 the data subject filed a complaint with the Belgian DPA ("APD").<br />
<br />
=== Holding ===<br />
Firstly, the DPA noted that a person's name, first name and photograph are considered personal data under [[Article 4 GDPR#1|Article 4(1) GDPR]] and the publishing of such data is considered to be processing under [[Article 4 GDPR#2|Article 4(2) GDPR]]. <br />
<br />
Secondly, the APD noted that each processing activity should have a legal basis according to [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] read together with [[Article 6 GDPR#1|Article 6(1) GDPR]]. The DPA examined consent, contract and legitimate interest as possible legal bases.<br />
<br />
Regarding consent, the DPA stressed that consent seemed impossible because there can be no 'free' consent in the context of an employee-employer relationship according to [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]] and [[Article 4 GDPR#11|Article 4(11) GDPR]].<br />
<br />
Regarding contract, the APD stated that to successfully invoke the performance of a contract as a legal basis, the processing needs to be necessary to perform that contract according to [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]]. Since the data subject's contract had already ended in 2021, the controller could no longer invoke this legal basis. Additionally, the DPA stated that the controller would also not have been able to invoke contract as a legal basis during the employment contract, since the publishing of the data subject's photo on the controller's social media and website did not seem necessary to perform the employment contract. <br />
<br />
Regarding legitimate interest, the DPA performed a legitimate interest assessment composed of a purpose test, a necessity test and a balancing test between the consequences for the data subject and the consequences for the controller. Concerning the purpose test, the DPA confirmed that attracting new employees can be considered a legitimate interest for the controller. Regarding the necessity test, the DPA did not find it necessary to publish images of employees to reach this purpose, especially since the employee in question was no longer working for the controller. Concerning the balancing test, the DPA considered that it may not be within the data subject's reasonable expectations as a former employee that her photograph be published on the controller's website and social media to recruit new colleagues, especially since the data subject was employed by a competitor. The DPA also took into account that the data subject had not been employed by the controller since 2021. The DPA found that legitimate interest as a legal basis under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] did not apply.<br />
<br />
The DPA noted that no other legal bases under [[Article 6 GDPR#1|Article 6(1) GDPR]] seemed to apply and therefore did not need to be examined. The DPA concluded that the publication of the data subject's photograph constituted unlawful processing. <br />
<br />
Thirdly, the DPA confirmed that the data subject has the right to request the erasure of her personal data under [[Article 17 GDPR#1d|Article 17(1)(d) GDPR]]. This Article establishes that the data subject may obtain the erasure of their personal data if such data has been unlawfully processed. The DPA held that there might have been a breach of [[Article 17 GDPR#1d|Article 17(1)(d) GDPR]].<br />
<br />
Finally, [[Article 12 GDPR#3|Article 12(3) GDPR]] requires the controller to provide information on the action taken regarding the data subject's rights without undue delay. The data subject exercised her right on 31 August 2023 and the controller responded the same day, refusing to erase the photographs on the ground that their use was covered by the work regulations. The DPA therefore found no infringement of [[Article 12 GDPR#3|Article 12(3) GDPR]], as the controller did respond (negatively) to the request.<br />
<br />
Therefore, the DPA ordered the controller to comply with the data subject's erasure request within 30 days of the notification of the decision.<br />
<br />
== Comment ==<br />
''Comment from the initial contributor'': As this is a 'prima facie' decision, not much information is available. The Litigation Chamber of the DPA has ruled solely on the basis of the complaint, without a procedure. The controller may demand a procedure on the merits within 30 days after the decision.<br />
<br />
The DPA seems to contradict itself with regard to the applicability of consent as a legal basis. On its website, the DPA explicitly states that an employee's consent is required to use, for other purposes, his/her photograph taken for a security badge. Also, in the past the DPA has on numerous occasions held that, as a rule of thumb, consent should be used for 'nice to have' photographs, whereas other legal bases can be relied on for 'need to have' photographs.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.<br />
<br />
<pre><br />
1/8<br />
<br />
Dispute Chamber<br />
<br />
Decision 35/2024 of February 20, 2024<br />
<br />
File number: DOS-2023-04528<br />
<br />
Subject: Failure to comply with a request for data erasure<br />
<br />
The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke HIJMANS, sole chairman;<br />
<br />
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;<br />
<br />
Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter “WOG”;<br />
<br />
Having regard to the internal rules of order, as approved by the House of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;<br />
<br />
Considering the documents in the file;<br />
<br />
Has made the following decision regarding:<br />
<br />
Complainant: X, hereinafter “the complainant”;<br />
<br />
The defendant: Y, hereinafter “the defendant”.<br />
<br />
<br />
<br />
I. Facts and procedure<br />
<br />
1. The complainant worked as an employee of the defendant until 2021. In August 2023 the complainant found that a photo of her was published on the website of the defendant in a campaign to recruit new colleagues. The complainant points out that she never gave permission for this. The complainant is currently employed by a competitor of the defendant, where she was confronted about this by colleagues. Consequently the complainant wrote to the defendant on August 31, 2023 with the request to delete the photos on the social media accounts and not to publish any more images in the future on which she or her name appears. The defendant answered the same day that a regulation for the use of photo material after termination of employment had been drawn up, as a result of which he claims to be in order. The defendant also states that he is working on new photo material to avoid such situations in the future. The defendant states that he had already requested that no more names be mentioned, but that he has not yet been able to verify whether this has happened.<br />
<br />
2. On November 6, 2023, the complainant submitted a complaint to the Data Protection Authority against the defendant.<br />
<br />
3. On February 6, 2024, the First Line Service informs the complainant that it has received a version of the complaint without signature and without the requested additional information, i.e. the supporting documents.<br />
<br />
4. On February 6, 2024, the complainant submits the complaint with signature and the requested supporting documents, namely the correspondence between her and the defendant and screenshots of the photos in question on the defendant's website as well as on the profile of the defendant on LinkedIn, Facebook and Instagram.<br />
<br />
5. On February 13, 2024, the complaint is declared admissible by the First Line Service on the basis of articles 58 and 60 of the WOG (1) and the complaint is transferred to the Disputes Chamber on the basis of article 62, § 1 of the WOG (2).<br />
<br />
6. In accordance with Article 95, § 2, 3° of the WOG as well as Article 47 of the internal rules of order of the GBA, the parties can request a copy of the file. If one of the parties wishes to make use of the opportunity to consult and copy the file, he or she must contact the secretariat of the Disputes Chamber, preferably via litigationchamber@apd-gba.be.<br />
<br />
(1) In accordance with Article 61 of the WOG, the Disputes Chamber hereby informs the parties that the complaint has been declared admissible.<br />
(2) In accordance with Article 95, § 2 of the WOG, the Disputes Chamber hereby informs the parties that the file has been transferred to it as a result of this complaint.<br />
<br />
<br />
II. Justification<br />
<br />
7. It is up to the Disputes Chamber to assess prima facie whether the complainant can successfully invoke the right to erasure of data under Article 17 GDPR and/or, where appropriate, whether the defendant has given an appropriate response to this request.<br />
<br />
8. The Disputes Chamber points out that the contact details of a natural person, such as name, first name and photo, are personal data within the meaning of Article 4.1 of the GDPR. This is information relating to an identified or identifiable natural person (the “data subject”), in this case the complainant, who can be directly identified on the basis of this information. The publication of such data on the website and social media accounts constitutes processing within the meaning of Article 4.2 GDPR. The Disputes Chamber reminds that any processing must comply with the basic principles of data protection as set out in article 5.1 GDPR, such as the lawfulness of the processing (Article 5.1.a) GDPR). The Disputes Chamber notes that the name of the complainant is not mentioned in the supporting documents submitted by the complainant.<br />
<br />
9. In accordance with Article 5.1.a) j° Article 6.1 of the GDPR, any processing of personal data must have a legal basis. Article 6.1 of the GDPR stipulates that the processing must take place on the basis of one of the following legal bases: the data subject has given consent to the processing of his personal data for one or more specific purposes (Article 6.1.a) GDPR - consent); the processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures taken at the request of the data subject (Article 6.1.b) GDPR - performance of the contract); the processing is necessary to comply with a legal obligation to which the controller is subject (Article 6.1.c) GDPR - legal obligation); the processing is necessary to protect the vital interests of the data subject or of another natural person (Article 6.1.d) GDPR - vital interest); the processing is necessary for the performance of a task of general interest or a task in the exercise of official authority vested in the controller (Article 6.1.e) GDPR - task of public interest); or the processing is necessary for the purposes of the legitimate interests of the controller or of a third party, except where the interests or fundamental rights and freedoms of the data subject which require protection of personal data outweigh those interests, in particular where the data subject is a child (Article 6.1.f) GDPR - legitimate interest).<br />
<br />
10. The Disputes Chamber will then assess whether the processing of the personal data is based on one of the above legal bases.<br />
<br />
<br />
11. Based on the defendant's email dated August 31, 2023, the Disputes Chamber determines that the defendant points out that the publication of images on the website and on the social media accounts of the defendant is regulated by the employment regulations, which form part of the employment contract.<br />
<br />
12. Article 6.1.b) GDPR provides a legal basis for the processing of personal data if the “processing [is] necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract”. A successful appeal to this legal basis therefore requires that the processing is necessary for the specific purpose of performing the contract with the data subject. Since the employment contract between the parties was terminated in 2021, as the Disputes Chamber established on the basis of the complaint, a successful appeal to Article 6.1.b) GDPR is prima facie no longer possible in the absence of a contract. Moreover, prima facie the necessity requirement also appears not to be met, as the publication of a photo on the website or on social media to attract new colleagues is not necessary to perform the employment contract. This therefore suggests that no successful appeal to Article 6.1.b) GDPR is possible in the present case.<br />
<br />
13. Article 6.1.f) GDPR stipulates that the processing is lawful if “the processing [is] necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”. The case law of the Court of Justice of the European Union (3) requires that an appeal to Article 6.1.f) of the GDPR meets three cumulative conditions. The controller must show that:<br />
<br />
a. the interests he pursues with the processing can be recognized as legitimate ('the purpose test');<br />
<br />
b. the intended processing is necessary for the realization of these interests ('the necessity test'); and<br />
<br />
c. the weighing of these interests against the fundamental interests, freedoms and fundamental rights of the data subjects turns out in favor of the controller or of a third party ('the balancing test').<br />
<br />
14. With regard to the first condition, the Disputes Chamber acknowledges that attracting new employees constitutes a legitimate interest on the part of the defendant, so that the first condition, the purpose test, appears to be met. As for the second condition, the Disputes Chamber notes that the publication of a photo of an employee, a fortiori a former employee, does not seem necessary to achieve this purpose. The Disputes Chamber refers to the strict interpretation of the necessity requirement by the Court of Justice. The third condition, the balancing test, also does not seem prima facie to be satisfied. According to recital 47 GDPR, the existence of a legitimate interest must be carefully assessed. When determining whether the legitimate interest outweighs the interests or fundamental rights and freedoms of the data subject, account must be taken, among other things, of the reasonable expectations of the data subject based on his relationship with the controller. The Disputes Chamber notes that it may not fall within the reasonable expectations of the complainant as a former employee that her photo is published on the website to recruit new colleagues, and certainly not if she herself works for a competitor. In doing so, the Disputes Chamber takes into account the fact that the complainant has no longer worked at the defendant since 2021. A successful appeal to Article 6.1.f) GDPR seems prima facie ruled out.<br />
<br />
<br />
15. The Disputes Chamber then reminds that consent can only be validly invoked if, in accordance with the definition in Article 4.11 GDPR, it is freely given, specific, informed and unambiguous. The Disputes Chamber emphasizes that there can be no question of free consent in the context of an employee-employer relationship, so that prima facie no successful appeal to Article 6.1.a) GDPR appears possible.<br />
<br />
16. Finally, the Disputes Chamber notes that the other legal grounds from Article 6.1 GDPR do not seem to apply to the present case.<br />
<br />
17. The above makes the Disputes Chamber suspect that the publication of the photo of the complainant constitutes unlawful processing.<br />
<br />
18. The right to erasure under Article 17.1.d) GDPR expressly recognizes the right of data subjects to obtain from the controller the erasure of data without undue delay if the personal data has been processed unlawfully.<br />
<br />
19. In accordance with Article 12.3 GDPR, the controller shall provide the data subject, without undue delay and in any case within one month of receipt of the request pursuant to Articles 15 to 22 GDPR, with information about the outcome of the request. Depending on the complexity of the requests and the number of requests, that period may be extended by a further two months if necessary. The controller shall inform the data subject of such extension within one month of receipt of the request.<br />
<br />
20. The Disputes Chamber determines, based on the e-mail conversation attached to the complaint, that the complainant exercised her right to erasure in accordance with Article 17.1 GDPR on August 31, 2023. Pursuant to Article 12.3 GDPR, the controller, in this case the defendant, must respond to the request for data erasure without delay and no later than one month after receipt of the request. This period may possibly be extended for another two months, given the complexity of the request. The complainant must be informed of this extension within one month of the request for data deletion. If the defendant decides not to comply with the request of the complainant, it must communicate this to the data subject within one month of receipt of the request, in accordance with Article 12.4 GDPR.<br />
<br />
(3) CJEU Judgment of 4 May 2017, Rīgas Satiksme, C-13/16, ECLI:EU:C:2017:336, para. 30.<br />
<br />
21. The Disputes Chamber determines that the complainant received an answer on August 31, 2023 about the follow-up the defendant gives to the data erasure request. The defendant states that her name had already been deleted and that the photo was published on the basis of the employment regulations. Prima facie, the defendant has responded in a timely manner to the complainant's request for data erasure.<br />
<br />
22. The above analysis suggests to the Disputes Chamber that it should be concluded that the defendant may have committed a violation of Article 17.1.d) of the GDPR, which justifies taking a decision in this case on the basis of Article 95, § 1, 5° of the WOG, more specifically<br />
<br />
23. This decision is a prima facie decision taken by the Disputes Chamber in accordance with Article 95 of the WOG on the basis of the complaint submitted by the complainant, in the context of the “procedure prior to the decision on the merits”, and not a decision on the merits of the Disputes Chamber within the meaning of Article 100 of the WOG.<br />
<br />
24. The Disputes Chamber has thus decided, on the basis of Article 58.2.c GDPR and Article 95, § 1, 5° WOG, to order the defendant to comply with the data subject's request to exercise her rights, in particular the right to erasure (“right to be forgotten”) as provided for in Article 17 GDPR.<br />
<br />
25. The purpose of this decision is to inform the defendant of the fact that it has committed an infringement of the provisions of the GDPR and to give it the opportunity to still comply with the aforementioned provisions.<br />
<br />
26. If the defendant does not agree with the content of this prima facie decision and is of the opinion that it can put forward factual and/or legal arguments that could lead to a different decision, it can send a request to the Disputes Chamber to hear the merits of the case via the e-mail address litigationchamber@apd-gba.be within 30 days after notification of this decision. The implementation of this decision will, if necessary, be suspended for the aforementioned period.<br />
<br />
27. In the event of a continuation of the merits of the case, the Disputes Chamber will invite the parties, on the basis of Articles 98, 2° and 3° in conjunction with Article 99 WOG, to submit their defenses as well as any documents they consider useful to add to the case file. If necessary, the present decision will be permanently suspended.<br />
<br />
28. Finally, for the sake of completeness, the Disputes Chamber points out that a hearing on the merits of the case may lead to the imposition of the measures stated in Article 100 of the WOG.<br />
<br />
<br />
III. Publication of the decision<br />
<br />
29. Considering the importance of transparency with regard to the decision-making of the Disputes Chamber, this decision will be published on the website of the Data Protection Authority. However, it is not necessary that the identification details of the parties be disclosed directly.<br />
<br />
FOR THESE REASONS,<br />
<br />
the Disputes Chamber of the Data Protection Authority decides, subject to the submission of a request by the defendant for a hearing on the merits in accordance with Article 98 et seq. of the WOG, to:<br />
<br />
- on the basis of Article 58.2.c) of the GDPR and Article 95, § 1, 5° of the WOG, order the defendant to comply with the complainant's request to exercise her rights, in particular the right to erasure (Article 17.1 GDPR), and to erase the personal data of the data subject from the website and social media accounts, within 30 days counting from the notification of this decision;<br />
<br />
- order the defendant to inform the Data Protection Authority (Disputes Chamber) by e-mail, via the email address litigationchamber@apd-gba.be, within the same period of the follow-up given to this decision; and<br />
<br />
- in the absence of timely implementation of the above by the defendant, to consider the merits of the case ex officio in accordance with Articles 98 et seq. of the WOG.<br />
<br />
Pursuant to Article 108, § 1 of the WOG, an appeal against this decision may be filed with the Market Court (Court of Appeal Brussels), with the Data Protection Authority as defendant, within a period of thirty days from the notification.<br />
<br />
Such an appeal can be lodged by means of an inter partes petition, which must contain the statements listed in Article 1034ter of the Judicial Code (4). The inter partes petition must be submitted to the registry of the Market Court in accordance with Article 1034quinquies of the Judicial Code (5), or via the e-Deposit IT system of Justice (Article 32ter of the Judicial Code).<br />
<br />
(ge). Hielke HIJMANS<br />
<br />
Chairman of the Disputes Chamber<br />
<br />
(4) The petition states, under penalty of nullity:<br />
1° the day, month and year;<br />
2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or company number;<br />
3° the surname, first name, place of residence and, where applicable, the capacity of the person to be summoned;<br />
4° the subject matter and brief summary of the grounds of the claim;<br />
5° the judge before whom the claim is brought;<br />
6° the signature of the applicant or his lawyer.<br />
(5) The petition with its attachment is deposited with the clerk of the court or at the registry by registered letter, in as many copies as there are parties involved.<br />
</pre></div>Matthias.vandammehttps://gdprhub.eu/index.php?title=AG_M%C3%BCnchen_-_322_C_3109/23_(2)AG München - 322 C 3109/23 (2)2024-03-10T21:46:27Z<p>Sharalie: Links to the GDPR Articles, ECLI Number</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Germany<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=AG München<br />
|Court_Original_Name=Amtsgericht München<br />
|Court_English_Name=Local Court Munich<br />
|Court_With_Country=AG München (Germany)<br />
<br />
|Case_Number_Name=322 C 3109/23 (2)<br />
|ECLI=ECLI:DE:AGMUENC:2023:0726.322C3109.23.2.0A<br />
<br />
|Original_Source_Name_1=Bayerische Staatskanzlei <br />
|Original_Source_Link_1=https://www.gesetze-bayern.de/Content/Document/Y-300-Z-BECKRS-B-2023-N-22736?hl=true<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Date_Decided=26.07.2023<br />
|Date_Published=<br />
|Year=2023<br />
<br />
|GDPR_Article_1=Article 6(1)(f) GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR#1f<br />
|GDPR_Article_2=Article 17(1)(a) GDPR<br />
|GDPR_Article_Link_2=Article 17 GDPR#1a<br />
|GDPR_Article_3=Article 17(1)(d) GDPR<br />
|GDPR_Article_Link_3=Article 17 GDPR#1d<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Sara Horvat<br />
|<br />
}}<br />
<br />
The data subject demanded the erasure of the data in the HIS Information System under [[Article 17 GDPR]], as the vehicle had been repaired. The interest in preventing insurance fraud prevailed, so the processing is lawful under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]].<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The plaintiff (the data subject) suffered damage on 28.03.2022 to his vehicle, with the vehicle identification number, which is insured with the defendant. The defendant, as the liable insurer, processed and settled this claim on the basis of a cost estimate submitted by the plaintiff. The calculated repair costs excluding VAT amounted to EUR 3,351.93. The defendant then forwarded the following information to the HIS Information System (HIS - Hinweis- und Informationssystem, a federal directory of the German insurance industry): date of the fictitious settlement, reporting body, division (motor vehicle), reference number of the reporting body. <br />
<br />
The defendant (the data controller) did not delete, or arrange for the deletion of, the entry despite a request from the plaintiff or his attorney of record.<br />
<br />
The data subject claims that the entries in the HIS directory are incorrect, as his vehicle was repaired and therefore there was no fictitious settlement of the damage. Moreover, there was no need for storage in view of the repair carried out.<br />
<br />
The parties thus disputed whether the data subject's data had to be erased from the federal notice and information system under [[Article 17 GDPR|Article 17 GDPR]], the data subject arguing that there was no longer any reason to retain the data in the system once the insurer had paid for the repair.<br />
<br />
=== Holding ===<br />
The court held that, in the case of a fictitious settlement of vehicle damage exceeding EUR 1,500, the policyholder's comprehensive insurer is authorized to report the occurrence of a fictitious settlement, the amount of the damage incurred and the vehicle identification number to the HIS Information System.<br />
<br />
Even in the case of a (flat) claimed repair of the damage with a remaining diminished value, there is still an overriding interest in this reporting, and therefore, no deletion under [[Article 17 GDPR|Article 17 GDPR]] is required.<br />
<br />
Even in the event of a proper and expert repair, a balancing of interests under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] indicates a continued interest of the insurer in reporting the data to the HIS Information System of the German Insurance Industry. This is because, despite a proper and comprehensive repair, the fact that the vehicle has suffered significant past damage remains, which represents disclosable information in the event of a sale and typically leads to a permanently diminished value of the vehicle, especially in the absence of specific evidence of repair.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
Title:<br />
Reporting of data to the notice and information system (HIS) of the German insurance industry in the event of fictitious claims settlement in comprehensive insurance<br />
Chain of standards:<br />
GDPR Art. 6, Art. 17<br />
Guiding principles:<br />
1. In the case of a fictitious settlement of vehicle damage that exceeds EUR 1,500.00, the policyholder's comprehensive insurer is entitled to report the fictitious settlement as the reason for the report, together with the amount of the damage incurred and the vehicle identification number of the affected vehicle, to the HIS information system. (Rn. 15 – 19) (editorial principle)<br />
2. Even in the case of a merely (generally) claimed repair of the damage with a remaining reduced value, there is still an overriding interest in this report, so that deletion does not need to be carried out in accordance with Article 17 of the GDPR. (Rn. 21 – 24) (editorial principle)<br />
3. Even in the case of a proper and professional repair, there is a continued interest of the insurer in the reporting of the data to the notice and information system (HIS) of the German insurance industry when weighing up the interests in accordance with Art. 6 GDPR. Even with a professional and comprehensive repair, the fact remains that the vehicle has suffered significant damage in the past, which represents information that must be disclosed in the event of a sale and usually leads to a permanent reduction in the value of the vehicle, especially if no specific evidence of a repair is available. In order to be able to carry out such an assessment, a continuing interest in storing the data in the HIS - regardless of the quality of the repair carried out - must be affirmed (following AG Düsseldorf BeckRS 2023, 12459; distinguishing LG Schweinfurt judgment of April 12, 2021 - 23 O 809/20; for the legal situation under the BDSG see AG Coburg BeckRS 2013, 3586). (Rn. 25 and 26) (editorial principle)<br />
Tags:<br />
Traffic accident, comprehensive insurance, fictitious damage settlement, notice and information system, HIS, data processing, deletion claim, insurance abuse, personal data, legitimate interest<br />
Location:<br />
BeckRS 2023, 22736<br />
<br />
<br />
tenor<br />
<br />
1. The lawsuit is dismissed.<br />
<br />
2. The plaintiff must bear the costs of the legal dispute.<br />
<br />
3. The judgment is provisionally enforceable. The plaintiff can avert the defendant's enforcement by providing security in the amount of 110% of the amount to be enforced, unless the defendant pays 110% of the amount to be enforced before enforcement.<br />
<br />
The amount in dispute is set at EUR 1,000.00.<br />
<br />
Facts of the case<br />
<br />
1<br />
The parties are in dispute over a claim to the deletion of data from the notice and information system (HIS).<br />
<br />
2<br />
On 28 March 2022 the plaintiff suffered damage to his vehicle with the vehicle identification number, which is insured with the defendant. The defendant processed and settled this damage under the comprehensive insurance policy, under the claim number, on the basis of a cost estimate submitted by the plaintiff. The calculated repair costs excluding VAT amounted to EUR 3,351.93. The defendant then passed the following information on to Informa HIS GmbH, which entered it into the HIS directory:<br />
<br />
Fictitious billing from March 28, 2022<br />
<br />
Line of business: Motor. Reference number of the reporting body:<br />
<br />
3<br />
Despite requests from the plaintiff or his legal representative, the defendant did not delete the entry or cause such deletion.<br />
<br />
4<br />
The plaintiff claims that the entries in the HIS directory are incorrect because the plaintiff's vehicle was repaired and there is therefore no fictitious settlement of the damage. Furthermore, due to the repair being carried out, there would be no need for storage.<br />
<br />
5<br />
The plaintiff requests<br />
<br />
I. The defendant is ordered to delete or have deleted the entry it made about the plaintiff in the HIS directory:<br />
<br />
Fictitious settlement, from March 28, 2022<br />
<br />
Reference number of the reporting body:<br />
<br />
II. The defendant is further ordered to pay the plaintiff EUR 159.94 plus interest at 5 percentage points above the respective base interest rate since 5 October 2022.<br />
<br />
6<br />
The defendant requests<br />
<br />
7<br />
The defendant takes the view that no personal data was stored. In any event, a balancing of interests would show that the community of insured persons has an overriding interest. The defendant also contends that the plaintiff's vehicle was in any case not completely, properly and professionally repaired, and takes the view that even if the vehicle had been completely and properly repaired, an interest in the report would remain.<br />
<br />
8<br />
For additional information, please refer to the parties' written submissions.<br />
<br />
9<br />
The parties have agreed to a decision in the written procedure.<br />
<br />
Reasons for the decision<br />
<br />
10<br />
The admissible action is unfounded.<br />
<br />
Lack of right to deletion<br />
<br />
11<br />
I. The plaintiff has no claim against the defendant under Article 17(1)(d) GDPR to have the disputed entry in the HIS deleted.<br />
<br />
12<br />
Under Article 17(1)(d) GDPR, personal data must be erased if the personal data have been unlawfully processed.<br />
<br />
13<br />
The reported data is probably personal data within the meaning of the regulation, as a connection to the plaintiff as a person can be established by simply querying the VIN.<br />
<br />
14<br />
Contrary to the plaintiff's opinion, however, there is no incorrect entry in the HIS directory and therefore no unlawful processing of the data. The court considers it to be sufficiently proven that the disputed damage to the plaintiff's vehicle was settled by the defendant based on a fictitious settlement. It is undisputed that the plaintiff submitted a cost estimate to the defendant. Based on this cost estimate, the defendant settled the damage in a letter dated April 26, 2022 (attachment to the defendant's written statement dated May 25, 2023) and reimbursed the plaintiff for the net repair costs. Even if the plaintiff actually repaired his vehicle afterwards, this does not change the fictitious billing initially made by the defendant. It was also not stated that the plaintiff had subsequently changed his billing method and was now billing based on specific repair costs incurred.<br />
<br />
15<br />
In addition, the processing of the data about the fictitious billing in the HIS was lawful because the insurance company had a legitimate interest.<br />
<br />
16<br />
The insurance industry has an interest in preventing insurance fraud through multiple claims where damage has been settled on a fictitious basis. Storing the data makes it easier to detect abusive behaviour in the form of repeated claims for the same damage to a vehicle. It is immaterial whether the operating company has a legitimate interest of its own in the storage, since it is sufficient that the interests of third parties are served. The scope for abuse in these cases lies in a vehicle for which fictitious settlement has been made being taken over by a third party at scrap value, being involved in a further accident while in the third party's hands, and the damage then being claimed a second time.<br />
<br />
17<br />
The storage of the insured person's data is also necessary to prevent crimes or to maintain public safety - which also includes individual legal interests - since there are no milder, equally effective means available.<br />
<br />
18<br />
In addition, the entry is also justified in order to accurately assess the amount of damage caused in another traffic accident and to prevent the settlement of an excessively high compensation claim at the expense of the insured community. Other people outside the insured community can also benefit from such a report, since an injured party, as the owner of the vehicle, can also find out about previous damage from the previous ownership period and, if necessary, receive information about the previous damage.<br />
<br />
19<br />
In contrast, the harm caused to the plaintiff by storing the data is to be classified as minor in the context of an overall balance of interests.<br />
<br />
20<br />
II. The plaintiff also has no right to erasure of the reported data under Article 17(1)(a) GDPR.<br />
<br />
21<br />
Under Article 17(1)(a) GDPR, personal data must be erased as soon as they are no longer necessary for the purposes for which they were collected or otherwise processed. This is the case in particular where the examination procedure on which the collection or storage of the data was based has been definitively concluded with regard to the data recorded (ECJ, NJW 2018, 767).<br />
<br />
22<br />
These requirements are not met here. The defendant continues to have a legitimate interest in storage, while the plaintiff's legitimate interests are not affected.<br />
<br />
23<br />
The plaintiff's side is of the opinion that there is an impairment of the plaintiff's interests that is worthy of protection, since the plaintiff's vehicle has now been repaired.<br />
<br />
24<br />
However, the plaintiff does not demonstrate that his vehicle was repaired properly and professionally in accordance with the cost estimate submitted. Nor does he explain what specific damage was present or what repair measures were carried out, with which spare parts and in which working steps. Despite a corresponding submission from the defendant and an indication from the court, the plaintiff merely submitted photographs of a repaired vehicle. No further submission was made. There is no need to obtain an expert opinion on this question because, in the absence of further information from the plaintiff, such an opinion would amount to a mere fishing expedition.<br />
<br />
25<br />
Furthermore, even in the case of a proper and professional repair, when weighing up the interests in accordance with Article 6 of the GDPR, the insurance company's continued interest in the report or the corresponding data must be affirmed.<br />
<br />
26<br />
Even after a professional and comprehensive repair, the fact remains that the vehicle has suffered significant damage in the past; this is information that must be disclosed in the event of a sale and usually leads to a permanent reduction in the value of the vehicle, especially where no specific evidence of the repair is available. In order to make such an assessment possible, an interest in storing the data in the HIS remains, regardless of the quality of the repair carried out (likewise AG Düsseldorf, judgment of 23 February 2023, 40 C 226/22).<br />
<br />
27<br />
In this respect, the entry is also justified in order to be able to assess accurately the amount of damage caused in a further traffic accident and to prevent the settlement of an excessive compensation claim at the expense of the community of insured persons. This is therefore not only about cases of deliberate deception; constellations are also conceivable in which the claimant himself has no knowledge of previous damage or misjudges the extent of the damage or the quality of the repair measures carried out. In these cases too, it must be possible, for the benefit of the community of insured persons, to examine whether and to what extent new damage has occurred and what repair costs are necessary to remedy it. The amount of any replacement value is also affected by this.<br />
<br />
28<br />
Insofar as the LG Schweinfurt affirmed a deletion claim in its decision of 12 April 2021, Ref. 23 O 809/20, that decision cannot be transferred to the present constellation. Unlike in the facts underlying the decision of the Schweinfurt Regional Court, the plaintiff in the present case did not provide any confirmation of repair. In the court's view, what matters is not only that double billing is avoided, but also that previous damage repaired by the owner himself can potentially affect the assessment of further damage and in particular the replacement value. That interest continues to exist.<br />
<br />
Interest and pre-litigation legal fees<br />
<br />
29<br />
In the absence of a main claim, there is also no entitlement to reimbursement of the pre-trial legal fees asserted as an additional claim.<br />
<br />
Costs and provisional enforceability<br />
<br />
30<br />
The decision on costs follows from Section 91(1), first sentence, ZPO.<br />
<br />
31<br />
The decision on provisional enforceability is based on Sections 708 No. 11 and 711 ZPO.<br />
<br />
32<br />
The amount in dispute results from the claim, without including the pre-litigation legal fees. Contrary to the defendant's view, the amount in dispute is set at EUR 1,000.00. The entry concerns repair damage of a higher amount. However, a corresponding reduction must be made, since it is not the repair damage itself that is claimed, but only an entry relating to it. That must be valued significantly below the repair damage or the corresponding vehicle value.<br />
</pre></div>Sharaliehttps://gdprhub.eu/index.php?title=EDPB_-_C%E2%80%9137/20_and_C%E2%80%91601/20EDPB - C‑37/20 and C‑601/202024-03-09T19:13:00Z<p>Mgrd: </p>
<hr />
<div>{{DISPLAYTITLE:CJEU - C‑37/20 and C‑601/20 SOVIM / WM v Luxembourg Business Registers}}<br />
{{DPAdecisionBOX<br />
<br />
|Jurisdiction=European Union<br />
|DPA-BG-Color=<br />
|DPAlogo=<br />
|DPA_Abbrevation=CJEU<br />
|DPA_With_Country=CJEU<br />
<br />
|Case_Number_Name=C‑37/20 and C‑601/20<br />
|ECLI=ECLI:EU:C:2022:912<br />
<br />
|Original_Source_Name_1=CJEU<br />
|Original_Source_Link_1=https://curia.europa.eu/juris/document/document.jsf;jsessionid=7822E0491037A3F35E2A8E87BF4C8A78?text=&docid=268059&pageIndex=0&doclang=PT&mode=lst&dir=&occ=first&part=1&cid=5227097<br />
|Original_Source_Language_1=English<br />
|Original_Source_Language__Code_1=EN<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Advisory Opinion<br />
|Outcome=<br />
|Date_Started=<br />
|Date_Decided=22.11.2022<br />
|Date_Published=22.11.2022<br />
|Year=2022<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 5(1) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=Article 30 Directive (EU) 2015/849<br />
|EU_Law_Link_1=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%253A32015L0849<br />
|EU_Law_Name_2=Articles 7 and 8 (EU) Charter of Fundamental Rights<br />
|EU_Law_Link_2=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:12012P/TXT<br />
|EU_Law_Name_3=Directive (EU) 2018/843<br />
|EU_Law_Link_3=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%253A32018L0843<br />
|EU_Law_Name_4=<br />
|EU_Law_Link_4=<br />
|EU_Law_Name_5=<br />
|EU_Law_Link_5=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=SOVIM SA<br />
|Party_Link_1=<br />
|Party_Name_2=WM<br />
|Party_Link_2=<br />
|Party_Name_3=Luxembourg Business Registers<br />
|Party_Link_3=https://www.lbr.lu/mjrcs-lbr/jsp/IndexActionNotSecured.action?time=1710010265362&loop=3<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Mgrd<br />
|<br />
}}<br />
<br />
The CJEU ruled that [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32018L0843 Directive 2018/843], determining public access to EU beneficial ownership data of companies on Member State registers, violates privacy rights under the EU Charter of Fundamental Rights.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
In Case C‑37/20, YO, a real estate company, lodged a request with Luxembourg Business Registers (LBR) pursuant to [https://www.cssf.lu/wp-content/uploads/L_130119_RBE_eng.pdf Article 15 Law of 13 January 2019] (the Luxembourg Law of 13 January 2019 establishing the Register of Beneficial Owners, which transposes [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32015L0849 Article 30 Directive (EU) 2015/849] on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing), asking that access to the information concerning WM, its beneficial owner, contained in the register be restricted solely to the entities mentioned in that provision, on the ground that the general public's access to that information would seriously, actually and immediately expose WM and his family to a disproportionate risk and to a risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation.<br />
<br />
On 20 November 2019, LBR rejected the request, arguing that WM's situation did not meet the requirements of [https://www.cssf.lu/wp-content/uploads/L_130119_RBE_eng.pdf Article 15 Law of 13 January 2019], since WM could rely neither on 'exceptional circumstances' nor on any of the risks referred to in that article.<br />
<br />
On 5 December 2019, WM brought an action before the tribunal d’arrondissement de Luxembourg (Luxembourg District Court, Luxembourg), maintaining that his position as executive officer and beneficial owner of YO and of a number of commercial companies requires him frequently to travel to countries whose political regime is unstable and where there is a high level of crime, which creates a significant risk of his being kidnapped, abducted, subjected to violence or even killed.<br />
<br />
In that regard, the referring court raised the question of the interpretation to be given to the concepts of ‘exceptional circumstances’, ‘risk’ and ‘disproportionate’ risk within the meaning of [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32015L0849 Article 30(9) Directive 2015/849], as amended.<br />
<br />
In Case C‑601/20, Sovim lodged a request with LBR pursuant to [https://www.cssf.lu/wp-content/uploads/L_130119_RBE_eng.pdf Article 15 Law of 13 January 2019], asking that access to the information concerning its beneficial owner contained in the register be restricted solely to the entities mentioned in that provision. On 6 February 2020, LBR rejected the request. <br />
<br />
On 24 February 2020, Sovim brought an action before the referring court seeking a declaration that [https://www.cssf.lu/wp-content/uploads/L_130119_RBE_eng.pdf Article 12 Law of 13 January 2019], pursuant to which access to certain information contained in the register is open to ‘any person’, and/or [https://www.cssf.lu/wp-content/uploads/L_130119_RBE_eng.pdf Article 15 Law of 13 January 2019] are inapplicable and an order for the information provided by Sovim pursuant to [https://www.cssf.lu/wp-content/uploads/L_130119_RBE_eng.pdf Article 3 Law of 13 January 2019] not to be made publicly accessible.<br />
<br />
Sovim argued that granting public access to the identity and personal data of its beneficial owner would infringe the right to respect for private and family life and the right to the protection of personal data, enshrined respectively in [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:12012P/TXT Articles 7 and 8 EU Charter of Fundamental Rights.]<br />
<br />
Sovim also argued that the aims of [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32015L0849 Directive 2015/849], on the basis of which the [https://www.cssf.lu/wp-content/uploads/L_130119_RBE_eng.pdf Law of 13 January 2019] was introduced into Luxembourg law, are to identify the beneficial owners of companies used for the purposes of money laundering or terrorist financing and to ensure certainty in commercial relationships and market confidence, but that it had not been shown how granting the public entirely unrestricted access to the data held in the register enables those aims to be attained.<br />
<br />
Sovim highlighted that public access to personal data contained in the register constitutes an infringement of several provisions of the GDPR, in particular a number of fundamental principles set out in [[Article 5 GDPR|Article 5(1)]] thereof.<br />
<br />
In the alternative, Sovim claims that the referring court should hold that there is a disproportionate risk in the present case, within the meaning of [https://www.cssf.lu/wp-content/uploads/L_130119_RBE_eng.pdf Article 15(1) Law of 13 January 2019], and accordingly make an order requiring LBR to restrict access to the information referred to in [https://www.cssf.lu/wp-content/uploads/L_130119_RBE_eng.pdf Article 3 Law of 13 January 2019.]<br />
<br />
=== Holding ===<br />
The CJEU examined whether the amendment made by Directive 2018/843, mandating public access to beneficial ownership data, was valid in the light of [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:12012P/TXT Articles 7 and 8 EU Charter of Fundamental Rights.] <br />
<br />
This amendment requires Member States to ensure that information on beneficial ownership is accessible to the general public. The Court identified that making beneficial ownership information publicly accessible does indeed constitute an interference with these fundamental rights. <br />
<br />
CJEU emphasized the potential for creating detailed profiles on individuals based on their economic activities and the unlimited access by potentially any person, which could lead to misuse of this information. Despite recognizing that such transparency aims to deter money laundering and terrorist financing, the Court questioned whether this broad access is strictly necessary and proportionate to the objectives pursued. <br />
<br />
The CJEU questioned the justification for this interference, considering whether the measures respect the essence of the fundamental rights under the Charter, whether they genuinely meet objectives of general interest recognized by the EU, and whether they are necessary and proportionate.<br />
<br />
Despite acknowledging the importance of combating financial crimes, CJEU found that the directive's approach to providing unrestricted public access to beneficial ownership information did not guarantee a proper balance between the objective of general interest and the protection of fundamental rights, such as privacy. The Court highlighted the lack of clear and precise rules on the scope and application of this measure, raising concerns over the adequacy of safeguards against the risk of abuse and the difficulty for individuals to control or challenge the use of their data. <br />
<br />
Ultimately, the CJEU declared [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32018L0843 Article 1(15)(c) Directive 2018/843] invalid, concluding that making beneficial ownership information accessible to any member of the general public constitutes a serious interference with the rights guaranteed by [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:12012P/TXT Articles 7 and 8 EU Charter of Fundamental Rights] that is not justified by the objectives of general interest it seeks to achieve. <br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the English original. Please refer to the English original for more details.<br />
<br />
<pre><br />
ECLI:EU:C:2022:912<br />
JUDGMENT OF THE COURT OF JUSTICE (Grand Chamber)22 November 2022 (*)«Reference for a preliminary ruling — Prevention of the use of the financial system for the purposes of money laundering or terrorist financing — Directive (EU) 2018/843 amending the Directive (EU) 2015/849 — Amendment to Article 30(5), first subparagraph, point c) of the latter Directive — Access by any member of the general public to information on beneficial owners — Validity — Articles 7 and 8 of the Charter of Fundamental Rights of the European Union — Respect for private and family life — Protection of personal data” In joined cases C‑37/20 and C‑601/20, which concern two requests for a preliminary ruling, presented, pursuant to Article 267 TFEU, by the tribunal d'arrondissement de Luxembourg (Court of First Instance of Luxembourg, Luxembourg), by Decisions of 24 January 2020 and 13 October 2020, received at the Court of Justice , respectively, on 24 January 2020 and on 13 November 2020, in casesWM (C‑37/20),Sovim SA (C‑601/20)vLuxembourg Business Registers,THE COURT OF JUSTICE (Grand Chamber),composed by: K. Lenaerts, President, A. Arabadjiev, A. Prechal, K. Jürimäe, C. Lycourgos, E. Regan, M. Safjan, P. G. Xuereb, L. S. Rossi, Section Presidents, S. Rodin, F. Biltgen, N. Piçarra, I. Jarukaitis, A. Kumin (rapporteur) and I. Ziemele, judges, general advocate: G. Pitruzzella, secretary: L. Carrasco Marco, administrator, having seen the file and after the hearing of October 19, 2021, considering the observations presented:– on behalf of WM, by M. Jammaers, A. Komninos, L. Lorang and V. Staudt, avocats,– on behalf of Sovim SA, by P. Elvinger and K. Veranneman, avocats,– representing the Luxembourg Government, by A. Germeaux, C. Schiltz and T. Uri, acting as agents,– representing the Austrian Government, by M. Augustin, A. Posch and J. Schmoll , acting as agents,– representing the Finnish Government, by M. Pere, acting as agent,– representing the Norwegian Government, by J. T. Kaasin and G. 
Østerman Thengs, acting as agents,– representing of the European Parliament, by J. Etienne, O. Hrstková Šolcová and M. Menegatti, acting as Agents,– representing the Council of the European Union, by M. Chavrier, I. Gurov and K. Pleśniak, acting as Agents, – representing the European Commission, by V. Di Bucci, C. Giolito, L. Havas, H. Kranenborg, D. Nardi, T. Scharf and H. Tserepa‑Lacombe, acting as Agents,– representing the European Authority for Data Protection, by C.‑A. Marnier, in his capacity as agent, having heard the Advocate General's conclusions at the hearing on 20 January 2022, delivers this Judgment1 The requests for a preliminary ruling have as their object, in essence, the validity of Article 1, point 15, subparagraph c), of Directive (EU) 2018/843 of the European Parliament and of the Council, of 30 May 2018, which amends Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing and amending Directives 2009/138/EC and 2013/36/EU (OJ 2018, L 156, p. 43), insofar as this provision amended Article 30(5), first subparagraph , point c), of Directive (EU) 2015/849 of the European Parliament and of the Council, of 20 May 2015, on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, which amends the Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (OJ 2015, L 141, p. 
73), as well as the interpretation, on the one hand, of Article 30(9) of Directive 2015/849, as amended by Directive 2018/843 (hereinafter 'Amended Directive 2015/849'), and, on the other , Article 5(1)(a) to c) and (f), Article 25(2) as well as Articles 44 to 50 of Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) ( OJ 2016, L 119, p. 1, hereinafter “GDPR”).2 These requests were made in the context of two disputes opposing, the first, WM (case C‑37/20) and, the second, Sovim SA (case C‑601/20) to Luxembourg Business Registers (hereinafter 'LBR') due to the latter's refusal to prevent public access to information relating, on the one hand, to WM's status as beneficial owner of a real estate civil society and, on the other, to the beneficial owner of Sovim. Legal framework Union Law Directives 2015/849, 2018/843 and 2015/849 as amended3 Pursuant to recitals 4, 30, 31, 34, 36 and 38 of Directive 2018/843:«(4) […] [is] The need to further increase the transparency of the Union's entire economic and financial system is evident. The prevention of money laundering and terrorist financing can only be effective if the entire system is hostile to criminals who seek to protect their finances through non-transparent structures. The integrity of the Union's financial system depends on the transparency of corporate structures and other legal entities, trust funds and similar unincorporated collective interest centers. This Directive aims not only to detect and investigate money laundering, but also to prevent it from occurring. 
Enhanced transparency could have a powerful deterrent effect.[…](30) Public access to information about beneficial owners allows for greater scrutiny of information by civil society, including the press or civil society organizations, and contributes to maintain confidence in the integrity of commercial transactions and the financial system. It can contribute to combating the abusive use of corporate entities and other legal persons and centers of collective interests without legal personality for the purposes of money laundering or terrorist financing by facilitating investigations and having reputational effects, as all persons capable of carrying out transactions would have knowledge of the identity of the beneficial owners. It also facilitates the timely and efficient provision of information to financial institutions, as well as competent authorities, including authorities in third countries involved in the fight against these crimes. Access to this information would also be useful for investigations into money laundering, associated predicate offenses and terrorist financing.(31) Confidence in financial markets by investors and the general public depends, to a large extent, on the existence of an accurate disclosure regime that establishes transparency regarding the beneficial owners and control structures of companies. […] The potential increase in confidence in financial markets should be considered a positive secondary effect and not the objective of increasing transparency, which is to create an environment less susceptible to being used for the purposes of money laundering and terrorist financing .[…](34) In all cases, both in the case of corporate entities and other legal persons as well as trust funds and similar collective interest centers without legal personality, a fair balance must be sought, particularly between the interest general public in the prevention of money laundering and terrorist financing and the fundamental rights of data subjects. 
The set of data to be provided to the public must be limited, clearly and exhaustively defined and must be of a general nature, in order to minimize the potential harm to beneficial owners. At the same time, information made available to the public should not vary significantly from data currently collected. In order to limit interference with the right to respect for your private life, in general, and the protection of your personal data, in particular, this information should essentially focus on the situation of the beneficial owners of corporate entities and other legal entities and funds fiduciaries and similar unincorporated collective interest centers and must strictly concern the sphere of economic activities in which the beneficial owners operate. […][…](36) Furthermore, with the aim of ensuring a proportionate and balanced approach and to guarantee the rights to privacy and the protection of personal data, Member States should be able to provide for exceptions to disclosure and access to such information about beneficial owners through the registers, in exceptional circumstances, if such information exposes the beneficial owner to a disproportionate risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation. Member States should also be able to require online registration in the register to identify persons requesting information contained in the register, as well as the payment of a fee for access to such information.[…](38) The [GDPR] is applicable to the processing of personal data applies to the processing of personal data under this Directive. Therefore, natural persons whose personal data are kept in national registers as beneficial owners should be informed of this fact. 
Furthermore, only up-to-date personal data that actually correspond to the beneficial owners should be made available, and the beneficial owners should be informed of their rights under the current Union data protection legal framework […], as well as of the procedures applicable for exercising those rights. To prevent the abusive use of the information contained in the registers, and as a counterbalance to the rights of beneficial owners, Member States may also consider the desirability of making information relating to the requesting person, together with the legal basis of the request, available to the beneficial owner.'
4 Article 1(1) of Directive 2015/849 as amended provides: "This Directive aims to prevent the use of the financial system for the purposes of money laundering and terrorist financing."
5 Article 3 of Directive 2015/849 as amended reads as follows: «For the purposes of this Directive, the following definitions apply: […] 6) “Beneficial owner”: any natural person or persons who ultimately own or control the customer and/or the natural person or persons on whose behalf a transaction or activity is being conducted, including at least: a) in the case of corporate entities: i) the natural person or persons who ultimately own or control, directly or indirectly, a sufficient percentage of the shares or voting rights or ownership interest in a legal person […] […] ii) if, after having exhausted all possible means and provided there are no grounds for suspicion, no person has been identified under point (i), or if there is any doubt that the person or persons identified are the beneficial owners, the natural person or persons who hold the position of senior managing officials; […] […]»
6 Article 30(1) and (3) of Directive 2015/849 as amended provides: «1. Member States shall ensure that corporate entities and other legal persons incorporated within their territory are required to obtain and hold sufficient, accurate and current information on their beneficial ownership, including the details of the beneficial interests held. […] […] 3. Member States shall ensure that the information referred to in paragraph 1 is held in a central register in each Member State […] […]»
7 In its version prior to the entry into force of Directive 2018/843, Article 30(5) and (9) of Directive 2015/849 was worded as follows: «5. Member States shall ensure that the information on the beneficial ownership is accessible in all cases to: a) competent authorities and [Financial Intelligence Units], without any restriction; b) obliged entities, within the framework of customer due diligence in accordance with Chapter II; c) any person or organisation that can demonstrate a legitimate interest. The persons or organisations referred to in point (c) shall have access to at least the name, the month and year of birth, the nationality and the country of residence of the beneficial owner, as well as the nature and extent of the beneficial interest held. […] 9. Member States may provide for an exemption from the access referred to in points (b) and (c) of paragraph 5 to all or part of the information on the beneficial ownership on a case-by-case basis and in exceptional circumstances, where such access would expose the beneficial owner to the risk of fraud, kidnapping, extortion, violence or intimidation, or where the beneficial owner is a minor or otherwise incapable. […]»
8 Article 1(15)(c), (d) and (g) of Directive 2018/843 respectively amended paragraph 5, inserted a paragraph 5a and amended paragraph 9 of Article 30 of Directive 2015/849. Article 30(5), (5a) and (9) of Directive 2015/849 as amended reads as follows: '5. Member States shall ensure that the information on the beneficial ownership is accessible in all cases to: a) competent authorities and [Financial Intelligence Units], without any restriction; b) obliged entities, within the framework of customer due diligence in accordance with Chapter II; c) any member of the general public. The persons referred to in point (c) shall be permitted to access at least the name, the month and year of birth, the country of residence and the nationality of the beneficial owner, as well as the nature and extent of the beneficial interest held. Member States may, under conditions to be determined in national law, provide for access to additional information enabling the identification of the beneficial owner. That additional information shall include at least the date of birth or contact details, in accordance with data protection rules. 5a. Member States may choose to make the information held in their national registers referred to in paragraph 3 available on condition of online registration in the register and the payment of a fee, which shall not exceed the administrative costs of making the information available, including the costs of maintenance and development of the register. […] 9. In exceptional circumstances to be laid down in national law, where the access referred to in points (b) and (c) of the first subparagraph of paragraph 5 would expose the beneficial owner to a disproportionate risk, a risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation, or where the beneficial owner is a minor or otherwise legally incapable, Member States may provide for an exemption from such access to all or part of the information on the beneficial ownership on a case-by-case basis. Member States shall ensure that those exemptions are granted upon a detailed evaluation of the exceptional nature of the circumstances. The right to an administrative review of the exemption decision and the right to a judicial remedy shall be guaranteed. A Member State that has granted exemptions shall publish annual statistical data on the number of exemptions granted and the reasons stated, and shall report the data to the Commission. […]»
9 Article 41(1) of Directive 2015/849 as amended states: "The processing of personal data under this Directive is subject to Directive 95/46/EC [of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31)], as transposed into national law. […]»
GDPR
10 Article 5 of the GDPR, entitled “Principles relating to processing of personal data”, provides in paragraph 1: “Personal data shall be: a) processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”); b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; […] (“purpose limitation”); c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”); […] f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).»
11 Article 25 of that regulation, entitled “Data protection by design and by default”, provides in paragraph 2: “The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.
In particular, such measures shall ensure that, by default, personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.”
12 Article 44 of the GDPR provides: «Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and the processor, including for onward transfers of personal data from the third country or international organisation to another third country or to another international organisation. All provisions of this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.”
13 Article 49 of the GDPR, entitled “Derogations for specific situations”, provides: "1. In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions: […] g) the transfer is made from a register which, according to Union or Member State law, is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case. […]»
14 Under Article 94 of that regulation: «1. Directive 95/46/EC is repealed with effect from 25 May 2018. 2. References to the repealed Directive shall be construed as references to [this] Regulation. […]»
Luxembourg law
15 Article 2 of the loi du 13 janvier 2019 instituant un Registre des bénéficiaires effectifs (Mémorial A 2019, No. 15) [(Law of 13 January 2019 establishing a Register of Beneficial Owners), hereinafter 'the Law of 13 January 2019'] is worded as follows: «A register called the “Register of Beneficial Owners”, with the acronym “RBE”, is established under the authority of the Minister for Justice; its purpose is to preserve and make available information on the beneficial owners of registered entities."
16 Article 3(1) of that law provides: "The following information on the beneficial owners of registered entities is to be entered in the register: 1) surname; 2) first name(s); 3) nationality(ies); 4) day of birth; 5) month of birth; 6) year of birth; 7) place of birth; 8) country of residence; 9) exact private address or exact professional address […] […] 10) for persons registered in the National Register of Natural Persons: identification number […]; 11) for non-resident persons not registered in the National Register of Natural Persons: foreign identification number; 12) nature of the beneficial interests held; 13) extent of the beneficial interests held.»
17 Article 11(1) of that law states: «In the exercise of their functions, the national authorities shall have access to the information referred to in Article 3.»
18 Article 12 of the same law provides: «Access to the information referred to in Article 3(1), points 1 to 8, 12 and 13, is open to any person.»
19 Article 15(1) and (2) of the Law of 13 January 2019 provides: «(1) A registered entity or a beneficial owner may request, on a case-by-case basis and in the exceptional circumstances set out below, by a duly reasoned request addressed to the manager, that access to the information referred to in Article 3 be limited exclusively to national authorities, credit institutions and financial institutions, and to bailiffs and notaries acting in their capacity as public officers, where such access would expose the beneficial owner to a disproportionate risk, a risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation, or where the beneficial owner is a minor or otherwise legally incapable. (2) The manager shall provisionally limit access to the information referred to in Article 3 to national authorities only, from receipt of the request until notification of its decision and, where the request is rejected, for a further period of fifteen days. Where an appeal is lodged against a rejection decision, the limitation of access to the information is maintained until the decision on the appeal is no longer open to challenge.'
Disputes in the main proceedings and questions referred for a preliminary ruling
Case C‑37/20
20 YO, a civil real estate company, submitted to the LBR, under Article 15 of the Law of 13 January 2019, a request that access to the information relating to WM, its beneficial owner, which appears in the RBE, be limited to the entities referred to in that provision, on the ground that access by the general public to that information would expose him and his family, in a characterised, real and current manner, to a disproportionate risk and to a risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation. That request was rejected by decision of 20 November 2019.
21 On 5 December 2019, WM brought an action before the tribunal d'arrondissement de Luxembourg (Luxembourg Court of First Instance, Luxembourg), the referring court, in which he claimed that his role as director and beneficial owner of YO, as well as of a number of commercial companies, requires him to travel frequently to countries whose political regimes are unstable and which are characterised by significant ordinary crime, exposing him to a high risk of kidnapping, physical harm and even death.
22 The LBR disputes that argument and considers that WM's situation does not satisfy the requirements of Article 15 of the Law of 13 January 2019, since he cannot rely on “exceptional circumstances” or on any of the risks provided for in that article.
23 In that regard, the referring court is uncertain how the concepts of "exceptional circumstances", "risk" and "disproportionate" risk within the meaning of Article 30(9) of Directive 2015/849 as amended should be interpreted.
24 In those circumstances, the tribunal d'arrondissement de Luxembourg (Luxembourg Court of First Instance) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:
«1) [The] concept of “exceptional circumstances”
a) Should Article 30(9) of [Directive 2015/849 as amended], in so far as it makes the limitation of access to information relating to beneficial owners subject to “exceptional circumstances to be defined [in national law]”, be interpreted as authorising national law to define the concept of “exceptional circumstances” solely as being equivalent to “a disproportionate risk, a risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation”, concepts which [already constitute] a condition for the application of the limitation of access under the wording of Article 30(9) [of that Directive as amended]?
b) If the answer to [question 1(a)] is in the negative, and where the national transposing legislation has defined the concept of “exceptional circumstances” only by reference to the inoperative concepts of “disproportionate risk, risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation”, should Article 30(9) [of Directive 2015/849 as amended] be interpreted as allowing the national court to disregard the condition of “exceptional circumstances”, or must that court remedy the national legislature's omission by determining, through case-law, the scope of the concept of “exceptional circumstances”?
In the latter case, given that, in accordance with Article 30(9) [of Directive 2015/849 as amended], it is a condition whose content is determined by national law, may the Court of Justice […] guide the national court in that task? If so, what guidelines should guide the national court in determining the content of the concept of “exceptional circumstances”?
2) [The] concept of “risk”
a) Should Article 30(9) of [Directive 2015/849 as amended], in so far as it makes the limitation of access to information relating to beneficial owners subject to “a disproportionate risk, risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation”, be interpreted as referring to a set of eight situations, the first of which [corresponds] to a general risk subject to the condition of disproportionality and the following seven to specific risks exempt from that condition, or as referring to a set of seven situations, each of which corresponds to a specific risk subject to the condition of disproportionality?
b) Should Article 30(9) of [Directive 2015/849 as amended], in so far as it makes the limitation of access to information relating to beneficial owners subject to “a risk”, be interpreted as limiting the assessment of the existence and extent of that risk solely to the links which the beneficial owner has with the legal person in respect of which he specifically requests [the limitation of] access to the information relating to his status as beneficial owner, or as requiring account to be taken of the links which the beneficial owner in question has with other legal persons? If account must be taken of links with other legal persons, should only the status of beneficial owner in relation to other legal persons be taken into account, or should any link with other legal persons be taken into account?
If account must be taken of any link with other legal persons, does the nature of that link influence the assessment of the existence and extent of the risk?
c) Should Article 30(9) of [Directive 2015/849 as amended], in so far as it makes the limitation of access to information relating to beneficial owners subject to “a risk”, be interpreted as excluding the benefit of the protection resulting from a limitation of access where that information, or other elements put forward by the beneficial owner to demonstrate the existence and extent of the “risk” to which he is exposed, are easily accessible to third parties through other sources of information?
3) [The] concept of “disproportionate” risk
What divergent interests must be taken into account in applying Article 30(9) of [Directive 2015/849 as amended], in so far as it makes the limitation of access to information relating to a beneficial owner subject to the existence of a “disproportionate” risk?»
Case C‑601/20
25 Sovim submitted to the RBE, under Article 15 of the Law of 13 January 2019, a request that access to the information relating to its beneficial owner which appears in the RBE be limited to the entities referred to in that provision.
That request was rejected by decision of 6 February 2020.
26 On 24 February 2020, Sovim brought an action before the referring court.
27 Principally, that company requests that Article 12 of the Law of 13 January 2019, under which access to certain information contained in the RBE is open to "any person", and/or Article 15 of that law be disapplied, and that the information it provided pursuant to Article 3 of that law not be made accessible to the public.
28 In that regard, Sovim submits, first, that granting public access to the identity and personal data of its beneficial owner infringes the right to respect for private and family life and the right to the protection of personal data, enshrined respectively in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (hereinafter 'the Charter').
29 According to that company, Directive 2015/849 as amended, on the basis of which the Law of 13 January 2019 was introduced into Luxembourg law, aims to identify the beneficial owners of companies used for the purpose of money laundering or terrorist financing, and to ensure the security of commercial relations and confidence in the markets.
However, it has not been shown how unrestricted public access to the data contained in the RBE enables those objectives to be achieved.
30 Secondly, Sovim submits that public access to the personal data contained in the RBE infringes several provisions of the GDPR, in particular a number of the fundamental principles set out in Article 5(1).
31 In the alternative, Sovim asks the referring court to declare that there is, in the present case, a disproportionate risk within the meaning of Article 15(1) of the Law of 13 January 2019 and, accordingly, to order the LBR to limit access to the information provided for in Article 3 of that law.
32 In that regard, the referring court notes that Article 15(1) of the Law of 13 January 2019 provides that the LBR must carry out a case-by-case analysis of the existence of exceptional circumstances justifying a restriction of access to the RBE. Although, in the context of that law, several questions have already been referred to the Court of Justice in Case C‑37/20 concerning the interpretation of the concepts of 'exceptional circumstances', 'risk' and 'disproportionate' risk, the present case also raises other issues, in particular whether access by the general public to some of the data appearing in the RBE is compatible with the Charter and the GDPR.
33 In those circumstances, the tribunal d'arrondissement de Luxembourg (Luxembourg Court of First Instance) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:
«1) Is Article 1(15)(c) of [Directive 2018/843], which amends Article 30(5), first subparagraph, of [Directive 2015/849], in that it requires Member States to make information on beneficial ownership accessible in all cases to any member of the general public without proof of a legitimate interest, valid
– in the light of the right to respect for private and family life guaranteed by Article 7 of the [Charter], interpreted in accordance with Article 8 of the European Convention [for the Protection of Human Rights], taking into account the objectives set out in particular in recitals 30 and 31 of Directive 2018/843, which aim in particular to combat money laundering and terrorist financing; and
– in the light of the right to the protection of personal data guaranteed by Article 8 of the Charter, in so far as it aims in particular to ensure lawful, fair and transparent processing of data in relation to the data subject, the limitation of the purposes of collection and processing, and data minimisation?
2) a) Should Article 1(15)(g) of Directive 2018/843 be interpreted as meaning that the exceptional circumstances to which it refers, in which Member States may provide for an exemption from access to all or part of the information on beneficial owners where access by the general public would expose the beneficial owner to a disproportionate risk, a risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation, arise only where there is proof of a disproportionate risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation which is exceptional, actually weighs on the specific person of the beneficial owner, and is characterised, real and current?
b) If so, is Article 1(15)(g) of Directive 2018/843, thus interpreted, valid in the light of the right to respect for private and family life guaranteed by Article 7 of the Charter and the right to the protection of personal data guaranteed by Article 8 of the Charter?
3) a) Should Article 5(1)(a) of the [GDPR], which requires lawful, fair and transparent processing of data in relation to the data subject, be interpreted as not precluding
– the personal data of a beneficial owner entered in a register of beneficial owners established in accordance with Article 30 of Directive 2015/849, as amended by Article 1(15) of Directive 2018/843, from being accessible to the general public without control or justification by any member of the public and without the data subject (the beneficial owner) being able to know who has had access to that personal data concerning him; nor
– the controller of such a register of beneficial owners from giving access to the personal data of beneficial owners to an unlimited and indeterminable number of persons?
b) Should Article 5(1)(b) of the [GDPR], which requires purpose limitation, be interpreted as not precluding the personal data of a beneficial owner entered in a register of beneficial owners established in accordance with Article 30 of Directive 2015/849, as amended, from being accessible to the general public without the controller of those data being able to guarantee that they are used exclusively for the purpose for which they were collected, namely, in essence, the fight against money laundering and terrorist financing, a purpose which the general public is not the body responsible for enforcing?
c) Should Article 5(1)(c) of the [GDPR], which requires data minimisation, be interpreted as not precluding the general public from having access, through a register of beneficial owners established in accordance with Article 30 of Directive 2015/849, as amended, not only to the name, month and year of birth, nationality and country of residence of a beneficial owner and the nature and extent of the beneficial interests held by him, but also to his date of birth and place of birth?
d) Does Article 5(1)(f) of the [GDPR], which requires data to be processed in a manner that ensures their security, including protection against unauthorised or unlawful processing, thereby guaranteeing the integrity and confidentiality of those data, not preclude unlimited and unconditional access, without any commitment to confidentiality, to the personal data of beneficial owners available in the register of beneficial owners established in accordance with Article 30 of Directive 2015/849, as amended?
e) Should Article 25(2) of the [GDPR], which guarantees data protection by default, by virtue of which, inter alia, personal data should not by default be made accessible to an indefinite number of natural persons without the intervention of the natural person concerned, be interpreted as not precluding
– a register of beneficial owners established in accordance with Article 30 of Directive 2015/849, as amended, from not requiring members of the general public who consult the personal data of a beneficial owner to register on the website of that register; nor
– no information about a consultation of the personal data of a beneficial owner entered in that register being communicated to that beneficial owner; nor
– no restriction on the extent and accessibility of the personal data in question being applied in relation to the purpose of their processing?
f) Should Articles 44 to 50 of the GDPR, which make the transfer of personal data to a third country subject to strict conditions, be interpreted as not precluding such data of a beneficial owner entered in a register of beneficial owners established in accordance with Article 30 of Directive 2015/849, as amended, from being accessible in all cases to the general public without the need to justify a legitimate interest and without any limitation as to the location of that public?»
Regarding the questions referred for a preliminary ruling
Regarding the first question submitted in Case C‑601/20
34 By its first question in Case C‑601/20, the referring court asks, in essence, about the validity, in the light of Articles 7 and 8 of the Charter, of Article 1(15)(c) of Directive 2018/843, in so far as that provision amended Article 30(5), first subparagraph, point (c), of Directive 2015/849 so that, in its amended version, it provides that Member States must ensure that information on the beneficial owners of corporate entities and other legal persons incorporated in their territory is accessible in all cases to any member of the general public.
Regarding the interference with the fundamental rights guaranteed in Articles 7 and 8 of the Charter resulting from the general public's access to information on beneficial owners
35 Article 7 of the Charter guarantees everyone the right to respect for his or her private and family life, home and communications, while Article 8(1) of the Charter expressly confers on everyone the right to the protection of personal data concerning him or her.
36 As is clear from Article 30(1) and (3) of Directive 2015/849 as amended, Member States must ensure that corporate entities and other legal persons incorporated in their territory are required to obtain and hold sufficient, accurate and current information on their beneficial owners, and that that information is held in a central register in each Member State. Under Article 3(6) of that Directive, beneficial owners are the natural person or persons who ultimately own or control the customer and/or the natural person or persons on whose behalf a transaction or activity is being conducted.
37 Article 30(5), first subparagraph, point (c), of Directive 2015/849 as amended requires Member States to ensure that information on beneficial owners is accessible in all cases "to any member of the general public", while its second subparagraph specifies that the persons so referred to must be permitted "to access at least the name, the month and year of birth, the country of residence and the nationality of the beneficial owner, as well as the nature and extent of the beneficial interest held”.
That Article 30(5) adds, in its third subparagraph, that ‘Member States may, under conditions to be determined in national law, provide for access to additional information enabling the identification of the beneficial owner’, which ‘shall include at least the date of birth or contact details, in accordance with data protection rules'.
38 In that regard, it should be noted that, since the data referred to in Article 30(5) contain information on identified natural persons, namely the beneficial owners of corporate entities and other legal persons incorporated in the territory of the Member States, access by any member of the general public to those data affects the fundamental right to respect for private life guaranteed by Article 7 of the Charter (see, by analogy, judgment of 21 June 2022, Ligue des droits humains, C‑817/19, EU:C:2022:491, paragraph 94 and the case-law cited); it is irrelevant, in that context, that the data in question may relate to professional activities (see, by analogy, judgment of 9 November 2010, Volker und Markus Schecke and Eifert, C‑92/09 and C‑93/09, EU:C:2010:662, paragraph 59). Furthermore, making those data available to the general public constitutes processing of personal data falling within the scope of Article 8 of the Charter (see, by analogy, judgment of 9 November 2010, Volker und Markus Schecke and Eifert, C‑92/09 and C‑93/09, EU:C:2010:662, paragraphs 52 and 60).
39 It should also be noted that, as is clear from the settled case-law of the Court of Justice, the communication of personal data to a third party constitutes an interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter, whatever the subsequent use of the information communicated.
In that regard, it is of little importance whether the information relating to private life in question is sensitive, or whether the persons concerned have suffered any inconvenience as a result of that interference (judgment of 21 June 2022, Ligue des droits humains, C‑817/19, EU:C:2022:491, paragraph 96 and the case-law cited).
40 Accordingly, access by the general public to information on beneficial owners, as provided for in Article 30(5) of Directive 2015/849 as amended, constitutes an interference with the rights guaranteed in Articles 7 and 8 of the Charter.
41 As regards the seriousness of that interference, it should be noted that, in so far as the information made available to the general public relates to the identity of the beneficial owner and to the nature and extent of the beneficial interests he holds in corporate entities or other legal persons, that information is liable to enable a profile to be drawn up concerning certain personal identifying data of a more or less broad nature depending on the configuration of national law, the financial situation of the person concerned, and the economic sectors, countries and specific undertakings in which he has invested.
42 In addition, it is inherent in making such information available to the public that it thereby becomes accessible to a potentially unlimited number of persons, so that such processing of personal data may also allow persons who, for reasons unrelated to the objective pursued by that measure, seek to obtain information about the situation, in particular the material and financial situation, of a beneficial owner to access those data freely (see, by analogy, judgment of 1 August 2022, Vyriausioji tarnybinės etikos komisija, C‑184/20, EU:C:2022:601, paragraphs 102 and 103).
That possibility is facilitated where, as is the case in Luxembourg, the data in question can be consulted on the Internet.
43 Furthermore, the potential consequences for data subjects of a possible misuse of their personal data are aggravated by the fact that, once made available to the general public, those data can not only be freely consulted but also retained and disseminated, which means that, in the case of such successive processing, it becomes all the more difficult, or even illusory, for those persons to defend themselves effectively against abuse.
44 Accordingly, access by the general public to information on beneficial owners, as provided for in Article 30(5), first subparagraph, point (c), of Directive 2015/849 as amended, constitutes a serious interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter (see, by analogy, judgment of 1 August 2022, Vyriausioji tarnybinės etikos komisija, C‑184/20, EU:C:2022:601, paragraph 105).
Regarding the justification of the interference resulting from the general public's access to information on beneficial owners
45 The fundamental rights enshrined in Articles 7 and 8 of the Charter are not absolute rights, but must be considered in relation to their function in society (judgment of 21 June 2022, Ligue des droits humains, C‑817/19, EU:C:2022:491, paragraph 112 and the case-law cited).
46 Under the first sentence of Article 52(1) of the Charter, any limitation on the exercise of the rights and freedoms recognised by the Charter must be provided for by law and respect their essence. Under the second sentence of Article 52(1) of the Charter, subject to the principle of proportionality, limitations may be made to those rights and freedoms only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.
In this regard, Article 8(2) of the Charter specifies that personal data must, inter alia, be processed “for specific purposes and with the consent of the person concerned or on another legitimate basis provided for by law”. – Regarding compliance with the principle of legality47 Regarding the requirement that any restriction on the exercise of fundamental rights must be provided for by law, this implies that the act that allows interference with these rights must itself define the scope of the restriction to the exercise of the right in question, specifying, on the one hand, that this requirement does not prevent the restriction in question from being formulated in terms that are sufficiently open to be able to adapt to different situations, as well as the evolution of circumstances and, on the other, that the Court of Justice may, where appropriate, clarify, through interpretation, the concrete scope of the restriction in light of both the terms of the Union legislation in question itself and its general scheme and the objectives it pursues, as interpreted in light of the fundamental rights guaranteed by the Charter (Judgment of 21 June 2022, Ligue des droits humains, C‑817/19, EU:C:2022:491, paragraph 114 and case law cited).48 In this regard, it should be noted whereas the restriction on the exercise of fundamental rights guaranteed in Articles 7 and 8 of the Charter resulting from the general public's access to information on beneficial owners is provided for in a Union legislative act, namely Directive 2015/849 as amended. Furthermore, Article 30 thereof provides, in its paragraphs 1 and 5, on the one hand, access by the general public to data relating to the identification of beneficial owners and the beneficial interests they hold, specifying that these data must be sufficient, accurate and current, and expressly lists some of the aforementioned data to which access by any member of the general public must be authorized. 
On the other hand, this Article 30 establishes, in paragraph 9, the conditions under which Member States may provide for derogations from such access.49 Under these conditions, it must be considered that the principle of legality has been respected.– Regarding compliance of the essential content of the fundamental rights guaranteed in Articles 7 and 8 of the Charter50 With regard to compliance with the essential content of the fundamental rights enshrined in Articles 7 and 8 of the Charter, it should be noted that the information expressly referred to in Article 30(5), second subparagraph, of Directive 2015/849 as amended can be classified into two distinct categories of data, the first including data relating to the identity of the beneficial owner (name, month and year of birth, as well as such as nationality) and in the second data of an economic nature (nature and extent of the effective interests held).51 Furthermore, although it is true that Article 30(5), second paragraph, of Directive 2015/849 as amended does not contain, as follows from the use of the expression 'at least', an exhaustive enumeration of the data to which access must be authorized by any member of the general public and that this Article 30(5) adds, in the third paragraph, that Member States may provide for access to additional information, it remains certain that, in accordance with the aforementioned Article 30(1), only “sufficient” information about beneficial owners and beneficial interests held may be obtained, retained, and thus potentially being made accessible to the public, which excludes in particular information that does not have a sufficient relationship with the purposes of this directive.52 Now, it does not appear that the making available to the general public of information that does have such a relationship would in any way undermine the essential content of the fundamental rights guaranteed in Articles 7 and 8 of the Charter.53 In this context, it should also be noted that 
Article 41(1) of Directive 2015/849 as amended provides expressly that the processing of personal data as provided for therein is subject to Directive 95/46 and, therefore, to the GDPR, whose article 94(2) indicates that references made to the latter directive must be understood as being made to this regulation. Therefore, it is an established fact that any collection, conservation and provision of information under Directive 2015/849 as amended must fully comply with the requirements arising from the GDPR.54 Under these conditions, the interference that implies the general public's access to information about beneficial beneficiaries provided for in Article 30(5), first subparagraph, point c), of Directive 2015/849 as amended does not prejudice the essential content of the fundamental rights enshrined in Articles 7 and 8 of the Charter.– Regarding the objective of general interest recognized by the Union55 Directive 2015/849 as amended, according to the very terms of its Article 1(1), aims to prevent the use of the financial system for the purposes of money laundering and terrorist financing. In this regard, recital 4 of Directive 2018/843 states that the pursuit of this objective can only be effective if the entire system is hostile to criminals and that strengthening the overall transparency of the Union's economic and financial system could have a powerful deterrent effect .56 With regard, more specifically, to the objective pursued by the general public's access to information on beneficial owners, introduced by Article 1, point 15, point c), of Directive 2018/843, recital 30 of that directive states that this access, first of all, «allows for greater scrutiny of information by civil society, including the press or civil society organizations, and contributes to maintaining confidence in the integrity of commercial transactions and the financial system». 
Next, the access in question "[can] contribute to combating the abusive use of corporate entities and other legal persons and centers of collective interests without legal personality for the purposes of money laundering or terrorist financing by facilitating investigations and have reputational effects, since all people likely to carry out transactions would be aware of the identity of the beneficial beneficiaries”. Finally, this access “also facilitates the timely and efficient provision of information to financial institutions, as well as competent authorities, including authorities of third countries involved in the fight against such crimes” and “would also be useful for investigations into money laundering, associated predicate offenses and terrorist financing'.57 On the other hand, recital 31 of Directive 2018/843 specifies that '[t]he potential increase in confidence in financial markets should be considered as a positive secondary effect and not the objective increasing transparency, which is to create an environment that is less susceptible to being used for the purposes of money laundering and terrorist financing».58 It follows that, by providing for access by the general public to information on beneficial owners, the Union legislator aims to prevent money laundering and terrorist financing, creating, through greater transparency, an environment less likely to be used for these purposes.59 Now, this purpose constitutes an objective of general interest capable of justifying interference , including serious ones, to the fundamental rights enshrined in Articles 7 and 8 of the Charter (see, to this effect, Judgment of 21 June 2022, Ligue des droits humains, C‑817/19, EU:C:2022: 491, paragraph 122 and the case law cited).60 To the extent that the Council of the European Union furthermore refers, in this context, expressly to the principle of transparency, as this follows from Articles 1 and 10 TEU, as well as from Article 15th TFEU, it should be noted that 
this principle, as the institution itself highlights, makes it possible to ensure better participation of citizens in the decision-making process, as well as guaranteeing greater legitimacy, effectiveness and responsibility of the Administration towards citizens in a democratic system (Judgment of 9 November 2010, Volker und Markus Schecke and Eifert, C‑92/09 and C‑93/09, EU:C:2010:662, paragraph 68 and case law cited).61 Now, if, in this regard, the said principle is embodied, first and foremost, in requirements of institutional and procedural transparency aimed at activities of a public nature, including the use of public funds, such a connection with public institutions does not exist when, as in the present situation, the measure in question aims to make publicly available data relating to the identity of private beneficial owners, as well as the nature and extent of their beneficial interests held in corporate entities or other legal persons.62 Therefore, the principle of transparency, as it follows from Articles 1. 
and 10 TEU, as well as Article 15 TFEU, cannot be considered, as such, an objective of general interest capable of justifying interference with the fundamental rights guaranteed by Articles 7 and 8 of the Charter, resulting from access information about the beneficial owners.– Regarding the appropriate, necessary and proportionate nature of the interference in question63 According to settled case law, the proportionality of measures resulting in an interference with the rights guaranteed by Articles 7 and 8 of the Charter requires that the requirements of suitability and necessity are respected, as well as the requirement relating to the proportional nature of these measures in relation to the objective pursued (see, to this effect, Judgment of 5 April 2022, Commissioner of An Garda Síochána and others, C‑ 140/20, EU:C:2022:258, paragraph 93).64 More specifically, derogations from the protection of personal data and respective restrictions must occur to the strictest extent necessary, with the understanding that, when there is a choice between several appropriate measures to satisfy the legitimate objectives pursued, the least restrictive one must be used. Furthermore, an objective of general interest cannot be pursued without taking into account the fact that it must be reconciled with the fundamental rights affected by the measure, through a balanced consideration between, on the one hand, the objective of general interest and , on the other, the rights in question, in order to ensure that the inconveniences caused by this measure are not disproportionate in relation to the objectives pursued. 
Therefore, the possibility of justifying a restriction on the rights guaranteed by Articles 7 and 8 of the Charter must be assessed by measuring the seriousness of the interference that such a restriction implies and by verifying that the importance of the objective of general interest pursued by this restriction is related to that gravity (see, to this effect, Judgments of 26 April 2022, Poland v Parliament and Council, C‑401/19, EU:C:2022:297, paragraph 65, and of 21 June 2022, 2022, Ligue des droits humains, C‑817/19, EU:C:2022:491, paragraphs 115 and 116 and case law cited).65 On the other hand, to meet the requirement of proportionality, the regulation in question that contains interference must also provide for clear and precise rules that regulate the scope and application of the measures provided for therein and impose minimum requirements, so that data subjects have sufficient guarantees to effectively protect their personal data against the risks of abuse. This regulation must, in particular, indicate in what circumstances and under what conditions a measure can be adopted that provides for the processing of these data, thus ensuring that interference is limited to what is strictly necessary. 
The need to have such guarantees is even more important when personal data are made accessible to the general public, and thus to a potentially unlimited number of people, and are likely to reveal sensitive information about data subjects (see in this sense , Judgment of 21 June 2022, Ligue des droits humains, C‑817/19, EU:C:2022:491, paragraph 117 and the case law cited).66 In accordance with this case law, it must first be verified whether the access by the general public to information on beneficial owners is appropriate to achieve the objective of general interest pursued, second, if the interference with the rights guaranteed by Articles 7 and 8 of the Charter resulting from such access is limited to what is strictly necessary, in the sense that the objective cannot reasonably be achieved in such an effective manner through other means that are less violative of these fundamental rights of the right holders, and, thirdly, if this interference is not disproportionate in relation to that objective, which implies in particular that consideration must be given to its importance and the seriousness of the said interference.67 First, it must be considered that access by the general public to information on beneficial owners is appropriate to contribute to the achievement of the objective of general interest, highlighted in paragraph 58 of this judgment, which aims to prevent money laundering and terrorist financing, because the public nature of this access and the greater transparency that results from it contribute to the creation of an environment less susceptible to being used for these purposes.68 Second, To demonstrate the strict necessity of the interference resulting from the general public's access to information on beneficial owners, the Council and the Commission refer to the impact analysis accompanying the Proposal for a Directive of the European Parliament and of the Council amending the Directive ( EU) 2015/849 on the prevention of the use of the 
financial system for the purposes of money laundering and terrorist financing and Directive 2009/101/EC (COM/2016/0450 final), which is the origin of Directive 2018/843 . According to these institutions, while Article 30(5), first subparagraph, point c), of Directive 2015/849, in its version prior to its amendment by Directive 2018/843, subordinated any person's access to information about beneficial beneficiaries to the requirement of being able to demonstrate a "legitimate interest", the aforementioned impact analysis found that the lack of a uniform definition of this concept of "legitimate interest" had posed practical difficulties, and it was therefore considered that the appropriate solution consisted of in removing the aforementioned requirement.69 Furthermore, in their written observations, the Parliament, the Council and the Commission emphasize, notably by reference to recital 30 of Directive 2018/843, that access by the general public to information on beneficial owners , as set out in Directive 2015/849 as amended, has a deterrent effect, allows for greater scrutiny and facilitates investigations, including those carried out by third country authorities, and that these results cannot be achieved otherwise.70 At the hearing, The Commission was asked to indicate whether, in order to mitigate the risk that the obligation on any person or organization to demonstrate a "legitimate interest", as initially provided for in Directive 2015/849, will lead, due to divergences in the definition of this concept in Member States, to excessive restrictions on access to information on beneficial owners, had considered the possibility of proposing a uniform definition of that concept.71 In response to this question, the Commission noted that the 'legitimate interest' criterion is a concept that hardly lends itself to a legal definition and which, despite having considered the possibility of proposing a uniform definition of this criterion, ended up refusing to do so, as 
this, even with a definition, continued to be difficult to put into practice and that its application may give rise to arbitrary decisions.72 In this regard, it must be considered that the possible existence of difficulties in precisely defining the hypotheses and conditions under which the publicico can access information about beneficial owners cannot justify the Union legislator providing for access by the general public to that information (see, by analogy, Judgment of 5 April 2022, Commissioner of An Garda Síochána and o. , C‑140/20, EU:C:2022:258, paragraph 84).73 Furthermore, the effects invoked and the reference made, in this context, to the explanations set out in recital 30 of Directive 2018/843 cannot demonstrate either the strict necessity of the interference in question.74 Indeed, to the extent that this recital states that the general public's access to information on beneficial owners allows greater scrutiny of the information by civil society and in that it is expressly mentioned, to this title, the press and civil society organizations, it should be noted that both the press and civil society organizations that have a connection with preventing and combating money laundering and terrorist financing have a legitimate interest in accessing information about beneficial owners. 
The same applies to people, also mentioned in the aforementioned recital, who wish to know the identity of the beneficial beneficiaries of a corporate entity or other legal person because they can carry out transactions with them, or of the financial institutions and authorities involved in the fight against offenses relating to money laundering or terrorist financing, to the extent that the latter entities do not already have access to the information in question under Article 30(5), first subparagraph, points a) and (b), of the Directive 2015/849 as amended.75 In fact, and despite the fact that it is specified, in this same recital, that access by the general public to information on beneficial owners “may contribute” to combating the abusive use of corporate entities and other legal persons and which “would also be useful” for criminal investigations, it must be noted that such considerations are also not capable of demonstrating that this measure is strictly necessary to prevent money laundering and terrorist financing.76 In view of the above, it is not may consider that the interference with the rights guaranteed by Articles 7 and 8 of the Charter resulting from the general public's access to information on beneficial owners is limited to what is strictly necessary.77 Third, with regard to the elements presented to demonstrate the proportionate nature of the interference in question, insofar as, inter alia, access by the general public to information on beneficial owners, provided for in Article 30(5) of Directive 2015/849 as amended, is based on a balanced balance between, on the one hand, the objective of general interest pursued and, on the other, the fundamental rights in question, and where there are sufficient guarantees against the risks of abuse, the following must be added.78 First of all, the Commission claims that , as is clear from recital 34 of Directive 2018/843, the Union legislator took care to specify that the set of data to be provided to the 
public must be limited, defined in a clear and exhaustive manner and must be of a general nature, so as to minimize potential harm to beneficial owners. It is in this context that, based on Article 30(5) of Directive 2015/849 as amended, only the data strictly necessary to identify the beneficial owners, as well as the nature and extent of their interests, are accessible to the public.79 Next, the Parliament, the Council and the Commission emphasize that the principle of access by the general public to information on beneficial owners may be restricted because Article 30(9) of Directive 2015/849 as amended states that, in "exceptional circumstances", "Member States may provide for a [derogation] from access to all or part of the information on the beneficial owner on a case-by-case basis" where access by the general public to that information "exposes the beneficial owner to risk of fraud, kidnapping, extortion, violence or intimidation, or if the beneficial owner is a minor or incapacitated'.80 Finally, both Parliament and the Commission note that, as follows from Article 30(5‑A) of Directive 2015/849 as amended, read in conjunction with recital 36 of Directive 2018/843, Member States may make the provision of information on beneficial owners subject to the condition of an online registration in order to be able to identify the persons requesting that information . 
Furthermore, in accordance with recital 38 of the latter Directive, to prevent the misuse of information on beneficial owners, Member States may make information relating to the applicant available to beneficial owners, together with the legal basis of their request.81 In this regard, it should be noted that, as recalled in paragraph 51 of this judgment, Article 30(5) of Directive 2015/849 as amended provides, in the second paragraph, that any member of the general public must be authorized to access, 'at least', the data referred to in this provision and adds, in its third paragraph, that Member States may provide for access to 'additional information enabling the identification of the beneficial owner', which must include, 'at least' , the date of birth or the contact details of the beneficial owner in question.82 Now, it follows from the use of the expression “at least” that these provisions authorize the making available to the public of data that are neither sufficiently defined nor sufficiently identifiable. Consequently, the substantive rules governing interference with the rights guaranteed by Articles 7 and 8 of the Charter do not meet the requirement of clarity and precision referred to in paragraph 65 of this judgment [see, by analogy, Opinion 1/15 ( EU‑Canada PNR Agreement), of 26 July 2017, EU:C:2017:592, no. 
present judgment, with the importance of the general interest objective of preventing money laundering and terrorist financing, it must be considered that, although, given its importance, this objective is, as stated in paragraph 59 of this judgment, susceptible to justify interference, including serious ones, with the fundamental rights enshrined in Articles 7 and 8 of the Charter, it remains certain that the fight against money laundering and the financing of terrorism is mainly the responsibility of public authorities, as well as of entities, such as credit or financial institutions, which, due to their activities, have specific obligations in this matter.84 It is, in fact, for this reason that Article 30, paragraph 5, first paragraph, subparagraphs a) and b) , of Directive 2015/849 as amended provides that information on beneficial owners must be accessible, in all cases, to competent authorities and financial intelligence units, without restrictions, as well as to obliged entities, within the framework of diligence regarding clientele.85 On the other hand, when compared with a regime such as that of Article 30(5) of Directive 2015/849, in its version prior to the entry into force of Directive 2018/843, which provided, in addition to access to competent authorities and certain entities, that of any persons or organizations that could demonstrate a legitimate interest, the regime introduced by this latest directive, which provides for access by the general public to information on beneficial owners, represents a considerably more serious breach of fundamental rights guaranteed by articles 7 and 8 of the Charter, without this worsening being compensated by the possible benefits that could result from this last regime in relation to the first with regard to combating money laundering and terrorist financing (see ., by analogy, Judgment of 1 August 2022, Vyriausioji tarnybinės etikos komisija, C‑184/20, EU:C:2022:601, paragraph 112).86 In these circumstances, the 
optional provisions of Article 30(n) .os 5‑A and 9, of Directive 2015/849 as amended, which allow Member States, respectively, to make the provision of information on beneficial owners subject to the condition of an online registration and to provide, in exceptional circumstances, restrictions on public access to that information, are not, in themselves, capable of demonstrating either a balanced consideration between the objective of general interest pursued and the fundamental rights enshrined in Articles 7 and 8 of the Charter, nor the existence of sufficient guarantees that allow data subjects to effectively protect their personal data against the risks of abuse.87 Furthermore, the reference that the Commission makes to the Judgment of 9 March 2017, Manni (C‑) is irrelevant in this context. 398/15, EU:C:2017:197), regarding mandatory advertising relating to companies, including their legal representatives, provided for in First Council Directive 68/151/EEC, of 9 March 1968, aimed at coordinating the guarantees which, for the protection of the interests of shareholders and third parties, are required in the Member States from companies, within the meaning of the second paragraph of Article 58 of the Treaty, in order to make those guarantees equivalent throughout the Community (OJ 1968, L 65, p. 8; EE 17 F 01 p. 3), as amended by Directive 2003/58/EC of the European Parliament and of the Council of 15 July 2003 (OJ 2003, L 221, p. 13). 
Indeed, the mandatory advertising provided for in this directive, on the one hand, and the general public's access to information on beneficial owners provided for in Directive 2015/849 as amended, on the other, differ both in their respective purposes and in their scope in terms of personal data covered.88 Taking into account all the above considerations, it is necessary to answer the first question submitted in case C‑601/20 that Article 1, point 15, point c), of Directive 2018/843 is invalid in in so far as it amended Article 30(5), first subparagraph, point c), of Directive 2015/849, in the sense that it provides, in its version as amended, that Member States must ensure that information about the beneficial owners of corporate entities and other legal entities incorporated in their territory are accessible in all cases to any member of the general public. Regarding the second and third questions raised in case C‑601/20 and the questions raised in case C‑37/2089 With regard to the second question raised in case C‑601/20 and the questions raised in case C‑37/ 20, these are based on the premise of the validity of Article 30(5) of Directive 2015/849 as amended, in so far as it provides for public access to information on beneficial owners.90 Now, given the answer given to first question submitted in case C‑601/20, there is no need to examine these questions.91 Furthermore, given this same answer, there is also no need to examine the third question submitted in case C‑601/20. Regarding costs92 Considering the case, as regards the parties to the main case, the nature of the incident raised before the referring court, it is up to the latter to decide on costs. Expenses incurred by the other parties in submitting observations to the Court of Justice are not refundable.On these grounds, the Court of Justice (Grand Chamber) declares:Article 1(15)(c) of the Directive (E.U. 
) 2018/843 of the European Parliament and of the Council, of 30 May 2018, amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing and amending Directives 2009/138/EC and 2013/36/EU, is invalid insofar as it amends Article 30(5), first subparagraph, point c), of Directive (EU) 2015/849 of the European Parliament and the Council of 20 May 2015 on preventing the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Directive 2006/70/EC of the Commission, in the sense in which this Article 30(5), first subparagraph, point c), provides, in its version as follows as amended, that Member States must ensure that information on the beneficial owners of corporate entities and other legal persons incorporated in their territory is accessible in all cases to any member of the general public.Signatures<br />
</pre><br />
{{DEFAULTSORT:CJEU - C‑37/20 and C‑601/20 SOVIM / WM v Luxembourg Business Registers}}</div>Mgrdhttps://gdprhub.eu/index.php?title=CJEU_-_C%E2%80%91755/21_P_-_Ko%C4%8Dner_v_EuropolCJEU - C‑755/21 P - Kočner v Europol2024-03-08T15:39:32Z<p>10.90.129.159: </p>
<hr />
<div>{{CJEUdecisionBOX<br />
<br />
|Case_Number_Name=C‑755/21 P Kočner v Europol<br />
|ECLI=ECLI:EU:C:2024:202<br />
<br />
|Opinion_Link=<br />
|Judgement_Link=https://curia.europa.eu/juris/document/document.jsf;jsessionid=E7B0DB74BBB1714B85B2E41B7A9584AC?text=&docid=283444&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=155911<br />
<br />
|Date_Decided=05.03.2024<br />
|Year=2024<br />
<br />
|GDPR_Article_1=Article 82(4) GDPR<br />
|GDPR_Article_Link_1=Article 82 GDPR#4<br />
|GDPR_Article_2=Article 82(5) GDPR<br />
|GDPR_Article_Link_2=Article 82 GDPR#5<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
<br />
|EU_Law_Name_1=Article 340 TFEU<br />
|EU_Law_Link_1=https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:12012E/TXT:en:PDF<br />
|EU_Law_Name_2=Article 50(1) Regulation 2016/794<br />
|EU_Law_Link_2=https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0794<br />
|EU_Law_Name_3=<br />
|EU_Law_Link_3=<br />
|EU_Law_Name_4=<br />
|EU_Law_Link_4=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=Marián Kočner<br />
|Party_Link_1=https://en.wikipedia.org/wiki/Mari%25C3%25A1n_Ko%25C4%258Dner<br />
|Party_Name_2=Europol<br />
|Party_Link_2=https://www.europol.europa.eu/<br />
|Party_Name_3=Slovak Republic<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Reference_Body=<br />
|Reference_Case_Number_Name=<br />
<br />
|Initial_Contributor=im<br />
|<br />
}}<br />
<br />
The CJEU found that Europol and the Slovak Republic are jointly liable for the unauthorized disclosure of intimate conversations between the data subject and his girlfriend, which were leaked to the press. The data subject was granted €2,000 in compensation for the non-material damage suffered.<br />
<br />
==English Summary==<br />
<br />
=== Facts ===<br />
Following the murder of a Slovak journalist and his fiancée, Mr Ján Kuciak and Ms Martina Kušnírová, in Slovakia on 21 February 2018, the Slovak authorities (Národná kriminálna agentúra (National Crime Agency, Slovakia; ‘NAKA’)) conducted an extensive investigation. <br />
At the request of those authorities, the European Union Agency for Law Enforcement Cooperation (‘Europol’) extracted the data stored on two mobile telephones allegedly belonging to Mr Marián Kočner, the data subject, who, following the investigation, was prosecuted as an accomplice to that murder for having ordered the killings. <br />
<br />
Europol sent its scientific reports to those authorities and delivered to them a hard disk containing the encrypted data it had extracted. In one of its reports, Europol stated that Mr Kočner had been detained on suspicion of a financial offence since 2018 and that his name was, inter alia, directly linked to the ‘so-called mafia lists’ and the ‘Panama Papers’.<br />
<br />
In May 2019, the Slovak press and an international network of investigative journalists published a large amount of information relating to Mr Kočner taken from his mobile telephones, including transcripts of intimate communications exchanged between him and his girlfriend. Those conversations had been carried out through an encrypted messaging service. <br />
<br />
On that basis, Mr Kočner sent a complaint to Europol seeking compensation in the amount of €100,000 as reparation for non-material damage under [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32016R0794 Article 50(1) Regulation 2016/794]. The compensation sought consisted of €50,000 for the unlawful disclosure of the data subject's intimate conversations with his girlfriend and €50,000 for the inclusion of his name on the 'mafia list'. <br />
<br />
Europol and the Slovak Republic contended that the claim was unfounded as, firstly, Regulation 2016/794 (which lays down the rules governing Europol) does not provide for such joint liability of Europol and the Member State. Secondly, Europol rejected any liability due to the absence of unlawful conduct on its part, given that the alleged harmful events occurred during the storage of the national investigation file. As such, these circumstances do not constitute ‘unlawful data processing operations’ within the meaning of [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32016R0794 Article 50(1) Regulation 2016/794]. <br />
<br />
Lastly, Europol stated that even if joint liability were applicable, the absence of any unlawful conduct on its part and of a causal link between such conduct and the damage suffered could not give rise to liability.<br />
<br />
=== Holding ===<br />
Firstly, the CJEU ruled that, in order for the joint and several liability of Europol and the Member State concerned to be incurred at the first stage, the individual concerned need only show that, in the course of cooperation between Europol and that Member State, unlawful data processing that caused him or her to suffer damage was carried out. There is no need additionally to establish to which of the two entities, Europol or the Member State, that unlawful processing was attributable.<br />
<br />
Secondly, concerning specifically the leak of the 'so-called mafia list', the CJEU found that the data subject had failed to establish that the ‘mafia lists’ on which his name had allegedly been included had been drawn up and kept by Europol. The data subject's claim was contradicted by the evidence, from which it was apparent that the leaked Europol report containing Mr Kočner’s name on the ‘mafia list’ was subsequent to, and thus unrelated to, the Slovak press publications in which he had been portrayed as a ‘member of the mafia’. <br />
<br />
Thirdly, the CJEU rejected Europol’s argument that it had met its obligations and implemented appropriate technical and organizational measures to protect personal data against any form of unauthorized access. The Court observed that data of such an intimate nature bears out the need for its protection to be strictly ensured in the cooperation between Europol and the Member States under [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32016R0794 Regulation 2016/794]. As unauthorized access had taken place, this constituted a sufficiently serious breach of a rule of EU law intended to confer rights on individuals. <br />
<br />
Fourthly, the Court held that the European Union could incur non-contractual liability in the present case as a result of the publication of the data subject’s intimate conversations. The leak of this information adversely affected his honour and professional reputation, and violated his rights to privacy, family life and respect for his communications, guaranteed by Article 7 of the Charter of Fundamental Rights of the European Union.<br />
<br />
As a result, the CJEU held Europol and the Slovak Republic jointly and severally liable for the unlawful data processing which caused the data subject to suffer non-material damage. The Court stated that Europol has the possibility to refer the matter to its Management Board so that it can determine who has the ultimate responsibility for the compensation awarded to the data subject. However, this exclusively concerns the internal allocation of responsibilities between the two jointly liable controllers.<br />
<br />
The compensation sought by the data subject for the inclusion of his name on the ‘mafia list’ by Europol had been set at €50,000. As that claim was dismissed, the Court examined only the claim for €50,000 in respect of the disclosure of the data subject’s conversations with his girlfriend. The Court found that the alleged damage resulted solely from the disclosure of transcripts of the conversations, as no evidence established that any photographs had been disclosed. <br />
<br />
As a result, the CJEU granted Mr Kočner compensation in the amount of €2,000 as reparation for that damage.<br />
<br />
== Comment ==<br />
The case concerns the joint and several liability of two controllers under Regulation 2016/794. However, the concept is also relevant under [[Article 82 GDPR#4|Article 82(4) GDPR]] and [[Article 82 GDPR#5|Article 82(5) GDPR]].<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''</div>Imhttps://gdprhub.eu/index.php?title=AEPD_(Spain)_-_PS-00446-2023AEPD (Spain) - PS-00446-20232024-03-08T09:28:51Z<p>Teresa.lopez: Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS-00446-2023 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/documento/ps-00446-2023.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Cod..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=PS-00446-2023<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AEPD<br />
|Original_Source_Link_1=https://www.aepd.es/documento/ps-00446-2023.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=20.05.2023<br />
|Date_Decided=<br />
|Date_Published=06.03.2024<br />
|Year=<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 6(1) GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR#1<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Teresa.lopez<br />
|<br />
}}<br />
<br />
The Spanish Data Protection Authority fined a controller €2,000 for requiring an employee to use their personal cell phone for work purposes without establishing an appropriate legal basis for the processing.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
An ex-employee of the controller filed a complaint with the Spanish Data Protection Authority, alleging that the company for which they had provided services compelled them to use their personal cell phone for work purposes. This requirement involved installing an application, specifically a company wallet card platform. <br />
<br />
Despite the complaints raised, the controller was adamant that it would not provide the employee with a company cell phone. The ex-employee further stated that, even after leaving the company, their phone number remained part of two WhatsApp groups. Consequently, they continued to receive messages from former colleagues and appeared in those groups as a former member, with their phone number and name still visible.<br />
<br />
=== Holding ===<br />
The Spanish Data Protection Authority ruled that the processing activities conducted by the controller violated Article 6.1 of the GDPR. As a result, the DPA imposed a fine of €2,000 on the controller.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
1/12<br />
<br />
File No.: EXP202310230<br />
<br />
RESOLUTION TERMINATING THE PROCEDURE BY VOLUNTARY PAYMENT<br />
<br />
Of the procedure instructed by the Spanish Data Protection Agency, and based<br />
on the following<br />
<br />
<br />
BACKGROUND<br />
<br />
<br />
FIRST: On January 8, 2024, the Director of the Spanish Data Protection Agency<br />
agreed to initiate sanctioning proceedings against VUKMAL TRADE, S.L.<br />
(hereinafter, the claimed party), through the Agreement transcribed below:<br />
<br />
<<<br />
<br />
File No.: EXP202310230<br />
<br />
<br />
AGREEMENT TO START SANCTIONING PROCEDURE<br />
<br />
<br />
Of the actions carried out by the Spanish Data Protection Agency, and based<br />
on the following<br />
<br />
FACTS<br />
<br />
FIRST: Mr. A.A.A., with DNI ***NIF.1 (hereinafter, the claimant), on<br />
05/28/2023 filed a claim with the Spanish Data Protection Agency.<br />
The claim is directed against VUKMAL TRADE, S.L., with NIF B09966508<br />
(hereinafter, the claimed party). The grounds on which the claim is based are<br />
the following:<br />
<br />
<br />
The claimant states that the company for which he provided his services until<br />
***DATE.1 required him to use his personal mobile phone for work, having to<br />
install an application (Soldo, a company wallet card platform, which he had to<br />
access daily to make transfers and to account for expenses, requiring access to<br />
a phone to receive the verification code) in order to access a website in<br />
Ireland, and that, in addition, the company shared his personal mobile number<br />
with other employees without his consent.<br />
<br />
After notifying the situation, the company's response was that they were not<br />
going to give him a company cell phone. The claimant states that, although he<br />
no longer works at the company, his personal phone was included in two WhatsApp<br />
groups (Notices Expofactory and Central Services, the first for HR issues and<br />
the second for work issues), being contacted by former colleagues and appearing<br />
in these groups as a former member, with his phone number and name. The company<br />
<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es 2/12<br />
<br />
refuses to delete such groups and continues to force its employees to use their<br />
personal phones for work.<br />
<br />
<br />
The claimant emphasizes that, in the two months he worked at the company, he was<br />
told by the HR manager (WhatsApp group administrator) and by the CFO of the<br />
company that his objection to the use of his personal cell phone for work was<br />
nonsense, with the financial director telling him that he would not be given a<br />
company cell phone.<br />
<br />
<br />
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December,<br />
on the Protection of Personal Data and guarantee of digital rights (hereinafter,<br />
LOPDGDD), on 07/21/2023 said claim was transferred to the claimed party, so<br />
that it could proceed with its analysis and inform this Agency, within a period<br />
of one month, of the actions carried out to adapt to the requirements laid down<br />
in data protection regulations.<br />
<br />
The transfer, which was carried out in accordance with the rules established in<br />
Law 39/2015, of October 1, on the Common Administrative Procedure of the Public<br />
Administrations (hereinafter, LPACAP) through electronic notification, was not<br />
collected by the person responsible within the period during which it was made<br />
available, and was understood to be rejected in accordance with the provisions<br />
of art. 43.2 of the LPACAP on 08/01/2023, as stated in the certificate in the<br />
file.<br />
<br />
Although the notification was validly carried out by electronic means, the<br />
procedure being considered completed in accordance with the provisions of<br />
article 41.5 of the LPACAP, for information purposes a copy was sent by postal<br />
mail, which was reliably notified on 08/10/2023. In said notification, the<br />
claimed party was reminded of its obligation to communicate electronically with<br />
the Administration and was informed of the means of access to said<br />
notifications, reiterating that, from then on, it would be notified exclusively<br />
by electronic means.<br />
<br />
<br />
THIRD: On 08/28/2023, in accordance with article 65 of the LOPDGDD, the claim<br />
presented by the claimant was admitted for processing.<br />
<br />
<br />
FOURTH: In a written submission dated 09/13/2023, the claimed party stated that<br />
on ***DATE.1 the claimant asked the company to remove him from the WhatsApp<br />
group and from the Soldo application, and from any others in use; that the next<br />
day he was informed that his data had been deleted in accordance with what was<br />
requested; that the claimed party has carried out a risk analysis on the<br />
processing of personal data, has drawn up a protocol of the technical and<br />
organizational security measures implemented to comply with data protection<br />
regulations and has drafted a security policy document to inform workers of<br />
their rights and obligations regarding the processing of personal data; that to<br />
date, WhatsApp groups were created to streamline the day-to-day running of the<br />
company, requesting only verbal consent; and that since 05/03/2023 written<br />
consent has been requested from all workers.<br />
<br />
FOUNDATIONS OF LAW<br />
<br />
<br />
I<br />
<br />
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679<br />
(General Data Protection Regulation, hereinafter GDPR) grants to each<br />
supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of<br />
Organic Law 3/2018, of December 5, on the Protection of Personal Data and<br />
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish<br />
Data Protection Agency is competent to initiate and resolve this procedure.<br />
<br />
<br />
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed<br />
by the Spanish Data Protection Agency will be governed by the provisions of<br />
Regulation (EU) 2016/679, by this organic law, by the regulatory provisions<br />
dictated in its development and, insofar as they do not contradict them, on a<br />
subsidiary basis, by the general rules on administrative procedures."<br />
<br />
II<br />
The reported events consist of the inclusion in WhatsApp groups without a<br />
legitimizing basis, which could violate the regulations on the protection of<br />
personal data.<br />
<br />
Article 58 of the GDPR, Powers, states:<br />
<br />
"2. Each supervisory authority shall have all of the following corrective<br />
powers:<br />
(…)<br />
d) to order the controller or processor to bring processing operations into<br />
compliance with the provisions of this Regulation, where appropriate, in a<br />
specified manner and within a specified period;<br />
(…)<br />
i) to impose an administrative fine pursuant to Article 83, in addition to, or<br />
instead of, measures referred to in this paragraph, depending on the<br />
circumstances of each individual case;<br />
(…)”<br />
<br />
<br />
III<br />
Article 5 of the GDPR, Principles relating to processing, states that:<br />
<br />
"1. Personal data shall be:<br />
<br />
a) processed lawfully, fairly and in a transparent manner in relation to the<br />
data subject ("lawfulness, fairness and transparency");<br />
(…)”<br />
<br />
<br />
Article 6.1 of the GDPR establishes the conditions under which the processing<br />
of personal data is considered lawful:<br />
<br />
"1. Processing shall be lawful only if and to the extent that at least one of<br />
the following applies:<br />
<br />
a) the data subject has given consent to the processing of his or her personal<br />
data for one or more specific purposes;<br />
b) processing is necessary for the performance of a contract to which the data<br />
subject is party or in order to take steps at the request of the data subject<br />
prior to entering into a contract;<br />
c) processing is necessary for compliance with a legal obligation to which the<br />
controller is subject;<br />
d) processing is necessary in order to protect the vital interests of the data<br />
subject or of another natural person;<br />
e) processing is necessary for the performance of a task carried out in the<br />
public interest or in the exercise of official authority vested in the<br />
controller;<br />
f) processing is necessary for the purposes of the legitimate interests pursued<br />
by the controller or by a third party, except where such interests are<br />
overridden by the interests or fundamental rights and freedoms of the data<br />
subject which require protection of personal data, in particular where the data<br />
subject is a child.<br />
<br />
Point f) of the first subparagraph shall not apply to processing carried out by<br />
public authorities in the performance of their tasks.”<br />
<br />
Likewise, Recital 40 of the aforementioned GDPR provides that "In order for<br />
processing to be lawful, personal data should be processed on the basis of the<br />
consent of the data subject concerned or some other legitimate basis, laid down<br />
by law, either in this Regulation or in other Union or Member State law as<br />
referred to in this Regulation, including the necessity for compliance with the<br />
legal obligation to which the controller is subject or the necessity for the<br />
performance of a contract to which the data subject is party or in order to<br />
take steps at the request of the data subject prior to entering into a<br />
contract."<br />
<br />
<br />
On the other hand, article 4 of the GDPR, Definitions, in points 1, 2 and 11,<br />
states that:<br />
<br />
“1) ‘personal data’ means any information relating to an identified or<br />
identifiable natural person (‘data subject’); an identifiable natural person is<br />
one who can be identified, directly or indirectly, in particular by reference to<br />
an identifier such as a name, an identification number, location data, an<br />
online identifier or to one or more factors specific to the physical,<br />
physiological, genetic, mental, economic, cultural or social identity of that<br />
natural person;<br />
<br />
2) ‘processing’ means any operation or set of operations which is performed on<br />
personal data or on sets of personal data, whether or not by automated means,<br />
such as collection, recording, organisation, structuring, storage, adaptation<br />
or alteration, retrieval, consultation, use, disclosure by transmission,<br />
dissemination or otherwise making available, alignment or combination,<br />
restriction, erasure or destruction;<br />
<br />
11) ‘consent’ of the data subject means any freely given, specific, informed<br />
and unambiguous indication of the data subject’s wishes by which he or she, by<br />
a statement or by a clear affirmative action, signifies agreement to the<br />
processing of personal data relating to him or her.”<br />
<br />
IV<br />
<br />
The infringement attributed to the claimed party is classified in article<br />
83.5 a) of the GDPR, which considers that the violation of “the basic principles<br />
for processing, including conditions for consent pursuant to Articles 5, 6, 7<br />
and 9” is punishable, in accordance with paragraph 5 of the aforementioned<br />
article 83 of the aforementioned Regulation, “with administrative fines up to<br />
€20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide<br />
annual turnover of the preceding financial year, whichever is higher.”<br />
<br />
The LOPDGDD, in its article 71, Infringements, states that: “The acts and<br />
conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU)<br />
2016/679, as well as those that are contrary to this organic law, constitute<br />
infringements.”<br />
<br />
And in its article 72, for the purposes of the limitation period, it sets out<br />
the “Infringements considered very serious:<br />
<br />
1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,<br />
the infringements that involve a substantial violation of the articles<br />
mentioned therein are considered very serious and will be time-barred after<br />
three years, and in particular the following:<br />
<br />
(…)<br />
b) The processing of personal data without any of the conditions of lawfulness<br />
of the processing established in article 6 of Regulation (EU) 2016/679.<br />
(…)”<br />
<br />
<br />
V<br />
The processing of personal data requires the existence of a legal basis that<br />
legitimizes it.<br />
<br />
In accordance with article 6.1 of the GDPR, in addition to consent, there are<br />
other possible bases that legitimize the processing of data without the need<br />
to have the authorization of its owner: in particular, when it is necessary for<br />
the performance of a contract to which the affected party is a party or for the<br />
application, at his request, of pre-contractual measures, or when it is<br />
necessary for the satisfaction of legitimate interests pursued by the data<br />
controller or by a third party, provided that the interests or fundamental<br />
rights and freedoms of the affected party that require the protection of such<br />
data do not prevail over said interests. Processing is also considered lawful<br />
when it is necessary for the fulfillment of a legal obligation applicable to<br />
the data controller, to protect the vital interests of the affected person or<br />
of another natural person, or for the performance of a task carried out in the<br />
public interest or in the exercise of public powers conferred on the data<br />
controller.<br />
<br />
The claimant, in his submission of 05/28/2023, stated that the claimed party<br />
obliges its workers to use their personal mobile phone for work (through the<br />
Soldo application) and, furthermore, that having stopped providing services<br />
for it he continues to be included in two WhatsApp groups, with the company<br />
refusing to delete them and forcing its employees to use their personal phones<br />
for work.<br />
<br />
The claimed party, in its submission dated 09/13/2023, stated that “To date,<br />
WhatsApp groups were created to streamline the day-to-day running of the<br />
company; it was not a mandatory requirement, but only verbal consent was<br />
requested; since 31 May 2023, written consent is requested from all workers.”<br />
<br />
Therefore, it is considered that the conduct of the claimed party violates the<br />
principle of lawfulness enshrined in article 6.1 of the GDPR, typified in<br />
article 83.5 a) of the GDPR.<br />
<br />
<br />
VI<br />
In order to establish the administrative fine to be imposed, the provisions<br />
contained in articles 83.1 and 83.2 of the GDPR must be observed, which<br />
state:<br />
<br />
<br />
"1. Each supervisory authority shall ensure that the imposition of<br />
administrative fines pursuant to this Article in respect of infringements of<br />
this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual<br />
case be effective, proportionate and dissuasive.<br />
<br />
2. Administrative fines shall, depending on the circumstances of each<br />
individual case, be imposed in addition to, or instead of, measures referred to<br />
in points a) to h) and j) of Article 58(2). When deciding whether to impose an<br />
administrative fine and deciding on the amount of the administrative fine in<br />
each individual case due regard shall be given to the following:<br />
<br />
a) the nature, gravity and duration of the infringement taking into account the<br />
nature, scope or purpose of the processing concerned as well as the number of<br />
data subjects affected and the level of damage suffered by them;<br />
b) the intentional or negligent character of the infringement;<br />
c) any action taken by the controller or processor to mitigate the damage<br />
suffered by data subjects;<br />
d) the degree of responsibility of the controller or processor taking into<br />
account technical and organisational measures implemented by them pursuant to<br />
Articles 25 and 32;<br />
e) any relevant previous infringements by the controller or processor;<br />
f) the degree of cooperation with the supervisory authority, in order to remedy<br />
the infringement and mitigate the possible adverse effects of the infringement;<br />
g) the categories of personal data affected by the infringement;<br />
h) the manner in which the infringement became known to the supervisory<br />
authority, in particular whether, and if so to what extent, the controller or<br />
processor notified the infringement;<br />
i) where measures referred to in Article 58(2) have previously been ordered<br />
against the controller or processor concerned with regard to the same<br />
subject-matter, compliance with those measures;<br />
j) adherence to approved codes of conduct pursuant to Article 40 or approved<br />
certification mechanisms pursuant to Article 42; and<br />
k) any other aggravating or mitigating factor applicable to the circumstances<br />
of the case, such as financial benefits gained, or losses avoided, directly or<br />
indirectly, from the infringement.”<br />
<br />
In relation to letter k) of article 83.2 of the GDPR, the LOPDGDD, in its<br />
article 76, “Sanctions and corrective measures”, establishes that:<br />
<br />
"2. In accordance with the provisions of article 83.2.k) of Regulation (EU)<br />
2016/679, the following may also be taken into account:<br />
<br />
a) The continuous nature of the infringement.<br />
b) The link between the offender's activity and the carrying out of processing<br />
of personal data.<br />
c) The benefits obtained as a consequence of the commission of the infringement.<br />
d) The possibility that the conduct of the affected person could have induced<br />
the commission of the infringement.<br />
e) The existence of a merger by absorption process after the commission of the<br />
infringement, which cannot be attributed to the absorbing entity.<br />
f) The impact on the rights of minors.<br />
g) Having, when it is not mandatory, a data protection officer.<br />
h) The voluntary submission by the controller or processor to alternative<br />
dispute resolution mechanisms, in those cases in which there are disputes<br />
between them and any data subject."<br />
<br />
<br />
In accordance with the transcribed precepts, and without prejudice to what<br />
results from the instruction of the procedure, for the purposes of setting the<br />
amount of the fine to be imposed in the present case for the violation of<br />
article 6.1 of the GDPR, typified in article 83.5.a) of the GDPR, for which the<br />
claimed party is held responsible, in an initial assessment it is considered<br />
appropriate to establish a penalty of €2,000 (two thousand euros).<br />
<br />
<br />
<br />
VII<br />
If the violation is confirmed, the controller could be ordered to adopt<br />
appropriate measures to bring its actions into line with the regulations<br />
mentioned in this act, in accordance with the provisions of the aforementioned<br />
article 58.2 d) of the GDPR, according to which each supervisory authority may<br />
“order the controller or processor to bring processing operations into<br />
compliance with the provisions of this Regulation, where appropriate, in a<br />
specified manner and within a specified period…” The imposition of this measure<br />
is compatible with the sanction consisting of an administrative fine, as<br />
provided in art. 83.2 of the GDPR.<br />
<br />
<br />
Therefore, it would be considered appropriate to order the claimed party, within<br />
a period of six months, to bring the processing that is the object of this<br />
procedure into line with the applicable regulations. The text of this agreement<br />
establishes the facts that have given rise to the violation of data protection<br />
regulations, from which the measures to be adopted can clearly be inferred,<br />
without prejudice to the fact that the specific procedures, mechanisms or<br />
instruments to implement them are for the sanctioned party to decide, since it<br />
is the one who fully knows its organization and must decide, based on<br />
accountability and a risk-based approach, how to comply with the GDPR and the<br />
LOPDGDD. Specifically, it must comply with what is required by data protection<br />
regulations, by legitimizing the processing carried out both in the use of the<br />
app and in the WhatsApp groups in the company, or by terminating such<br />
processing.<br />
<br />
Please note that failure to comply with the order imposed by this body may be<br />
considered an administrative offense in accordance with the provisions of the<br />
GDPR, classified as an infringement in its articles 83.5 and 83.6, and such<br />
conduct may give rise to the opening of a subsequent administrative<br />
sanctioning procedure.<br />
<br />
<br />
<br />
Therefore, in light of the above,<br />
<br />
<br />
The Director of the Spanish Data Protection Agency<br />
<br />
AGREES:<br />
<br />
FIRST: TO INITIATE SANCTIONING PROCEEDINGS against VUKMAL TRADE, S.L., with<br />
NIF B09966508, for the alleged violation of article 6.1 of the GDPR, typified<br />
in article 83.5.a) of the GDPR.<br />
<br />
SECOND: APPOINT B.B.B. Instructor. and Secretary to C.C.C., indicating that<br />
Any of them may be challenged, if applicable, in accordance with the provisions of the<br />
articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Sector<br />
<br />
Public (LRJSP).<br />
<br />
THIRD: TO INCORPORATE into the sanctioning file, for evidentiary purposes, the<br />
claim filed by the claimant and its documentation, and the documents<br />
obtained and generated by the Inspection Services, all of which<br />
make up the file.<br />
<br />
FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of October 1,<br />
and article 58.2.b) of the RGPD, the sanction that may apply for the<br />
violation of article 6.1 of the RGPD would be €2,000 (two thousand euros), without prejudice to<br />
what results from the investigation.<br />
<br />
<br />
FIFTH: TO NOTIFY this Agreement to VUKMAL TRADE, S.L., with NIF<br />
B09966508, expressly indicating its right to a hearing in the procedure<br />
and granting it a period of TEN WORKING DAYS to formulate allegations and<br />
propose the evidence it considers appropriate. In its brief of allegations<br />
it must provide its NIF and the procedure number that appears in the heading<br />
of this document.<br />
<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es 9/12<br />
<br />
If within the stipulated period you do not make allegations to this initiation agreement,<br />
it may be considered a proposal for resolution, as established in<br />
article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure<br />
of Public Administrations (hereinafter, LPACAP).<br />
<br />
<br />
In accordance with the provisions of article 85 of the LPACAP, in the event that<br />
the sanction to be imposed is a fine, you may recognize your responsibility within<br />
the period granted for formulating allegations to this initiation agreement,<br />
which will entail a reduction of 20% of the sanction that may be imposed in<br />
the present procedure. With the application of this reduction, the sanction would be<br />
established at 1,600 euros, resolving the procedure with the imposition of this<br />
sanction.<br />
<br />
Likewise, you may, at any time prior to the resolution of<br />
this procedure, make voluntary payment of the proposed sanction, which<br />
will mean a 20% reduction in its amount. With the application of this<br />
reduction, the penalty would be established at 1,600 euros and its payment will imply the<br />
termination of the procedure, without prejudice to the measures that, if applicable,<br />
may be imposed.<br />
<br />
<br />
The reduction for voluntary payment of the penalty is cumulative with that<br />
which may apply for the recognition of responsibility, provided that this<br />
acknowledgment of responsibility is made within the period<br />
granted to formulate allegations at the opening of the procedure. Voluntary<br />
payment of the amount referred to in the previous paragraph may be made at any<br />
time before the resolution. In this case, if it were appropriate to apply both<br />
reductions, the amount of the penalty would be established at 1,200 euros.<br />
<br />
In any case, the effectiveness of either of the two reductions mentioned<br />
will be conditioned on the withdrawal or waiver of any pending administrative<br />
action or appeal against the sanction.<br />
<br />
<br />
In the event that you choose to proceed with the voluntary payment of any of the<br />
amounts indicated above (1,600 or 1,200 euros), you must make it effective<br />
by depositing it into account number ES00 0000 0000 0000 0000 0000, opened in the<br />
name of the Spanish Data Protection Agency at CAIXABANK, S.A.,<br />
indicating in the payment reference the procedure number that appears in<br />
the heading of this document and the reason for the reduction of the amount<br />
applied.<br />
<br />
Likewise, you must send proof of payment to the General Subdirectorate of<br />
Inspection in order to continue the procedure in accordance with the amount<br />
paid.<br />
<br />
The procedure will have a maximum duration of twelve months counting from the<br />
date of the initiation agreement or, where applicable, of the draft initiation agreement.<br />
After this period, it will expire and, consequently, the proceedings will be<br />
filed, in accordance with the provisions of article 64 of the LOPDGDD.<br />
<br />
In compliance with articles 14, 41 and 43 of the LPACAP, it is noted that,<br />
from now on, notifications sent to you will be made exclusively<br />
electronically, through the Single Enabled Electronic Address<br />
(dehu.redsara.es), and that, if you do not access them, your rejection will be recorded in the<br />
file, the formality being deemed completed and the procedure continuing. You are<br />
informed that you may identify an email address to this Agency<br />
to receive notice that notifications have been made available, and that the absence of<br />
this notice will not prevent the notification from being considered fully<br />
valid.<br />
<br />
<br />
Finally, it is noted that in accordance with the provisions of article 112.1 of the<br />
LPACAP, there is no administrative appeal against this act.<br />
<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
<br />
<br />
<br />
<br />
>><br />
<br />
<br />
SECOND: On January 16, 2024, the claimed party proceeded to pay<br />
the penalty in the amount of 1,200 euros, making use of the two reductions<br />
provided for in the initiation Agreement transcribed above, which implies<br />
recognition of responsibility.<br />
<br />
<br />
THIRD: The payment made within the period granted to formulate allegations to<br />
the opening of the procedure entails the waiver of any pending administrative<br />
action or appeal against the sanction and recognition of responsibility in relation to<br />
the facts referred to in the Initiation Agreement.<br />
<br />
FOURTH: In the initiation Agreement transcribed previously it was stated that,<br />
if the infringement were confirmed, it could be agreed to impose on the person responsible the adoption of<br />
appropriate measures to adjust its actions to the regulations mentioned in this<br />
act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to<br />
which each supervisory authority may “order the controller or processor to bring<br />
processing operations into compliance with the provisions of<br />
this Regulation, where appropriate, in a specified manner and within a<br />
specified period…”<br />
<br />
Having recognized responsibility for the infraction, the imposition of<br />
the measures included in the Initiation Agreement proceeds.<br />
<br />
<br />
<br />
FOUNDATIONS OF LAW<br />
<br />
I<br />
Competence<br />
<br />
<br />
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679<br />
(General Data Protection Regulation, hereinafter RGPD) grants each<br />
supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of<br />
Organic Law 3/2018, of December 5, on the Protection of Personal Data and<br />
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish<br />
Data Protection Agency is competent to initiate and resolve this procedure.<br />
<br />
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures<br />
processed by the Spanish Data Protection Agency will be governed by the provisions<br />
of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions<br />
issued in its development and, insofar as they do not contradict them, on a<br />
subsidiary basis, by the general rules on administrative procedures."<br />
<br />
II<br />
Termination of the procedure<br />
<br />
<br />
Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure<br />
of Public Administrations (hereinafter, LPACAP), under the heading<br />
“Termination in sanctioning procedures”, provides the following:<br />
<br />
"1. Once a sanctioning procedure has been initiated, if the offender recognizes his responsibility,<br />
the procedure may be resolved with the imposition of the appropriate sanction.<br />
<br />
2. When the sanction is solely pecuniary in nature, or when a pecuniary sanction<br />
and another of a non-pecuniary nature may be imposed but the second is found<br />
inadmissible, voluntary payment by the alleged responsible party, at<br />
any time prior to the resolution, will imply the termination of the procedure,<br />
except in relation to the restoration of the altered situation or the determination of<br />
compensation for damages caused by the commission of the infringement.<br />
<br />
3. In both cases, when the sanction is solely pecuniary in nature, the<br />
body competent to resolve the procedure will apply reductions of at least<br />
20% of the amount of the proposed penalty, these being cumulative with each other.<br />
The aforementioned reductions must be determined in the notification of initiation<br />
of the procedure, and their effectiveness will be conditioned on the withdrawal or waiver of<br />
any administrative action or appeal against the sanction.<br />
<br />
The reduction percentage provided for in this section may be increased<br />
by regulation."<br />
<br />
In view of the above,<br />
the Director of the Spanish Data Protection Agency RESOLVES:<br />
<br />
<br />
FIRST: TO DECLARE the termination of procedure EXP202310230,<br />
in accordance with the provisions of article 85 of the LPACAP.<br />
<br />
SECOND: TO ORDER VUKMAL TRADE, S.L. to notify the Agency, within 6 months<br />
from the date this resolution becomes final and enforceable, of the<br />
adoption of the measures described in the legal foundations of the<br />
Initiation Agreement transcribed in this resolution.<br />
<br />
<br />
THIRD: TO NOTIFY this resolution to VUKMAL TRADE, S.L.<br />
<br />
In accordance with the provisions of article 50 of the LOPDGDD, this<br />
Resolution will be made public once it has been notified to the interested parties.<br />
<br />
Against this resolution, which puts an end to the administrative procedure as prescribed by<br />
art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure<br />
of Public Administrations, interested parties may file a<br />
contentious-administrative appeal before the Contentious-Administrative Chamber of the<br />
National High Court, in accordance with the provisions of article 25 and section 5 of<br />
the fourth additional provision of Law 29/1998, of July 13, regulating the<br />
Contentious-Administrative Jurisdiction, within a period of two months from the<br />
day following the notification of this act, as provided for in article 46.1 of the<br />
aforementioned Law.<br />
<br />
<br />
1259-16012024<br />
<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
</pre></div>Teresa.lopezhttps://gdprhub.eu/index.php?title=CNIL_(France)_-_Deliberation_of_the_restricted_training_n%C2%B0SAN-2022-021_of_November_24,_2022_concerning_the_company_ELECTRICIT%C3%89_DE_FRANCECNIL (France) - Deliberation of the restricted training n°SAN-2022-021 of November 24, 2022 concerning the company ELECTRICITÉ DE FRANCE2024-03-06T21:54:59Z<p>Annkathrin.a.dix: Created page with "{{DPAdecisionBOX |Jurisdiction=France |DPA-BG-Color= |DPAlogo=LogoFR.png |DPA_Abbrevation=CNIL |DPA_With_Country=CNIL (France) |Case_Number_Name=Deliberation of the restricted training n°SAN-2022-021 of November 24, 2022 concerning the company ELECTRICITÉ DE FRANCE |ECLI= |Original_Source_Name_1=Légifrance |Original_Source_Link_1=https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000046650733?page=1&pageSize=10&query=2016%252F679&searchField=ALL&searchType=ALL&sortVal..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=France<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFR.png<br />
|DPA_Abbrevation=CNIL<br />
|DPA_With_Country=CNIL (France)<br />
<br />
|Case_Number_Name=Deliberation of the restricted training n°SAN-2022-021 of November 24, 2022 concerning the company ELECTRICITÉ DE FRANCE<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Légifrance <br />
|Original_Source_Link_1=https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000046650733?page=1&pageSize=10&query=2016%252F679&searchField=ALL&searchType=ALL&sortValue=DATE_DECISION_DESC&tab_selection=cnil&typePagination=DEFAULT<br />
|Original_Source_Language_1=French<br />
|Original_Source_Language__Code_1=FR<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=<br />
|Date_Decided=24.11.2022<br />
|Date_Published=29.11.2022<br />
|Year=2022<br />
|Fine=600,000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 5 GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR<br />
|GDPR_Article_2=Article 7 GDPR<br />
|GDPR_Article_Link_2=Article 7 GDPR<br />
|GDPR_Article_3=Article 12 GDPR<br />
|GDPR_Article_Link_3=Article 12 GDPR<br />
|GDPR_Article_4=Article 13 GDPR<br />
|GDPR_Article_Link_4=Article 13 GDPR<br />
|GDPR_Article_5=Article 14 GDPR<br />
|GDPR_Article_Link_5=Article 14 GDPR<br />
|GDPR_Article_6=Article 15 GDPR<br />
|GDPR_Article_Link_6=Article 15 GDPR<br />
|GDPR_Article_7=Article 21 GDPR<br />
|GDPR_Article_Link_7=Article 21 GDPR<br />
|GDPR_Article_8=Article 32 GDPR<br />
|GDPR_Article_Link_8=Article 32 GDPR<br />
|GDPR_Article_9=<br />
|GDPR_Article_Link_9=<br />
|GDPR_Article_10=<br />
|GDPR_Article_Link_10=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=L. 34-5 of the CPCE<br />
|National_Law_Link_1=https://www.legifrance.gouv.fr/codes/texte_lc/LEGITEXT000006070987/<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
|National_Law_Name_3=<br />
|National_Law_Link_3=<br />
<br />
|Party_Name_1=Electricité de France<br />
|Party_Link_1=https://www.edf.fr/<br />
|Party_Name_2=Commission nationale de l'informatique et des libertés<br />
|Party_Link_2=https://cnil.fr/fr<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Annkathrin.a.dix<br />
|<br />
}}<br />
<br />
The National Commission on Informatics and Liberty imposed a fine of €600,000 on Electricité de France for breaches of Articles 7, 12, 13, 14, 15, 21 and 32 of the GDPR.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Electricité de France (hereinafter referred to as the EDF company or the company) is an entity active on the electricity markets, in particular in the production of electricity and the wholesale, trading, transportation, distribution and supply of electricity. In its business activities, the company processed personal data of its customers and prospects, acting as data controller. At the end of 2020, EDF had 25.7 million customers in its databases. The National Commission on Informatics and Liberty (hereinafter referred to as the CNIL or the Commission) received numerous complaints against the company relating to the exercise of data subject rights between August 2019 and December 2020.<br />
<br />
=== Holding ===<br />
The Commission imposed an administrative fine of €600,000 against EDF for breaches of Articles 7, 12, 13, 14, 15, 21 and 32 of the General Data Protection Regulation (GDPR). <br />
<br />
Firstly, EDF failed to comply with its obligation to obtain the consent of the persons concerned for commercial prospecting by electronic means, as prescribed in Article 7(1) GDPR. EDF was unable to provide proof of validly expressed consent from prospects whose data stemmed from data brokers prior to canvassing. In particular, the data broker was merely able to produce the standard form, as opposed to forms completed individually by each prospect. <br />
<br />
Secondly, the company failed to comply with its obligation to inform individuals as established in Articles 13 and 14 GDPR. There were shortcomings in the personal data protection charter that appeared on the company's website: no legal basis was mentioned and the data retention periods were not sufficiently precise to ensure fair and transparent processing of the personal data. In addition, consumers were not informed of the (precise) source of their personal data (i.e. the identity of EDF).<br />
<br />
Thirdly, the company did not comply with its obligations relating to the exercise of individual rights. The CNIL found a breach of the obligation of transparency prescribed in Article 12 GDPR: the company did not provide, within the prescribed time limit, a written response containing correct information to requests made by data subjects. The Commission also held that EDF violated its obligations under Article 15 GDPR, as it provided erroneous information on the source of the data collected in response to data subjects' access requests. Additionally, the CNIL found that the company failed to take into account objections to the processing of personal data, thereby failing to comply with its obligations under Article 21 GDPR. <br />
<br />
Fourthly, EDF breached its obligation to guarantee data security as prescribed in Article 32 GDPR. In particular, the implemented hash function had not been applied to a significant number of accounts, so the corresponding data was not stored securely. These concerns were exacerbated by the fact that the company did not systematically use a salt when transforming passwords, thus failing to guarantee both the security and confidentiality of its customers' personal data. <br />
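As an added illustration of the two Article 32 defects described above (it is not code from the decision, from EDF or from the CNIL), the following Python audits a constructed credential store for entries with no hash applied and entries hashed without a salt, and shows the salted, iterated hashing and the login-time re-hashing that a corrected store would use. The record format, the algorithm choice (PBKDF2-HMAC-SHA256) and all sample values are assumptions.<br />

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional

# Assumed storage format (not EDF's): a protected record looks like
# "pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>".
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16

# A bare hex digest of MD5, SHA-1 or SHA-256 length with no salt field.
_UNSALTED_DIGEST = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
_DIGEST_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_record(stored: str) -> str:
    """Return how a stored credential value is protected.

    "salted_pbkdf2": salted, iterated hash in the expected format
    "unsalted_hash": bare digest, so equal passwords give equal records
    "plaintext":     anything else, i.e. no hash function applied at all
    """
    parts = stored.split("$")
    if len(parts) == 4 and parts[0] == "pbkdf2_sha256":
        _, iterations, salt_hex, hash_hex = parts
        if (iterations.isdigit() and re.fullmatch(r"[0-9a-f]+", salt_hex)
                and re.fullmatch(r"[0-9a-f]{64}", hash_hex)):
            return "salted_pbkdf2"
    if _UNSALTED_DIGEST.match(stored):
        return "unsalted_hash"
    return "plaintext"


def audit_accounts(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Group account identifiers by the protection class of their record."""
    findings: Dict[str, List[str]] = {"salted_pbkdf2": [], "unsalted_hash": [], "plaintext": []}
    for account, stored in records.items():
        findings[classify_record(stored)].append(account)
    return findings


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Produce a salted, iterated PBKDF2-HMAC-SHA256 record with a fresh random salt."""
    salt = os.urandom(SALT_BYTES)  # per-account salt: equal passwords differ in storage
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    if classify_record(stored) != "salted_pbkdf2":
        return False
    _, iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def legacy_matches(password: str, stored: str) -> bool:
    """Check a presented password against a plaintext or unsalted legacy record."""
    kind = classify_record(stored)
    if kind == "plaintext":
        return hmac.compare_digest(password.encode("utf-8"), stored.encode("utf-8"))
    if kind == "unsalted_hash":
        algo = _DIGEST_BY_LENGTH[len(stored)]
        candidate = hashlib.new(algo, password.encode("utf-8")).hexdigest()
        return hmac.compare_digest(candidate, stored)
    return False


def upgrade_on_login(password: str, stored: str) -> Optional[str]:
    """At authentication time, replace a matching legacy record with a salted one.

    Returns the new record, or None if the record is already salted or the
    password does not match (no plaintext is ever needed offline).
    """
    if legacy_matches(password, stored):
        return hash_password(password)
    return None


# Constructed sample store: two legacy accounts share one unsalted SHA-256
# digest (so their equal passwords are visible), one is plaintext, one is salted.
_SHARED_DIGEST = hashlib.sha256(b"winter2020").hexdigest()
SAMPLE_RECORDS = {
    "cust-0001": _SHARED_DIGEST,
    "cust-0002": _SHARED_DIGEST,
    "cust-0003": "winter2020",
    "cust-0004": hash_password("winter2020"),
}

if __name__ == "__main__":
    for kind, accounts in audit_accounts(SAMPLE_RECORDS).items():
        print(f"{kind}: {accounts}")
```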
<br />
The Commission therefore imposed a fine and sought an injunction, and publicized its declaration based on Article 83 of the GDPR.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the French original. Please refer to the French original for more details.<br />
<br />
<pre><br />
Deliberation of the restricted training n°SAN-2022-021 of November 24, 2022 concerning the company ELECTRICITÉ DE FRANCE<br />
<br />
The National Commission for Information Technology and Freedoms, gathered in its restricted formation composed of Mr. Alexandre LINDEN, president, Mr. Philippe-Pierre CABOURDIN, vice-president, Mr. Alain DRU and Mr. Bertrand du MARAIS, members;<br />
<br />
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of personal data and the free movement of such data;<br />
<br />
Having regard to Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector;<br />
<br />
Having regard to the postal and electronic communications code;<br />
<br />
Having regard to law no. 78-17 of January 6, 1978 relating to data processing, files and freedoms, in particular its articles 20 et seq.;<br />
<br />
Having regard to decree no. 2019-536 of May 29, 2019 taken for the application of law no. 78-17 of January 6, 1978 relating to computing, files and freedoms;<br />
<br />
Having regard to deliberation no. 2013-175 of July 4, 2013 adopting the internal regulations of the National Commission for Information Technology and Liberties;<br />
<br />
Having regard to decision no. 2021-020C of January 4, 2021 of the President of the National Commission for Information Technology and Freedoms to instruct the Secretary General to carry out or have carried out a verification mission of the processing implemented by the company ELECTRICITÉ DE FRANCE or on its behalf;<br />
<br />
Having regard to the decision of the president of the National Commission for Information Technology and Liberties appointing a rapporteur before the restricted panel, dated May 19, 2022;<br />
<br />
Having regard to the report of Mrs. Valérie PEUGEOT, commissioner rapporteur, notified to the company ELECTRICITÉ DE FRANCE on June 23, 2022;<br />
<br />
Having regard to the written observations submitted by counsel for the company ELECTRICITÉ DE FRANCE on July 25, 2022;<br />
<br />
Considering the response of the rapporteur to these observations, notified on August 11, 2022 to the company's counsel;<br />
<br />
Having regard to the written observations submitted by counsel for the company ELECTRICITÉ DE FRANCE on September 9, 2022;<br />
<br />
Considering the other documents in the file;<br />
<br />
Were present during the restricted panel session on October 13, 2022:<br />
<br />
- Mrs. Valérie PEUGEOT, commissioner, heard in her report;<br />
<br />
as representatives of the company ELECTRICITÉ DE FRANCE:<br />
<br />
- […] ;<br />
<br />
The company ELECTRICITÉ DE FRANCE having spoken last;<br />
<br />
The restricted formation adopted the following decision:<br />
<br />
I. Facts and procedure<br />
<br />
1. Created in 1955, the company ELECTRICITÉ DE FRANCE (hereinafter “the EDF company” or “the company”) is a public limited company with a board of directors whose head office is located at 22 avenue de Wagram in Paris (75008).<br />
<br />
2. The EDF group, which includes the parent company EDF and its subsidiaries, is mainly active in France and abroad on the electricity markets and, in particular, in the production of electricity (nuclear, renewable and fossil) and the wholesale, trading, transportation, distribution and supply of electricity. The EDF group is also present in the gas and energy services markets, as well as in the construction, operation and maintenance of power plants and electricity networks and provides waste recycling and energy services. The EDF group employs more than 131,000 employees, including more than 63,000 for the EDF company.<br />
<br />
3. In 2020, the EDF group achieved a turnover of more than 69 billion euros for a net profit of […] euros. In 2021, its turnover amounted to more than 84 billion euros for a net profit of […] euros.<br />
<br />
4. As part of the services provided by the company, personal data of its customers and prospects are processed. At the end of December 2020, the company had in its databases 25.7 million customers for the supply of electricity, gas and services and approximately […] prospects, regarding the individual market.<br />
<br />
5. The National Commission for Information Technology and Liberties (hereinafter "the CNIL" or "the Commission") has received several complaints against the company EDF, relating to the exercise of rights between August 2019 and December 2020.<br />
<br />
6. An online check was carried out on the website “www.edf.fr” on February 15, 2021. Report No. 2021-020-1, drawn up by the delegation at the end of the check, was notified to EDF on February 17, 2021.<br />
<br />
7. A documentary inspection mission was also carried out by sending a questionnaire to the company on March 25, 2021, to which the company responded on April 29, 2021.<br />
<br />
8. Two requests for additional information were sent to the company on July 13 and August 18, 2021. The company responded to them on July 30, August 31 and September 3, 2021.<br />
<br />
9. For the purposes of examining this file, the President of the Commission appointed Ms. Valérie PEUGEOT as rapporteur, on May 19, 2022, on the basis of Article 39 of Decree No. 2019-536 of May 29, 2019, as amended.<br />
<br />
10. On June 23, 2022, the rapporteur notified the company of a report detailing the breaches of the GDPR that she considered to have occurred in this case. This report proposed that the restricted panel of the Commission impose an administrative fine with regard to the breaches of articles 7, paragraph 1, 12, 13, 14, 15, 21 and 32 of the GDPR and L. 34-5 of the Postal and Electronic Communications Code (hereinafter “the CPCE”). She also proposed that an injunction to bring the processing into compliance with the provisions of Articles 7, paragraph 1, 14 and 32 of the GDPR and L. 34-5 of the CPCE, accompanied by a penalty payment, be issued. Finally, she proposed that the sanction decision be made public, but that it no longer be possible to identify the company by name after a period of two years from its publication.<br />
<br />
11. On July 25, 2022, the company produced its observations in response to the sanction report.<br />
<br />
12. The rapporteur responded to the company's observations on August 11, 2022.<br />
<br />
13. On September 9, 2022, the company produced new observations in response to those of the rapporteur.<br />
<br />
14. By letter dated September 15, 2022, the rapporteur informed the company's counsel that the investigation was closed, in application of article 40, III, of amended decree no. 2019-536 of May 29, 2019.<br />
<br />
15. By letter of the same day, the company's counsel was informed that the file was included on the agenda for the restricted panel session of October 13, 2022.<br />
<br />
16. The company and the rapporteur presented oral observations during the restricted panel session.<br />
<br />
II. Reasons for decision<br />
<br />
A. On the failure to comply with the obligation to obtain the consent of the persons concerned for the implementation of commercial prospecting by electronic means<br />
<br />
17. Under the terms of article L. 34-5 of the CPCE, “direct prospecting by means of an automated electronic communications system […], a fax machine or e-mails using the contact details of a natural person who has not previously expressed their consent to receive direct prospecting by this means is prohibited […]. For the application of this article, consent means any manifestation of free, specific and informed will by which a person accepts that personal data concerning them are used for the purpose of direct prospecting. […]”.<br />
<br />
18. Under the terms of Article 4, paragraph 11, of the GDPR, “For the purposes of this Regulation, […] ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.<br />
<br />
19. Under Article 7(1) of the GDPR, “Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data”.<br />
<br />
20. The rapporteur, to propose to the restricted panel to consider that the company has failed to comply with its obligations resulting from articles L. 34-5 of the CPCE and 7, paragraph 1, of the GDPR, as clarified by the provisions of article 4, paragraph 11, of the GDPR, is based on the fact that the company EDF, which carries out commercial prospecting operations by electronic means, is not able to have and provide proof of consent validly expressed by prospects whose data comes from data brokers before being canvassed. Furthermore, the rapporteur noted that, in the context of the investigation of three complaints, it appeared that the company had difficulty obtaining evidence from the data broker concerned regarding the collection of consent: the data broker produced the standard form, and not the form completed individually by each prospect, thus not being able to transmit individual proof of consent.<br />
<br />
21. In defense, the company argues that none of the three complaints referred to in the report concerns electronic commercial prospecting operations and therefore that article L. 34-5 of the CPCE is inapplicable. The company adds that electronic commercial prospecting operations based on data collected from data brokers are very occasional and target an insignificant number of prospects ([…]%). In addition, the company indicates that it has always strictly regulated its contractual relations with the data brokers it uses and that frequent exchanges took place, even if they were not necessarily formalized in the form of audits. Finally, the company explains […] that data already collected as part of previous campaigns has been deleted. It adds that it has revised the contracts concluded with data brokers and implemented, from November 2021, formalized audits.<br />
<br />
22. Firstly, the restricted panel recalls that, when the prospects' data have not been collected directly from them by the prospecting organization, consent may have been obtained at the time of the initial collection of the data by the first-time collector, on behalf of the organization which will carry out subsequent prospecting operations. Failing this, it is up to the prospecting organization to obtain such consent before carrying out prospecting acts. With regard to the provisions of Article 7(1) of the GDPR, the prospector must then be able to prove that it has this consent. In addition, for consent to be informed, individuals must be clearly informed of the identity of the prospector on whose behalf the consent is collected and the purposes for which the data will be used. To do this, an exhaustive and updated list must be made available to people at the time of obtaining their consent, for example directly on the collection medium or, if it is too long, via a hypertext link referring to said list and the confidentiality policies of service providers and suppliers.<br />
<br />
23. The restricted panel notes that the three complaints received by the CNIL and referred to by the rapporteur do not relate to electronic commercial prospecting operations. It notes, however, that […] prospects were the subject of commercial prospecting by electronic means by the company EDF between 2020 and January 2021, for which EDF is not able to provide documents demonstrating that consent was validly obtained from the individuals.<br />
<br />
24. Furthermore, while the company provided the inspection delegation with two examples of standard forms for collecting data from prospects, made available by the data broker [...], the restricted panel notes that no list of partners, including EDF, which must be made available to prospects at the time of consent, was communicated as part of the procedure, despite requests from the rapporteur to this effect.<br />
<br />
25. Secondly, the restricted panel notes that, in the context of the documentary inspection, the company indicated that the data brokers are responsible for collecting the consent of the persons concerned and that it asks them to commit contractually to respect the GDPR and the rules applicable to commercial prospecting. The company acknowledged that it does not exercise any control over the collection forms used, nor does it carry out audits of its co-contractors, but affirmed that it conducts informal exchanges with them.<br />
<br />
26. The restricted panel therefore considers that the measures put in place by the company EDF to ensure with its partners that consent was validly given by prospects before being approached were insufficient.<br />
<br />
27. Under these conditions, the restricted panel considers that the company has failed to comply with its obligations resulting from articles L. 34-5 of the CPCE and 7, paragraph 1, of the GDPR, as clarified by the provisions of article 4, paragraph 11, GDPR.<br />
<br />
28. It nevertheless notes that, in the context of the present procedure, the company indicated that it had deleted the data already collected in the context of previous campaigns.<br />
<br />
B. On the failure to comply with the obligation to inform individuals<br />
<br />
29. Article 13(1) of the GDPR lists the information that must be communicated by the data controller to data subjects when their personal data are collected directly from them, including "the purposes of the processing for which the personal data are intended as well as the legal basis for the processing".<br />
<br />
30. Paragraph 2 of the same article provides that "in addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:<br />
<br />
(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period […]".<br />
<br />
31. Article 14 of the GDPR lists the information that must be communicated by the data controller to data subjects when their personal data have not been obtained from them. Paragraph 2 of the same article provides that "in addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject: […]<br />
<br />
f) the source from which the personal data come and, where applicable, a statement indicating whether or not they come from sources accessible to the public […]".<br />
<br />
32. The guidelines on transparency under Regulation (EU) 2016/679, adopted by the "Article 29" Working Party in their revised version of 11 April 2018, clarifying the provisions of Article 13, specify that "the retention period [...] should be phrased in such a way that the data subject can assess, on the basis of his or her own situation, what the retention period will be for specific data or in the case of specific purposes. It is not sufficient for the controller to generically state that personal data will be kept as long as necessary for the legitimate purposes of the processing. Where relevant, the different storage periods should be stipulated for different categories of personal data and/or different processing purposes, including where appropriate, archiving periods."<br />
<br />
33. They also specify that "the waiver of the obligation to provide the data subject with information on the source of his or her personal data only applies where such provision is not possible due to the impossibility to attribute different elements of the personal data concerning the same person to a particular source. On the other hand, the simple fact that a database comprising the personal data of several data subjects has been compiled by a controller using more than one source is not sufficient to waive this obligation if it is possible (although time-consuming or tedious) to determine the source from which the personal data of the data subjects originate” (paragraph 60).<br />
<br />
34. The rapporteur notes, on the one hand, a breach of Article 13 of the GDPR insofar as, at the time of the online check carried out on 15 February 2021, the legal basis was not mentioned and the data retention periods were not set out in a sufficiently precise manner in the "personal data protection charter" appearing on the subdomain "private.edf.fr"; it also notes a breach of Article 14 of the GDPR, insofar as the people contacted by post by the company were not informed of the precise source of their personal data, namely the identity of the company from which EDF obtained them.<br />
<br />
35. In defence, the company considers that the "personal data protection charter" which appeared on the website "private.edf.fr" during the online inspection of 15 February 2021 contained all of the information required under Article 13 of the GDPR and guaranteed "fair and transparent processing" of the data concerned. Regarding the retention periods, the company notes that certain retention periods were mentioned, although not exhaustively, because at the date of the online check it was carrying out a large overhaul of the retention periods. It considers that it was therefore not possible to indicate all the retention periods, since they were being reviewed and modified. Regarding the legal bases, the company indicates that Article 13(1)(c) of the GDPR does not require the controller to indicate to data subjects each legal basis for each purpose pursued, but simply to inform them of the legal bases used. It specifies that it has nevertheless undertaken a thorough revision of the charter in question, the updated version of which was published in April 2021 on the site "private.edf.fr".<br />
<br />
36. Regarding the breach of Article 14, the company indicates that the nature of the source was at least referred to in the information notices brought to the attention of the persons concerned, namely an "organisation specialising in data enrichment". It adds that limiting itself to fairly general information on the origin of the data made it possible to avoid confusion: naming a single broker would suggest to the data subject that he or she was registered only in that broker's database, whereas the person was likely to appear simultaneously in several databases held by different data brokers. The company finally argues that no harm was caused to individuals, who could contact EDF in order to obtain more information.<br />
<br />
37. Firstly, the restricted committee notes that the "personal data protection charter" present on the subdomain "private.edf.fr" constituted the information provided by the company under Article 13 of the GDPR for types of processing other than prospecting (for example, creation of a customer account or subscription to an online contract). However, the charter did not specify the legal basis corresponding to each purpose listed, an element required by Article 13 of the GDPR.<br />
<br />
38. Furthermore, while the restricted committee takes note of the explanations provided by the company regarding the overhaul of the retention periods in progress at the time of the online findings made by the inspection delegation, the fact remains that, at the time of these findings, the said charter specified "We only keep your data for the period necessary for their processing according to the purpose that has been set", with a single example relating to the retention periods for customers equipped with a Linky meter. The restricted committee considers that the information on retention periods was vague and imprecise, so that it was not sufficient to guarantee "fair and transparent processing" of the personal data processed.<br />
<br />
39. Therefore, the restricted panel considers that the company failed to comply with its obligations resulting from Article 13 of the GDPR. It nevertheless takes note of the fact that the company has remedied this breach, since the legal bases and retention periods are now detailed in the charter mentioned above.<br />
<br />
40. Secondly, with regard to the breach of Article 14 of the GDPR, the restricted committee notes that, on the first prospecting letter sent to the complainants (referrals no. […], no. […] and no. […]), whose data were obtained indirectly, the following statement appears: "EDF, data controller, implements processing of personal data for prospecting purposes […]. Your data were collected from an organisation specialising in data enrichment."<br />
<br />
41. The restricted committee considers that the sole mention that the data were collected from an "organisation specialising in data enrichment", appearing in the first commercial prospecting letter sent by EDF, is not sufficiently precise as to the source from which the data come. This information is therefore not such as to "ensure fair and transparent processing" in respect of the prospect, in particular in a context of successive resales of data between multiple actors and where the prospect wishes to exercise his or her rights with a data broker whose identity he or she does not know.<br />
<br />
42. The restricted committee considers that the absence of significant harm to individuals invoked by the company, and the possibility of contacting EDF in order to obtain more information, have no bearing on the characterisation of the failure to inform individuals, which is an obligation distinct from the right to obtain any available information as to the source of the data pursuant to Article 15(1)(g) of the GDPR.<br />
<br />
43. Therefore, the restricted panel considers that the aforementioned facts constitute a breach of Article 14 of the GDPR.<br />
<br />
44. The restricted committee notes that during the procedure, the company modified the information contained in the prospecting letters, in order to include the name of the data broker concerned.<br />
<br />
C. On breaches linked to the exercise of individual rights<br />
<br />
45. Under Article 12 of the GDPR:<br />
<br />
"1. The controller shall take appropriate measures […] to provide any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language [...]. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means. […]<br />
<br />
3. The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. […]<br />
<br />
4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. […]".<br />
<br />
46. Article 15(1) of the GDPR provides for the right of an individual to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to those personal data, including "(g) where the personal data are not collected from the data subject, any available information as to their source". Paragraph 3 of the same article further provides that "the controller shall provide a copy of the personal data undergoing processing. […]".<br />
<br />
47. Article 21(2) of the GDPR provides that, “When personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of the personal data concerning it for such prospecting purposes, including profiling to the extent that it is linked to such prospecting. […] "<br />
<br />
1. On the breach of the obligation of transparency<br />
<br />
48. The rapporteur, in proposing that the restricted committee find that the company has failed to comply with its obligations under Article 12 of the GDPR, relies on two referrals to the CNIL, from Mr […] (referral no. […]) and Mr […] (referral no. […]). Regarding the first referral, the rapporteur noted that the company EDF had contacted the complainant by telephone to provide him with a response, without sending him a written letter, in breach of Article 12(1) of the GDPR. In addition, the answer given to him about the organisation from which the data originated was incorrect. Finally, the company answered his questions, again by telephone, more than nine months later. Regarding the second referral, the rapporteur noted that the company had closed the complainant's request instead of forwarding it to the department in charge of requests to exercise rights, and had not responded to Mr […]. It was only six months after his initial request, in the course of the inspection procedure, that a response was provided to the complainant.<br />
<br />
49. In defence, the company indicates that EDF's policy has always been to respond in writing to all requests to exercise rights from its prospects and customers. It specifies that, for any written complaint, the advisor attempts to contact the prospect or customer by telephone before sending them a documented response in writing. The company adds that the lack of a written response to Mr […] is a simple human error by the advisor, who did not follow internal procedures. The company adds that the processing of the complainants' requests to exercise rights took place in the particularly difficult context of both the health crisis, which led to an increase in the number of requests to exercise rights, and the postponement of the end of the winter truce to 1 September 2020, which may explain why their mail could not be correctly processed within the usual time limits.<br />
<br />
50. The restricted committee notes that the company acknowledges an error in the routing of the complainants' requests which resulted in "either a lack of response within the time limit, or a poor quality of response". A breach of the obligations of Article 12 of the GDPR is constituted where, with regard to the referral from Mr […], the company did not provide a written response and gave the complainant incorrect information. In addition, the company did not process the requests to exercise rights within the time limit with regard to either of the two referrals.<br />
<br />
51. Consequently, the restricted panel considers that the breach of Article 12 of the GDPR has been established.<br />
<br />
2. On the failure to comply with the obligation to respect the right of access<br />
<br />
52. The rapporteur, in proposing that the restricted committee find that the company has failed to comply with its obligations under Article 15 of the GDPR in respect of the right of access, relies on two referrals to the CNIL, from Mr […] (referral no. […]) and Mrs […] (referral no. […]). Regarding the referral from Mr […], the first response given by telephone to the complainant on the source of the data collected was incorrect. As for the referral from Mrs […], the company specifies that a response was sent to her on 17 July 2020, indicating that it held no data concerning her other than her first and last name in its databases. The rapporteur considered that such a statement was inaccurate and that the company at least held her address, or former address, to match against the complainant's first and last name, since the company EDF had sent her a letter at her parents' home.<br />
<br />
53. In defence, with regard to the referral relating to Mr […], the company acknowledges that the advisor's response to the complainant was "partly inaccurate" due to an error regarding the source of the data. As for the referral relating to Mrs […], the company considers that the response given to it by the advisor was correct since the only data relating to the complainant were her first and last name.<br />
<br />
54. In view of the elements provided by the company, the rapporteur proposes to the restricted panel not to consider the breach of Article 15 of the GDPR with regard to the referral relating to Mrs […].<br />
<br />
55. The restricted committee notes that the facts noted by the rapporteur are not contested by the company with regard to the referral from Mr […] and that it is established that an inaccurate response was provided to him in the context of his right of access request. It considers that a breach of the obligations of Article 15 has occurred with regard to this complaint, since the company provided him with erroneous information on the source of the data collected in response to his right of access request. On the other hand, with regard to the complaint of Mrs […], the restricted committee takes note of the elements provided by the company and considers that the alleged breach is not established.<br />
<br />
3. On the failure to comply with the obligation to respect the right of opposition<br />
<br />
56. The rapporteur, to propose to the restricted panel to consider that the company has failed to comply with its obligations resulting from Article 21 of the GDPR, relies on the referral from Mr. […] (no. […]). The rapporteur indicates that the company did not take into account the complainant's opposition to the processing of the personal data of his minor son for commercial prospecting purposes. Indeed, the minor son of Mr […] received a second commercial prospecting letter, despite the latter's request for the deletion of personal data relating to his son.<br />
<br />
57. In defence, the company explains that, in the May 2020 "Complaint" guide for all advisors, the latter were instructed, for any request to delete a prospect's data, to "systematically record the prospect's objection". Concerning the referral from Mr […], the advisor did proceed with the erasure of the data, as he had indicated by telephone to the complainant, but did not fully follow the internal procedure, in that he did not record the objection before erasing the data. The company adds that it has since simplified this deletion procedure: since July 2021, when an advisor processes a deletion request, an objection is recorded automatically.<br />
<br />
58. The restricted panel notes that the facts noted by the rapporteur regarding the complainant's situation are not contested by the company and constitute a breach of the obligations arising from Article 21 of the GDPR. It notes that during the sanction procedure, the company improved its procedure for managing erasure requests.<br />
<br />
D. On the failure to comply with the obligation to ensure data security<br />
<br />
59. Under Article 32(1) of the GDPR, "Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:<br />
<br />
(a) […];<br />
<br />
(b) means to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services;<br />
<br />
(c) […];<br />
<br />
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing."<br />
<br />
• On the password hashing function of the “prime energy” portal<br />
<br />
60. Taking into account the company's initial declarations during the inspection procedure, the rapporteur noted that the passwords to the customer area of the "prime energy" portal were stored using the MD5 hash function. The rapporteur then took note of the company's new claims and the fact that, since January 2018, the SHA-256 hash function has been used. It nevertheless noted that, until July 2022, the passwords of more than 25,800 accounts were stored insecurely, with the MD5 hash function.<br />
<br />
61. In defence, the company explains that, since January 2018, every creation or modification of a user password is recorded in the directory associated with the "prime energy" portal using SHA-256 combined with a randomisation mechanism (salting). The MD5 hash corresponds only to the hashing historically implemented by the company […], EDF's processor, and only a few thousand accounts were still affected in April 2021. The company adds that these passwords were nevertheless stored with the additional protection of the randomisation mechanism (salting), which prevents attacks by precomputed tables. It concluded that the passwords were secure. In addition, the company indicates that, since the beginning of 2022, a final purge of the passwords still stored using the MD5 hash function (approximately 3.2% of the total number of "prime energy" customers) was carried out. It specifies that all passwords of users of the "prime energy" site are today stored with a salt and a strong algorithm.<br />
<br />
62. The restricted committee recalls that it follows from the provisions of Article 32 of the GDPR that the data controller is required to ensure that the automated data processing it implements is sufficiently secure. The sufficiency of the security measures is assessed, on the one hand, with regard to the characteristics of the processing and the risks it entails and, on the other hand, taking into account the state of the art and the cost of the measures. Implementing a robust authentication policy is a basic security measure which generally contributes to compliance with the obligations of Article 32 of the GDPR. It is thus necessary to ensure that a password allowing authentication to a system cannot be disclosed. Keeping passwords secure is a basic precaution when it comes to protecting personal data. As early as 2013, the French national information systems security agency (ANSSI) alerted organisations to, and recalled, good practices regarding the storage of passwords, indicating that they must "be stored in a form transformed by a one-way cryptographic function (hash function) that is slow to compute, such as PBKDF2" and that "the transformation of passwords must involve a random salt to prevent attacks by precomputed tables". Indeed, non-robust hash functions present known weaknesses which do not guarantee the integrity and confidentiality of passwords in the event of a brute-force attack following compromise of the servers that host them. Since a large number of Internet users reuse the same password to authenticate to their different online accounts, attackers could exploit the compromised data to carry out intrusions into those users' other accounts in order to commit, for example, theft or fraud.<br />
<br />
63. Likewise, the Commission also specifies in its deliberation no. 2017-012 of 19 January 2017, with regard to storage methods, that "the password must never be stored in clear text. It recommends that it be transformed by means of a non-reversible and secure cryptographic function (i.e. using a public algorithm deemed strong whose software implementation is free of known vulnerabilities), incorporating the use of a salt or a key. The Commission further considers that the salt or the key must be generated by means of a cryptographically secure pseudo-random number generator (that is to say, based on a public algorithm deemed strong whose software implementation is free of known vulnerabilities), and must not be stored in the same storage space as the password verification element."<br />
<br />
64. In addition to these recommendations, the restricted committee emphasises that it has, on several occasions, imposed financial penalties where a breach of Article 32 of the GDPR resulted from insufficient measures to guarantee the security of the data processed. It has thus had occasion to recall that "the use of the MD5 hash function by the company has no longer been considered state of the art since 2004 and its use in cryptography or security is proscribed. Thus, the use of this algorithm would allow a person who obtained the hashed password to recover it without difficulty in a very short time (for example, by means of freely accessible websites which make it possible to find the value corresponding to the hash of the password)" (deliberation SAN-2021-008 of 14 June 2021).<br />
<br />
65. However, the restricted panel notes that, until July 2022, the passwords of more than 25,800 accounts were kept insecurely, with the MD5 hash function. Under these conditions, having regard to the risks incurred by individuals, the restricted committee considers that the company has failed to fulfill its obligations under Article 32 of the GDPR.<br />
<br />
66. It nevertheless notes that, in the context of this procedure, the company has justified having taken measures to comply with the obligations arising from Article 32 of the GDPR.<br />
<br />
• On the password hashing function in the EDF customer area<br />
<br />
67. Taking into account the company's initial declarations during the inspection procedure, the rapporteur noted that the passwords to the EDF customer area, accessible at the URL "www.particuliers.edf.fr", were stored in hashed and salted form using the SHA-1 function, even though that function is considered obsolete. It therefore considered that the methods for storing passwords did not guarantee the security and confidentiality of customers' personal data.<br />
<br />
68. In defence, the company indicates that the hashing algorithm used to store passwords in the directory […], which manages authentication for the customer areas, has in reality been SHA-512 combined with a randomisation mechanism (salting) since 17 May 2017, and not SHA-1, contrary to what it had indicated to the inspection delegation. The company adds that the renewal of passwords and the purging of old passwords were carried out in phases.<br />
<br />
69. In the latest version of the rapporteur's submissions, the rapporteur notes that, while 11,241,166 account passwords are hashed and salted, 2,414,254 account passwords are hashed only, without having been salted.<br />
<br />
70. In defence, the company recalls that it deploys significant resources, both human and material, in terms of cybersecurity. It adds that, since its last observations, it has applied the randomisation mechanism (salting) to the fraction of passwords in the directory [...] which lacked it, but which were already hashed with SHA-512. Thus, to date there is no longer any SHA-512-hashed password without a randomisation mechanism (salting).<br />
<br />
71. The restricted committee refers to the developments above regarding the need to use a random salt in the transformation of passwords (§§ 62 and 63). It further notes that, in its guide "Recommendations relating to multi-factor authentication and passwords" of 8 October 2021, ANSSI writes: "It is recommended to use a salt chosen randomly for each account and of a length of at least 128 bits".<br />
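The following is an added example, not part of the CNIL decision and not EDF's or its processor's code. It illustrates the two points the decision makes in §§ 62, 63 and 71: an unsalted fast hash (MD5, SHA-1 or SHA-512 alone, the "hashed only, without having been salted" storage found in the customer-area directory) is recovered from a precomputed table that serves every account at once, whereas the recommended scheme uses a slow one-way function (PBKDF2 here, the function ANSSI names) with a per-account 128-bit salt from a cryptographically secure generator. It also shows one way to carry out the phased renewal the company describes: a legacy record is re-hashed into the recommended scheme at the user's next successful login. The password dictionary, account records and the work factor of 200,000 rounds are constructed for the example.<br />

```python
import hashlib
import hmac
import os

# Constructed attacker dictionary: a stand-in for the precomputed (rainbow) tables
# and reverse-lookup websites the decision says recover unsalted hashes.
COMMON_PASSWORDS = ["123456", "password", "azerty", "soleil", "motdepasse"]

SALT_LEN = 16            # 128-bit salt per account, the minimum ANSSI recommends
PBKDF2_ROUNDS = 200_000  # hypothetical work factor; set from a timing budget in production
PRF = "sha256"           # hash underlying PBKDF2's HMAC


def legacy_hash(password: str, algorithm: str) -> str:
    """Unsalted single-pass hash (md5, sha1, sha512, ...): the 'hashed only' storage
    criticised in the decision. The same password always yields the same digest."""
    return hashlib.new(algorithm, password.encode("utf-8")).hexdigest()


def precomputed_table(algorithm: str) -> dict:
    """Attacker side: digest -> plaintext, computed once and reused against every
    account in a leaked database, because no salt separates the accounts."""
    return {legacy_hash(p, algorithm): p for p in COMMON_PASSWORDS}


def crack_legacy(stored_hex: str, algorithm: str):
    """Look a leaked unsalted digest up in the table; None if not in the dictionary."""
    return precomputed_table(algorithm).get(stored_hex)


def new_record(password: str, rounds: int = PBKDF2_ROUNDS) -> dict:
    """Recommended storage: random per-account salt from the OS CSPRNG plus a slow
    one-way function (PBKDF2-HMAC). Two accounts sharing a password get different
    digests, and every guess costs the attacker `rounds` HMAC evaluations."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt, rounds)
    return {"scheme": "pbkdf2", "salt": salt, "rounds": rounds, "digest": digest}


def verify_and_upgrade(password: str, record: dict):
    """Check a login attempt and return (ok, record_to_store).

    A record already in the recommended scheme is verified in place. A legacy
    unsalted record ({"scheme": "legacy", "algorithm": "md5", "digest": hex}) that
    verifies is replaced by a fresh salted PBKDF2 record, so legacy digests are
    purged as users log in, without the password ever being stored."""
    if record["scheme"] == "pbkdf2":
        digest = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"),
                                     record["salt"], record["rounds"])
        return hmac.compare_digest(digest, record["digest"]), record
    candidate = legacy_hash(password, record["algorithm"])
    if hmac.compare_digest(candidate, record["digest"]):
        return True, new_record(password)
    return False, record


if __name__ == "__main__":
    leaked = legacy_hash("soleil", "sha512")
    print("unsalted SHA-512 recovered from table:", crack_legacy(leaked, "sha512"))
    a, b = new_record("soleil"), new_record("soleil")
    print("salted digests identical for the same password:", a["digest"] == b["digest"])
    legacy = {"scheme": "legacy", "algorithm": "md5", "digest": legacy_hash("soleil", "md5")}
    ok, migrated = verify_and_upgrade("soleil", legacy)
    print("legacy login accepted:", ok, "- stored scheme is now:", migrated["scheme"])
```

Two design points follow directly from the decision. Salting alone does not answer ANSSI's "slow to compute" requirement: a salted SHA-512 still lets an attacker test billions of guesses per second on commodity hardware, which is why the salt is combined with a deliberately expensive function. And the salt must be fresh per account (os.urandom, never a constant or a value derived from the user name), otherwise a single table again serves the whole directory. The digests are compared with hmac.compare_digest so that verification time does not leak how many leading bytes matched.<br />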
<br />
72. The restricted committee notes that, here again, the company does not contest the breach itself but asks not to be sanctioned given that it has now remedied it. The restricted committee considers that the company has failed to fulfil its obligations under Article 32 of the GDPR, since it did not take the measures necessary to ensure the security of all the data it processes and which are accessible from user accounts at the URL "www.particuliers.edf.fr", by not systematically using a salt in the transformation of passwords.<br />
<br />
73. It nevertheless notes that, in the context of this procedure, the company has justified having taken measures to comply with the obligations arising from Article 32 of the GDPR.<br />
<br />
III. On corrective measures and their publicity<br />
<br />
74. Under the terms of Article 20, III, of the law of 6 January 1978 as amended, "When the data controller or its processor does not comply with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or from this law, the president of the Commission nationale de l'informatique et des libertés may also, where appropriate after having sent him the warning provided for in I of this article or, where appropriate, in addition to a formal notice provided for in II, refer the matter to the restricted committee of the Commission with a view to it pronouncing, after adversarial proceedings, one or more of the following measures: […]<br />
<br />
7° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, in the case of a company, 2% of the total worldwide annual turnover of the previous financial year, whichever is higher. In the cases referred to in paragraphs 5 and 6 of Article 83 of Regulation (EU) 2016/679 of 27 April 2016, these ceilings are raised to 20 million euros and 4% of said turnover respectively. The restricted committee takes into account, in determining the amount of the fine, the criteria specified in the same Article 83".<br />
<br />
75. Article 83 of the GDPR provides that "each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive", before specifying the elements to be taken into account when deciding whether to impose an administrative fine and when deciding on its amount.<br />
<br />
76. Firstly, on the principle of imposing a sanction, the company indicates that, in addition to the fact that it contests or justifies the failings alleged by the rapporteur, it has already taken all measures to remedy all of the alleged facts and to ensure compliance with the applicable legislation. It emphasises the goodwill and the efforts it demonstrated throughout the procedure. The company considers that the mitigating factors set out in Article 83(2) of the GDPR should lead the restricted committee not to impose a financial penalty or, at the very least, to reduce very significantly the amount of the fine proposed by the rapporteur. It considers that the alleged breaches are not substantial in this case, since they had a limited or even non-existent impact on the rights and freedoms of the persons concerned, given their small number and their non-structural nature.<br />
<br />
77. The restricted committee recalls that it must take into account, when issuing an administrative fine, the criteria specified in Article 83 of the GDPR, such as the nature, seriousness and duration of the violation, the measures taken by the controller to mitigate the damage suffered by data subjects, the degree of cooperation with the supervisory authority and the categories of personal data affected by the violation.<br />
<br />
78. The restricted committee underlines that the breaches committed by the company relate to obligations concerning fundamental principles of personal data protection and that numerous breaches have been established.<br />
<br />
79. The restricted committee then notes that the company is the leading electricity player in France, since at the end of December 2020 it counted 25.7 million customers for the supply of electricity, gas and services and approximately […] prospects in the residential market. It therefore has significant resources enabling it to address personal data protection issues.<br />
<br />
80. Consequently, the restricted panel considers that it is appropriate to impose an administrative fine with regard to the breaches constituted by article L. 34-5 of the CPCE and articles 7, paragraph 1, 12, 13, 14, 15, 21 and 32 of the GDPR.<br />
<br />
81. The restricted committee nevertheless underlines the efforts that the company EDF demonstrated in the course of the procedure, since it remedied all of the shortcomings noted by the rapporteur. It further considers that the failure to comply with the obligation to obtain the consent of the persons concerned for commercial prospecting by electronic means, although a structural failure, is in this case of limited seriousness, to the extent that the number of prospects whose data was collected from data brokers and who received commercial prospecting by electronic means represents only […]% over the period 2020-2022 of all persons targeted by commercial prospecting actions carried out by EDF among prospects whose data was obtained via data brokers. Regarding the failure to comply with the information obligation, the restricted committee takes note of the company's declarations, according to which it was carrying out a large-scale overhaul of its retention periods, which prevented it from indicating them all since they were in the course of being reviewed and modified. It further notes, with regard to the complaints referred to in the proceedings, that the breaches of data subjects' rights are not structural and result from human error.<br />
<br />
82. The restricted panel recalls that the violations of the GDPR noted in this case are breaches of principles likely to be subject, under Article 83 of the GDPR, to an administrative fine of up to 20,000,000 euros or up to 4% of the global annual turnover of the previous financial year, whichever is higher.<br />
<br />
83. The restricted panel also recalls that administrative fines must be both dissuasive and proportionate. It considers in particular that the activity of the company and its financial situation must be taken into account in determining the amount of the administrative fine. It notes in this regard that the EDF group achieved a turnover of more than 69 billion euros for a net result of […] euros in 2020 and more than 84 billion euros for a net result of […] euros in 2021.<br />
<br />
84. Therefore, in view of these elements, the restricted panel considers that the imposition of an administrative fine in the amount of 600,000 euros appears justified.<br />
<br />
85. Secondly, an injunction to bring the processing into compliance with the provisions of Articles 7, paragraph 1, 14 and 32 of the GDPR and L. 34-5 of the CPCE was initially proposed by the rapporteur.<br />
<br />
86. The company maintains that the actions it has implemented with regard to all the breaches noted must result in no injunction under penalty being issued.<br />
<br />
87. As indicated previously, the restricted panel notes that the company has taken compliance measures with regard to all of the shortcomings noted by the rapporteur. It therefore considers that there is no need to issue an injunction.<br />
<br />
88. Thirdly, with regard to the publication of the sanction decision, the company asks the restricted body not to publish it or, in the alternative, to anonymize it immediately or at the latest within eight days.<br />
<br />
89. The restricted panel considers that the publicity of the sanction is justified in view of the nature and number of breaches committed, as well as the number of people affected by said breaches, in particular more than 2,400,000 customers with regard to the breach of data security.<br />
<br />
FOR THESE REASONS<br />
<br />
The restricted formation of the CNIL, after having deliberated, decides to:<br />
<br />
• impose an administrative fine against the company ÉLECTRICITÉ DE FRANCE in the amount of 600,000 (six hundred thousand) euros for breaches of article L. 34-5 of the CPCE and articles 7, paragraph 1, 12, 13, 14, 15, 21 and 32 of the GDPR;<br />
<br />
• make public, on the CNIL website and on the Légifrance website, its deliberation, which will no longer identify the company by name at the end of a period of two years from its publication.<br />
<br />
President<br />
<br />
Alexandre LINDEN<br />
<br />
This decision may be the subject of an appeal before the Council of State within two months of its notification.<br />
</pre></div>Annkathrin.a.dixhttps://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202201673AEPD (Spain) - EXP2022016732024-03-06T09:20:03Z<p>Nzm: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=EXP202201673<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AEPD<br />
|Original_Source_Link_1=https://www.aepd.es/documento/pd-00197-2023.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=<br />
|Date_Decided=05.01.2024<br />
|Date_Published=<br />
|Year=2024<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 15 GDPR<br />
|GDPR_Article_Link_1=Article 15 GDPR<br />
|GDPR_Article_2=Article 18 GDPR<br />
|GDPR_Article_Link_2=Article 18 GDPR<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=Ley 25/2007, de 18 de octubre, de Conservación de Datos relativos a las comunicaciones electrónicas<br />
|National_Law_Link_1=https://www.boe.es/buscar/act.php?id=BOE-A-2007-18243<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
|National_Law_Name_3=<br />
|National_Law_Link_3=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Appealed - Confirmed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=nzm<br />
|<br />
}}<br />
<br />
The Spanish DPA decided that Law 25/2007 did not release the controller from its obligation to give access to geolocation data in the case of an access request.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A data subject requested access to his personal data, specifically the geolocation data regarding his telephone number with Euskaltel (“controller”). A few days after this access request, he also exercised his right to restrict the processing and specifically requested that they do not proceed with the deletion of the data until he had been given access to it. <br />
<br />
The controller responded that they could not provide the data subject with this information as Law 25/2007, of October 18, 2007, on the Conservation of Data related to electronic communications and public communications networks (Ley 25/2007, de 18 de octubre, de Conservación de Datos relativos a las comunicaciones electrónicas) would impose the obligation to retain certain data generated as a result of the activity of its users for the sole and exclusive purpose of making them available to the authorities for the detection, investigation and prosecution of serious crimes. Therefore, no access to personal data under [[Article 15 GDPR|Article 15 GDPR]] could be granted. Following this response, the data subject filed a complaint against the controller with the Spanish DPA (“AEPD”).<br />
<br />
On 25 April 2022, the AEPD decided to archive the proceedings with regard to the reasoned refusal given by the controller. The data subject filed an administrative appeal against this decision with the Audiencia Nacional (“AN”), which annulled the decision of the AEPD in January 2023. <br />
<br />
As a result, the AEPD reopened the proceedings in order to take the AN's decision into account. The DPA heard both parties.<br />
<br />
=== Holding ===<br />
Firstly, the AEPD indicated that the controller did not dispute the personal data nature of the information requested by the data subject; therefore, once this nature is established, the only exceptions that may apply to the exercise of any GDPR rights are those established by law. The AEPD found that Law 25/2007 does not establish any limitation to the exercise of the right of access other than that the data subject is not to be informed about the transfer of the retained data to competent authorities. Moreover, the law establishes that the right of erasure cannot be exercised. The AEPD therefore concluded that the telephone line location data could be the subject of a right of access request under [[Article 15 GDPR|Article 15 GDPR]].<br />
<br />
Secondly, the AEPD found that the data subject’s request for the right of access concerned the geolocation data of his mobile phone line and that the reason for his request was irrelevant. Therefore, the AEPD rejected the controller’s argument that they provided a “reasonable alternative” with a document containing roaming information about the country where the data subject connected to a mobile network. Moreover, the request was neither excessive nor unfounded so the controller could not refuse it. <br />
<br />
Finally, the AEPD noted that the data subject exercised the right of restriction but the controller did not expressly reply to the request nor refused it with reasons. Therefore, the controller breached [[Article 18 GDPR]] as well as [https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673&p=20230509&tn=0 Article 12.4 LOPDGDD] under which the controller must send a mandatory response to the data subject.<br />
<br />
Therefore, the AEPD considered that the controller breached [[Article 15 GDPR|Articles 15]] and [[Article 18 GDPR|18 GDPR]].<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
The campaign, carried out by the Agency and the Spanish Association of Pediatrics, promotes the digital health of minors through raising the awareness of their fathers and mothers, reducing the risks posed on a physical, mental and social level by intensive and uncontrolled use of screens.<br />
</pre></div>Nzmhttps://gdprhub.eu/index.php?title=AEPD_(Spain)_-_RR/00075/2024AEPD (Spain) - RR/00075/20242024-03-06T09:19:53Z<p>Nzm: /* Comment */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=RR/00075/2024<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AEPD<br />
|Original_Source_Link_1=https://www.aepd.es/documento/reposicion-pd-00197-2023.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=<br />
|Date_Decided=23.02.2024<br />
|Date_Published=<br />
|Year=2024<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 15 GDPR<br />
|GDPR_Article_Link_1=Article 15 GDPR<br />
|GDPR_Article_2=Article 18 GDPR<br />
|GDPR_Article_Link_2=Article 18 GDPR<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=Ley 25/2007, de 18 de octubre, de Conservación de Datos relativos a las comunicaciones electrónicas<br />
|National_Law_Link_1=https://www.boe.es/buscar/act.php?id=BOE-A-2007-18243<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
|National_Law_Name_3=<br />
|National_Law_Link_3=<br />
<br />
|Party_Name_1=Euskaltel<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=nzm<br />
|<br />
}}<br />
<br />
The DPA confirmed that telecommunication service providers have to provide access to the location data they process under national data retention legislation, contrary to the controller's argument that such legislation provided a full exemption from the right of access. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
See also: [[AEPD (Spain) - EXP202201673]]<br />
<br />
A data subject requested access to, and the restriction of the processing of, his geolocation data regarding his telephone number with Euskaltel (“controller”). The controller refused to comply with the access request, arguing that Law 25/2007, of October 18, 2007, on the Conservation of Data related to electronic communications and public communications networks (Ley 25/2007, de 18 de octubre, de Conservación de Datos relativos a las comunicaciones electrónicas) did not allow it to do so. The data subject then filed a complaint with the Spanish DPA (“AEPD”). The AEPD archived the proceedings. The data subject then appealed this decision to the Audiencia Nacional (“AN”), which annulled the AEPD decision.<br />
<br />
On 5 January 2024, the AEPD issued a new decision in the proceedings, stating that the controller was in violation of [[Article 15 GDPR|Articles 15]] and [[Article 18 GDPR|18 GDPR]]. <br />
<br />
On 25 January 2024, the controller filed an internal appeal for reconsideration (recurso de reposición) against this decision with the AEPD, claiming that (i) the initial decision required the controller to infringe the law, and (ii) the controller does not process geolocation data.<br />
<br />
On 23 February 2024, the AEPD issued a decision on this matter.<br />
<br />
=== Holding ===<br />
Firstly, the AEPD stated that the GDPR and Law 25/2007 are not contradictory rules, but complementary by their purpose or the balance sought between public safety and respect for individual rights. However, the AEPD also pointed out that Law 25/2007 establishes special rules in relation to the rights conferred by the GDPR, and is for these purposes a ''lex specialis''. The AEPD maintained the same reasoning as in the appealed decision, by stating that Law 25/2007 does not establish that the right to access cannot be exercised. Furthermore, the AEPD added that this position does not depart from the AEPD’s precedents.<br />
<br />
Secondly, regarding the argument that the controller does not process geolocation data, the AEPD noted that, on the one hand, the controller stated that they did not have, nor had they ever had, geolocation data, but on the other hand they told the data subject that they could not provide him with the geolocation data because of Law 25/2007. Furthermore, this law also indicates that geolocation data must be retained by the operators. Therefore, the AEPD did not accept this argument. <br />
<br />
Thirdly, regarding the absence of information regarding the restriction of processing, the AEPD indicated that the GDPR does not allow the request to be ignored as if it had not been made, leaving it without a response. Therefore, the DPA reiterated that a request for the exercise of rights obliges the controller to give an express reply in any case, using any means that evidences receipt of the reply. <br />
<br />
Finally, regarding the stay of execution of the contested act, the AEPD considered that in light of Spanish law, the request for suspension could not be granted since the contested decision was not immediately effective and would be enforceable once the appeal for reconsideration (recurso de reposición) had been resolved. Therefore, the AEPD considered that the suspension request was devoid of purpose.<br />
<br />
In conclusion, the AEPD ruled that no new facts or legal arguments had been put forward, dismissed the appeal and upheld its previous decision.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
The campaign, carried out by the Agency and the Spanish Association of Pediatrics, promotes the digital health of minors through raising the awareness of their fathers and mothers, reducing the risks posed on a physical, mental and social level by intensive and uncontrolled use of screens.<br />
</pre></div>Nzmhttps://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_39/2024APD/GBA (Belgium) - 39/20242024-03-06T08:25:26Z<p>Nzm: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Belgium<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoBE.png<br />
|DPA_Abbrevation=APD/GBA<br />
|DPA_With_Country=APD/GBA (Belgium)<br />
<br />
|Case_Number_Name=39/2024<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=APD<br />
|Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-39-2024.pdf<br />
|Original_Source_Language_1=French<br />
|Original_Source_Language__Code_1=FR<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Other Outcome<br />
|Date_Started=29.06.2020<br />
|Date_Decided=22.02.2024<br />
|Date_Published=<br />
|Year=2024<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 80(1) GDPR<br />
|GDPR_Article_Link_1=Article 80 GDPR#1<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=nzm<br />
|<br />
}}<br />
<br />
The DPA considered that an e-reputation consultancy company cannot represent a data subject under [[Article 80 GDPR#1|Article 80(1) GDPR]], as it is a for-profit body whose statutory objectives are not in the public interest. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
In 2007, the newspaper “La Dernière Heure Les Sports” (“controller”) published an article on their website on the managing director of a company ("data subject") following the death of one of his employees. This article reported that the data subject was found guilty of manslaughter as well as for contravention of legislation on the use of work equipment and on health and safety at work. Adjustments had been made since the accident, so the court decided to suspend the data subject’s criminal sentencing. He was however declared civilly liable and ordered to pay compensation to the parents of the deceased worker. <br />
<br />
In 2018 and 2019, the data subject requested the removal of the URL of the article 3 times, using the standard form made available online by the controller for the dereferencing of results. The second and third requests were made by a French e-reputation consultancy company on behalf of the data subject. An e-reputation consultancy company takes care of people's reputation online, in particular by requesting the removal of URLs linked to them. <br />
<br />
The controller indicated that after considering the balance of interests and rights, they decided not to block the URL. <br />
<br />
On 18 June 2020, the e-reputation consultancy company lodged a complaint with the Belgian DPA (“APD”) on behalf of the data subject. The company also attached a mandate received from the data subject, which reads as follows: “I, the undersigned X [read: data subject] (...) declare and certify that company X1 [read: e-consultancy company] (...) is authorised to represent me on an exclusive basis in relation to publishers and hosts of Internet sites, in order to carry out the assignment entrusted to it”. <br />
<br />
The controller asked the APD to consider the complaint inadmissible, as it was brought by a company incorporated under French law, in breach of [[Article 80 GDPR#1|Article 80(1) GDPR]].<br />
<br />
=== Holding ===<br />
[[Article 80 GDPR#1|Article 80(1) GDPR]] states that the data subject has the right to mandate (i) a not-for-profit body, organization or association (ii) which has been properly constituted in accordance with the law of a Member State and (iii) which has statutory objectives that are in the public interest and is active in the field of data protection, to lodge a complaint on their behalf. <br />
<br />
The APD considered that the e-consultancy company is not a not-for-profit body, organization or association and does not have statutory objectives which are in the public interest, as evidenced by the terms and conditions of the company's website, which refer to “the sale of the following services: e-reputation cleansing (request for deletion of URLs) and Serp-Sculpting”, for which different prices are set.<br />
<br />
The APD concluded that the company does not fulfill the requirements of [[Article 80 GDPR#1|Article 80(1) GDPR]], and therefore cannot represent a data subject. Thus, the complaint was considered inadmissible.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the French original. Please refer to the French original for more details.<br />
<br />
<pre><br />
1/10<br />
<br />
<br />
<br />
Litigation Chamber<br />
<br />
<br />
Decision on the merits 39/2024 of February 22, 2024<br />
<br />
<br />
File number: DOS-2020-02861<br />
<br />
<br />
Subject: Complaint for refusal of dereferencing by a search engine –<br />
<br />
representation of the complainant within the meaning of section 80.1. GDPR<br />
<br />
<br />
<br />
The Litigation Chamber of the Data Protection Authority, made up of Mr.<br />
<br />
Hielke HIJMANS, president, and gentlemen Yves Poullet and Jelle Stassijns, members;<br />
<br />
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the<br />
<br />
protection of natural persons with regard to the processing of personal data and<br />
<br />
to the free movement of these data, and repealing Directive 95/46/EC (General Regulation on the<br />
<br />
data protection), hereinafter “GDPR”;<br />
<br />
Having regard to the Law of December 3, 2017 establishing the Data Protection Authority (hereinafter<br />
<br />
“LCA”);<br />
<br />
<br />
Having regard to the Law of July 30, 2018 relating to the protection of individuals with regard to<br />
<br />
processing of personal data (hereinafter “LTD”);<br />
<br />
Considering the internal regulations as approved by the House of Representatives on<br />
<br />
December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;<br />
<br />
<br />
Considering the documents in the file;<br />
<br />
<br />
Has taken the following decision regarding:<br />
<br />
<br />
<br />
The complainant: Mr. X1, hereinafter “the complainant”;<br />
<br />
<br />
Represented by Madame X2, e-reputation consultant of the company X3<br />
<br />
<br />
<br />
The defendants: Y1, hereinafter “the first defendant”;<br />
<br />
<br />
<br />
Y2, hereinafter “the second defendant”;<br />
<br />
<br />
Hereinafter collectively referred to as “the defendants”; Decision on merits 39/2024 — 2/10<br />
<br />
<br />
Having for advice Master Gerrit VANDENDRIESSCHE,<br />
<br />
qerrit.vandendriessche@altius.com and Master Louis-Dorsan JOLLY, louis-<br />
<br />
dorsan.jolly@altius.com, lawyers whose practice is established in 1000 Brussels,<br />
avenue du Port 86C, box 414.<br />
<br />
<br />
<br />
<br />
<br />
I. Facts and procedure<br />
<br />
1. The subject of the complaint filed on June 18, 2020 with the Data Protection Authority (APD)<br />
<br />
speakscomplainantrepresentedbytheFrenchcompanydee-reputationX3,concernstherefusalby<br />
<br />
the first defendant to dereference a depressed article from the newspaper La Dernière Heure<br />
<br />
Les Sports published on this newspaper's website in 2007 under the title “..” […].<br />
<br />
2. This article relates legal facts concerning the complainant. It mentions the name and<br />
<br />
of the first name of the complainant and informs Internet users about his conviction by the<br />
<br />
labor courts in 2007.<br />
<br />
3. Specifically, the article reports that in 2007, the complainant was convicted of<br />
<br />
of involuntary manslaughter due to lack of foresight or precaution, as well as<br />
<br />
contravention of the legislation on the use of work equipment and on signaling<br />
<br />
safety and health at work. This conviction follows the death (…) of a<br />
worker of the company ... of which the complainant was general manager.<br />
<br />
<br />
4. In view of the adjustments made since the accident when adopting its decision and<br />
<br />
in order not to compromise the professional activities of the complainant, the court seized<br />
<br />
decided to suspend the sentencing. As reported in the article by<br />
press, the complainant was nevertheless declared civilly responsible and was sentenced to<br />
<br />
compensate the parents of the deceased worker.<br />
<br />
<br />
5. It appears from the documents in the files transmitted by the defendants and from the documents produced<br />
by the complainant that before the referral to the APD, the dereferencing of this URL was requested<br />
<br />
3 times from the first defendant, via the standard form made available<br />
<br />
online by the latter for the purpose of dereferencing search results.<br />
<br />
6. Thus, the defendants report that in 2018, the son of the plaintiff, Mr. S.D., introduced<br />
<br />
in the name of his father a first request for dereferencing of the disputed URL. There<br />
<br />
first respondent acknowledged receipt of the request the same day, analyzed and processed<br />
<br />
the request and responded to it the next day, i.e. (…), motivating its response by indicating that it<br />
<br />
had decided not to intervene regarding this URL due to factors such as<br />
the relevance of it in the context of the professional life of the complainant. Decision on merits 39/2024 — 3/10<br />
<br />
<br />
7. The complainant's son reiterated his request by email addressed to the first respondent<br />
<br />
later in 2018 and the first respondent responded to her the same day that she maintained<br />
<br />
her decision.<br />
<br />
8. At the end of 2019, Madame X4, e-reputation consultant for the company X3, introduced on behalf of the<br />
<br />
complainant a second request for dereferencing of the same disputed URL via the<br />
<br />
online form of the first respondent.<br />
<br />
9. The first respondent acknowledged receipt of the request the same day and, after analysis<br />
<br />
of the request, given that the press article only concerned the professional life of the<br />
<br />
complainant, requested (…) more information on the “current” profession of the<br />
<br />
complainant (i.e. that exercised at the time of the reference request) in order to be able to<br />
<br />
continue to review the request.<br />
<br />
10. Mrs. X4 indicated the next day that the content of the disputed press article was<br />
<br />
related to a job that the complainant was still doing. On this basis, the first<br />
<br />
defendant stated in November 2019 that she had decided not to dereference the URL<br />
<br />
contentious due to factors such as the relevance of the latter in the context of life<br />
professional of the complainant.<br />
<br />
<br />
11. In May 2020, Madame X2, also an e-reputation consultant for X3 company, introduced<br />
<br />
in the name of the complainant a third request for dereference always from the same URL<br />
<br />
disputed via the first defendant's online form. The first defendant<br />
acknowledged receipt of the request the same day and indicated a week later that she had<br />
<br />
decided not to proceed with the requested referencing for reasons similar to those<br />
<br />
mentioned in the context of the first two requests addressed to him.<br />
<br />
Madame X2 reiterated her request in a June 2020 email addressed to the first<br />
<br />
defendant. The first respondent responded the next day that she maintained her<br />
<br />
position.<br />
<br />
12. On several occasions therefore, the first defendant considered that it was not required to<br />
<br />
give a favorable response to the request for dereferencing of the disputed URL in the<br />
<br />
terms below and invited the complainant to contact the APD in the event of disagreement with this<br />
<br />
decision.<br />
<br />
“After examining the balance between the interests and rights associated with the content in<br />
<br />
question, including factors such as the relevance of the latter in the context<br />
<br />
of your client's professional life, (read the search engine) has decided to<br />
don't block it.<br />
<br />
<br />
For the moment, we have decided not to take any action regarding this URL.<br />
<br />
(…)”. Decision on merits 39/2024 — 4/10<br />
<br />
<br />
13. As explained in point 1, the complainant represented by the French company e-<br />
<br />
reputation X3 already mentioned, on June 18, 2020, filed a complaint with the APD.<br />
<br />
<br />
14. This complaint form is sent to the APD by the company X3 on behalf of the complainant. He is there<br />
<br />
thus stated by the said company that:<br />
<br />
“the refusal of (read the search engine) does not respect, in our opinion, the<br />
<br />
latest clarifications from the Council of State on the application of the right to<br />
<br />
dereferencing. Regarding an article relating a conviction relating to our<br />
<br />
client for facts dating from 1998 and a judgment rendered in 2006, the inclusion of<br />
<br />
this processing of personal data in the engines is not relevant to this<br />
<br />
day and has very significant repercussions in his life. There is no character<br />
<br />
strictly necessary to maintain these links justifying the refusal of (reads the engine<br />
<br />
of research). Furthermore, regarding an accident, our client having no role<br />
in public life and the facts being very old, we do not understand the refusal<br />
<br />
from (read the search engine). (…)<br />
<br />
<br />
Our request for the Right to be Forgotten has been refused. Following which we contacted the<br />
<br />
writing. We had several discussions with the lawyers in charge, but they<br />
<br />
unfortunately did not result in a common agreement. You will find attached<br />
<br />
all exchanges in question. This is why we allow ourselves today<br />
<br />
to file a complaint for the reasons mentioned above in order to contest<br />
1<br />
these decisions which do not seem fair to us.<br />
<br />
15. In support of the complaint lodged by the complainant, the company X3 attaches a “mandate” received from the complainant, the text of which reads as follows: “I, the undersigned X1 [read: the complainant] (…) declare and certify that the company X3 (…) is authorized to represent me exclusively with the publishers and hosts of websites in order to carry out the mission entrusted to it”.<br />
<br />
16. On June 29, 2020, the complaint was declared admissible by the First Line Service (SPL) of the APD on the basis of articles 58 and 60 of the LCA and was transmitted to the Litigation Chamber under article 62, § 1 of the LCA.<br />
<br />
17. On July 28, 2020, the Litigation Chamber decided, under article 95, § 1, 1° and article 98 of the LCA, that the file could be processed on its merits.<br />
<br />
18. On that same date, the parties concerned were informed by registered mail of the provisions set out in article 95, § 2 and article 98 of the LCA. They were also informed, under article 99 of the LCA, of the deadlines for transmitting their submissions.<br />
<br />
[1] It is the Litigation Chamber which underlines. The underlined elements demonstrate that it is indeed the X3 company which introduced the complaint on behalf of its client, the complainant.<br />
<br />
19. The deadline for receipt of the defendants' response submissions was set at September 8, 2020, that for the complainant's reply submissions at September 28, 2020 and that for the defendants' reply submissions at October 20, 2020.<br />
<br />
20. On August 26, 2020, the defendants requested a copy of the file (art. 95, § 2, 3° LCA), which was sent to them on August 27, 2020.<br />
<br />
21. By the same letter of August 26, 2020, the defendants agreed to receive all communications relating to the case by electronic means and expressed their wish, subject to in-depth examination of the file, to make use of the possibility of being heard in accordance with article 98 of the LCA.<br />
<br />
22. On September 8, 2020, the Litigation Chamber received the defendants' response submissions.<br />
<br />
23. The complainant did not submit a reply.<br />
<br />
24. On October 20, 2020, the Litigation Chamber received the defendants' reply and summary submissions. Their argument can be summarized as follows:<br />
<br />
<br />
- Primarily, the defendants consider that the complaint is inadmissible in that it was introduced by the French company X3 on behalf of the complainant in violation of the requirements of article 80.1 of the GDPR read in conjunction with article 220.2 of the LTD;<br />
<br />
- In the alternative, if the Litigation Chamber were to consider that the complaint was validly introduced, the defendants argued at the time that it was appropriate to stay the proceedings (…).<br />
<br />
- In the further alternative, the defendants argue that the complaint is unfounded, in that there is no reason to pursue the second defendant, who is not a controller. Nor is there any reason to order the dereferencing of the disputed article, since the conditions for dereferencing are not met, the balancing of the interests at stake revealing a preponderant interest of the public in accessing the information contained in the referenced article. The seriousness of the journalistic source, the accuracy of the facts reported, the link between the facts and the complainant's professional activities both at the time and on the day the submissions were drawn up, and the role played by the latter in public life as a businessman are all criteria invoked by the search engine to support its decision not to dereference. The defendants conclude that the referencing of the disputed article is necessary for freedom of expression and information within the meaning of article 17.3.a) of the GDPR and that none of the grounds in article 17.1.a) to f) of the GDPR apply.<br />
<br />
<br />
<br />
II. Motivation<br />
<br />
25. The Litigation Chamber recalls that under the terms of article 77.1 of the GDPR, “without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation”.<br />
<br />
26. This article 77.1 is supplemented by article 80.1 of the GDPR, which provides for its part that “the data subject shall have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects' rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf, and to exercise the right to receive compensation referred to in Article 82 on his or her behalf where provided for by Member State law”.[2]<br />
<br />
<br />
27. As for the conditions provided for by Belgian law in implementation of article 80.1 of the GDPR, they appear in article 220.2 of the LTD, are cumulative and are the following:<br />
<br />
“§ 2. In the disputes provided for in paragraph 1, a body, organization or non-profit association must:<br />
<br />
1° be validly constituted in accordance with Belgian law;<br />
<br />
2° have legal personality;<br />
<br />
3° have statutory objectives of public interest;<br />
<br />
4° have been active in the field of protecting the rights and freedoms of data subjects in the context of the protection of personal data for at least three years.<br />
<br />
§ 3. The body, organization or non-profit association provides proof, through the presentation of its activity reports or any other document, that its activity has been carried on for at least three years, that it corresponds to its corporate purpose and that this activity relates to the protection of personal data.”<br />
<br />
[2] It is the Litigation Chamber which underlines. See also the first part of recital 142 of the GDPR: “Where a data subject considers that his or her rights under this Regulation are infringed, he or she should have the right to mandate a not-for-profit body, organisation or association which is constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest and is active in the field of the protection of personal data to lodge a complaint on his or her behalf with a supervisory authority, exercise the right to a judicial remedy on behalf of data subjects or, if provided for in Member State law, exercise the right to receive compensation on behalf of data subjects.”<br />
<br />
[3] The preparatory work of the LTD mentions that the three-year condition applies both to the existence of legal personality and to the exercise of activities in the field of data protection. See House of Representatives, Draft law relating to the protection of natural persons with regard to the processing of personal data, Doc. Parl., DOC 54 31/26/001 (article by article commentary – article 220).<br />
<br />
<br />
28. In this case, it appears from the file, as set out above in points 13-15, that it is the company X3 (..), an e-reputation consultancy established in Marseille, France, which submitted the complaint on behalf of the complainant and represents the latter in the exercise of his right to complain within the meaning of article 77.1 of the GDPR before the Litigation Chamber (APD).<br />
<br />
29. The Litigation Chamber notes that the company X3 is a company in the form of a joint stock company (..).<br />
<br />
30. The Litigation Chamber is of the opinion that there are serious doubts as to the compatibility with the GDPR of the condition set by the Belgian legislator in article 220.2.1° of the LTD, namely that the non-profit body, organization or association must be validly constituted in accordance with Belgian law. In doing so, the Belgian legislator introduced a more restrictive condition than that provided for in article 80.1 of the GDPR, which requires only that the not-for-profit body, organization or association be constituted in accordance with the law of a Member State.<br />
<br />
31. This consideration has no impact in this case since, in any event, the company X3 does not meet the other conditions of article 80.1 GDPR, read in combination with article 220.2 of the LTD, as it is neither a “not-for-profit body, organization or association” nor does it have a “statutory objective of public interest”. It is a commercial company, as evidenced for example by its General Conditions of Sale available on its website […], under the terms of which it is a question of the “sale of the following services: E-reputation cleaning (request for deletion of URLs) and Serp-Sculpting”, for which different prices are set.<br />
<br />
32. On the basis of the above, the Litigation Chamber concludes that this company therefore in no way meets the conditions of article 80.1 GDPR, read in combination with article 220.2 of the LTD recalled above, and that the complainant could not and cannot validly be represented by this company to exercise the right conferred by article 77.1 of the GDPR.<br />
<br />
<br />
33. The Litigation Chamber adds that in this it follows the defendants' argument, except as to the consequences which they believe they can draw from the complainant's failure to file reply submissions on this point in particular. Contrary to what the defendants set out, the complainant's failure to file submissions (point 23) - and therefore to put forward any argument in response to the defendants' thesis as to his non-compliant representation - does not amount to acquiescence on the part of the complainant. The latter remains free to file submissions or not, thereby, if need be, depriving himself of the opportunity to support his complaint and to defend himself in the light of the arguments developed by the defendants. However, it cannot be deduced from this that he acquiesces in the defendants' position.<br />
<br />
[4] The preparatory work of the LTD specifies with regard to article 220.2 that “it is the choice to limit this right to non-profit bodies, organizations and associations validly constituted in accordance with Belgian law and in particular to the law of June 27, 1921 on non-profit associations, foundations, European political parties and European political foundations”. House of Representatives, Bill relating to the protection of natural persons with regard to the processing of personal data, Doc. Parl., DOC 54 31/26/001 (article by article commentary – article 220).<br />
<br />
<br />
<br />
III. Corrective measures and sanctions<br />
<br />
34. Under the terms of article 100.1 of the LCA, the Litigation Chamber has the power to:<br />
<br />
1° dismiss the complaint without further action;<br />
2° order the dismissal of the case;<br />
3° order the suspension of the pronouncement;<br />
4° propose a settlement;<br />
5° issue warnings or reprimands;<br />
6° order compliance with the data subject's requests to exercise their rights;<br />
7° order that the data subject be informed of the security problem;<br />
8° order the freezing, limitation or temporary or definitive ban on processing;<br />
9° order that the processing be brought into compliance;<br />
10° order the rectification, restriction or erasure of data and the notification thereof to the recipients of the data;<br />
11° order the withdrawal of the accreditation of certification bodies;<br />
12° impose periodic penalty payments;<br />
13° impose administrative fines;<br />
14° order the suspension of cross-border data flows to another State or an international body;<br />
15° refer the file to the Brussels public prosecutor (procureur du Roi), who informs it of the follow-up given to the file;<br />
16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.<br />
<br />
<br />
35. In matters of dismissal (article 100.1.1° LCA), the Litigation Chamber must give detailed reasons for its decision and:[5]<br />
<br />
- either dismiss the complaint without further action on technical grounds if the file does not contain, or does not contain sufficient, elements likely to lead to a sanction, or if it presents a technical obstacle preventing it from rendering a decision;<br />
<br />
- or dismiss the complaint without further action on grounds of expediency if, despite the presence of elements likely to result in a sanction, the continuation of the examination of the file does not seem appropriate to it given the APD's priorities as specified and illustrated in the Dismissal Policy of the Litigation Chamber.[6]<br />
<br />
36. In the event of dismissal without further action on several grounds (respectively, dismissal on technical grounds and/or on grounds of expediency), the grounds for dismissal must be treated in order of importance.[7]<br />
<br />
<br />
37. In the present case, the Litigation Chamber decides to dismiss the complaint without further action on technical grounds on the basis of article 100.1.1° of the LCA, owing to the non-compliance of the complainant's representation with articles 80.1 of the GDPR and 220.2 of the LTD, applied in combination with article 77.1 of the GDPR, and therefore the invalidity of the complaint lodged, which prevents it from taking any decision on the merits of the request.<br />
<br />
38. The Litigation Chamber specifies in this regard that this dismissal on technical grounds leaves intact the complainant's right to lodge a complaint with the same subject matter as the complaint leading to this decision, in compliance with the conditions of admissibility of complaints. This decision to dismiss on technical grounds in no way prejudges the merits of the complainant's delisting request, which the Litigation Chamber could be required to examine should it be validly brought before it in the future.<br />
<br />
39. The Litigation Chamber, having thus granted the principal request made by the defendants without ruling on the merits of the complainant's request, decides to adopt this decision without convening the hearing requested by the defendants alone, the complainant not having for his part requested to be heard.<br />
<br />
[5] Market Court (Brussels Court of Appeal), September 2, 2020, 2020/AR/329, p. 18.<br />
<br />
[6] https://www.autoriteprotectiondonnees.be/publications/politique-de-classement-sans-suite-de-la-chambre-contentieuse.pdf.<br />
<br />
[7] Dismissal policy of the Litigation Chamber, 06/18/2021, point 3 (“In what cases is my complaint likely to be closed without further action by the Litigation Chamber?”), available at https://www.autoriteprotectiondonnees.be/publications/politique-de-classement-sans-suite-de-la-chambre-contentieuse.pdf<br />
<br />
<br />
IV. Publication of the decision<br />
<br />
40. Given the importance of transparency regarding the decision-making process of the Litigation Chamber, this decision is published on the APD website. However, in view of all the specific elements and considerations of the case, it is not necessary for this purpose that the identification data of the parties to this decision be directly mentioned.<br />
<br />
<br />
<br />
FOR THESE REASONS,<br />
<br />
the Litigation Chamber of the Data Protection Authority decides, after deliberation, to dismiss this complaint in accordance with article 100, § 1, 1° of the LCA.<br />
<br />
In accordance with article 108, § 1 of the LCA, an appeal against this decision may be lodged, within thirty days from its notification, with the Market Court (Brussels Court of Appeal), with the Data Protection Authority as defendant.<br />
<br />
Such an appeal may be brought by means of an inter partes application which must contain the information listed in article 1034ter of the Judicial Code.[8] The inter partes application must be filed with the registry of the Market Court in accordance with article 1034quinquies of the Judicial Code,[9] or via the e-Deposit information system of the Ministry of Justice (article 32ter of the Judicial Code).<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
(signed) Hielke Hijmans<br />
<br />
President of the Litigation Chamber<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
[8] The application contains, on pain of nullity:<br />
1° the indication of the day, month and year;<br />
2° the surname, first name and domicile of the applicant, as well as, where applicable, his capacity and his national register number or business number;<br />
3° the surname, first name, address and, where applicable, the capacity of the person to be summoned;<br />
4° the subject matter and a summary of the grounds of the application;<br />
5° the indication of the judge before whom the application is brought;<br />
6° the signature of the applicant or his lawyer.<br />
<br />
[9] The application, accompanied by its annex, is sent, in as many copies as there are parties involved, by registered letter to the clerk of the court or filed with the court registry.<br />
</pre></div>Nzmhttps://gdprhub.eu/index.php?title=CE_-_474625CE - 4746252024-03-06T08:16:01Z<p>Sfl: </p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=France<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=CE<br />
|Court_Original_Name=Conseil d'Etat<br />
|Court_English_Name=Supreme Administrative Court<br />
|Court_With_Country=CE (France)<br />
<br />
|Case_Number_Name=474625<br />
|ECLI=ECLI:FR:CECHS:2024:474625.20240214<br />
<br />
|Original_Source_Name_1=Légifrance<br />
|Original_Source_Link_1=https://www.legifrance.gouv.fr/ceta/id/CETATEXT000049149941?juridiction=CONSEIL_ETAT&juridiction=COURS_APPEL&page=1&pageSize=10&query=2016%252F679&searchField=ALL&searchType=ALL&sortValue=DATE_DESC&tab_selection=cetat<br />
|Original_Source_Language_1=French<br />
|Original_Source_Language__Code_1=FR<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Date_Decided=14.02.2024<br />
|Date_Published=<br />
|Year=2024<br />
<br />
|GDPR_Article_1=Article 17 GDPR<br />
|GDPR_Article_Link_1=Article 17 GDPR<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=Article 20 Loi Informatique et Libertés<br />
|National_Law_Link_1=https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000045072444<br />
|National_Law_Name_2=Article 8 Loi Informatique et Libertés<br />
|National_Law_Link_2=https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037822923<br />
|National_Law_Name_3=<br />
|National_Law_Link_3=<br />
|National_Law_Name_4=<br />
|National_Law_Link_4=<br />
<br />
|Party_Name_1=Societe.com<br />
|Party_Link_1=https://www.societe.com/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_From_Body=CNIL (France)<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=nzm<br />
|<br />
}}<br />
<br />
The Supreme Administrative Court found that a DPA’s order to reply to an access request is a sufficient corrective measure under Article 58(2) GDPR. However, if the data subject does not get a reply from the controller within 6 weeks, they can file a second complaint, and the DPA’s discretion will then be limited. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
On 10 April 2023, a data subject sent an erasure request to Societe.com (“controller”). The controller failed to respond to the request, so the data subject lodged a complaint with the French DPA (“CNIL”). <br />
<br />
The CNIL reminded the company of its legal obligations, in particular by asking the controller to respond to the request, and on that basis closed the data subject’s complaint, inviting the data subject to submit a new complaint to the CNIL after 6 weeks if the controller had still not replied. <br />
<br />
The data subject sought the annulment of this decision with the French Supreme Administrative Court (“Conseil d’Etat”).<br />
<br />
=== Holding ===<br />
The Conseil d’Etat considered that, with regard to [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037822923 Article 8] and [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000045072444 20 of "Loi Informatique et Libertés"], it is the CNIL’s responsibility to examine the facts giving rise to a complaint and to decide on the action to be taken. The Conseil d’Etat added that the data subject may challenge the CNIL’s refusal to act before the administrative judge (juge de l’excès de pouvoir). It is then up to the judge to review the CNIL’s refusal, where appropriate. However, where the data subject alleges that a controller has disregarded the rights that the law guarantees to the data subject with regard to personal data concerning them, the CNIL's discretionary power to decide what action to take is exercised under the full control of the juge de l'excès de pouvoir.<br />
<br />
The Conseil d’Etat ruled that it was clear from the documents that the CNIL did not vitiate its decision to close the complaint as (i) the DPA reminded the controller of its legal obligation by asking the controller to comply with the request and (ii) they invited the data subject to submit a new complaint to the CNIL if the controller failed to comply with the request within 6 weeks.<br />
<br />
The Conseil d’Etat therefore rejected the appeal against the CNIL decision.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the French original. Please refer to the French original for more details.<br />
<br />
<pre><br />
Full Text<br />
<br />
FRENCH REPUBLIC<br />
IN THE NAME OF THE FRENCH PEOPLE<br />
<br />
Considering the following procedure:<br />
<br />
By a request registered on May 30, 2023 at the litigation secretariat of the Council of State, Mr. B... C... asks the Council of State:<br />
<br />
1°) to annul for abuse of power the decision by which the National Commission for Information Technology and Liberties (CNIL), on May 25, 2023, declared the closure of its complaint against the company Societe.com relating to the deletion personal data concerning him;<br />
<br />
2°) to order the CNIL to take all appropriate measures to implement the right to delete personal data concerning him, accessible online on the societe.com website.<br />
<br />
Considering the other documents in the file;<br />
<br />
Having regard to:<br />
- Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016;<br />
- Law No. 78-17 of January 6, 1978;<br />
- the administrative justice code;<br />
<br />
After hearing in public session:<br />
<br />
- the report of Mr. Emmanuel Weicheldinger, master of requests for extraordinary service,<br />
<br />
- the conclusions of Ms. Esther de Moustier, public rapporteur;<br />
<br />
Considering the following:<br />
<br />
1. It appears from the documents in the file that, on April 10, 2023, Mr. C... sent the company Societe.com a request to erase personal data concerning him, accessible online. On May 17, 2023, Mr. C... filed a complaint with the National Commission for Information Technology and Liberties (CNIL) due to the lack of response from the company Societe.com to his request. On May 25, 2023, the CNIL indicated to Mr. C... that it had reminded the company of its legal obligations, in particular by asking it to provide a response to his request, that he would have the possibility of contacting the CNIL again, after the expiration of a period of six weeks, in the event that the company had not complied with its obligations, and that it had therefore taken a decision to close his complaint. Mr. C... requests the annulment of this decision.<br />
<br />
2. Firstly, Article 17 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (known as the GDPR) provides that: "1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies (...)". Article 51 of the law of January 6, 1978 relating to data processing, files and freedoms provides that: "I. The right to erasure is exercised under the conditions provided for in article 17 of Regulation (EU) 2016/679 of April 27, 2016. / (...) In the event of non-execution of the erasure of personal data or in the event of no response from the data controller within a period of one month from the date of the request, the person concerned may refer the matter to the National Commission for Information Technology and Freedoms, which will rule on this request within three weeks from the date of receipt of the complaint."<br />
<br />
3. Secondly, under the terms of article 8 of the law of January 6, 1978: "I.- The National Commission for Information Technology and Liberties is an independent administrative authority. It is the national supervisory authority in meaning and for the application of Regulation (EU) 2016/679 of April 27, 2016. It carries out the following missions:/ (...) 2° It ensures that the processing of personal data is implemented in accordance with to the provisions of this law and other provisions relating to the protection of personal data provided for by legislative and regulatory texts, European Union law and France's international commitments. As such:/ (...) d) It handles complaints, petitions and complaints lodged by a data subject or by a body, organization or association, examines or investigates the subject matter of the complaint, to the extent necessary, and informs the author of the complaint of the progress and outcome of the investigation (...)".<br />
<br />
4. Thirdly, under the terms of article 20 of the same law: "II.- When the data controller or its processor does not respect the obligations resulting from Regulation (EU) 2016/679 of April 27, 2016 or this law, the president of the National Commission for Information Technology and Freedoms may remind him of his legal obligations or, if the breach noted is capable of being remedied, serve on him a formal notice, within the deadline it sets: 1° To satisfy the requests presented by the data subject with a view to exercising their rights; 2° To bring the processing operations into compliance with the applicable provisions; 3° With the exception of processing which concerns state security or defence, to communicate to the data subject a personal data breach; 4° To rectify or erase personal data, or to limit the processing of these data. In the case provided for in 4° of this II, the president may, under the same conditions, give formal notice to the data controller or its processor to notify the recipients of the data of the measures it has taken. The president may request that compliance be justified within a deadline he sets. (...)".<br />
<br />
5. It follows from the provisions mentioned in points 3 and 4 that it is up to the CNIL, when it receives a complaint or a claim relating to the exercise of its powers, to examine the facts at their origin and to decide on the follow-up to be given to them. To this end, it has a broad power of appreciation and may take into account the seriousness of the alleged breaches with regard to the legislation or regulations that it is responsible for enforcing, the seriousness of the evidence relating to these facts, the date on which they were committed, the context in which they were committed and, more generally, all the general interests for which it is responsible. The author of a complaint may refer the CNIL's refusal to act on it to the judge for abuse of power. It is up to the judge to censure it, if necessary, for reasons of external illegality and, on the merits of the decision, in the event of an error of fact or of law, a manifest error of appreciation or a misuse of power. However, when the author of the complaint relies on the disregard by a data controller of the rights guaranteed by law to the data subject with regard to personal data concerning him or her, in particular the rights of access, rectification, erasure, limitation and objection mentioned in articles 49, 50, 51, 53 and 56 of the law of January 6, 1978 relating to data processing, files and freedoms, the discretionary power of the CNIL to decide on the follow-up to be given is exercised, having regard to the nature of the individual right in question, under the full control of the judge of abuse of power.<br />
<br />
6. It appears from the documents in the file that, as stated in point 1, the CNIL, upon receipt of Mr. C...'s complaint, decided to remind the company Societe.com of its legal obligations by asking it to comply with these, while inviting Mr. C..., in the event that the company does not respond to this request within six weeks, to submit a new complaint to the CNIL. In doing so, in the circumstances of this case, it did not taint its decision to close the complaint with an error of assessment.<br />
<br />
7. It follows from all of the above that the applicant is not justified in requesting the annulment of the decision he is impugning. Its conclusions for the purpose of an injunction can, therefore, only be rejected.<br />
<br />
DECIDED :<br />
--------------<br />
<br />
Article 1: Mr. C...'s request is rejected.<br />
Article 2: This decision will be notified to Mr. B... C....<br />
A copy will be sent to the National Commission for Information Technology and Liberties.<br />
<br />
Deliberated at the end of the session of January 11, 2024 where sat: Mr. Bertrand Dacosta, president of the chamber, presiding; Mr. Olivier Yeznikian, State Councilor and Mr. Emmanuel Weicheldinger, master of requests in extraordinary service-rapporteur.<br />
<br />
Returned on February 14, 2024.<br />
<br />
President :<br />
Signed: Mr. Bertrand Dacosta<br />
<br />
The rapporteur :<br />
Signed: Mr. Emmanuel Weicheldinger<br />
<br />
The Secretary :<br />
Signed: Ms. Sylvie Leporcq<br />
<br />
ECLI:FR:CECHS:2024:474625.20240214<br />
</pre></div>Nzmhttps://gdprhub.eu/index.php?title=Commissioner_(Cyprus)_-_11.17.001.008.229Commissioner (Cyprus) - 11.17.001.008.2292024-03-04T12:40:16Z<p>Im: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Cyprus<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoCY.jpg<br />
|DPA_Abbrevation=Commissioner<br />
|DPA_With_Country=Commissioner (Cyprus)<br />
<br />
|Case_Number_Name=11.17.001.008.229<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Office of the Commissioner for Personal Data Protection<br />
|Original_Source_Link_1=https://gdprhub.eu/images/4/45/111700_2.PDF<br />
|Original_Source_Language_1=Greek<br />
|Original_Source_Language__Code_1=EL<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=17.08.2020<br />
|Date_Decided=28.02.2024<br />
|Date_Published=<br />
|Year=2024<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 5(2) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#2<br />
|GDPR_Article_2=Article 44 GDPR<br />
|GDPR_Article_Link_2=Article 44 GDPR<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=“ARKTINOS” Publications Ltd<br />
|Party_Link_1=https://politis.com.cy/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=im<br />
|<br />
}}<br />
<br />
In one of the 101 complaints filed by noyb, the DPA reprimanded a private news company for transferring personal data to the US without a legal basis in accordance with Chapter V GDPR.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
On 12 August 2020, the data subject visited the website ''politis.com.cy'' while logged in to a ''Facebook'' account with his e-mail address. The private news company managing the website, the controller, had integrated HTML code for Facebook Services, including Facebook Connect. Facebook Connect is a service used by third-party websites that allows Facebook users to log into other websites with their Facebook profile without having to create separate accounts there. At the same time, this service enables the flow of users' personal data between the site and Facebook. <br />
<br />
While the data subject visited the website, the controller processed his personal data, at least some of which were transferred to Facebook Inc. in the United States. <br />
<br />
Because the CJEU had annulled the EU-US Privacy Shield in judgment C-311/18, the data transfer could not be based on an adequacy decision under Article 45 GDPR. Yet the data transfers were still based on the invalidated EU-US Privacy Shield, as was evident from section 4 of the Facebook Data Processing Terms. Facebook Inc. is subject to surveillance by U.S. intelligence services under 50 U.S. Code § 1881 and is therefore obliged to provide U.S. authorities with personal data. <br />
<br />
For this reason, the data subject filed a complaint against the controller for a breach of the provisions of Chapter V GDPR concerning the transfer of personal data to third countries. Additionally, the data subject requested clarification of whether the Facebook Business Tools Terms and Facebook Data Processing Terms met the requirements of Article 28 GDPR on the transfer of personal data to third countries. <br />
<br />
The controller claimed that it did not collect personal data of any users who visited the website from a Facebook link, and that its only use of Facebook tools was to promote its news articles to more people on the basis of the criteria provided to it. After the DPA asked the controller to clarify whether the data received through the Facebook pixel tool led to users' identification and, therefore, to processing of their personal data even if that was not its intention, no statement was submitted.<br />
<br />
=== Holding ===<br />
The DPA started an investigation into the relationship between the controller and Facebook Inc., analysing the Terms of Use of Facebook Business Tools. The DPA confirmed that Facebook Inc. is acknowledged as a data processor and a joint controller for processing occurring on websites which use Facebook Business Tools. <br />
<br />
Moreover, the DPA stated that due to the implementation of the Facebook Pixel tool on the website, at least the IP address, browser information, website location, pixel ID and click data of the data subject were processed. On the basis of the evidence provided, the DPA found that a data transfer to the United States occurred. The DPA clarified that data processing took place due to the decision of a controller to incorporate the Facebook Service Tools on its website. Furthermore, the abovementioned processing was based on the EU-US Privacy Shield even after its invalidation by the CJEU decision of 16 July 2020.<br />
<br />
Thus, the DPA found a violation of Article 5(2) GDPR, since the controller failed to demonstrate compliance with Article 5(1) GDPR, and a violation of Article 44 GDPR, since the controller did not ensure the level of protection of the data subject guaranteed by the GDPR. <br />
<br />
The DPA did not fine the controller and did not prohibit or suspend the data transfer. Instead, the DPA ordered the controller to ensure that the transfer of data takes place on the basis of the new EU-US Data Protection Framework, Implementing Decision (EU) 2023/1795, or on the basis of an appropriate safeguard under Article 46 GDPR, if the use of the services in question continues. <br />
<br />
Regarding the analysis of whether Facebook Inc. bears the responsibilities of a controller, the DPA concluded that in the present case Facebook Inc. does not determine the purposes and means of the processing. At the same time, the possibility that Facebook Inc. will receive requests from U.S. security authorities does not automatically lead to that conclusion.<br />
<br />
Additionally, the DPA found that Facebook Inc. is a data importer and not a data exporter. Therefore, the obligations set out in Chapter V GDPR do not apply to Facebook Inc., and no breach of Article 44 GDPR by Facebook Inc. can be established. <br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.<br />
<br />
<pre><br />
REPUBLIC OF CYPRUS OFFICE OF THE COMMISSIONER<br />
FOR PERSONAL DATA PROTECTION<br />
<br />
<br />
<br />
MACHINE TRANSLATED<br />
<br />
Case Reg.: 11.17.001.008.229<br />
<br />
<br />
DECISION<br />
<br />
<br />
Complaint of a personal data breach<br />
<br />
<br />
In the light of the tasks and powers conferred on me by Article 57(1)(f) of Regulation (EU)<br />
2016/679 on the protection of natural persons with regard to the processing of personal<br />
<br />
data and on the free movement of such data (hereinafter referred to as “the Regulation”), I<br />
have examined a complaint lodged at my Office, pursuant to Article 77(1) of the Regulation,<br />
against “ARKTINOS” Publications Ltd (“Politis” newspaper) (hereinafter the “defendant”);<br />
Facebook Ireland Ltd (hereinafter “Facebook Ireland”) and Facebook Inc. The complaint<br />
was lodged with the Austrian Data Protection Supervisory Authority on 17 August 2020 by<br />
a resident of Austria (hereinafter the “complainant”), represented, pursuant to Article 80(1)<br />
<br />
of the Regulation, by the non-profit organisation noyb – European Centre for Digital Rights.<br />
<br />
On the basis of the investigation, I have found an infringement of the Regulation by the<br />
defendant and therefore adopt this Decision.<br />
<br />
<br />
<br />
A. Facts of the case<br />
<br />
Positions of the Complainant<br />
<br />
2. The complaint relates to an alleged breach of the provisions of Chapter V of the<br />
Regulation. The complaint states inter alia that:<br />
<br />
2.1. the complainant, on 12 August 2020, at 11:43 a.m., visited the website<br />
https://politis.com.cy (hereinafter the “website”) while logged in to a Facebook account with<br />
his e-mail address,<br />
<br />
2.2. the defendant has integrated HTML code for Facebook Services (including<br />
Facebook Connect).<br />
<br />
<br />
2.3. during the complainant’s visit to the website, the defendant processed the<br />
complainant’s personal data (at least the IP address and cookie data), of which at least<br />
some were transferred to Facebook Inc, in the United States. The complainant does not<br />
have the technical means to determine whether such data transfer took place directly<br />
between defendant and Facebook Inc. or via Facebook Ireland as an intermediary,<br />
<br />
<br />
<br />
2.4. Facebook Connect is a service used by third party websites, enabling the flow of<br />
user’s personal data between the site and Facebook;<br />
<br />
<br />
Kypranoros 15, Nicosia 1061, CYPRUS / P.O.23378, 1682 Nicosia, CYPRUS. Tel: +35722818456, Fax: +35722304565<br />
E-mail: commissioner@dataprotection.gov.cy, Website: http://www.dataprotection.gov.cy<br />
<br />
2.5. the use of Facebook Connect was subject, when submitting the complaint, to the<br />
documents Facebook Business Tools Terms and Facebook Data Processing Terms.<br />
These two documents would be updated with effect from 31 August 2020 (New Facebook<br />
<br />
Business Tools Terms and New Facebook Data Processing Terms);<br />
<br />
2.6. interpreting the Facebook Business Tools Terms and Facebook Data Processing<br />
Terms, which were in force at the time of the complaint, it is concluded that:<br />
2.6.1. Facebook Ireland is the contractual partner of the controller and acts as processor<br />
in accordance with Article 4(8) of the Regulation,<br />
2.6.2. Facebook Inc. acts as a sub-processor.<br />
<br />
<br />
This conclusion is also apparent from the New Facebook Business Tools Terms and New<br />
Facebook Data Processing Terms.<br />
<br />
2.7. in any case, the complainant’s personal data has been transferred by the defendant<br />
in the United States. This transfer, by the defendant, which is an EEA-based company, to<br />
Facebook Inc. or to any other processor in the United States (or to any other country<br />
<br />
outside the EEA) requires a legal basis in accordance with Article 44 of the Regulation;<br />
<br />
2.8. as the CJEU has annulled the EU-US Privacy Shield in judgment C-311/18, the<br />
controller can no longer base the transfer of data to Facebook Inc. on an adequacy decision<br />
under Article 45 of the Regulation;<br />
<br />
2.9. however, the Facebook team and the controller are still trying to base the transfer<br />
<br />
on the invalidated “EU-US Privacy Shield”, as evidenced by point 4 of the Facebook Data<br />
Processing Terms:<br />
Facebook, Inc. has made commitments under the EU-U.S. Privacy Shield and Swiss-U.S.<br />
Privacy Shield that may apply to data transferred by you or Facebook Ireland Limited to<br />
Facebook, Inc. under the Applicable Product Terms. When applicable as the means to<br />
transfer Personal Data outside of the EU or Switzerland to Facebook, Inc. where you are<br />
in the European Union or Switzerland, you acknowledge that the Privacy Shield Terms<br />
<br />
(https://www.facebook.com/legal/privacyshieldtermsforadvertisers) apply to such data in<br />
addition to the Applicable Product Terms.’;<br />
<br />
2.10. regarding these data transfers, the Facebook Data Processing Terms contains a<br />
link and reference to Privacy Shield Terms, which in turn is linked to Facebook Inc. and the<br />
EU-U.S. and Swiss-U.S. Privacy Shield.<br />
<br />
<br />
2.11. a similar reference can be found in the New Facebook Data Processing Terms<br />
document, which would be implemented 6 weeks after the CJEU’s ruling:<br />
Facebook, Inc., which is used by Facebook Ireland as a sub-processor, has made<br />
commitments under the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield that may<br />
apply to Personal Information transferred by you or Facebook Ireland to Facebook, Inc.<br />
under the Applicable Product Terms. When applicable as the means to transfer Personal<br />
<br />
Information outside of the EU/EEA or Switzerland to Facebook, Inc., you acknowledge that<br />
the Privacy Shield Terms apply in addition to the Applicable Product Terms.’;<br />
<br />
2.12. a regular data transmission system based on an annulled adequacy decision<br />
constitutes a serious, systematic and, in view of the New Facebook Data Processing<br />
Terms, an intentional violation of Article 45 and subsequent articles of the Regulation;<br />
<br />
<br />
2.13. nor can the controller base the transfer of data on standard contractual clauses, in<br />
accordance with Article 46(2)(c) and (d) of the Regulation, if the third country does not<br />
ensure adequate protection of personal data transferred in accordance with these clauses,<br />
<br />
under EU law. The CJEU explicitly found that onward transfer to companies falling under<br />
50 U.S. Code § 1881a, not only violates the relevant articles of Chapter V of the Regulation,<br />
but also Articles 7 and 8 of the EU Charter of Fundamental Rights, as well as the substance<br />
of Article 47 of the Charter (C-362/14 (“Schrems I”), para. 95). Therefore, any onward<br />
transfer violates the fundamental right to privacy, data protection and the right to effective<br />
judicial protection and a fair trial;<br />
<br />
<br />
2.14. Facebook Inc. qualifies as a provider of electronic communications services within<br />
the meaning of 50 U.S. Code § 1881(b)(4) and is therefore subject to U.S. intelligence<br />
surveillance under 50 U.S. Code § 1881a (“FISA 702”). As evidenced by the Snowden<br />
Transparencys and the Facebook Transparency Report<br />
(https://transparencyreport.google.com/userdata/us-national-security), Facebook Inc.<br />
actively provides personal data to the U.S. Government pursuant to 50 U.S. Code § 1881a;<br />
<br />
<br />
2.15. consequently, the controller is not in a position to ensure adequate protection of the<br />
complainant’s personal data transferred to Facebook Inc. Therefore, the controller has a<br />
legal obligation to refrain from transferring the complainant’s data – or any other personal<br />
data – to Facebook Inc. However, for more than one month after the decision, the controller<br />
has not acted on the basis of the decision,<br />
<br />
2.16. the Facebook group continues to accept data transfers from the EU/EEA, both on<br />
<br />
the basis of the invalidated “EU-US Privacy Shield” and standard contractual clauses,<br />
despite the CJEU’s clear judgement and violation of Articles 44 to 49 of the Regulation.<br />
Facebook Inc. further discloses personal data from the EU/EEA to the U.S. government, in<br />
violation of Article 48 of the Regulation.<br />
<br />
2.17. in accordance with Article 3(2)(a) of the Regulation, the Regulation is extended to<br />
sub-performers, who are not established in the Union, where the processing activities relate<br />
<br />
to the offering of services to data subjects in the Union. Consequently, there is direct<br />
jurisdiction against Facebook Inc. While Facebook Ireland may claim to fall under the<br />
jurisdiction of the Supervisory Authority of Ireland, as the lead Supervisory Authority (Article<br />
56 of the Regulation), there is no main establishment of Facebook Inc. in the Union.<br />
Therefore, any Data Protection Authority of the Union has direct jurisdiction over Facebook<br />
Inc., under its sub-processor activities,<br />
<br />
<br />
2.18. pursuant to Articles 58 and 83 of the Regulation, the competent Supervisory<br />
Authority may use corrective and sanctioning powers against both the controller and the<br />
processor Facebook Ireland and the underprocessor Facebook Inc.,<br />
<br />
2.19. in accordance with the above CJEU ruling, the competent Supervisory Authority<br />
must suspend or terminate the transfer of personal data to the third country, pursuant to<br />
<br />
Article 58(2)(f) and (j) of the Regulation;<br />
<br />
2.20. the complainant requests that:<br />
2.20.1. the complaint under Article 58 of the Regulation has been fully investigated and<br />
clarified:<br />
<br />
<br />
<br />
(a) what personal data has been transferred by defendant and/or Facebook Ireland to<br />
Facebook Inc. in the United States or to any other third country or international<br />
organisation;<br />
(b) on which transfer mechanism the defendant and/or Facebook Ireland based the<br />
<br />
transfer of data;<br />
(c) whether the provisions of the Facebook Business Tools Terms and Facebook Data<br />
Processing Terms, at the time of lodging the complaint and as to be amended as from 31<br />
August 2020, met the requirements of Article 28 of the Regulation concerning the transfer<br />
of personal data to third countries;<br />
<br />
2.20.2. immediately prohibit or suspend any transfer of data by defendant and/or Facebook<br />
<br />
Ireland to Facebook Inc. in the United States, and order the data to be returned to the<br />
EU/EEA or another country providing adequate protection pursuant to Article 58(2)(d), (f)<br />
and (j) of the Regulation;<br />
<br />
2.20.3. an effective, proportionate and dissuasive fine shall be imposed on the defendant,<br />
Facebook Ireland and Facebook Inc. pursuant to Article 83(5)(c) of the Regulation, taking<br />
into account that:<br />
<br />
(a) the complainant is probably only one out of thousands of users (Rule 83(2)(a) of the<br />
Rules of Procedure);<br />
(b) at the time of the complaint, more than a month had elapsed since judgment C-<br />
311/18 of the CJEU and the defendant did not take any measures to bring the processing<br />
operations into compliance with the provisions of the Regulation (Rule 83(2)(b) of the Rules<br />
of Procedure).<br />
<br />
<br />
Where reference is made to the controller above, the defendant is understood.<br />
<br />
<br />
Positions of the Defendant<br />
<br />
3. As part of the investigation of the complaint, my Office sent a letter to the defendant<br />
with clarification questions on 23 December 2020. This letter was sent again to the<br />
<br />
defendant on 7 January and 18 February 2021.<br />
<br />
4. In a letter dated 18 February 2021, the defendant submitted the reply of the<br />
technician, who developed the website. In particular, it was mentioned that to the best of<br />
his knowledge, there were no specific codes on the site, as “login with facebook etc” was<br />
never used. However, the relevant questionnaire sent was not answered.<br />
<br />
<br />
5. On 20 January 2022, my Office sent a new letter to the defendant, and after it was<br />
reiterated that, based on the analysis of the data and file submitted by the complainant, as<br />
well as an audit on the website, a Facebook tool was used, new questions were asked and<br />
the questions contained in the Office’s letter of 23 December 2020 requested to be<br />
answered.<br />
<br />
<br />
6. In a letter dated 26 January 2022, the defendant stated inter alia the following:<br />
6.1. as regards the questions contained in my Office’s letter of 23 December 2020<br />
concerning the Facebook Connect tool, it was already mentioned in the letter dated 18<br />
February 2021 that the Facebook Connect tool is not used. However, the technical<br />
developer of the website was contacted again, who confirmed that this tool was never used<br />
on the website. A user chooses to access a third-party website through Facebook Connect,<br />
<br />
<br />
they allow that website to retrieve information they have given to Facebook, including their<br />
full name, pictures, wall posts, friend information, etc.. It was stated that the defendant<br />
never had access to such sensitive information, let alone to process it,<br />
<br />
<br />
6.2. the Facebook tools that were, and still were, at the time of submitting the reply, are<br />
the Facebook domain verification and the Facebook pixel.<br />
6.2.1. Facebook domain verification is a tool for website validation purposes, to avoid<br />
blocking from the platform, in cases of spam reporting, and<br />
<br />
6.2.2. the Facebook pixel tool is a tool for paid ads (“paid ads”) of defendant’s news articles<br />
on Facebook,<br />
<br />
<br />
6.3. under no circumstances does the defendant collect or process personal data of<br />
users. The only use of Facebook made by the defendant is to promote her news articles to<br />
more people on the basis of the criteria provided by the platform.<br />
<br />
6.4. the defendant does not keep a record of the personal data of any user who visits<br />
the site from a Facebook link.<br />
<br />
<br />
7. In a letter from my Office to the defendant dated 30 May 2022, it was stated inter<br />
alia that the use of the Facebook pixel tool results in the processing of data of users –<br />
visitors to the website. This data can lead to user-visitor identification, possibly in<br />
combination with other data. Therefore, the visit of internet users to the website results in<br />
the processing of their personal data, even if it was not the intention of the defendant.<br />
Therefore, the respondent was again requested to reply to the questions contained in the<br />
<br />
Office’s letter of 20 January 2022.<br />
<br />
8. However, the defendant did not provide any reply or information to my Office.<br />
<br />
<br />
B. Legal framework<br />
<br />
<br />
9. According to Article 4 of the Regulation, personal data are to be interpreted as ‘any<br />
information relating to an identified or identifiable natural person (‘data subject’); an<br />
identifiable natural person is one who can be identified, directly or indirectly, in particular<br />
by reference to an identifier such as a name, an identification number, location data, an<br />
online identifier or to one or more factors specific to the physical, physiological, genetic,<br />
mental, economic, cultural or social identity of that natural person’.<br />
<br />
<br />
10. The controller is defined in Article 4 of the Regulation as ‘the natural or legal person,<br />
public authority, agency or other body which, alone or jointly with others, determines the<br />
purposes and means of the processing of personal data; where the purposes and means<br />
of such processing are determined by Union or Member State law, the controller or the<br />
specific criteria for its nomination may be provided for by Union or Member State law’.<br />
<br />
<br />
11. A processor is defined in Article 4 of the Regulation as ‘a natural or legal person,<br />
public authority, agency or other body which processes personal data on behalf of the<br />
controller’.<br />
<br />
12. Regarding the principles governing the processing of personal data, Article 5 of the<br />
Regulation provides the following:<br />
<br />
<br />
‘1. Personal data shall be:<br />
(a) processed lawfully, fairly and in a transparent manner in relation to the data<br />
subject (‘lawfulness, fairness and transparency’);<br />
<br />
(b) collected for specified, explicit and legitimate purposes and not further<br />
processed in a manner that is incompatible with those purposes; further processing<br />
for archiving purposes in the public interest, scientific or historical research purposes<br />
or statistical purposes shall, in accordance with Article 89(1), not be considered to<br />
be incompatible with the initial purposes (‘purpose limitation’);<br />
(c) adequate, relevant and limited to what is necessary in relation to the<br />
purposes for which they are processed (‘data minimisation’);<br />
<br />
(d) accurate and, where necessary, kept up to date; every reasonable step must<br />
be taken to ensure that personal data that are inaccurate, having regard to the<br />
purposes for which they are processed, are erased or rectified without delay<br />
(‘accuracy’);<br />
(e) kept in a form which permits identification of data subjects for no longer than<br />
is necessary for the purposes for which the personal data are processed; personal<br />
data may be stored for longer periods insofar as the personal data will be processed<br />
<br />
solely for archiving purposes in the public interest, scientific or historical research<br />
purposes or statistical purposes in accordance with Article 89(1) subject to<br />
implementation of the appropriate technical and organisational measures required<br />
by this Regulation in order to safeguard the rights and freedoms of the data subject<br />
(‘storage limitation’);<br />
(f) processed in a manner that ensures appropriate security of the personal<br />
data, including protection against unauthorised or unlawful processing and against<br />
<br />
accidental loss, destruction or damage, using appropriate technical or organisational<br />
measures (‘integrity and confidentiality’).<br />
<br />
2. The controller shall be responsible for, and be able to demonstrate<br />
compliance with, paragraph 1 (‘accountability’).’<br />
<br />
13. Pursuant to Article 44 of the Regulation, it is provided that:<br />
<br />
<br />
“Any transfer of personal data which are undergoing processing or are intended for<br />
processing after transfer to a third country or to an international organisation shall<br />
take place only if, subject to the other provisions of this Regulation, the conditions<br />
laid down in this Chapter are complied with by the controller and processor, including<br />
for onward transfers of personal data from the third country or an international<br />
<br />
organisation to another third country or to another international organisation. All<br />
provisions in this Chapter shall be applied in order to ensure that the level of<br />
protection of natural persons guaranteed by this Regulation is not undermined.”<br />
<br />
14. Pursuant to Article 57(1)(f) of the Regulation, the Commissioner for Personal Data<br />
Protection has the duty to:<br />
<br />
<br />
“handle complaints lodged by a data subject, or by a body, organisation or<br />
association in accordance with Article 80, and investigate, to the extent appropriate,<br />
the subject matter of the complaint and inform the complainant of the progress and<br />
the outcome of the investigation within a reasonable period, in particular if further<br />
investigation or coordination with another supervisory authority is necessary.”<br />
<br />
<br />
<br />
15. As regards the submission of a complaint to the Supervisory Authority, Article 77 of<br />
the Regulation provides that:<br />
<br />
“Without prejudice to any other administrative or judicial remedy, every data subject<br />
<br />
shall have the right to lodge a complaint with a supervisory authority, in particular in<br />
the Member State of his or her habitual residence, place of work or place of the<br />
alleged infringement if the data subject considers that the processing of personal<br />
data relating to him or her infringes this Regulation.”<br />
<br />
16. Pursuant to Article 58(2) of the Regulation, the Commissioner for Personal Data<br />
Protection has the following corrective powers:<br />
<br />
<br />
“(a) to issue warnings to a controller or processor that intended processing<br />
operations are likely to infringe provisions of this Regulation;<br />
(b) to issue reprimands to a controller or a processor where processing<br />
operations have infringed provisions of this Regulation;<br />
(c) to order the controller or the processor to comply with the data subject's<br />
requests to exercise his or her rights pursuant to this Regulation;<br />
<br />
(d) to order the controller or processor to bring processing operations into<br />
compliance with the provisions of this Regulation, where appropriate, in a specified<br />
manner and within a specified period;<br />
(e) to order the controller to communicate a personal data breach to the data<br />
subject;<br />
(f) to impose a temporary or definitive limitation including a ban on processing;<br />
(g) to order the rectification or erasure of personal data or restriction of<br />
<br />
processing pursuant to Articles 16, 17 and 18 and the notification of such actions to<br />
recipients to whom the personal data have been disclosed pursuant to Article 17(2)<br />
and Article 19;<br />
(h) to withdraw a certification or to order the certification body to withdraw a<br />
certification issued pursuant to Articles 42 and 43, or to order the certification body<br />
not to issue certification if the requirements for the certification are not or are no<br />
longer met;<br />
<br />
(i) to impose an administrative fine pursuant to Article 83, in addition to, or<br />
instead of measures referred to in this paragraph, depending on the circumstances<br />
of each individual case;<br />
(j) to order the suspension of data flows to a recipient in a third country or to an<br />
international organisation.’<br />
<br />
<br />
17. As regards the general conditions for imposing administrative fines, Article 83(2) of<br />
the Regulation provides:<br />
<br />
‘2. Administrative fines shall, depending on the circumstances of each individual<br />
case, be imposed in addition to, or instead of, measures referred to in points (a) to<br />
(h) and (j) of Article 58(2). When deciding whether to impose an administrative fine<br />
and deciding on the amount of the administrative fine in each individual case due<br />
<br />
regard shall be given to the following:<br />
(a) the nature, gravity and duration of the infringement taking into account the<br />
nature scope or purpose of the processing concerned as well as the number of data<br />
subjects affected and the level of damage suffered by them;<br />
(b) the intentional or negligent character of the infringement;<br />
<br />
<br />
<br />
(c) any action taken by the controller or processor to mitigate the damage<br />
suffered by data subjects;<br />
(d) the degree of responsibility of the controller or processor taking into account<br />
technical and organisational measures implemented by them pursuant to Articles 25<br />
and 32;<br />
(e) any relevant previous infringements by the controller or processor;<br />
(f) the degree of cooperation with the supervisory authority, in order to remedy<br />
the infringement and mitigate the possible adverse effects of the infringement;<br />
(g) the categories of personal data affected by the infringement;<br />
(h) the manner in which the infringement became known to the supervisory<br />
authority, in particular whether, and if so to what extent, the controller or processor<br />
notified the infringement;<br />
(i) where measures referred to in Article 58(2) have previously been ordered<br />
against the controller or processor concerned with regard to the same subject-<br />
matter, compliance with those measures;<br />
(j) adherence to approved codes of conduct pursuant to Article 40 or approved<br />
certification mechanisms pursuant to Article 42; and<br />
(k) any other aggravating or mitigating factor applicable to the circumstances of<br />
the case, such as financial benefits gained, or losses avoided, directly or indirectly,<br />
from the infringement.<br />
<br />
3. If a controller or processor intentionally or negligently, for the same or linked<br />
processing operations, infringes several provisions of this Regulation, the total<br />
amount of the administrative fine shall not exceed the amount specified for the<br />
gravest infringement.<br />
<br />
<br />
4. Infringements of the following provisions shall, in accordance with paragraph<br />
2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an<br />
undertaking, up to 2 % of the total worldwide annual turnover of the preceding<br />
financial year, whichever is higher:<br />
(a) the obligations of the controller and the processor pursuant to Articles 8, 11,<br />
25 to 39 and 42 and 43;<br />
<br />
(b) the obligations of the certification body pursuant to Articles 42 and 43;<br />
(c) the obligations of the monitoring body pursuant to Article 41(4).<br />
<br />
5. Infringements of the following provisions shall, in accordance with paragraph<br />
2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an<br />
undertaking, up to 4 % of the total worldwide annual turnover of the preceding<br />
financial year, whichever is higher:<br />
(a) the basic principles for processing, including conditions for consent, pursuant<br />
to Articles 5, 6, 7 and 9;<br />
(b) the data subjects' rights pursuant to Articles 12 to 22;<br />
(c) the transfers of personal data to a recipient in a third country or an<br />
international organisation pursuant to Articles 44 to 49;<br />
(d) any obligations pursuant to Member State law adopted under Chapter IX;<br />
<br />
(e) non-compliance with an order or a temporary or definitive limitation on<br />
processing or the suspension of data flows by the supervisory authority pursuant to<br />
Article 58(2) or failure to provide access in violation of Article 58(1).”<br />
<br />
<br />
C. Rationale<br />
<br />
18. On the basis of the information provided by the complainant, it appears that the<br />
subject of the complaint is the possible transfer of data by the complainant and whether<br />
there was an adequate level of data protection, as provided for in Article 44 of the<br />
Regulation, due to the inclusion of a Facebook tool on the website. In this context, it should<br />
also be investigated whether Facebook Ireland and/or Facebook Inc. have an obligation to<br />
comply with Article 44 of the Regulation.<br />
<br />
19. At this point, I note that any further processing is not addressed in this Decision. I<br />
also note that I do not consider whether the transfer was made directly by defendant to<br />
Facebook Inc. or via Facebook Ireland. The question is whether, in the case of a transfer,<br />
there was the required level of protection of the data transmitted.<br />
<br />
20. The defendant is a private news company. The defendant’s website contains articles<br />
of a variety of topics, in Greek. Taking into account the themes of the website’s content, it<br />
appears that the website is targeted at persons present in Cyprus. Furthermore, the<br />
defendant is based and active only in Cyprus and not in another Member State.<br />
<br />
<br />
21. The Facebook Pixel tool (hereinafter the “tool”) is a piece of code that is placed on<br />
a website and allows measuring the effectiveness of the company’s website ads by<br />
understanding the actions that users take on the site. Based on information on a Facebook<br />
website, Meta’s Pixel tool (as it’s now called) can help the site-company understand the<br />
effectiveness of its ads and the actions users take on the site, such as visiting a page or<br />
adding a product to the cart. It is also possible for the company to see when customers<br />
have taken any action after seeing the ad on Facebook and Instagram, which can help with<br />
retargeting. The Facebook Pixel tool is used to make sure the company’s ads are displayed<br />
to the right people, increase the company’s sales, and measure the results of its ads.<br />
<br />
22. Regarding the tool, a relevant Facebook website mentions the following:<br />
The Meta Pixel can collect the following data:<br />
— HTTP Headers – Anything that is generally present in HTTP headers, a standard<br />
web protocol sent between any browser request and any server on the internet. This<br />
information may include data like IP addresses, information about the web browser, page<br />
location, document, referrer and person using the website.<br />
— Pixel-specific Data – Includes Pixel ID and the Facebook Cookie.<br />
— Click Data – Includes any buttons clicked by site visitors, the labels of those buttons<br />
and any pages visited as a result of the button clicks.<br />
— Optional Values – Developers and marketers can optionally choose to send<br />
additional information about the visit through Custom Data events. Example custom data<br />
events are conversion value, page type and more.<br />
— Form Field Names – Includes website field names like email, address, quantity, etc.,<br />
for when you purchase a product or service. We don't capture field values unless you<br />
include them as part of Advanced Matching or optional values.<br />
<br />
<br />
23. It is not known when the tool was installed on the site. However, by studying the HAR<br />
file submitted by the complainant, it is confirmed that at the material time the tool was<br />
installed.<br />
<br />
24. The defendant decided to integrate the tool into the website for purposes that it has<br />
defined. The defendant did not mention to my office the purpose for which she incorporated<br />
the tool. However, in view of its reply that the Facebook pixel tool is a paid ads tool of the<br />
defendant’s Facebook news articles, I consider that the purpose of the inclusion is included<br />
in the above reply. Therefore, because of its own choice decision, the tool code, which was<br />
provided to it by Facebook, was installed.<br />
<br />
<br />
25. In the light of the above, I find that the defendant is the controller for that processing,<br />
after it has determined the purposes and means of the processing.<br />
<br />
26. Due to its own decision to incorporate the tool, the complainant’s personal data was<br />
processed. Even if no processing is carried out directly by the defendant or, as she herself<br />
mentioned, does not keep a record of the personal data of any user who visits the site,<br />
from a Facebook link, any processing is made due to the defendant’s own decision to<br />
integrate the tool.<br />
<br />
27. Therefore, as a controller, it had to take all measures so as not to undermine the<br />
level of protection of personal data which it processes or entrusts to a processor.<br />
<br />
28. The Terms of Use of Facebook Business Tools, in section 5.a., state that:<br />
<br />
<br />
To the extent that Business Tool Data includes Personal Data that you process in<br />
accordance with the General Data Protection Regulation (Regulation (EU) 2016/679)<br />
(“GDPR”), the following terms will apply:<br />
<br />
I. The parties acknowledge and agree that you will have the role of Data Controller in<br />
relation to the processing of Personal Data included in the Business Tool Data for the<br />
purposes of providing the matching, measurement and analysis services described in<br />
paragraphs 2.a.i and 2.a.ii above (e.g. for the provision of Analysis and Reporting for<br />
Campaigns), and that you give to Facebook Ireland Ltd.; 4 Grand Canal Square, Grand<br />
Canal Harbour, Dublin 2 Ireland (“Facebook Ireland”) to process on your behalf, and as a<br />
Data Processor, such Personal Data for these purposes, in accordance with the Terms of<br />
Use of the Business Tools and the Facebook Data Processing Terms. The Data Processing<br />
Terms are explicitly incorporated herein by reference and govern your relationship with<br />
Facebook Ireland in conjunction with the Terms of Use of the Business Tools.<br />
<br />
II. With regard to Personal Data contained in Event Data, it concerns user actions on your<br />
websites and apps that incorporate Facebook Business Tools, and for the means and<br />
purposes of which you jointly decide with Facebook Ireland, you and Facebook Ireland<br />
acknowledge and agree that you will act as Data Controller jointly, in accordance with<br />
Article 26 of the GDPR. The joint responsibility for the processing of the data also extends<br />
to the collection of such Personal Data through Facebook Business Tools and its<br />
subsequent transmission to Facebook Ireland for use for the purposes specified in<br />
paragraphs 2.a.iii to 2.a.v.1 (“Joint Processing”) above. For more information, click here.<br />
The Joint Processing is subject to the Annex for Data Controllers, which is expressly<br />
incorporated herein by reference and governs your relationship with Facebook Ireland in<br />
conjunction with the Terms of Use of the Business Tools. Facebook Ireland remains an<br />
independent Data Controller pursuant to Article 4(7) of the GDPR for the processing that<br />
takes place after the data has been transferred to Facebook Ireland.<br />
<br />
III. You, as appropriate, and Facebook Ireland remain independent Data Controllers<br />
pursuant to Article 4(7) of the GDPR for the processing of Personal Data included in Tool<br />
Data for businesses that, according to the GDPR, are not subject to paragraphs 5.a.i and<br />
5.a.ii.”<br />
<br />
29. There is therefore an assumption by Facebook of the relationship it has with the<br />
defendant in relation to the processing of the personal data of visitors to the site. On the<br />
basis of this relationship, Facebook Ireland is entrusted with the processing of data by the<br />
controller. There are also cases where the defendant and Facebook Ireland have the role<br />
of joint controller. However, it is not stated in any way that the defendant has a role other<br />
than the above.<br />
<br />
30. As mentioned by the complainant, on 12 August 2020 at 11:43 a.m., he visited the<br />
website while logged in to a Facebook account with his email address. The HAR file, which<br />
the complainant submitted to my Office, contains information on the communication<br />
between the web server and the complainant – visitor, as well as information on cookies<br />
used during navigation. Also, data sharing, through cookies, has been revealed from<br />
services provided by Facebook.<br />
<br />
31. It also includes the cookie file _fbp, which is stored on the user’s device – visitor to<br />
a website. With regard to this file, Facebook provides the following information on its<br />
website:<br />
When the Meta Pixel is installed on a website, and the Pixel uses first-party cookies, the<br />
Pixel automatically saves a unique identifier to an _fbp cookie for the website if one does<br />
not already exist.<br />
<br />
The FBP event parameter value must be of the form<br />
version.subdomainIndex.creationTime.randomnumber, where:<br />
— version is always this prefix: FB<br />
— subdomainIndex is which domain the cookie is defined on (‘com’ = 0, ‘facebook.com’<br />
= 1, ‘www.facebook.com’ = 2). If you're generating this field on a server, and not saving an<br />
_fbp cookie, use the value 1.<br />
— creationTime is the UNIX time since epoch in milliseconds when the _fbp cookie<br />
was saved. If you don't save the _fbp cookie, use the timestamp when you first observed<br />
or received this FBP value.<br />
— randomnumber is generated by the Meta Pixel SDK to ensure every fbp cookie is<br />
unique.<br />
<br />
Here’s an example of what the FBP value could look like:<br />
fb.1.1596403881668.1116446470’<br />
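The Pixel data list in paragraph 22, the HAR file in paragraph 23 and the _fbp cookie format quoted above together describe the evidence trail that a supervisory authority, or a site operator checking its own deployment, can verify from a traffic capture. The following Python block is an added example, not code from the decision, from Meta or from either party: it scans a constructed HAR-style capture (standing in for the complainant’s file) for requests to Facebook hosts, pulls out any _fbp cookie, and splits that cookie into the version.subdomainIndex.creationTime.randomnumber fields described above. The sample URLs, the placeholder pixel id and the list of Facebook hosts are assumptions made for the example.<br />

```python
"""Evidence check for a Meta/Facebook Pixel deployment from a HAR capture.

Added example (not part of the decision or of Meta's own tooling): reads a
HAR-style capture, lists requests sent to Facebook hosts, extracts any _fbp
cookie and splits it into the documented fields
version.subdomainIndex.creationTime.randomnumber.
"""
import json
from datetime import datetime, timezone
from urllib.parse import urlparse

# Assumption for the example: Pixel script and event beacons are served from
# these Facebook domains (subdomains included).
PIXEL_HOSTS = ("facebook.com", "facebook.net")

# Constructed HAR fragment standing in for the complainant's file: one page
# load of the news site, one request for the Pixel script, one event beacon.
# The pixel id is a placeholder, not a value from the decision.
SAMPLE_HAR = json.dumps({
    "log": {"entries": [
        {"request": {"url": "https://news.example/article/1", "cookies": []},
         "response": {"cookies": []}},
        {"request": {"url": "https://connect.facebook.net/en_US/fbevents.js",
                     "cookies": []},
         "response": {"cookies": [{"name": "_fbp",
                                   "value": "fb.1.1596403881668.1116446470"}]}},
        {"request": {"url": "https://www.facebook.com/tr/?id=PLACEHOLDER_PIXEL_ID&ev=PageView",
                     "cookies": [{"name": "_fbp",
                                  "value": "fb.1.1596403881668.1116446470"}]},
         "response": {"cookies": []}},
    ]}
})


def is_pixel_host(url):
    """True when the request host is one of PIXEL_HOSTS or a subdomain of one."""
    host = urlparse(url).hostname or ""
    return any(host == h or host.endswith("." + h) for h in PIXEL_HOSTS)


def pixel_requests(har_text):
    """Return the URLs in the capture that were sent to Facebook hosts."""
    entries = json.loads(har_text)["log"]["entries"]
    return [e["request"]["url"] for e in entries if is_pixel_host(e["request"]["url"])]


def fbp_cookie_values(har_text):
    """Collect distinct _fbp values seen in request or response cookies."""
    entries = json.loads(har_text)["log"]["entries"]
    seen = []
    for e in entries:
        for side in ("request", "response"):
            for c in e[side].get("cookies", []):
                if c.get("name") == "_fbp" and c.get("value") not in seen:
                    seen.append(c["value"])
    return seen


def parse_fbp(value):
    """Split an _fbp value into its documented fields; None if malformed.

    Format: version.subdomainIndex.creationTime.randomnumber, where version
    is "fb", subdomainIndex is 0, 1 or 2 and creationTime is Unix milliseconds.
    """
    parts = value.split(".")
    if len(parts) != 4:
        return None
    version, idx, created, rnd = parts
    if version.lower() != "fb":
        return None
    if not (idx.isdigit() and created.isdigit() and rnd.isdigit()):
        return None
    if int(idx) not in (0, 1, 2):
        return None
    return {
        "version": version,
        "subdomain_index": int(idx),
        "creation_time_ms": int(created),
        "created_utc": datetime.fromtimestamp(int(created) / 1000, tz=timezone.utc),
        "random": int(rnd),
    }


if __name__ == "__main__":
    for url in pixel_requests(SAMPLE_HAR):
        print("pixel traffic:", url)
    for v in fbp_cookie_values(SAMPLE_HAR):
        print("_fbp cookie:", v, parse_fbp(v))
```

Run against a real HAR export from a browser’s developer tools, the same functions list the Pixel traffic and the cookie’s creation time, which is the kind of check the decision relies on in paragraphs 23 and 30 to establish that the tool was installed at the material time.<br />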
<br />
<br />
32. The Facebook Data Processing Terms document states that:<br />
Facebook, Inc. has made commitments under the EU-U.S. Privacy Shield and Swiss-U.S.<br />
Privacy Shield that may apply to data transferred by you or Facebook Ireland Limited to<br />
Facebook, Inc. under the Applicable Product Terms. This refers to a transfer of data from<br />
the EU/EEA either directly from the website – company or from Facebook Ireland.<br />
<br />
<br />
33. Therefore, due to the application of the Facebook Pixel tool on the website, at least<br />
the IP address, browser information, website location, pixel ID and click data on the<br />
complainant’s terminal were processed.<br />
<br />
34. Because the tool is embedded in the website, Facebook has the technical ability to<br />
obtain the information that a particular Facebook account user has visited that website if<br />
the user is logged in to his Facebook account.<br />
<br />
<br />
35. As a result of the application of the Facebook Business Tools tool on the website,<br />
cookies were placed on the complainant’s terminal device, which contain a unique<br />
randomly generated value. This makes it possible to personalise the complainant’s terminal<br />
device and record his/her navigation behaviour in order to display appropriate personalised<br />
advertising.<br />
<br />
36. The defendant stated that under no circumstances does it collect or process<br />
personal data of users. However, even if it does not process it itself, this processing is<br />
carried out because of its own decision to integrate the tool into the website.<br />
<br />
37. The European Data Protection Supervisor’s decision of 5 January 2022 against the<br />
European Parliament on the use of Google Analytics states that cookies that make the user<br />
identifiable constitute personal data, regardless of whether the user’s identity is unknown<br />
or deleted after its collection. It is also stated that all data containing identifiers that can be<br />
used to identify/segregate users are considered personal data and should be handled and<br />
protected as such. Although the European Data Protection Supervisor is responsible for<br />
the application of Regulation (EU) 2018/1725, this can also be interpreted in this case.<br />
<br />
38. Guidelines 5/2021 of the European Data Protection Board on the interplay between<br />
the application of Article 3 and the provisions on international transfers as per Chapter V<br />
of the Regulation provide for the following three cumulative criteria for the qualification of a<br />
processing operation as a transfer:<br />
“1) A controller or a processor (“exporter”) is subject to the GDPR for the given processing.<br />
<br />
2) The exporter discloses by transmission or otherwise makes personal data, subject to<br />
this processing, available to another controller, joint controller or processor (“importer”).<br />
<br />
3) The importer is in a third country, irrespective of whether or not this importer is subject<br />
to the GDPR for the given processing in accordance with Article 3, or is an international<br />
organisation.”<br />
<br />
39. In relation to the above, the following are apparent:<br />
39.1. the defendant is established in Cyprus and is responsible for the operation of the<br />
website,<br />
<br />
39.2. the defendant disclosed personal data of the complainant due to the installation of<br />
the tool on the website, which resulted in their (final) disclosure to Facebook Inc.,<br />
39.3. Facebook Inc. has a registered office in the U.S.<br />
<br />
40. Therefore, sharing data on Facebook Inc. is a data transfer.<br />
<br />
41. Pursuant to Article 28(1) of the Regulation, the defendant, as a controller, is obliged<br />
to use only processors who provide sufficient assurances for the implementation of<br />
appropriate technical and organisational measures in such a way that the processing<br />
meets the requirements of the Regulation and ensures the protection of the data subject’s<br />
rights. In the present case, after the defendant incorporated the tool, it implies that the<br />
defendant accepted the terms of data processing contained in the Facebook Business<br />
Tools document and agreed that Facebook Inc. acts as a sub-processor. That document<br />
states, inter alia, that:<br />
‘2. You agree that Facebook may subcontract its data processing obligations under these<br />
Terms of Use for data processing to a subprocessor. However, this can only be done by<br />
means of a written agreement with the subprocessor which imposes obligations on the<br />
subprocessor that are no less burdensome than those imposed on Facebook by these data<br />
processing terms. If a subprocessor fails to comply with such obligations, Facebook<br />
remains fully liable to you for the fulfilment of the obligations of this subprocessor. You<br />
currently authorise Facebook to oblige Facebook Inc. (and other Facebook companies) as<br />
its subprocessors. Facebook must inform you in advance of any additional<br />
subprocessor(s).<br />
<br />
<br />
42. On the basis of the information on a Facebook website on the EU-US Privacy Shield,<br />
the following is provided:<br />
You acknowledge that the use of certain Facebook services for advertisements or<br />
measurements (the “Services”) may result in Facebook, Inc. (“Facebook”) receiving data<br />
from you (either directly or when acting on behalf of Facebook Ireland Ltd). This is done by<br />
referring to the EU-US Privacy Shield or the Swiss-US Privacy Shield (collectively, ‘Privacy<br />
Shield’). If the Privacy Shield applies to the data you provide and without limiting any<br />
agreement between you and Facebook, you acknowledge and agree to:<br />
— Facebook’s Privacy Shield Notice is available at<br />
www.facebook.com/about/privacyshield; it explains Facebook’s certification. In<br />
accordance with your obligations in connection with your use of the Services, you<br />
undertake to provide persons with reasonable and appropriate information about the<br />
Services.<br />
<br />
— Facebook may provide data subjects with contact information about you through the<br />
Services, allowing them, among other things, to contact you directly in order to exercise<br />
their rights under the Privacy Shield.<br />
— Facebook may receive requests or complaints from data subjects and may provide<br />
them with an independent mechanism for recourse and dispute resolution. However, you<br />
will remain responsible for resolving any complaints made to you by data subjects<br />
regarding your processing of the personal data subjects in connection with the Services<br />
(whether they are directly addressed to you or to us).<br />
— You undertake to take all reasonable steps (including those reasonably requested<br />
by Facebook) to enable Facebook to comply with its Privacy Shield obligations, including<br />
assistance to resolve complaints. In the event of a conflict between these Terms of Use<br />
and other Terms of Use that invoke these Terms of Use, these Terms of Use shall prevail.<br />
<br />
Last change: September 29, 2017’<br />
<br />
43. On the basis of the above, it appears that due to the visit to the website, data may<br />
be transferred to the United States. However, the defendant does not acknowledge at all<br />
the possibility of transmission, nor has it answered the relevant questions put to it.<br />
Furthermore, it has not provided me with any evidence that no data transmission took<br />
place.<br />
<br />
<br />
44. Furthermore, it appears that at the material time, data transfers made due to the<br />
visit to the website were based on the EU-US Privacy Shield.<br />
<br />
45. Facebook Inc. is classified as a provider of electronic communications services<br />
within the meaning of 50 U.S. Code § 1881(b)(4) and is therefore subject to oversight by<br />
U.S. intelligence services in accordance with 50 U.S. Code § 1881a (“FISA 702”), and is<br />
therefore obliged to provide U.S. authorities with personal data.<br />
<br />
46. Due to the transfer to the United States of America, access to the complainant’s<br />
personal data could be made by the U.S. authorities, which the defendant cannot ascertain.<br />
In this case, the defendant is not relieved of its responsibility for the protection of the<br />
complainant’s personal data. Moreover, the defendant continued to maintain the tool on its<br />
website, even after the judgment of the European Court of Justice, Case C-311/18, dated<br />
16 July 2020, declaring the ‘EU-US Privacy Shield’ invalid (Commission Implementing<br />
Decision (EU) 2016/1250 of 12 July 2016).<br />
<br />
<br />
47. In the case of transmission, the relevant obligations set out in Chapter V of the<br />
Regulation should be complied with. In particular, an adequate level of protection of the<br />
data transferred should be provided, as provided for in Article 44 of the Regulation.<br />
Therefore, one of the following conditions should be met:<br />
47.1. an adequacy decision pursuant to Article 45 of the Regulation,<br />
47.2. appropriate safeguards, pursuant to Article 46 of the Regulation,<br />
47.3. derogations for specific situations under Article 49 of the Regulation.<br />
<br />
<br />
48. Due to the above ruling of the European Court of Justice, Case C-311/18, there was<br />
no U.S. adequacy decision at the material time.<br />
<br />
49. This Decision does not require a more detailed analysis of the legal situation of the<br />
United States (as a third country), since the CJEU has already dealt with it in its<br />
abovementioned judgment of 16 July 2020. Based on the CJEU ruling, it appears that the<br />
EU-US adequacy decision did not provide an adequate level of protection for individuals<br />
under the relevant U.S. legislation and the implementation of official surveillance<br />
programmes, including under section 702 FISA and Executive Order 12333 in conjunction<br />
with Presidential Policy Directive 28 (PPD-28).<br />
<br />
50. Furthermore, the defendant has not informed my Office of the existence of<br />
appropriate safeguards under Article 46 of the Regulation or of derogations for specific<br />
situations under Article 49 of the Regulation. In any event, one of the derogations provided<br />
for in Article 49 of the Regulation cannot be invoked as a legal basis.<br />
<br />
51. On the basis of all the foregoing, I therefore find that the defendant has not shown<br />
that, as a result of the transfer, the level of protection of natural persons guaranteed by the<br />
Regulation is not undermined, contrary to Article 44 of the Regulation.<br />
<br />
<br />
52. Pursuant to Article 5(2) of the Regulation, the controller is responsible and is able to<br />
demonstrate compliance with paragraph 1 (‘accountability’). However, on the basis of the<br />
positions submitted by the defendant to my Office, I note that it has not only failed to<br />
demonstrate compliance with Article 5(1) of the Regulation, but also does not recognise<br />
the processing carried out as a result of its own decision to incorporate the tool.<br />
<br />
<br />
53. I therefore find that Article 5(2) has been infringed by the defendant. This would be<br />
the case even if the complainant’s data were not transferred to the United States.<br />
<br />
54. The complainant also requested that it be clarified whether the provisions of the<br />
Facebook Business Tools Terms and Facebook Data Processing Terms, at the time of<br />
lodging the complaint and as to be amended as of 31 August 2020, met the requirements<br />
of Article 28 of the Regulation on the transfer of personal data to third countries.<br />
<br />
55. According to Article 5 of the Regulation, the controller is responsible for complying<br />
with the principles governing the processing of personal data. However, the possibility that<br />
Facebook Inc. will receive requests from U.S. security authorities does not automatically<br />
lead to the conclusion that it has determined the purposes and means of the processing,<br />
i.e. that it is considered a controller under Article 28(10) of the Regulation. Nor can<br />
Facebook Ireland or Facebook Inc. be held liable for a breach of Article 28, since, under<br />
that article, the controller bears such responsibility.<br />
<br />
<br />
56. In addition to the above, it will be necessary to examine whether Facebook Inc. is,<br />
in the present case, subject to the obligations set out in Chapter V of the Regulation. On<br />
the basis of Guidelines 5/2021 of the European Data Protection Board, a transfer exists<br />
where “The exporter communicates by means of a transfer or otherwise makes available<br />
personal data, which are subject to such processing, to another controller, joint controller<br />
or processor (‘importer’)”. Therefore, the requirements of Chapter V of the Regulation must<br />
be complied with by the data exporter, i.e. the defendant, but not the data importer, in this<br />
case Facebook Inc.<br />
<br />
57. Therefore, in assessing this transfer, no breach of Article 44 of the Regulation by<br />
Facebook Inc. can be established.<br />
<br />
<br />
D. Conclusion<br />
<br />
<br />
58. In the light of all the above elements, as set out above, and in the light of the powers<br />
conferred on me under Article 57(1)(f) of the Regulation, I find that there has been a breach<br />
by the defendant:<br />
58.1. Article 5(2) of Regulation (EU) 2016/679, by failing to demonstrate compliance with<br />
Article 5(1) of the Regulation, i.e. the principle of accountability; and<br />
58.2. Article 44 of Regulation (EU) 2016/679, because it did not ensure that the level of<br />
protection of the reporting person guaranteed by the Regulation is not undermined.<br />
<br />
59. After taking into account:<br />
<br />
(a) the legal basis in force concerning the administrative penalties provided for in Article<br />
58(2) and Article 83 of the Regulation,<br />
<br />
(b) all the circumstances and factors which the complainant and the defendant brought<br />
before me on the basis of all existing correspondence,<br />
<br />
I consider that, in the circumstances, the imposition of an administrative fine is not justified.<br />
<br />
Also, in view of the new EU-US Data Protection Framework, Commission Implementing<br />
Decision (EU) 2023/1795 of 10 July 2023 on the adequacy of the level of protection of<br />
personal data under the EU-US Data Protection Framework, I consider that it is not justified<br />
to impose an immediate prohibition or suspension of any transfer of data by Defendant to<br />
Facebook Inc.<br />
<br />
60. Nevertheless, having regard to the above facts, the legal aspect on which this<br />
Decision is based and the analysis as explained above, and exercising the powers<br />
conferred on me by Article 58(2)(b) of the Regulation,<br />
<br />
<br />
I decided<br />
<br />
in my opinion and in compliance with the above provisions, to address to<br />
ARKTInos Publications Ltd (“Politis” newspaper):<br />
<br />
Reprimand for the violation of Article 5(2) of Regulation (EU) 2016/679;<br />
Reprimand for the violation of Article 44 of Regulation (EU) 2016/679, and<br />
<br />
Order to ensure that, if it continues to use the tool, the transfer can take place on the basis<br />
of the new EU-US Data Protection Framework, Implementing Decision (EU) 2023/1795, or<br />
on the basis of an appropriate guarantee under Article 46 of the Regulation, and inform me<br />
thereof within one month of receipt of this Decision.<br />
<br />
Irene Loizidou Nicolaidou<br />
Commissioner for<br />
<br />
Personal Data Protection 28 February 2024<br />
<br />
</pre></div>Imhttps://gdprhub.eu/index.php?title=DSB_(Austria)_-_DSB-D124.0701/23DSB (Austria) - DSB-D124.0701/232024-03-04T09:42:49Z<p>Marie04: Created page with "{{DPAdecisionBOX |Jurisdiction=Austria |DPA-BG-Color= |DPAlogo=LogoAT.png |DPA_Abbrevation=DSB |DPA_With_Country=DSB (Austria) |Case_Number_Name=DSB-D124.0701/23 |ECLI=ECLI:AT:DSB:2023:2023.0.772.005 |Original_Source_Name_1=DSB |Original_Source_Link_1=https://www.ris.bka.gv.at/JudikaturEntscheidung.wxe?Abfrage=Dsk&Dokumentnummer=DSBT_20231106_2023_0_772_005_00 |Original_Source_Language_1=German |Original_Source_Language__Code_1=DE |Original_Source_Name_2= |Original_So..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Austria<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoAT.png<br />
|DPA_Abbrevation=DSB<br />
|DPA_With_Country=DSB (Austria)<br />
<br />
|Case_Number_Name=DSB-D124.0701/23<br />
|ECLI=ECLI:AT:DSB:2023:2023.0.772.005<br />
<br />
|Original_Source_Name_1=DSB<br />
|Original_Source_Link_1=https://www.ris.bka.gv.at/JudikaturEntscheidung.wxe?Abfrage=Dsk&Dokumentnummer=DSBT_20231106_2023_0_772_005_00<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=05.04.2023<br />
|Date_Decided=06.11.2023<br />
|Date_Published=<br />
|Year=2023<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 4(7) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#7<br />
|GDPR_Article_2=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#1a<br />
|GDPR_Article_3=Article 6(1)(a) GDPR<br />
|GDPR_Article_Link_3=Article 6 GDPR#1a<br />
|GDPR_Article_4=Article 6(1)(c) GDPR<br />
|GDPR_Article_Link_4=Article 6 GDPR#1c<br />
|GDPR_Article_5=Article 26(1) GDPR<br />
|GDPR_Article_Link_5=Article 26 GDPR#1<br />
|GDPR_Article_6=<br />
|GDPR_Article_Link_6=<br />
|GDPR_Article_7=<br />
|GDPR_Article_Link_7=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=§ 1(1) DSG<br />
|National_Law_Link_1=https://www.ris.bka.gv.at/NormDokument.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10001597&Artikel=1&Paragraf=1&Anlage=&Uebergangsrecht=<br />
|National_Law_Name_2=§ 1(2) DSG<br />
|National_Law_Link_2=https://www.ris.bka.gv.at/NormDokument.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10001597&Artikel=1&Paragraf=1&Anlage=&Uebergangsrecht=<br />
|National_Law_Name_3=§ 16(1) MeldeG<br />
|National_Law_Link_3=https://www.ris.bka.gv.at/NormDokument.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10005799&Artikel=&Paragraf=16&Anlage=&Uebergangsrecht=<br />
|National_Law_Name_4=§ 18(1) MeldeG<br />
|National_Law_Link_4=https://www.ris.bka.gv.at/NormDokument.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10005799&Artikel=&Paragraf=18&Anlage=&Uebergangsrecht=<br />
|National_Law_Name_5=§ 18(2) MeldeG<br />
|National_Law_Link_5=https://www.ris.bka.gv.at/NormDokument.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10005799&Artikel=&Paragraf=18&Anlage=&Uebergangsrecht=<br />
|National_Law_Name_6=§ 18(5) MeldeG<br />
|National_Law_Link_6=https://www.ris.bka.gv.at/NormDokument.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10005799&Artikel=&Paragraf=18&Anlage=&Uebergangsrecht=<br />
|National_Law_Name_7=§ 24(4) DSG<br />
|National_Law_Link_7=https://www.ris.bka.gv.at/NormDokument.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10001597&Artikel=2&Paragraf=24&Anlage=&Uebergangsrecht=<br />
|National_Law_Name_8=<br />
|National_Law_Link_8=<br />
|National_Law_Name_9=<br />
|National_Law_Link_9=<br />
<br />
|Party_Name_1=Dr. Franziska A.<br />
|Party_Link_1=<br />
|Party_Name_2=Marktgemeinde N.<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Marie04<br />
|<br />
}}<br />
<br />
The Austrian DPA held that a controller which disclosed a data subject's registration data despite an existing block on disclosure, without informing her, violated her right to secrecy.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The data subject (Dr. Franziska A.) is subject to a block on the disclosure of her registration data because of her occupation as a public prosecutor. Nevertheless, on 27 December 2021 an employee of the controller (Marktgemeinde N., a market town) passed this information to a detective agency at the agency's request. The data subject was not informed. <br />
<br />
On 27 January 2023, as a consequence of the detective agency having obtained the data, the data was used in proceedings to which the data subject's mother was a party. The mother informed the data subject shortly afterwards. <br />
<br />
Subsequently, on 31 January 2023, the data subject demanded information from the municipal authority as to who had been given access to her registration data in the past three years. The authority's answer of 17 February 2023 showed that the controller had accessed and shared her registration data. On 2 March 2023 the controller confirmed this and referred to a 2015 decree of the Ministry of the Interior as the legal basis.<br />
<br />
The data subject lodged a complaint with the data protection authority on 5 April 2023, claiming a violation of the right to secrecy.<br />
Following that, the controller apologized on 14 April 2023 and stated that the decree from 2015 did not apply in this case and that it had made a mistake.<br />
<br />
=== Holding ===<br />
The Austrian DPA held that the processing is attributed not to the employee but to the controller as an entity, which acted here in its role as a public authority. As such, the controller needs a legal basis for the processing of personal data that is in accordance with the MeldeG (the Austrian Registration Act). Because of the block on disclosure of the data subject's registration data, § 18(5) MeldeG required the controller either to withhold the personal data from the requesting entity or to inform the data subject of the request and allow her to comment on the matter. Since neither was done, the processing of personal data was unlawful and in violation of the GDPR, and more specifically of the right to secrecy under § 1(1) DSG (the Austrian Data Protection Act).<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
<br />
GZ: 2023-0.772.005 from November 6, 2023 (Procedure number: DSB-D124.0701/23)<br />
<br />
[Editor's note: Names and companies, legal forms and product names, addresses (including URLs, IP and email addresses), file numbers (and the like), etc., as well as their initials and abbreviations may be abbreviated for pseudonymization reasons and/or be changed. Obvious spelling, grammar and punctuation errors have been corrected.]<br />
<br />
NOTICE<br />
<br />
SAYING<br />
<br />
The data protection authority decides on the complaint of Dr. Franziska A*** (complainant) of April 5, 2023 against the market town of N*** (respondent) for alleged violation of the right to secrecy as follows:<br />
<br />
The complaint is upheld and it is determined that the respondent violated the complainant's right to secrecy by providing information about the complainant to a private detective agency despite the existence of a block on information, without informing the complainant in advance and giving her the opportunity to comment.<br />
<br />
Legal bases: Art. 5, Art. 6, Art. 51 Para. 1, Art. 57 Para. 1 lit. f and Art. 77 Para. 1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), OJ No. L 119, 4.5.2016, p. 1; §§ 1 paragraph 1 and paragraph 2, 18 paragraph 1 as well as 24 paragraph 1 and paragraph 5 of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended; §§ 16 and 18 of the Federal Law on Police Reporting (Meldegesetz 1991 - MeldeG), StF: Federal Law Gazette No. 9/1992 as amended.<br />
<br />
REASON<br />
<br />
A. Submissions of the parties and course of proceedings<br />
<br />
1. In a complaint dated April 5, 2023, the complainant complained about a violation of the right to confidentiality and argued that the respondent had requested her registration data and transmitted it to B*** & Co KG, regardless of the block on information available to her in the central registration register, without complying with the requirements of Section 18 Paragraph 5 of the Registration Act. The complainant is a public prosecutor and her blocking of information is based on this function. She found out about the alleged violation shortly after January 27, 2023, as on that day a detective report was presented in the GZ proceedings: *4 C *32/22f of the BG D*** in which her registration details were disclosed. The complainant's mother was a party to these proceedings and informed her of the disclosure. As a result, on January 31, 2021, she submitted an inquiry to the municipality of the city of C***, which is responsible as the registration authority for her main residence. It stated that her registration data had been requested by the municipality of N***, among others, but that she had to contact those authorities for inquiries from authorities other than the municipality of C***. Her request to the respondent for information as to why her registration data had been passed on despite the existence of a block on information was answered on March 2, 2023. The respondent admitted that B*** & Co KG's request for all of the intervener's registration data was answered despite the information block, even though it knew that her data was subject to an information block. It should be noted that the detective company commissioned by E***IMMOBILIEN AG had, like a general staff, requested all registration data not only of the complainant and her family, but also of the other tenants and presumably their family members in several houses in the municipality of N***. It is doubtful whether a legal interest has been proven anywhere here. The answer to the query shows that the municipality of N***, when failing to examine a legal interest - in its case completely wrongly - may have referred to a decree of the Federal Minister of the Interior dated August 3, 2015, which is diametrically opposed to the wording and the meaning of Section 18 Paragraph 1b of the Registration Act. The involvement of a detective does not relieve the need to demonstrate a legal interest.<br />
<br />
2. In a submission dated April 14, 2023, the respondent replied and stated that there had been misconduct on the part of one of the respondent's employees and that she had apologized for the mistake of ignoring the information block. It was a one-off case of misconduct and all the information provided up to that point had been given lawfully. The legal basis is the BMI circular, which is written in a legally misleading manner. The respondent, as the reporting authority, is the last in this data chain to be subject to the requirements of the law and the legal opinion of the BMI.<br />
<br />
3. The data protection authority granted the complainant a hearing on September 29, 2023. The complainant made no further comment.<br />
<br />
B. Subject of the complaint<br />
<br />
The subject of the complaint is the question of whether the respondent violated the complainant's right to secrecy by providing information about the complainant to a private detective agency despite the existence of a block on information, without informing the complainant in advance and giving her the opportunity to comment.<br />
<br />
C. Findings of Fact<br />
<br />
The data protection authority has identified the following facts that are essential to the decision:<br />
<br />
1. The complainant works as a public prosecutor and there is a block on providing information about her in the central population register.<br />
<br />
2. Based on a request from the detective company B*** & Co KG on December 27, 2021, an employee of the respondent carried out a query and provided information about the complainant's main residence and subsequently transmitted this information to B*** & Co KG.<br />
<br />
3. The complainant was not informed before the information was provided to B*** & Co KG and the complainant was not given the opportunity to comment.<br />
<br />
4. The complainant's mother was a party to the proceedings on the GZ: *4 C *32/22f, at the BG D***. As part of these proceedings, a detective report was submitted on January 27, 2023, which contained registration details of the complainant. The complainant's mother informed the complainant about the submission of the detective report shortly after January 27, 2023.<br />
<br />
5. On January 31, 2023, the complainant requested information from the municipality of the city of C***, which is the registration authority responsible for her main residence, about who had accessed the complainant's data in the central registration register in the last three years.<br />
<br />
6. In a letter dated February 17, 2023, the **** of the magistrate of the city of C*** provided the complainant with the requested information and, among other things, this information indicated that the respondent had access to the complainant's data.<br />
<br />
7. In a letter dated March 2, 2023, the respondent's office manager confirmed access to the complainant's data and its transmission to B*** & Co KG by one of the respondent's employees. The respondent's head of office stated that the employee acted in querying and transmitting the complainant's data in relation to a communication from the BMI dated August 3, 2015 BMI-VA1500/0168-III/3/2015.<br />
<br />
Assessment of evidence: The findings made are based on the contents of the file and the arguments of the parties. The findings regarding the process of issuing the registration information result from the consistent submissions of the complainant and the respondent. The respondent itself admitted both in the present proceedings and in the letter of March 2, 2023 submitted by the complainant that an employee of the respondent gave the information without involving the complainant. The findings that the complainant only became aware of the query made about her and the information passed on to B*** & Co KG in the context of civil proceedings in which the complainant's mother is a party are also based on the complainant's submissions.<br />
<br />
D. In legal terms it follows:<br />
<br />
D.1. On the timeliness of the complaint<br />
<br />
According to Section 24 Para. 4 DSG, the right to have a complaint dealt with expires if the person intervening does not submit it within one year of becoming aware of the event causing the complaint, but at the latest within three years of the alleged event taking place. Late complaints must be rejected.<br />
<br />
The deadlines specified in Section 24 DSG are preclusive deadlines (see OGH July 31, 2015, 6 Ob 45/15h and Jahnel, Data Protection Law, Update, p. 191 on the previous provision of Section 34 Paragraph 1 DSG 2000 as well as Bresich, Dopplinger, Dörnhöfer, Kunnert, Riedl, DSG, p. 190 to § 24 DSG), which must be taken into account ex officio, i.e. if the facts are established, without objection (see Dohr/Pollirer/Weiss/Knyrim, Data Protection Law, Section 34, Note 2 to the previous provision of Section 34 Para. 1 DSG 2000). Bresich, Dopplinger, Dörnhöfer, Kunnert, Riedl show that the limitation rule of Section 24 Para. 4 DSG with regard to the time limit for the expiry of the right to have a complaint dealt with largely corresponds to Section 34 Para. 1 DSG 2000 (subjective period of one year from knowledge of the facts and an objective period of three years from the occurrence of the event).<br />
<br />
As is clear from the findings, the complainant's data was queried from the central population register on December 27, 2021 and transmitted to B*** & Co KG. As further established, the complainant was not informed about the query and only became aware of this process on January 27, 2023 at the earliest, as a result of the submission of a protocol in the GZ proceedings: *4 C *32/22f, in which the complainant's mother was a party and she informed the complainant of the submission.<br />
<br />
The complainant's complaint of April 5, 2023 was made within the deadline specified in Section 24 (4) DSG.<br />
<br />
D.2. Regarding the alleged violation of the right to secrecy<br />
<br />
General information on the processing of personal data and the principles for their processing<br />
<br />
According to Section 1 Para. 1 DSG, everyone has the right to keep their personal data confidential if there is a legitimate interest in doing so. The existence of such an interest is excluded if data is not accessible to a confidentiality claim due to its general availability or because it cannot be traced back to the person concerned.<br />
<br />
The GDPR and in particular the principles enshrined therein must be taken into account when interpreting the right to confidentiality (cf. the DSB's decision of October 31, 2018, GZ DSB-D123.076/0003-DSB/2018).<br />
<br />
As established, the complainant was blocked in the central population register at least at the time of the query in question.<br />
<br />
According to Section 16 Paragraph 1 of the Registration Act, the registration authorities, as jointly responsible parties in accordance with Art. 4 Z 7 in conjunction with Art. 26 Para. 1 GDPR, are authorized to process their registration data - with the exception of information on religious belief - together with any existing information blocks and associated deregistrations jointly for the purposes of maintaining the central registration register, in such a way that each person responsible also has access to the data in data processing that was made available to them by the other persons responsible (central registration register).<br />
<br />
In accordance with Section 18 Paragraph 1 of the Registration Act, the registration authority shall, upon request and on proof of identity, provide information from the central registration register, within the scope of Section 16 Paragraph 1 leg. cit., as to whether and, if applicable, where within the federal territory a clearly identifiable person is or was registered.<br />
<br />
If the person you are looking for does not have a registered or last registered main residence or if there is a block on providing information in relation to them, the information from the registration authority must read: “There is no data available for registration information about the person you are looking for.” If the information provided by the person who made the request cannot be assigned to just one registered person, the information from the registration authority must read: “Based on the identity information, the person being sought cannot be clearly identified; no information can be provided.” The residence (seat) or place of residence (Section 3 Z 3 AVG) of the person making the request is decisive for the responsibility for providing information.<br />
<br />
According to Section 18, Paragraph 2, leg ). The application must be granted if an interest worthy of protection can be credibly demonstrated. If such an interest is obvious, the block on information can also be ordered or extended ex officio. The ban on information can be imposed or extended for a maximum period of five years; During this time it also applies in the event of deregistration.<br />
<br />
According to Section 18 Paragraph 5 of the Registration Act, if there is a block on information regarding a person, the information from the registration authority must read: “There is no data available for registration information about the person(s) being sought”. In these cases, information in accordance with paragraph 1 must be provided if the applicant proves that he or she can assert a legal obligation on the part of the person concerned. In such a case, the registration authority must inform the person required to report before providing the information and give him or her the opportunity to make a statement.<br />
<br />
D.3. In the matter<br />
<br />
Regarding the complainant, there is a ban on providing information in accordance with Section 18 Paragraph 2 of the Registration Act. Accordingly, the respondent would have been obliged to inform that there was no data available for registration information about the complainant as a wanted person, or the respondent, as a reporting authority, would have been obliged in accordance with Section 18 Paragraph 5 leg. cit. to inform the complainant, as the person obliged to report, before providing information and to give her the opportunity to comment. However, as alleged by the respondent herself, the respondent's employee who carried out the questioned query failed to do so.<br />
<br />
In this context, it should be noted that employees who have access to personal data within an organization are generally not to be seen as controllers or processors, but the processing is ultimately attributed to the controller (see, for example, the BVwG's decision of April 27, 2022, GZ: W214 2237072-1).<br />
<br />
The respondent is a “state authority” in accordance with Section 1 Para. 2 DSG, which means that the use of personal data requires a (formal) legal basis, and the query also took place within the framework of the sovereign administration, namely when issuing registration information in accordance with Section 18 Paragraph 1 Reporting Act.<br />
<br />
Especially since there was a ban on information about the complainant at the time of the query in question, such registration information could only be granted permissibly under the conditions of Section 18 Paragraph 5 leg. cit. However, as the respondent herself argued, the complainant was not informed before the registration information was issued and was not given the opportunity to comment, which means that the respondent has violated the requirements of Section 18 Paragraph 5 leg. cit.<br />
<br />
In the absence of legal cover, the processing in question proves to be unlawful and the complaint had to be upheld.<br />
<br />
Given this result, it is unnecessary to go into the question in more detail as to whether there was a legal interest on the part of third parties to receive the registration information.<br />
<br />
The decision therefore had to be made in accordance with the verdict.<br />
</pre></div>Marie04https://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_4282/161/21Tietosuojavaltuutetun toimisto (Finland) - 4282/161/212024-03-04T08:47:36Z<p>Fred: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Finland<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFI.png<br />
|DPA_Abbrevation=Tietosuojavaltuutetun toimisto<br />
|DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland)<br />
<br />
|Case_Number_Name=4282/161/21<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Finlex<br />
|Original_Source_Link_1=https://finlex.fi/fi/viranomaiset/tsv/2021/20211244<br />
|Original_Source_Language_1=Finnish<br />
|Original_Source_Language__Code_1=FI<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=30.09.2019<br />
|Date_Decided=16.12.2021<br />
|Date_Published=27.01.2022<br />
|Year=2021<br />
|Fine=6500<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 5(1)(f) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1f<br />
|GDPR_Article_2=Article 17(1) GDPR<br />
|GDPR_Article_Link_2=Article 17 GDPR#1<br />
|GDPR_Article_3=Article 25(1) GDPR<br />
|GDPR_Article_Link_3=Article 25 GDPR#1<br />
|GDPR_Article_4=Article 32(1) GDPR<br />
|GDPR_Article_Link_4=Article 32 GDPR#1<br />
|GDPR_Article_5=Article 32(2) GDPR<br />
|GDPR_Article_Link_5=Article 32 GDPR#2<br />
|GDPR_Article_6=Article 58(2)(b) GDPR<br />
|GDPR_Article_Link_6=Article 58 GDPR#2b<br />
|GDPR_Article_7=Article 58(2)(d) GDPR<br />
|GDPR_Article_Link_7=Article 58 GDPR#2d<br />
|GDPR_Article_8=Article 83 GDPR<br />
|GDPR_Article_Link_8=Article 83 GDPR<br />
|GDPR_Article_9=<br />
|GDPR_Article_Link_9=<br />
|GDPR_Article_10=<br />
|GDPR_Article_Link_10=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=[https://gdprhub.eu/index.php?title=User:Fred fred]<br />
|<br />
}}<br />
<br />
The Finnish DPA imposed a fine of €6,500 on a travel agency for failing to adequately secure personal data and for failing to comply with a data subject's request to erase their personal data.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The Finnish DPA was notified that a travel agency (the controller) processed visa application data without encryption and had not responded to a data subject's request to erase their personal data. The DPA asked the controller to explain how it processed personal data and why it had refused to comply with the data subject's request.<br />
<br />
In response to the request, the controller clarified that it had provided visa application services, in connection with which various personal data had been collected, such as the name, contact details and passport number of the visa applicant. The operations of the controller had ceased in July 2021, and it had no staff who could have been in contact with the data subject.<br />
<br />
The controller stated that it was a part of a small travel industry group but emphasised that the other group companies did not supervise the personal data processing carried out by the controller. However, the controller considered that the personal data of the data subject had been partially erased from its system.<br />
<br />
=== Holding ===<br />
On the basis of the information provided by the controller, the DPA considered that the controller's website, including the visa application forms, was not encrypted. The information entered on the form was stored as a PDF file in the web server's file folder, which was accessible from the internet.<br />
<br />
The DPA emphasised that the passport number, especially when combined with other personal data, exposed the data subject to identity theft. The DPA found that the controller had neglected its duty to adequately protect and secure the personal data and had therefore processed the personal data in violation of the integrity and confidentiality principles.<br />
<br />
The DPA found that the controller had also violated its obligation to comply with the data subject's request to have their personal data erased. Moreover, the DPA stated that the controller should have erased the inadequately protected files on its own initiative, even without the erasure request made by the data subject.<br />
<br />
On the basis of the information gathered, the DPA held that the controller had violated [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]], [[Article 17 GDPR#1|Article 17(1) GDPR]], [[Article 25 GDPR#1|Article 25(1) GDPR]], [[Article 32 GDPR#1|Article 32(1) GDPR]] and [[Article 32 GDPR#2|Article 32(2) GDPR]]. As a result, the DPA issued a reprimand to the controller in accordance with [[Article 58 GDPR#2b|Article 58(2)(b) GDPR]]. Pursuant to [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]], the DPA also ordered the controller to erase the unprotected files containing personal data from its system.<br />
<br />
In addition to the reprimand and the order, the Sanctions Board of the DPA imposed an administrative fine of €6,500 on the controller pursuant to [[Article 83 GDPR]]. The Board considered that the controller formed a group of undertakings with two other companies, and therefore the maximum amount of the fine was calculated based on the combined turnover of the group companies.<br />
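<br />
The failure mode the DPA describes (form data sent over plain HTTP, generated PDFs left in a folder the web server exposes, and a hard-to-guess file name as the only protection) has a standard remedy: keep generated files outside the web root, hand out only signed and expiring download references, and refuse plaintext transport. The following Python module is an added illustration for this page, not code from the decision or from the controller's system; the <code>FileStore</code> class, its <code>save</code>, <code>issue_token</code>, <code>resolve</code> and <code>demo</code> functions, and the placeholder PDF bytes are all constructed for the example.<br />

```python
"""Hardened handling of generated visa forms: files live outside the web root,
are reachable only through signed, short-lived references, and only over TLS.
Added example for this page; all names here are constructed, not the controller's code."""
import hashlib
import hmac
import secrets
import tempfile
import time
from pathlib import Path
from typing import Optional


class FileStore:
    """Stores generated documents under an unguessable id outside the web root."""

    def __init__(self, storage_root: Path, web_root: Path, secret: bytes, ttl_seconds: int = 600):
        # Refuse the sanctioned layout: a folder under the document root is served by the web server.
        if storage_root.resolve().is_relative_to(web_root.resolve()):
            raise ValueError("storage_root must not be inside the web root")
        self.storage_root = storage_root
        self.web_root = web_root
        self.secret = secret
        self.ttl_seconds = ttl_seconds

    def save(self, data: bytes) -> str:
        # 256-bit random id, unrelated to applicant name, date or form sequence number.
        file_id = secrets.token_urlsafe(32)
        (self.storage_root / file_id).write_bytes(data)
        return file_id

    def issue_token(self, file_id: str, now: Optional[float] = None) -> str:
        """Signed reference that stops working after ttl_seconds."""
        exp = int((time.time() if now is None else now) + self.ttl_seconds)
        mac = hmac.new(self.secret, f"{file_id}:{exp}".encode(), hashlib.sha256).hexdigest()
        return f"{file_id}:{exp}:{mac}"

    def resolve(self, token: str, scheme: str, now: Optional[float] = None) -> Optional[bytes]:
        """Return the file for a valid token, or None. The folder itself is never listed."""
        if scheme != "https":  # plaintext HTTP is refused outright, not merely redirected
            return None
        try:
            file_id, exp_s, mac = token.split(":")
        except ValueError:
            return None
        expected = hmac.new(self.secret, f"{file_id}:{exp_s}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):  # constant-time; defeats guessed ids and forged expiry
            return None
        if int(exp_s) < (time.time() if now is None else now):
            return None
        path = self.storage_root / file_id
        if path.parent != self.storage_root or not path.is_file():  # extra guard against traversal
            return None
        return path.read_bytes()


def demo() -> dict:
    """Exercise the store on constructed data; returns a check-name -> bool map."""
    with tempfile.TemporaryDirectory() as tmp:
        web_root = Path(tmp) / "www"
        private = Path(tmp) / "private"
        web_root.mkdir()
        private.mkdir()
        store = FileStore(private, web_root, secret=secrets.token_bytes(32), ttl_seconds=600)
        # Constructed placeholder for a rendered visa form; no real applicant data.
        sample = b"%PDF-1.4\n% constructed placeholder for a rendered visa form\n"
        file_id = store.save(sample)
        t0 = 1_700_000_000.0
        token = store.issue_token(file_id, now=t0)
        flipped = token[:-1] + ("0" if token[-1] != "0" else "1")  # one hex digit of the MAC altered
        guessed = f"{file_id}:{int(t0) + 600}:{'0' * 64}"  # correct id, but no valid signature
        results = {
            "https_valid": store.resolve(token, "https", now=t0 + 60) == sample,
            "http_rejected": store.resolve(token, "http", now=t0 + 60) is None,
            "expired_rejected": store.resolve(token, "https", now=t0 + 601) is None,
            "tampered_rejected": store.resolve(flipped, "https", now=t0 + 60) is None,
            "unsigned_id_rejected": store.resolve(guessed, "https", now=t0 + 60) is None,
            "nothing_under_web_root": not any(web_root.iterdir()),
        }
        try:
            FileStore(web_root / "uploads", web_root, secret=b"irrelevant")
            results["web_root_storage_rejected"] = False
        except ValueError:
            results["web_root_storage_rejected"] = True
        return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The point the DPA makes about automated guessing is what the signed reference addresses: knowing or enumerating the file id is not enough without the server's HMAC key, a leaked reference stops working at expiry, and because the directory sits outside the web root there is nothing for a web request to browse. The transport check reflects the other finding, that form data and downloads must not travel over unencrypted HTTP at all.<br />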
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.<br />
<br />
<pre><br />
Thing<br />
<br />
Security of processing, principle of integrity and confidentiality, built-in and default data protection, right to data deletion<br />
Decisions of the Data Protection Commissioner and Sanctions Board<br />
<br />
On September 30, 2019, a complaint regarding the secure processing of personal data and the data subject's right to be forgotten was initiated in the office of the Data Protection Commissioner. The initiator has said that he suspects that the travel agency does not process the information in the electronic visa order form in the manner required by data protection regulations. The form is behind an unencrypted HTTP connection and generates a file with the applicant's personal data on the open network. The initiator has also requested the deletion of his data, but the controller has not reacted to this request.<br />
<br />
The travel agency has been declared bankrupt in January 2021. The district court has issued a decision on the bankruptcy ending in July 2021.<br />
The decision of the data protection officer in the matter concerning the security of processing, the principle of integrity and confidentiality and the right to have one's data deleted<br />
Explanation and consultation received from the registrar<br />
Request for clarification<br />
<br />
On December 17, 2019, the data protection commissioner's office sent a request for clarification to the travel agency. However, no response was received to the request for clarification, and on May 19, 2020, the chief inspector of the data protection authorized office has inquired about the situation by email and requested an answer to the request for clarification by May 26, 2020. No answer has been given.<br />
First hearing<br />
<br />
After not responding to the request for clarification, the travel agency has been reserved the opportunity referred to in § 34 of the Administrative Act (434/2003) to be heard and to express its opinion on the matter and to give its explanation of such requirements and explanations that may affect the resolution of the matter. At the same time, the data controller is given the opportunity to bring forward such matters referred to in Article 83, paragraph 2 of the General Data Protection Regulation, which, in the data controller's view, should be taken into account when making a decision. For this purpose, a consultation request has been sent to the controller on June 25, 2020 electronically and by ground mail, to which it has been asked to respond by July 15, 2020. On July 14, 2020, the inspector of the data protection authorized office contacted the data controller by phone, and reminded it to give an answer the next day at the latest. At that time, the representative of the data controller stated that the consultation request sent by e-mail had not been noticed (sent to both of the data controller's offices, Imatra and Lappeenranta), and the mail had not been picked up for a long time, because the company's offices had been closed since March. The registrar's representative has been helped to find the consultation request in the e-mail, but no response has been given to the clarification request or the consultation request submitted on June 25, 2020. In the consultation request, the data controller has been informed that the matter can be resolved, even if the data controller does not submit an answer by the end of the deadline.<br />
Second hearing<br />
<br />
On November 15, 2021, the travel agency as part of XX Oy's group has received another consultation request regarding the evaluation of the group of companies related to the travel agency as a group and as a single financial unit. In this way, the registry keeper is also provided with the opportunity referred to in § 34 of the Administrative Act (434/2003) to be heard and to express his opinion on the matter and to give his explanation of such demands and explanations that may affect the resolution of the matter. XX Oy, which belongs to the company group, has responded to the consultation request on November 30, 2021.<br />
<br />
In its response, XX Oy has stated that it has owned 40% of the travel agency's share issue, and it has not had control over the travel agency. According to XX Oy, section 5 subsection 1 point 3 of the Accounting Act does not support the interpretation that group regulation can be extended to all situations where companies have the same management or other business connections.<br />
<br />
XX Oy states that it has not actually managed the processing of personal data of a travel agency that has been engaged in travel agency business, and the travel agency has been a separate functional unit from XX Oy, which has had its own offices, separate staff, and separate information systems and customer registers. XX Oy considers that the group relationship according to the General Data Protection Regulation could only be applied to cases where the companies have a clear and verified common customer information system or other personal data processing method. YY Oy is a separate company from XX Oy.<br />
<br />
XX Oy considers the penalty payment consideration to be unreasonable. At the customer's request, the travel agency has immediately removed the relevant personal data and started to correct the information system error, which caused the customer data to be visible on the open network. The travel agency has had no staff at all who could have dealt with the customer in the requested measures.<br />
Other related clarification<br />
<br />
From spring 2021, the web search www.[matkatoimisto's name].fi will be on the website of another tour operator, ZZ Oy, which is why the Office of the Data Protection Commissioner has also requested an explanation from ZZ Oy. According to the statement given by ZZ Oy on 26 July 2021, it was only about the fact that ZZ Oy has bought the travel agency's domain name from the travel agency's bankruptcy estate, and it does not involve, for example, the handing over of customers' personal data. ZZ Oy has submitted an invoice document dated 11.3.2021 to the data protection authorized office, which shows the sale of the right to the [travel agency name] domain name from the bankruptcy estate of the travel agency to ZZ Oy.<br />
<br />
The Office of the Data Protection Commissioner has tried to hear the bankruptcy estate of the travel agency in the matter as well. For the hearing, a hearing request from the data protection authorized office has been submitted to the bankruptcy estate of the travel agency on July 13, 2021. The bankruptcy estate has stated to the data protection commissioner's office on July 13, 2021, that the travel agency's bankruptcy proceedings have expired and the bankruptcy estate has ceased, and therefore the bankruptcy estate cannot issue a statement on the matter.<br />
<br />
The CEO of the travel agency AA has been in contact with the data protection commissioner's office by phone on 17 November 2021. According to AA, all information about the initiator has been removed from the files, except for the information behind the link, which may still not be removed. In this connection, AA has pointed out that if there is a copy of the initiator's passport behind the link, the passport has already expired. During the call, it was also discussed with AA that the representative of the Data Protection Commissioner's Office helped AA's wife by phone to find the first consultation request in the email in July 2020, and that AA had told him in a previous phone conversation with the case representative on October 5, 2020, that the wife had shown him the consultation request at that time. AA has also said during the call that the mention of doing business as a group has now been removed from the website.<br />
Background information<br />
Service description<br />
<br />
Through its website, the travel agency offers the possibility to apply electronically for several different types of visas: one-, two- and three-year multiple-entry visas, single-entry and double-entry visas, and visas at the customer's own invitation. The website also offers visas for minors, but applying for them is not done directly via the online form, but the applicant is asked to contact the registrar. Group visas also primarily require contacting the registrar. Group visas are related to group travel services to Russia offered on the website, and an offer for a group trip is requested by sending an e-mail to the registrar. Visa types other than group visas and visas for minors are applied for by filling out an online form.<br />
Personal information to be filled in the visa application form<br />
<br />
Fill in the electronic visa application form with last name, first names, e-mail address, phone number, passport number, employer/place of study, work/position, home address, purpose of trip, travel insurance number and desired visa validity period. After submitting the online form information, the customer must print the order form and send or bring it to the travel agency together with the passport, passport photo and travel insurance certificate.<br />
Preliminary IT assessment of the case<br />
<br />
The travel agency's website, including the visa application forms, is not encrypted, but the registrar processes personal data using the unencrypted HTTP protocol. Thus, third parties' access to personal data has not been blocked, and the information transmitted to the form travels openly on the Internet.<br />
Site ownership and operating hours<br />
<br />
According to information obtained from Traficom's domain name register, the domain name [name of travel agency].fi was registered in February 2006 and has been with the same user since then. The website itself has been copyrighted 2013.<br />
Turnover and number of customers<br />
<br />
The travel agency's turnover in the fiscal year 1 July 2019 – 30 June 2020 was EUR 688,357.57.<br />
<br />
Since the data controller has not cooperated with the supervisory authority in any way, it has not been possible to determine the number of customers.<br />
Ownership of a travel agency<br />
<br />
According to trade register information, the CEO of the travel agency and the actual member of the board is AA. AA is also the CEO and board member of travel agency WW Oy, the CEO and board member of XX Oy, and the CEO and board member of Kuljetusliike YY Oy.<br />
<br />
According to the travel agency's business tax return, the travel agency's shareholders are XX Oy (100 shares), BB (100 shares) and CC (50 shares).<br />
<br />
In XX Oy's business tax return, AA is listed as the company's sole shareholder. In the tax declaration of YY Oy's business activities, XX Oy is listed as the sole shareholder of the company.<br />
<br />
According to YY Oy's website, XX Oy's group includes XX Oy and a travel agency.<br />
<br />
According to an update published on YY OY's social media in 2015, XX Oy and YY Oy belong to the same group of companies.<br />
Bankruptcy of a travel agency<br />
<br />
The travel agency has been declared bankrupt in January 2021. The district court has issued a decision on the bankruptcy ending in July 2021. According to the reasons for the district court's decision, the assets of the bankruptcy estate are not sufficient to cover the costs of the bankruptcy proceedings.<br />
On applicable legislation<br />
<br />
The General Data Protection Regulation (EU) 2016/679 of the European Parliament and the Council (data protection regulation) has been applied since 25 May 2018. As a regulation, the legislation is immediately applicable law in the member states. The Data Protection Regulation contains national leeway, on the basis of which national legislation can be used to supplement and clarify matters specifically defined in the regulation. The general data protection regulation is specified by the national data protection act (1050/2018), which has been applied since January 1, 2019. The previously valid Personal Data Act (523/1999) was repealed by the Data Protection Act.<br />
<br />
Article 5(1)(f) of the General Data Protection Regulation provides for the principle of integrity and confidentiality. The principle requires that personal data must be processed in a way that ensures appropriate security of personal data, including protection against unauthorized and unlawful processing and against accidental loss, destruction or damage using appropriate technical or organizational measures.<br />
<br />
According to Article 17(1) of the General Data Protection Regulation, the data subject has the right to have the data controller delete personal data concerning the data subject without undue delay, and the data controller has the obligation to delete personal data without undue delay, provided that one of the criteria listed in the article is met.<br />
<br />
According to Article 25(1) of the General Data Protection Regulation, taking into account the state-of-the-art technology and implementation costs, as well as the nature, scope, context and purposes of the processing, as well as the risks caused by the processing, which vary in probability and severity, to the rights and freedoms of natural persons, the controller must effectively implement the data protection principles in connection with the determination of the processing methods and the processing itself, such as data minimization, for the implementation of appropriate technical and organizational measures, such as pseudonymization of data and the necessary protective measures, in order to include them in the processing and so that the processing meets the requirements of this regulation and the rights of data subjects are protected.<br />
<br />
According to Article 32(1) of the General Data Protection Regulation, taking into account the latest technology and implementation costs, the nature, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of natural persons, which vary in probability and severity, the controller and personal data processor must implement appropriate technical measures to ensure a level of security corresponding to the risk and organizational measures. According to paragraph 2 of the article, when assessing the appropriate level of security, special attention must be paid to the risks involved in the processing, especially due to the accidental or illegal destruction, loss, alteration, unauthorized disclosure or access to personal data of transferred, stored or otherwise processed personal data.<br />
A legal issue<br />
<br />
The Data Protection Commissioner assesses and resolves the matter on the basis of the aforementioned General Data Protection Regulation (EU) 2016/679 and the Data Protection Act (1050/2018).<br />
<br />
The following must be assessed:<br />
<br />
1) for the visa order form webpage: is the HTTP protocol without protection in this context a sufficient technical measure in accordance with the principle of integrity and confidentiality of Article 5(1)(f) of the General Data Protection Regulation, Article 25(1) (built-in and default data protection) and Article 32(1) and to meet the requirements of paragraph 2 (security of processing);<br />
<br />
2) regarding the storage and maintenance of the completed online form: does the storage of personal data on a web server open to the Internet without access control meet the requirements from articles 5(1)(f), 25(1) and 32(1) and 32(2); and<br />
<br />
3) whether the data controller has properly exercised the registered person's right to have their personal data deleted in accordance with Article 17(1) of the General Data Protection Regulation<br />
Decision of the Data Protection Commissioner<br />
The notice and order bring processing operations into compliance with the General Data Protection Regulation<br />
<br />
The Data Protection Commissioner gives the data controller an order in accordance with Article 58(2)(d) of the General Data Protection Regulation to remove unprotected files containing personal data from the network<br />
<br />
Since the travel agency's website is no longer operational, the Data Protection Commissioner does not consider it appropriate to give the data controller an order in accordance with Article 58, paragraph 2, subparagraph d of the General Data Protection Regulation to bring the processing operations into compliance with the provisions of the General Data Protection Regulation with regard to the protection of the visa order form website.<br />
<br />
The Data Protection Commissioner gives the data controller a notice in accordance with Article 58, paragraph 2, subparagraph b of the General Data Protection Regulation regarding processing actions contrary to the provisions of the General Data Protection Regulation regarding insufficient protection of the visa order form web page, failure to exercise the data subject's rights and storage of the online form containing personal data on a web server open to the Internet.<br />
<br />
The data protection commissioner leaves the appropriate measures to the discretion of the data controller, but orders a report on the measures taken to be submitted to the data protection commissioner's office by February 15, 2022, or no later than six weeks after notification of the decision, unless it applies for an amendment to this decision.<br />
Administrative penalty fee<br />
<br />
According to Section 24 of the Data Protection Act, the administrative fine stipulated in Article 83 of the General Data Protection Regulation (administrative penalty fee) is determined by the sanctioning board formed by the data protection commissioner and deputy data protection commissioners. The matter concerning the travel agency is given to the sanctioning board to decide, and the sanctioning board must therefore assess whether the controller must be ordered to pay an administrative penalty in accordance with Article 58, paragraph 2, subparagraph i of the General Data Protection Regulation, in addition to the notice and order given by the data protection commissioner.<br />
Reasons for the decision<br />
<br />
The travel agency's websites, including the visa application forms, are not properly encrypted, but the data controller processes personal data using the unencrypted HTTP protocol. Therefore, third parties' access to personal data has not been prevented in an appropriate manner, and the information transmitted to the form travels openly on the Internet. The mechanics of the form also collects the information written on the form and puts them as a PDF file in a file folder on the same web server, which is open to the web.<br />
<br />
Due to the negligence of the controller, personal data is particularly vulnerable to hackers. The average user's access to the data would require that he obtains a link through which the data of the visa form can be accessed on the registrar's web server. The Office of the Data Protection Commissioner has tested whether there is direct access to the travel agency's web server and found that this is not the case. Therefore, the contents of the file folder on the web server cannot be directly browsed, but the file requester must know or guess the name of the PDF file in order to get the information. However, the fact that the name of a file processed openly on the Internet is difficult to guess from the point of view of an average user cannot be considered an effective means of protection, because the process of going through the different file name options can be automated. The availability of data that is openly available online is therefore not under the sole control of the data controller. Regarding the controller's control, it is also clear that the controller is not the only entity that knows the names of the files in the folder and how they are formed: the folders exist specifically for the purpose of transmitting information to other parties.<br />
<br />
The data controller has not submitted to the data protection commissioner's office that it has other protection mechanisms in place, such as restricting traffic or access control. Consequently, the visa information is freely available on the public internet, which cannot be considered to meet the requirements for the protection of personal data from the General Data Protection Regulation. In addition, it can be noted that the responses given by the data controller to the initiator show a lack of awareness of the actual operation of their own service, and the data controller states in the e-mail conversation forwarded by the initiator, among other things, that the uploads folder is not public, and the information is not on the open network. The registrar also describes guessing the network path of the folder as "pretty much impossible". It should also be noted that the information to be filled in the visa application form includes the passport number, which, especially when combined with key personal information, exposes the registered person to identity theft. Personal data should be protected with measures determined in accordance with a risk-based approach throughout the life cycle of their processing, and in this case the controller has neglected to take care of protection both when storing the data on the web server and in connection with data transfer (transfer from the customer to the web server and transfer from the web server to the receiving entity).<br />
<br />
Based on the above, it must be considered that the controller's actions clearly violate Article 5 (principle of integrity and confidentiality) and Article 32 (security of processing) of the General Data Protection Regulation. The principle of integrity and confidentiality requires that personal data is processed in a way that ensures its appropriate security, including protection against unauthorized and unlawful processing and against accidental loss, destruction or damage using appropriate technical or organizational measures. The controller should therefore constantly evaluate its processing operations and their adequacy from the point of view of personal data protection. Article 32 on data security, on the other hand, requires the data controller to implement appropriate technical and organizational measures to ensure a level of security corresponding to the risk. In assessing the appropriate level of security, special attention must be paid to the risks involved in the processing, especially due to the accidental or illegal destruction, loss, alteration, unauthorized disclosure or access to personal data of transferred, stored or otherwise processed personal data. The concept of data security includes the elements of both integrity (preserving data in its correct form) and confidentiality (preventing outsiders from accessing data), and personal data registered in data secure processing should only be usable by persons authorized to use it, not openly available on the internet. Both articles are also connected to the requirement of built-in and default data protection (Article 25 of the General Data Protection Regulation), which is about a data protection-centric approach, and taking data protection into account right from the start of operations. Also regarding that, it can be stated that the controller has not implemented preventive measures that would correspond to the principles from this article.<br />
<br />
In addition to assessing the adequacy of protection measures, a position must be taken on the implementation of the data subject's rights. Regarding that, it can be stated, first of all, that Article 17 of the General Data Protection Regulation provides for the data subject's right to have his personal data held by the data controller deleted, and the initiator has submitted an appropriate request to the data controller to remove the insufficiently protected file containing his personal data from the network. However, the controller should delete such unprotected files already based on Articles 32 and 5 of the General Data Protection Regulation, even without a request made by the data subject on the basis of Article 17. However, the controller has not taken action on his own initiative, or even to implement the request made by the data subject. Thus, it has also violated Article 17 of the General Data Protection Regulation.<br />
<br />
According to Section 24 of the Data Protection Act, the administrative penalty fee is determined by the penalty panel formed by the data protection commissioner and deputy data protection commissioners, which has issued the following decision on imposing the penalty fee.<br />
Sanctions board's decision on an administrative fine (administrative penalty payment)<br />
Registrar<br />
<br />
Travel agency as part of the XX Oy group<br />
Decision of the Sanctions Board<br />
<br />
The Sanctions Board considers that the notice issued by the Data Protection Commissioner, the notice pursuant to Article 58, paragraph 2, subparagraph b, and the order pursuant to subparagraph d, of the General Data Protection Regulation are not a sufficient sanction, taking into account the nature and seriousness of the violation.<br />
<br />
The sanctioning board formed by the data protection commissioner and deputy data protection commissioners orders the data controller to pay the state an administrative penalty fee of 6,500 (six thousand five hundred) euros pursuant to article 58, paragraph 2, subparagraph i and article 83 of the general data protection regulation.<br />
Allocation of the administrative penalty fee<br />
Group structure<br />
<br />
According to company information, the travel agency has a close connection to XX Oy and YY OY, which is why it has been assessed in the case whether the companies form a group. According to Article 4, paragraph 19 of the General Data Protection Regulation, the group means a company exercising control and the companies under its control. Introductory paragraph 37 of the General Data Protection Regulation states as follows:<br />
<br />
The group should cover both the company exercising control and the companies controlled by it, so that the company exercising control is the one that has control over another company, for example based on ownership, participation in financing or the company's rules, or has the authority to enforce the rules on the protection of personal data. A company that manages the processing of personal data in companies connected to it should be considered a group.<br />
<br />
According to Chapter 8, Section 12 of the Limited Liability Companies Act (624/2006), if the limited liability company has controlling authority as referred to in Chapter 1, Section 5 of the Accounting Act, in another domestic or foreign entity or foundation, the limited liability company is the parent company and the controlling entity is a subsidiary. The parent company and its subsidiaries form the group. A limited liability company has control over another entity or foundation also when the limited liability company together with one or more of its subsidiaries or the subsidiary alone or together with other subsidiaries has the control referred to in Chapter 1 § 5 of the Accounting Act. According to Chapter 1 § 5 of the Accounting Act (1336/1997), the person responsible for accounting is considered to have control over another person responsible for accounting based on the number of votes or the right to appoint and dismiss members, or if the person responsible for accounting otherwise actually exercises control over the target company.<br />
<br />
In the case under review, the CEO of both the parent company (XX Oy) and the companies under its control (YY Oy and travel agency) is the same person, AA. In the tax declaration of parent company XX Oy's business activities, AA is listed as the company's sole shareholder. In the tax return of YY Oy's business activities, the company's sole shareholder is XX Oy, which, as stated above, is owned by AA. According to the travel agency's business tax return, the travel agency's shareholders are XX Oy (100 shares), BB (100 shares) and CC (50 shares). In the extract from the travel agency's trade register, the official member of the travel agency's board is AA and the deputy member is DD (no other members).<br />
<br />
Based on the report obtained in the case, it is not possible to evaluate the fulfillment of the criteria according to the first two paragraphs of Chapter 1, Section 5.1 of the Accounting Act. However, the ownership structure and the registrar's own declaration of the group formed by the companies found on YY Oy's website are a strong indication that the arrangement between the companies meets at least the requirements of Chapter 1, Section 5.1, Paragraph 3 of the Accounting Act, and XX Oy therefore has control over YY Oy and in a travel agency limited company. It must also be considered that the allocation of ownership and decision-making power to the same person and the consequent concentration of personal data management on the same entity fulfills the requirements of the General Data Protection Regulation to assess companies as a group and thus as a controller responsible for the processing of personal data. In the case, it is also justified to consider that the same body has the authority to implement the rules regarding the protection of personal data.<br />
<br />
The Sanction Board notes that no consolidated financial statements have been prepared for the companies in accordance with Chapter 8, Section 9 of the Limited Liability Companies Act. The Sanction Board further notes that a small group is considered to be a group that exceeds at most one of the limit values stipulated in Chapter 1 § 4 a of the Accounting Act, and there is no need to prepare consolidated financial statements for a small group. Therefore, based on the information obtained in the investigation of the case, it can be considered that the group built around XX Oy is a small group that does not have the obligation to prepare consolidated financial statements, and the absence of consolidated financial statements is therefore not relevant in resolving the matter.<br />
Allocation of the fine<br />
<br />
According to introductory paragraph 150 of the General Data Protection Regulation, "When fines are imposed on a company, the company should be understood as a company in accordance with Articles 101 and 102 EUT". In connection with the determination and allocation of the fine according to Article 83 of the General Data Protection Regulation, in the case under review, it is therefore justified to also examine the competition law jurisprudence and especially the definition of the company and the allocation of responsibility that comes from it.<br />
<br />
The Treaty on the Functioning of the European Union (TFEU) does not define the concept of a company, but the definition has been formulated in the jurisprudence of the EU courts. Therefore, the initial basic definition of a company can be considered a unit engaged in economic activity that offers goods or services in a certain market. The concept of a company can then mean an economic unit, even if the economic entity is made up of more than one natural person or legal entity.<br />
<br />
In assessing whether several different companies can be considered a single economic unit, the so-called Single Economic Entity doctrine is applied in EU competition law. This essentially includes an assessment of whether one company has the opportunity to influence the decision-making of another company to the extent that the latter does not have a real autonomous position when deciding on its commercial activities in the market. In this assessment, the parent company's ownership in the subsidiary, the company's management, and the extent to which the parent company influences the subsidiary's operations or instructs the subsidiary can be examined. In the review, it must also be taken into account that the fact that it is not a wholly owned subsidiary of the parent company does not mean that it cannot be a financial entity referred to in competition law.<br />
<br />
The industries and actual operations represented by XX Oy, YY Oy and the travel agency form a functional entity that serves travelers to Russia. The companies have a common interest, there are clear financial and organizational connections between the companies, and the management, ownership and decision-making power of the companies are largely concentrated in one person. Therefore, it is justified to consider that the travel agency is not an autonomous, independent operator, but rather the travel agency forms a unit that carries out economic activities with XX Oy and YY Oy. At this point, it can also be noted that the ruling practice of the EU Court has emphasized that the subsidiary's separate legal personality is not sufficient to rule out the possibility of attributing the subsidiary's activities to the parent company. This is especially the case when the subsidiary – even if it has a different legal personality – does not independently decide on its market behavior, but essentially follows the instructions given to it by its parent company.<br />
<br />
In this case, the Sanctions Board of the Office of the Data Protection Commissioner considers it justified to interpret the definition of a company in accordance with the intention of the European legislator as it is determined on the basis of articles 101 and 102 EUT. The sanctioning panel of the Office of the Data Protection Commissioner considers, based on the grounds presented above, that the administrative penalty payment should be aimed at the economic activity unit formed by XX Oy, YY Oy and the travel agency. The maximum amount of the administrative penalty fee should therefore also be calculated based on the combined turnover of the companies.<br />
<br />
In the resolution of the case, the sanctions panel of the data protection authorized office noted that the travel agency's turnover in the financial period 1.7.2019 – 30.6.2020 was 688,357.57 euros, XX Oy's turnover was 0 euros in the financial period 1.7.2020 – 30.6.2021, and YY Oy's turnover has been 210,767.48 euros in the financial period 1 July 2020 – 30 June 2021. The combined turnover is therefore EUR 899,125.05.<br />
Reasons for imposing an administrative penalty<br />
<br />
Article 83 of the General Data Protection Regulation provides for the general conditions for imposing administrative fines. According to the article, the imposition of administrative fines must be effective, proportionate and dissuasive in each individual case. Administrative fines are imposed according to the circumstances of each individual case in addition to or instead of the remedial powers provided for in Article 58. When deciding on the imposition of an administrative fine and the amount of the administrative fine, the factors listed in Article 83, paragraph 2 of the General Data Protection Regulation must be taken into account in each individual case.<br />
<br />
When evaluating the matter, the instructions of the data protection working group according to Article 29 on the application and imposition of administrative fines are also taken into account.<br />
<br />
In the case in question, it has been considered that the data controller has violated Articles 5(1)(f) (principle of integrity and confidentiality), 17(1) (right to delete data), 25(1) (data protection by design and by default) and 32(1) and 32(2) (security of processing) of the General Data Protection Regulation by not taking care of the data subject's rights and the website's security measures.<br />
The nature and seriousness of the breach<br />
<br />
The nature and seriousness of the violation is assessed in light of the factors according to Article 83(2)(a) of the General Data Protection Regulation.<br />
The nature and seriousness of the breach<br />
<br />
The matter is not a minor violation referred to in preamble paragraph 148 of the General Data Protection Regulation, and the violation aimed at the implementation of the data subject's rights and the security of the processing of personal data constitutes a significant risk to the data subject's rights in the case being evaluated and affects the essential content of the violated obligations. The scope and purpose of the data processing also support the evaluation of the violation as serious, so that the notice according to Article 58, paragraph 2, subparagraph b and the order according to subparagraph d of the General Data Protection Regulation cannot be considered as a sufficient sanction for the data controller.<br />
<br />
The domain name [name of the travel agency].fi was registered in February 2006. In this case, it must be considered very unlikely that the security measures would have been stronger before 2019 (the date of implementation) than they are now. The grievance has thus clearly existed longer than the period of application of the General Data Protection Regulation, and the period cannot be considered short. The long-term nature of the violation must be considered a justification for imposing an administrative penalty.<br />
<br />
The supervisory authority does not have information on the number of registered users, as the data controller has not responded to the data protection commissioner's request for clarification or consultation. According to the search engine results, the travel agency has several competitors that can be compared to it. When searching for example with the words "Visa to Russia", the travel agency's information typically does not appear on the first page in the search results of various search engines. In terms of pricing, the company does not stand out from its competitors, which are listed in the top results of search engines, of which there are several. Based on this information alone, the company cannot be considered, for example, a leading player in the field or the obvious choice for registered users who need a Russian visa. However, based on the nature of the violation, the long period of operation and turnover data, the sanctioning board considers that a significant amount of personal data has moved through the site and that the violation has been systematic, not isolated. The systematicity of the violation and the impact of the violation on numerous data subjects must be considered as grounds in favor of imposing an administrative penalty fee.<br />
<br />
According to the data available to the Data Protection Commissioner's office, the data subjects have not suffered concrete financial or other material damage as a result of the violation in question. However, the occurrence of material damage is not a condition for imposing a fine, and the data subject can also, for example, demand compensation according to Article 82 of the General Data Protection Regulation, regardless of the imposition of a fine.<br />
<br />
In the assessment of damages caused to registered persons, the decision of the Supreme Court KKO:1998:85 must also be taken into account, where informed self-determination has been emphasized and stated that the wording of the personal registration offense referred to in Section 43 of the Personal Registration Act (471/1987), which has since been repealed, showed that the violation of the protection of privacy of informed self-determination as a contrary procedure meant causing the damage or harm required by law. This is still true. A mere breach of privacy means causing harm or inconvenience. The condition is not the occurrence of financial or other material damage per se, although the occurrence of such damages is taken into account in accordance with the provisions of Article 83, paragraph 2, letter a of the General Data Protection Regulation, when imposing an administrative penalty fee and deciding on its amount.<br />
<br />
The controller must therefore be considered to have violated the rights of the data subjects according to the General Data Protection Regulation, as a result of which the data subjects have suffered damage.<br />
Assessment of aggravating and mitigating factors<br />
Intentional or negligent breach<br />
<br />
The problems related to the encryption of the website and personal data have been verifiably brought to the notice of the controller in July 2019, when the initiator contacted it. Despite this, it has not taken the necessary technical and organizational measures to remedy the matter. It can also be seen from the responses given by the controller to the initiator that it has not found out about the minimum requirements for the protection of the website acting as a channel for collecting personal data (the data has been reported to be protected and guessing the link has been described as "pretty much impossible"). It would seem to be a matter of lack of understanding and carelessness, as a result of which personal data has been available online without adequate technical protection. The registry keeper has not taken any action following the supervisory authority's contacts either, and therefore there are no mitigating grounds for its operation in this regard. The registrar's passivity in taking corrective measures and disregard for data protection regulations must be considered an aggravating factor in the case.<br />
Actions taken by the registrar to mitigate the damage caused to the data subjects<br />
<br />
In the assessment of damages caused to registered persons, the decision of the Supreme Court KKO:1998:85 must be taken into account, which emphasized informed self-determination and stated that the wording of the personal registration offense referred to in Section 43 of the Personal Registration Act (471/1987), which has since been repealed, showed that violating the protection of privacy as a violation of informed self-determination as a procedure meant causing the damage or harm required by law. This is still true. A mere breach of privacy means causing harm or inconvenience. The condition is not the occurrence of financial or other material damage per se, although the occurrence of such damages is taken into account in accordance with the provisions of Article 83, paragraph 2, letter a of the General Data Protection Regulation, when imposing an administrative penalty fee and deciding on its amount. In the selection of the type, it has therefore been taken into account that the data controller must be considered to have violated the rights of the data subjects according to the General Data Protection Regulation, as a result of which the data subjects have suffered damage.<br />
<br />
Regarding the measures taken by the data controller to mitigate the damage, it can be stated that the data controller has not taken any steps to mitigate the damage caused to the data subject. The registrar's inactivity in these respects must be considered an aggravating factor in the case.<br />
The degree of responsibility of the controller, taking into account the technical and organizational measures taken by it pursuant to Articles 25 and 32<br />
<br />
The controller has not implemented technical measures that specifically correspond to the principles of built-in and default data protection, and it has not ensured the implementation of built-in and default data protection at all organizational levels with technical and organizational measures. The controller has not ensured that it has appropriate procedures in place to ensure the security of personal data processing and for the effective implementation of the data subject's rights, and it has not taken into account the risk to the rights and freedoms of natural persons caused by the lack of procedures. It was a systematic error by the registrar. Neglect of appropriate technical and organizational measures must be considered an aggravating factor in the case.<br />
Previous similar violations by the controller<br />
<br />
No similar violations have come to the attention of the supervisory authority.<br />
Cooperation with the supervisory authority<br />
<br />
The registrant has not cooperated with the supervisory authority in any way; during the investigation of the matter, it has not responded to any contacts with the exception of one phone call (July 14, 2020). At this point, the sanctioning board of the data protection authorized office pays special attention to the fact that the data controller's inactivity had already started before the corona pandemic and the start of the bankruptcy proceedings. The registry keeper's passivity in investigating the matter must be considered an aggravating factor.<br />
Personal data groups affected by the breach<br />
<br />
The applicant fills in the electronic visa application form with information about surname, first name, e-mail address, telephone number, passport number, employer/place of study, position/office, home address, purpose of trip, travel insurance number and desired visa validity period. After submitting the online form information, the customer must print the order form and send or bring it to the travel agency together with the passport, passport photo and travel insurance certificate. Insufficiently protected data is therefore not data according to Articles 9 or 10 of the General Data Protection Regulation, and judging from the information available on the website, the visa application forms have not included the personal data of minors or the applicants' personal identification numbers either. This must be considered a mitigating factor in the case. In this case, however, special attention must be paid to the fact that the information to be filled in on the form has included information about the passport number. The passport number, especially when combined with key personal data, is a risk factor that exposes the registered person to identity theft when it ends up in the wrong hands. This fact must be considered an aggravating factor in the case.<br />
The way in which information about the violation came to the attention of the supervisory authority<br />
<br />
The information has come to the supervisory authority through a complaint, not from the data controller's own notification. In accordance with a risk-based approach, the controller should independently assess whether its operations involve risks regarding the processing of personal data, and it is not possible to pass this responsibility on to customers or the supervisory authority. No mitigating factors can be found in this regard, and the neglect of risk-based assessment and the transfer of this responsibility to the registered and the supervisory authority in practice must be considered an aggravating factor in the case.<br />
Possible other aggravating or mitigating factors applicable to the case, such as possible financial benefits obtained directly or indirectly from the violation or losses avoided by the violation<br />
<br />
The registrar has saved costs by leaving the site's protection to minimum measures. For example, the appropriate certificate and computing capacity required by the HTTPS protocol, which is generally used to protect data traffic, bring clear additional costs to the data controller. In addition, the complexity of the online service may require financial investment in expertise and maintenance, among other things. However, the registrant cannot be considered to have achieved a financial profit with his method of operation.<br />
<br />
In this case, it must also be noted that the controller would have a huge number of different technical possibilities available to protect the customer's personal data. However, the secret links in use now are a significantly worse data security control than even a weak password.<br />
Summary<br />
<br />
According to Article 83(1) of the General Data Protection Regulation, the fine must be effective, proportionate and dissuasive. The assessment is made based on the circumstances of each individual case. When examining an individual case, it must be assessed whether the aim is only to change the activity to comply with the law, or whether it is justified to set the goal of punishing the controller for illegal activity. Regarding the amount of the fine, on the other hand, it must be taken into account whether the violation concerns the articles of the General Data Protection Regulation listed in Article 83(4) of the General Data Protection Regulation or Article 83(5) of the Regulation. Grading into two different categories forms the framework for setting the maximum amount of the fine, and the general data protection regulation does not specify fine amounts by type of violation, for example. In turn, the combined effect of all factors mentioned in Article 83(2) is taken into account in the assessment of the seriousness of the violation.<br />
<br />
In the case of the data controller, it is justified to set the goal of both making the operation legal and drawing the data controller's attention to the illegality of the operation with a financial penalty. Because the violation has been long-lasting and, taking into account the turnover data, it can also be reasonably assumed to have affected numerous data subjects, and because the data controller has not taken any measures after becoming aware of the shortcomings, and the reason behind the violation can therefore be considered to be either the data controller's lack of understanding or indifference to compliance with the data protection regulations, simply bringing the operation into compliance with the requirements of the data protection regulations cannot be considered sufficient in this individual case. This point of view is also strongly supported by the reluctance of the data controller to cooperate with the supervisory authority and the fact that it has been a violation of the regulation and data protection principles regarding the rights of the data subject. The registrar has also not taken any measures to correct the problems.<br />
<br />
In the case of the data controller, the upper limit of the fine in euros is formed in accordance with Article 83(5) of the General Data Protection Regulation, because the violation concerns both provisions covered by Article 83(4) of the General Data Protection Regulation (violated articles: 25 and 32) and provisions covered by Article 83(5) of the General Data Protection Regulation (violated articles: 5 and 17). Failure to fulfill the obligations arising from Articles 5 and 17 must thus be assessed as a more serious violation, and it is possible to apply Article 83(5) of the General Data Protection Regulation when determining the overall penalty. In the amount of the fine, it must be taken into account that it fulfills the requirement of Article 83(1) of the General Data Protection Regulation regarding the warning effect of an administrative fine.<br />
<br />
As aggravating factors, the following must be taken into account in the assessment: the controller's passivity in handling the case, the controller's passivity in taking corrective measures, the controller's disregard for data protection regulations, neglect of risk-based assessment of operations, the systematicity of the violation, the intent of the violation, the controller's passivity in taking measures to mitigate the damage caused to the data subject, the controller's passivity in implementing appropriate technical and organizational measures, as well as the targeting of the violation at data the misuse of which will result in clear harm to the data subject. As mitigating factors, it can be taken into account that the personal data does not involve information in accordance with Articles 9 and 10, and that the website has not collected information of minors or applicants' personal identification numbers. In evaluating the data controller's inactivity, the sanctioning board of the data protection commissioner's office has drawn attention to the fact that the industry represented by the data controller has suffered from exceptional circumstances due to the corona epidemic. However, the data controller's passivity in correcting the complaints reported to it by the initiator and in cooperating with the supervisory authority began even before the exceptional circumstances, and the data controller has also not responded to the supervisory authority's phone call to provide an explanation. Therefore, in the case of the data controller, the exceptional circumstances do not form a basis for evaluating the data controller's activities differently.<br />
<br />
In accordance with Article 83(5)(b) of the General Data Protection Regulation, an administrative fine of up to EUR 20,000,000 or, in the case of a company, four percent of the total global annual turnover of the previous financial year, whichever of these amounts is greater, is imposed in accordance with paragraph 2 for the violation of the rights of registered persons according to Articles 12 to 22. Even though the General Data Protection Regulation has been applied only since 25 May 2018, and the Personal Data Act did not contain a corresponding fine provision, it is possible to impose a fine for a so-called continuous violation, and thus it is also possible to take into account a violation prior to the start of the application of the General Data Protection Regulation.<br />
<br />
In the consultation request delivered to the data controller on June 25, 2020, the data controller has been informed that the matter can be resolved even if the data controller does not submit an answer by the end of the deadline.<br />
<br />
The decision to impose an administrative fine has been made by the members of the data protection commissioner's sanctioning board.<br />
</pre></div>Fredhttps://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_TSV/224/2023Tietosuojavaltuutetun toimisto (Finland) - TSV/224/20232024-03-04T08:42:47Z<p>Nzm: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Finland<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFI.png<br />
|DPA_Abbrevation=Tietosuojavaltuutetun toimisto<br />
|DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland)<br />
<br />
|Case_Number_Name=TSV/224/2023<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Finlex<br />
|Original_Source_Link_1=https://www.finlex.fi/fi/viranomaiset/tsv/2024/20242103<br />
|Original_Source_Language_1=Finnish<br />
|Original_Source_Language__Code_1=FI<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=07.06.2023<br />
|Date_Decided=19.02.2024<br />
|Date_Published=29.02.2024<br />
|Year=2024<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 5(1)(e) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1e<br />
|GDPR_Article_2=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#1c<br />
|GDPR_Article_3=Article 12(2) GDPR<br />
|GDPR_Article_Link_3=Article 12 GDPR#2<br />
|GDPR_Article_4=Article 12(6) GDPR<br />
|GDPR_Article_Link_4=Article 12 GDPR#6<br />
|GDPR_Article_5=Article 25(2) GDPR<br />
|GDPR_Article_Link_5=Article 25 GDPR#2<br />
|GDPR_Article_6=Article 58(2)(c) GDPR<br />
|GDPR_Article_Link_6=Article 58 GDPR#2c<br />
|GDPR_Article_7=Article 58(2)(d) GDPR<br />
|GDPR_Article_Link_7=Article 58 GDPR#2d<br />
|GDPR_Article_8=<br />
|GDPR_Article_Link_8=<br />
|GDPR_Article_9=<br />
|GDPR_Article_Link_9=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=[https://gdprhub.eu/index.php?title=User:Fred fred]<br />
|<br />
}}<br />
<br />
The DPA held that a controller cannot systematically request data subjects to submit a signed form and a copy of their ID for an access request, as facilitating the data subject's rights under the GDPR requires a case-by-case assessment.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The Finnish DPA was notified that a provider of first aid training ("controller") had requested the data subject to submit by email a signed form and a copy of their ID in order to exercise the right of access. The data subject made an access request but did not provide the filled-in form and a copy of their ID. Therefore, the controller did not provide access to the personal data.<br />
<br />
The DPA had asked the controller to explain how it facilitated the exercise of data subject rights. In addition, the DPA also asked the controller to clarify how long it retained personal data.<br />
<br />
In response to the request, the controller clarified that it could not confirm the identity of the data subject because the access request had been submitted by email, which only contained the name and email address of the data subject. Therefore, the controller could not fulfill the request, because the data subject had not agreed to submit the signed information request form or to identify themselves as requested by the controller.<br />
<br />
Concerning the retention periods, the controller stated that the completed training was valid for three years and that the personal data would be erased two years after the end of the validity period.<br />
<br />
=== Holding ===<br />
On the basis of the information provided by the controller, the DPA considered that the controller's method of identifying the data subject was not based on a case-by-case assessment and that requesting a copy of the identity document was a standard means of identification.<br />
<br />
The DPA emphasised that the controller's possibility to request additional information to confirm the identity of the data subject in accordance with [[Article 12 GDPR#6|Article 12(6) GDPR]] must not lead to unreasonable requirements and the collection of personal data that is not necessary to verify the connection between the data subject and the personal data requested.<br />
<br />
The DPA found that the controller had not facilitated the exercise of data subject rights in accordance with [[Article 12 GDPR#2|Article 12(2) GDPR]], as requiring the data subject to submit a signed form and a copy of their ID imposed an unreasonable effort on them.<br />
<br />
The DPA also noted that, based on the retention period determined by the controller, it should have erased the data subject's personal data even before the data subject's access request.<br />
<br />
On the basis of the information gathered, the DPA held that the controller had violated [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]], [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]], [[Article 12 GDPR#2|Article 12(2) GDPR]], [[Article 12 GDPR#6|Article 12(6) GDPR]] and [[Article 25 GDPR#2|Article 25(2) GDPR]]. <br />
<br />
In accordance with [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]], the DPA ordered the controller to comply with the data subject's access request. Pursuant to [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]], the DPA also ordered the controller to amend its identity verification policy to comply with the aforementioned provisions of the GDPR and to erase personal data older than the specified retention period without undue delay.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.<br />
<br />
<pre><br />
Decision of the Deputy Data Protection Commissioner<br />
Matter<br />
<br />
Submitting a request for the registered right of inspection and confirming the registered person's identity, as well as the legality and storage period of the processing of the registered person's personal data<br />
Registrar<br />
<br />
First aid training organizer<br />
The requirements of the registered person with reasons<br />
<br />
The data subject has asked the data protection commissioner's office to assess whether the data controller is acting in accordance with the General Data Protection Regulation of the European Parliament and of the Council ((EU) 2016/679) when asking the data subject to send a signed information request form and a copy of the identity document by email in order to exercise the right of inspection to confirm the identity of the data subject.<br />
<br />
The data subject has considered that the additional information required by the data controller to confirm the identity is not justified and appropriate in relation to the personal data of the data subject that the data controller processes. The registered person has considered that the procedure of the controller is not in accordance with the principles regarding the processing of personal data. According to the registered opinion, the controller has also not made it easier for the data subject to exercise his rights.<br />
<br />
The registered person has also stated that, in his opinion, he has not received an appropriate explanation from the controller on the basis of the processing of his personal data. The registered person has doubts about the legality of the processing of his personal data. According to the information given by the controller to the registered person by e-mail, the basis for processing personal data is either a contract or a legitimate interest. The registered person has considered that neither of these processing grounds is applicable in his case.<br />
Statement received from the controller<br />
<br />
The controller has been requested to provide a statement on the matter on June 7, 2023. The controller has submitted its statement to the data protection commissioner's office on June 20, 2023.<br />
<br />
The controller has confirmed that it has received the information request submitted by the data subject. According to the controller, it has not been able to confirm the identity of the data subject, because the data subject submitted the request for information by e-mail, which only shows the first and last name and e-mail address of the data subject. The controller has stated that it instructed the data subject to send a signed information request form and to identify himself by sending a copy of his identity card by e-mail. The controller has stated that it offered the data subject an alternative option to identify himself electronically in the Visma Sign service. The data controller has stated that it has not been able to fulfill the data subject's request for access to the data, because the data subject has not agreed to submit a signed information request form and to identify himself as required by the data controller.<br />
<br />
The controller has stated that requesting an identity document ensures that the requester is the data subject and that the requested information is delivered to the right person. The controller's practice is evident from the register information request form submitted as an attachment to the controller's statement, which states that a copy of the identity document must be attached to the request.<br />
<br />
The controller has further stated that the processing of the data subject's personal data is based on a contract. According to the controller's statement, the data subject entered into a customer relationship when registering for training organized by the controller. In addition, the controller has provided the data protection commissioner's office with copies of the personal data of the data subject that it processes. According to its statement, the controller processes the following information about the data subject: first and last name, address, e-mail address, telephone number and information about the completion of the training.<br />
<br />
The data protection commissioner's office has requested additional clarification from the data controller on 31 August 2023. The data controller has been asked whether and how it has defined the retention periods of personal data according to the purposes of processing. The controller has submitted its additional statement to the data protection commissioner's office on 22 September 2023.<br />
<br />
The controller has stated in its supplementary statement that it has determined the retention periods for the processing of personal data according to the purposes of processing. According to the controller, information on retention periods is provided in the register-specific privacy statements. The controller has stated that it considers that the necessity of processing the personal data ends when two years have passed since the expiration of the training course, or three years have passed since the last product purchase, or when the statutory retention period expires. According to the controller, the personal data will be anonymized or deleted at the end of the aforementioned retention period. The controller has further stated that the trainings are valid for three years.<br />
Response of the data subject<br />
<br />
In this case, the data subject has not been asked for a response. Based on the applicable legislation and the established interpretation practice, the matter is so clear that a decision can be given without hearing the data subject, pursuant to Section 34, Subsection 2, Clause 5 of the Administrative Act. The matter can be resolved on the basis of the applicable legislation, the request brought to the attention of the data protection commissioner's office and the statements received from the data controller.<br />
Applicable legislation<br />
<br />
The processing of personal data is regulated in the General Data Protection Regulation. The Data Protection Regulation is specified in the Data Protection Act (1050/2018).<br />
<br />
According to Article 6 of the General Data Protection Regulation, the processing of personal data is lawful only when there is a basis for processing according to Article 6, paragraph 1. The principles relating to the processing of personal data are stipulated in Article 5 of the General Data Protection Regulation. Article 25 provides for data protection by design and by default. The right of access is regulated in Article 15 and the procedure to be followed in exercising that right in Article 12.<br />
<br />
Paragraph 2 of Article 58 of the General Data Protection Regulation provides for the remedial powers of the supervisory authority. According to paragraph 2, subparagraph c of the article, the supervisory authority has the authority to order the controller or personal data processor to comply with the data subject's requests regarding the use of the data subject's rights based on the regulation. According to paragraph 2, subparagraph d of the article, the supervisory authority has the authority to order the controller or personal data processor to bring the processing activities into compliance with the provisions of the General Data Protection Regulation, if necessary, in a certain way and within a certain deadline.<br />
Legal question<br />
<br />
The issue is, first of all, whether the controller's procedure for submitting a request for the data subject's inspection right and identifying the data subject is in accordance with Article 12 paragraphs 2 and 6 and Article 5 paragraph 1 subparagraph c of the General Data Protection Regulation.<br />
<br />
This decision does not apply to the operations of the data controller in so far as they concern an alternative method of identifying the data subject. It can be stated that if the data controller has different ways to confirm the identity of the data subject, the data controller must ensure that these methods are in accordance with the General Data Protection Regulation. In particular, it should be taken into account that alternative identification methods do not make it difficult to exercise the rights of the data subject.<br />
<br />
The Deputy Data Protection Commissioner must also assess whether the data controller has had a basis for processing the personal data of the registered person in accordance with Article 6, Paragraph 1 of the General Data Protection Regulation.<br />
<br />
The Deputy Data Protection Commissioner must also decide whether the procedure for storing the registered person's personal data has been in accordance with Article 5(1)(e) and Article 25(2) of the General Data Protection Regulation.<br />
<br />
The Deputy Data Protection Commissioner must decide whether an order according to Article 58(2)(d) of the General Data Protection Regulation must be issued to the data controller to bring the processing operations in line with the provisions of the General Data Protection Regulation, and whether the data controller must be ordered, pursuant to Article 58(2)(c), to comply with the data subject's request. In addition, the deputy data protection commissioner must assess whether other powers belonging to the data protection commissioner should be used in the case.<br />
Decision and reasons of the Deputy Data Protection Commissioner<br />
<br />
The Deputy Data Protection Commissioner gives the data controller an order in accordance with Article 58(2)(d) of the General Data Protection Regulation to change its practice regarding the submission of requests to exercise the data subject's right of inspection and the confirmation of the data subject's identity so that it complies with Article 5(1)(c) and Article 12(2) and (6) of the General Data Protection Regulation.<br />
<br />
The deputy data protection commissioner leaves the appropriate measures to the discretion of the data controller, but orders a report on the measures taken to be submitted to the data protection commissioner's office by April 15, 2024, unless the data controller applies for an amendment to this decision.<br />
<br />
The Deputy Data Protection Commissioner also gives the data controller an order in accordance with Article 58, paragraph 2, subparagraph c of the General Data Protection Regulation to comply with the data subject's request, which concerns the data subject's right to access information about him/her.<br />
<br />
In addition, the Deputy Data Protection Commissioner gives the data controller an order in accordance with Article 58, paragraph 2, subparagraph d of the General Data Protection Regulation to delete, without undue delay, customer data older than the retention period defined by the data controller, including the data of the data subject. Pursuant to § 25 subsection 3 of the Data Protection Act, the Deputy Data Protection Commissioner orders the data controller to comply with the order regarding the deletion of customer data notwithstanding any appeal. However, the deputy data protection commissioner draws the controller's attention to the fact that the controller must fulfil the data subject's right of access to information about himself before deleting the data.<br />
Reasoning<br />
Confirmation of the data subject's identity<br />
<br />
The General Data Protection Regulation has no provisions on how the identity of the data subject must be verified. The General Data Protection Regulation also does not regulate the way in which the data subject must make requests regarding his rights.<br />
<br />
According to Article 12, paragraph 2 of the General Data Protection Regulation, the data controller must facilitate the exercise of the data subject's rights according to Articles 15–22. If the controller has reasonable grounds to suspect the identity of the natural person who made the request, the controller can, according to Article 12, paragraph 6, ask the requester to provide additional information that is necessary to confirm the identity. If the data subject provides additional information that can be used to identify him, the controller may not refuse to perform the requested action.<br />
<br />
Personal data that has been used to register the person in question can also be used to confirm the identity of the data subject when the data subject exercises his rights. The possibility for the controller to request additional information for identity assessment cannot lead to unreasonable demands and to the collection of personal data that are not essential or necessary to verify the connection between the person and the requested personal data. The European Data Protection Board has stated in its guidelines on the right of access provided for in the General Data Protection Regulation (European Data Protection Board, Guidelines 01/2022 on data subject rights – Right of access. Version 2.0, Adopted on 28 March 2023.) that requesting additional information must not lead to the collection of irrelevant or unnecessary personal data. (Ibid, p. 26.)<br />
<br />
The European Data Protection Board has further stated that, although identity is verified in some contexts with the help of an identity card, requiring the person who made the request to provide a copy of their identity card cannot generally be considered as a regular procedure for confirming the identity of the registered person. (Ibid, p. 27.)<br />
<br />
According to Article 5(1)(c) of the General Data Protection Regulation, personal data must be appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimization"). The principle of data minimization must also be followed when the data controller requires the data subject to provide additional information to confirm his identity.<br />
<br />
In this case, the practice of the controller has been that, in order to exercise the right to inspect the data, the data subject must submit a register information request form, which must be filled in with name, date of birth, telephone number, e-mail address and postal address. Such a form must also be signed. In order to identify the data subject, the data subject must attach a copy of his identity card to this form. The register information request form contains instructions on the above-mentioned practice. Requesting a copy of the identity document has thus been the controller's regular procedure for implementing the data subject's right of inspection.<br />
<br />
Taking into account Article 5(1)(c), the data controller shall not request more information from the data subject than is necessary for his identification. In order for the controller not to collect information that is unnecessary for the processing, it must carry out a necessity assessment, which can take into account, for example, the type of personal data being processed. In this case, the data controller mainly carries out first aid training activities. Due to its industry, the controller does not, as a rule, process special categories of personal data concerning customers. When assessing the necessity of the data to be collected, the controller should avoid excessive collection of personal data.<br />
<br />
The information on the identity card must be regarded as additional information in accordance with Article 12, paragraph 6, which the controller should only request if it has reasonable grounds to doubt the identity of the data subject who made the request. According to the Deputy Data Protection Commissioner's assessment, the controller's method of identifying the data subject has not been based on a case-by-case consideration; rather, requiring a copy of the identity document has been a regular means of identification. A copy of the identity card has been required from all data subjects who have wanted to exercise their right of access according to the General Data Protection Regulation.<br />
<br />
The Deputy Data Protection Commissioner also draws attention to the fact that the data controller has not, in its statement, set out the reasons why it has not been able to identify the data subject based on the information provided by the data subject.<br />
<br />
The Deputy Data Protection Commissioner considers that the data controller has processed a wider set of personal data to identify the data subject than is necessary for that identification, especially taking into account the fact that the data controller has not provided reasons why it has not been able to identify the data subject based on the information provided by the data subject, and has thus acted contrary to the data minimization principle provided for in Article 5(1)(c) of the General Data Protection Regulation. The Deputy Data Protection Commissioner considers that the data controller has processed personal data in violation of Article 5(1)(c) and Article 12(6) of the General Data Protection Regulation.<br />
<br />
The controller has also required the form to be submitted signed. The deputy data protection commissioner considers that the controller's way of operating has resulted in an unreasonable burden for the data subject, who had to submit a copy of his or her identity card along with the signed register information request form.<br />
<br />
The deputy data protection commissioner considers that the method in question has not been a means in accordance with Article 12, paragraph 2, by which the controller could be considered to have tried to facilitate the exercise of the data subject's rights. The controller's procedure can therefore be considered to have made it unreasonably difficult to exercise the rights of the data subject.<br />
<br />
Based on the above, the Deputy Data Protection Commissioner gives the data controller an order in accordance with Article 58(2)(d) of the General Data Protection Regulation to change its policy regarding submitting a request for the data subject's inspection right and identifying the data subject to comply with Article 5(1)(c) and Article 12(2) and (6) of the General Data Protection Regulation.<br />
<br />
Finally, the deputy data protection commissioner notes that the data controller has delivered to the data protection commissioner's office copies of the data subject's personal data it processes. The deputy data protection commissioner therefore considers that the controller has been able to identify the data subject. According to the information provided to the Data Protection Commissioner's office, the data controller has not provided this information to the data subject. For this reason, the deputy data protection commissioner gives the data controller an order in accordance with Article 58, paragraph 2, subparagraph d of the General Data Protection Regulation to deliver the data to the data subject as well.<br />
Lawfulness of the processing of the data subject's personal data<br />
<br />
The data subject has stated that, in his opinion, the contract or legitimate interest indicated as the basis for processing in the information provided by the controller is not applicable in his case. The data subject has therefore doubted the lawfulness of the processing of his personal data. Based on the controller's statement, the data subject has only been given general information about the grounds for the processing of personal data, because according to its statement, the controller has not been able to confirm the identity of the data subject and thus check whether the data subject's personal data can be found in the data controller's registers. The data controller's privacy statement states that the basis for processing personal data is either a contract or a legitimate interest.<br />
<br />
The processing of personal data is lawful only when there is a basis for processing according to Article 6, paragraph 1 of the General Data Protection Regulation. According to the statement given by the data controller to the data protection commissioner's office, the basis for processing the personal data of the data subject is the contract that was created through the customer relationship when the data subject registered for the training. According to Article 6, paragraph 1, subparagraph b of the General Data Protection Regulation, the processing of personal data is lawful when the processing is necessary for the performance of a contract to which the data subject is a party.<br />
<br />
The deputy data protection commissioner considers that the data controller has had grounds to process the data subject's personal data, because the data subject has registered and participated in the training organized by the data controller. The Deputy Data Protection Commissioner therefore considers that the data controller had a basis for processing the personal data of the registered person in accordance with Article 6, Paragraph 1 of the General Data Protection Regulation.<br />
Storage period of personal data concerning the data subject<br />
<br />
Recital 39 of the General Data Protection Regulation states that personal data should be adequate, relevant and limited to what is necessary for the purposes of their processing. This requires in particular that the storage period of personal data is as short as possible. The controller must set deadlines for the deletion of personal data or for periodic review of the necessity of their storage, in order to ensure that personal data is not stored longer than necessary.<br />
<br />
Article 5(1)(e) of the General Data Protection Regulation provides for the principle of storage limitation. According to the article, personal data must be stored in a form which permits identification of the data subject only for as long as is necessary to fulfill the purposes of the processing. The storage period for personal data must always be as short as possible, and the data subject must be informed of the storage period when personal data is collected, i.e. the controller must define the storage period for personal data even before taking steps to process it.<br />
<br />
Article 25 of the General Data Protection Regulation provides for data protection by design and by default. According to paragraph 1 of the article, taking into account the state of the art and the cost of implementation, as well as the nature, scope, context and purposes of the processing, as well as the varying likelihood and severity of the risks to the rights and freedoms of natural persons posed by the processing, the controller must, both when determining the means of processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization of data, which are designed to implement data protection principles such as data minimization effectively and to integrate the necessary safeguards into the processing, so that the processing complies with the requirements of the General Data Protection Regulation and the rights of data subjects are protected. According to Article 25, paragraph 2 of the General Data Protection Regulation, the controller must implement appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each specific purpose of the processing is processed. This obligation applies to the amount of personal data collected, the extent of processing, the storage period and accessibility. Article 25, paragraph 2 of the General Data Protection Regulation, together with Article 5, paragraph 1, subparagraph e on storage limitation, imposes a clear obligation on the controller to make sure that personal data is stored only for the time necessary for the purpose of its processing.<br />
<br />
According to its statement, the controller has defined the retention periods for the processing of personal data by purpose of use. The controller considers that the necessity of processing the personal data ends when two years have passed since the expiry of the validity of the completed training, or three years have passed since the last product purchase.<br />
<br />
According to the data controller's statement, the processing of the data subject's personal data has been based on a contract that was created when the data subject signed up for training organized in April 2017. Based on the statement received, the data subject has not used other services provided by the data controller, i.e. the customer relationship can be considered to be based only on the training organized in April 2017. The controller has stated in its statement that the attended trainings are valid for three years.<br />
<br />
The Deputy Data Protection Commissioner considers that, based on the retention period specified by the data controller as described above, the data controller should have deleted the data subject's personal data five years after the training was organized, i.e. in April 2022. However, according to the data controller's statement to the Office of the Data Protection Commissioner on 20 June 2023, the data subject's training would have been valid until the end of 2020, i.e. longer than three years. Based on this information, the personal data of the data subject should have been deleted at the end of 2022. The Deputy Data Protection Commissioner considers that the data controller has therefore not complied with the retention period it defined itself for the processing of personal data. Based on the information received by the Office of the Data Protection Commissioner, the data subject submitted his request to the data controller in February 2023. The Deputy Data Protection Commissioner considers that the processing of the data subject's request for the right of inspection could not therefore have been the basis for the prolonged storage of the data, but that the data should have been deleted earlier.<br />
<br />
The Deputy Data Protection Commissioner therefore considers that the data controller has processed the data subject's personal data in violation of Article 5(1)(e) and Article 25(2) of the General Data Protection Regulation. The Deputy Data Protection Commissioner gives the data controller an order in accordance with Article 58, paragraph 2, subsection d of the General Data Protection Regulation to delete, without undue delay, customer data older than the retention period defined by the data controller, including the data of the data subject. However, the deputy data protection commissioner draws the controller's attention to the fact that the controller must fulfil the data subject's right of access to information about himself before deleting the data.<br />
</pre></div>Fredhttps://gdprhub.eu/index.php?title=Helsingin_hallinto-oikeus_(Finland)_-_H5259/2022Helsingin hallinto-oikeus (Finland) - H5259/20222024-03-04T08:33:48Z<p>Fred: </p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Finland<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=Helsingin hallinto-oikeus<br />
|Court_Original_Name=Helsingin hallinto-oikeus (Finland)<br />
|Court_English_Name=Administrative Court of Helsinki<br />
|Court_With_Country=Helsingin hallinto-oikeus (Finland)<br />
<br />
|Case_Number_Name=H5259/2022<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Edilex<br />
|Original_Source_Link_1=https://gdprhub.eu/index.php?title=File:Helsingin_hallinto-oikeus_H5259-2022.pdf<br />
|Original_Source_Language_1=Finnish<br />
|Original_Source_Language__Code_1=FI<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Date_Decided=23.09.2022<br />
|Date_Published=28.09.2022<br />
|Year=2022<br />
<br />
|GDPR_Article_1=Article 6 GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR<br />
|GDPR_Article_2=Article 6(1)(c) GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR#1c<br />
|GDPR_Article_3=Article 6(2) GDPR<br />
|GDPR_Article_Link_3=Article 6 GDPR#2<br />
|GDPR_Article_4=Article 10 GDPR<br />
|GDPR_Article_Link_4=Article 10 GDPR<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
|GDPR_Article_6=<br />
|GDPR_Article_Link_6=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=§ 5 Act on Checking the Criminal Background of Persons Working with Children<br />
|National_Law_Link_1=https://www.finlex.fi/fi/laki/ajantasa/2002/20020504#P5<br />
|National_Law_Name_2=Child Welfare Act<br />
|National_Law_Link_2=https://www.finlex.fi/fi/laki/ajantasa/2007/20070417<br />
|National_Law_Name_3=Social Welfare Act<br />
|National_Law_Link_3=https://www.finlex.fi/fi/laki/ajantasa/2014/20141301<br />
|National_Law_Name_4=<br />
|National_Law_Link_4=<br />
|National_Law_Name_5=<br />
|National_Law_Link_5=<br />
<br />
|Party_Name_1=City of Helsinki<br />
|Party_Link_1=https://www.hel.fi/en<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_From_Body=Tietosuojavaltuutetun toimisto (Finland)<br />
|Appeal_From_Case_Number_Name=6689/186/20<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=https://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_6689/186/20<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=[https://gdprhub.eu/index.php?title=User:Fred fred]<br />
|<br />
}}<br />
<br />
The Administrative Court of Helsinki upheld a Finnish DPA decision, which found that the social and health authority of a city had breached [[Article 6 GDPR]] and [[Article 10 GDPR]] by requesting data subjects to provide it with personal data that it had no legal basis for processing.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The social and health authority of the city of Helsinki (the controller) had asked the Administrative Court of Helsinki (the Court) to overturn [[Tietosuojavaltuutetun toimisto (Finland) - 6689/186/20|the Finnish DPA's decision]], according to which the controller had no legal basis to process the background information of applicants applying to volunteer as a child support person.<br />
<br />
The controller filed the appeal claiming that the processing of personal data was necessary to comply with its legal obligations under [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]]. The controller claimed that [https://www.finlex.fi/fi/laki/ajantasa/2014/20141301 the Finnish Social Welfare Act] and [https://www.finlex.fi/fi/laki/ajantasa/2007/20070417 the Finnish Child Welfare Act] oblige and entitle it to extensively process the background information of support person applicants, on the basis of which it can be assessed if they pose a threat to the child's physical and psychological integrity.<br />
<br />
=== Holding ===<br />
The Court agreed with the controller that determining the background of volunteers working with children could be considered necessary in order to fulfil its obligations under [https://www.finlex.fi/fi/laki/ajantasa/2014/20141301 the Finnish Social Welfare Act] and [https://www.finlex.fi/fi/laki/ajantasa/2007/20070417 the Finnish Child Welfare Act].<br />
<br />
However, the Court noted that pursuant to [[Article 6 GDPR#2|Article 6(2) GDPR]], the processing of personal data related to the organisation of support person activities is regulated in more detail in [https://www.finlex.fi/fi/laki/ajantasa/2002/20020504#P5 Section 5 of the Finnish Act on Checking the Criminal Background of Persons Working with Children], according to which the municipality may only request an extract from the criminal record from the applicant.<br />
<br />
In light of this, the Court agreed with the DPA that the personal data processed by the controller had exceeded what was necessary and relevant for the original purpose of the processing, therefore violating [[Article 6 GDPR]] and [[Article 10 GDPR]].<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.<br />
<br />
<pre><br />
HELSINKI ADMINISTRATIVE COURT 23 September 2022<br />
<br />
DECISION H5259/2022<br />
<br />
ID number 20903/03.04.04.04.01/2021<br />
<br />
Case A complaint regarding a data protection case<br />
<br />
Appellant City of Helsinki<br />
<br />
The decision may be appealed to the Supreme Administrative Court if the Supreme Administrative Court grants leave to appeal (HOL appeal permit 30).<br />
<br />
Decision to be appealed<br />
<br />
Deputy Data Protection Commissioner, 15 January 2021, ID number 6689/186/20<br />
<br />
On August 28, 2020, the data subject submitted a request for action to the data protection commissioner's office, in which he asked the data protection commissioner to take a position on the lawfulness of the processing of his personal data by the social and health sector of the city of Helsinki (hereinafter the controller). The processing of personal data took place when the data subject applied to be a voluntary child support person. On August 20, 2020, in an interview with the social worker of the support person service, he gave a power of attorney to request his information from the police authority. The data subject understood that the power of attorney gave consent to request a criminal record extract. According to the interviewer, information about home alarms would also be obtained.<br />
<br />
In his response on December 14, 2020, the data subject pointed out that it came as a surprise to him that the City of Helsinki's support person service had received from the police investigation notices registered in .2015, .2016 and .2018, in which he is the interested party. In a message sent on August 28, 2020, the employee of the support person service stated that the matters mentioned in the notifications in question have nothing to do with acting as a support person, but had nevertheless, in a previous message, inquired about the data subject's wish to discuss the notifications. The controller's representative also stated that, with the power of attorney signed by the data subject, the police provide copies of reports on all of the applicant's cases.<br />
<br />
In its decision under appeal, the Deputy Data Protection Commissioner has assessed the matter regarding the processing of registered personal data on the basis of the Act on investigating the criminal background of volunteers working with children (148/2014) and the Act on the status and rights of social care clients (812/2000).<br />
<br />
In its decision under appeal, the Deputy Data Protection Commissioner has issued a notice to the data controller in accordance with Article 58, paragraph 2, subparagraph b of the Data Protection Regulation, because the data controller's personal data processing activities have been in violation of Articles 5, 6, 10, 12 and 25 of the Data Protection Regulation, and ordered in accordance with Article 58, paragraph 2, subparagraph d of the Data Protection Regulation the data controller to bring the personal data processing operations into compliance with the provisions of this regulation within 30 days of notification of this decision so that personal data is no longer processed in violation of articles 5, 6, 10, 12 and 25 of the data protection regulation.<br />
<br />
The decision states, among other things, the following regarding the violation of Articles 6 and 10:<br />
<br />
The controller has implemented a procedure in which it requests information from the police about the possible criminal and penal records of a person seeking to be a child's support person, based on § 20 of the Act on the Status and Rights of Social Care Clients. Instead of this procedure, the controller should implement the measures prescribed in Section 4 of the Act on investigating the criminal background of volunteers working with children. The investigation of the criminal background of volunteers working with children and the procedure related to it is regulated by a special law, and the controller cannot introduce regular parallel procedures based on more general legislation and process criminal data more widely than the special law allows. Such a procedure renders the special law on the matter meaningless and would, among other things, supersede the strictness, precision and proportionality requirements of this law.<br />
<br />
Section 20 of the Act on the Status and Rights of Social Care Clients provides for the possibility of obtaining necessary information that is essentially related to the social care client relationship. According to Section 3, Subsection 1, Clause 2 of the Social Welfare Act (1301/2014), a social welfare client means a person who applies for or uses social welfare or is subject to it regardless of their will. A person who wants to be a volunteer support person is therefore not a client of social care. Criminal information regarding a person working as a support person is not mentioned in the law or its preambles, and there are no other special provisions on the matter other than the law on investigating the criminal background of volunteers working with children. Section 20 of the Act on the Status and Rights of Social Care Clients allows access to personal data only in individual cases where it has been determined to be necessary based on consideration.<br />
<br />
The processing of personal data in question is regulated in the Act on investigating the criminal background of volunteers working with children (148/2014) as referred to in Article 10 of the Data Protection Regulation. In addition to this special provision, the controller has, in other than justified individual cases, implemented practices in which personal data is processed more widely than is stipulated in the relevant special law. There have been no grounds for such processing as referred to in Article 6 of the Data Protection Regulation. By acting in this way, the controller has processed personal data in violation of Articles 6 and 10 of the Data Protection Regulation.<br />
Claims presented in the complaint<br />
<br />
The decision must be annulled to the extent that it has been deemed that the controller acted in violation of Articles 6 and 10 of the Data Protection Regulation.<br />
<br />
In his decision on the processing of information related to the investigation of criminal background, the Deputy Data Protection Commissioner has considered that the data controller has acted in violation of, among other things, Articles 6 and 10 of the Data Protection Regulation in its practice of processing personal data, in other than justified individual cases, to a greater extent than is stipulated in the special law, namely by making, in addition to requesting a criminal record extract, regular information requests to the police in accordance with Section 20, subsection 1 of the Act on the Status and Rights of Social Care Clients when evaluating the suitability of volunteers who aspire to be child support persons.<br />
<br />
The data protection commissioner does not have the authority to legally assess the social care authority's use of the right to access information based on the law. The basis for the information requests has been the necessity of the personal data in question to comply with the legal obligation of the controller, so the processing of the personal data has been lawful based on Article 6, Section 1, Subsection c of the Data Protection Regulation.<br />
<br />
Paragraph 1 of Section 4 of the Child Protection Act obliges child protection authorities to take the child's best interests into account when organizing child protection. When evaluating this interest of the child, it must be taken into account how the different solution options secure for the child, for example, balanced development, a safe growth environment and physical and mental integrity.<br />
<br />
Support person activity is a social service that the municipality must organize on the basis of Section 14 subsection 1 and Section 28 of the Social Welfare Act. The obligation to organize is also based on section 36 subsection 1 of the Child Protection Act. Support person activities are aimed at children in need of special support as referred to in section 3, paragraph 6 of the Social Welfare Act, who are in a vulnerable position and who, in addition, are clients of child welfare services due to the endangerment of their growing conditions or behavior that endangers their own health and development (section 27 subsection 1 of the Child Protection Act).<br />
<br />
The aforementioned provisions oblige and entitle the child protection authorities to process background information of persons applying for support person activities other than those that may appear from the criminal record extract, on the basis of which it can be assessed that they pose a threat to the child's physical and psychological integrity.<br />
<br />
Insofar as the information concerned has been, for example, information about police home alarms concerning a person intending to be a support person, the procedure has not been in violation of Article 10 of the Data Protection Regulation, because the information in question does not relate to criminal convictions or offences referred to in Article 10, or to related security measures.<br />
<br />
The controller considers, unlike the deputy data protection commissioner, that the right of access to information stipulated in section 20 subsection 1 of the Social Care Customer Act does not only apply to the data of a person who is a customer of social care. The regulation requires that the requested information has a significant impact on the customer relationship and is necessary for the authority due to the task stipulated in the law, for example to organize social care.<br />
<br />
The information held by the police regarding the background of those who apply to be support persons is essential for the child's customer relationship. The obligation to organize support person activities is based on Section 28 of the Social Welfare Act and Section 36 of the Child Protection Act. Ensuring the child's safety is a necessary condition for organizing support person activities, which also requires obtaining information that is not reflected in the criminal record extract.<br />
Case handling and investigation<br />
<br />
The Deputy Data Protection Commissioner has presented the following in his statement, among other things:<br />
<br />
The duties of the Data Protection Commissioner are stipulated in Article 57 of the Data Protection Regulation (EU) 2016/679 and in Section 14 of the Data Protection Act (1050/2018). According to Article 57(1)(a) of the Data Protection Regulation, the supervisory authority must monitor the application of this regulation in its territory. The statement also refers to recital 122 of the Data Protection Regulation. The Data Protection Regulation can be supplemented with special legislation on the processing of personal data. To the extent that the Act on the Status and Rights of Social Care Clients (812/2000) contains provisions regarding the processing of personal data, it is a provision in accordance with Article 6(2) of the Data Protection Regulation which supplements the provisions of the Data Protection Regulation. Most of the processing of personal data in the activities of the authorities is otherwise regulated by special laws, the supervision of which is the responsibility of the Data Protection Commissioner.<br />
<br />
Home alarm is not a precise concept defined in the law. As a rule, the issue is the performance of a task related to maintaining public order and security. Section 5 of the Act on the Processing of Personal Data in Police Operations (616/2019) applies to the processing of personal data related to such a task. The information provided to the City of Helsinki related to the police's investigation and surveillance tasks falls within the scope of Article 10 of the Data Protection Regulation.<br />
<br />
In the decision under appeal, a position has been taken on the application of Section 20, subsection 1 of the Social Care Customer Act, insofar as the issue is the processing of personal data related to the investigation of criminal background in connection with the activities of children's support staff. The decision has not evaluated the application of the aforementioned provision more widely.<br />
<br />
In its counter-explanation, the city of Helsinki has presented, among other things, the following:<br />
<br />
In its decision under appeal, the Deputy Data Protection Commissioner considered that the social and health sector acted in violation of Article 10 of the Data Protection Regulation regulating the processing of personal data regarding criminal convictions and violations when it requested information from the police on the basis of Section 20 of the Social Care Customer Act about home alarms for persons intending to be support workers. In his statement, the Deputy Data Protection Commissioner states that Section 5 of the Act on the Processing of Personal Data in Police Operations applies to the personal data in question and considers that the data in question falls within the scope of Article 10 of the Data Protection Regulation. In criminal convictions and violations, there is a question of behavior that violates the norm and the penalty resulting from it according to the law, while, for example, the police's home alarm duties are generally only related to safeguarding public order without being involved in crimes or violations.<br />
<br />
A criminal record extract is not sufficient when trying to ensure the safety of a child or young person. Also, the instructions and procedures for protecting the integrity of clients referred to in Section 4 of the Act on investigating the criminal background of volunteers working with children are not comprehensive to ensure the suitability of persons applying to be support staff. For this reason, the police are asked for registry information about the background of the person who wants to become a volunteer support person. Based on the above, the regular request for background information from the police on the basis of Section 20 subsection 1 of the Social Care Customer Act of those applying to become a support person applies to information that has a material effect on the customer relationship, as intended in the provision, which is necessary for the industry's support person activities due to the task stipulated in the law in order to organize the customer's social service. The procedure does not conflict with Article 6 or 10 of the Data Protection Regulation.<br />
<br />
The registrant has given an explanation.<br />
<br />
The city of Helsinki has given a counter-explanation.<br />
<br />
Decision of the Administrative Court<br />
<br />
The administrative court rejects the appeal.<br />
<br />
Reasoning<br />
<br />
Applicable legal provisions<br />
<br />
According to Article 5(1)(a) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons in the processing of personal data and on the free movement of such data and the repeal of Directive 95/46/EC (General Data Protection Regulation), personal data must be processed in accordance with the law, properly and transparently for the data subject.<br />
<br />
Article 6 of the General Data Protection Regulation provides for the legality of personal data processing. According to paragraph 1 of the article, processing is lawful only if and only to the extent that at least one of the following conditions is met:<br />
a) the data subject has given his consent to the processing of his personal data for one or more specific purposes;<br />
b) the processing is necessary for the implementation of an agreement to which the data subject is a party, or for the implementation of measures prior to the conclusion of the agreement at the request of the data subject;<br />
c) the processing is necessary to comply with the legal obligation of the controller;<br />
d) the processing is necessary to protect the vital interests of the data subject or another natural person;<br />
e) the processing is necessary for the performance of a task in the public interest or for the exercise of public authority vested in the controller;<br />
f) the processing is necessary for the realization of the legitimate interests of the controller or a third party, except when the interests of the data subject requiring the protection of personal data or fundamental rights and freedoms supersede such interests, especially if the data subject is a child.<br />
<br />
Subparagraph f of the first subparagraph does not apply to data processing carried out by public authorities in connection with their duties.<br />
<br />
According to paragraph 2 of the article, Member States may maintain or introduce more detailed provisions to adapt the application of the rules laid down in this Regulation to the processing carried out to comply with points (c) and (e) of paragraph 1 by specifying more precisely the specific requirements for data processing and other measures that ensure the legal and appropriate processing of data, inter alia in other special processing situations as stipulated in Chapter IX.<br />
<br />
According to paragraph 3 of the article, the basis of the processing referred to in points c and e of paragraph 1 above must be determined either<br />
a) in Union law; or<br />
b) in the legislation of the Member State applicable to the data controller.<br />
<br />
The purpose of the processing is defined in the relevant legal basis for the processing or, in the processing referred to in point 1, point e, it must be necessary for the performance of a task in the public interest or for the exercise of a public authority vested in the controller. The legal basis for the processing in question may contain special provisions that adjust the application of the rules of this regulation, including: general conditions regarding the legality of the data processing performed by the data controller; the type of data processed; relevant data subjects, entities to which and purposes for which personal data may be disclosed; purpose-relatedness; retention periods; and processing actions and procedures, including measures intended to ensure legal and appropriate data processing, such as measures for other special data processing situations presented in Chapter IX. Union law or Member State legislation must fulfill an objective in the public interest and be proportionate to the legitimate aim it pursues.<br />
<br />
Article 10 of the General Data Protection Regulation provides for the processing of personal data related to criminal convictions and violations. According to the article, the processing of personal data related to criminal convictions and violations or related security measures, on the basis of Article 6 paragraph 1, is carried out only under the supervision of an authority or when it is permitted by Union law or the legislation of a Member State, which provides for appropriate safeguards to protect the rights and freedoms of the data subject. A comprehensive criminal record is only kept under the supervision of a public authority.<br />
<br />
According to Article 58(2) of the General Data Protection Regulation, each supervisory authority has, among other things, the authority to:<br />
b) issue a notice to the controller or personal data processor if the processing operations have been in violation of this regulation; d) order the controller or personal data processor to bring the processing activities into compliance with the provisions of this regulation, if necessary in a certain way and within a certain deadline.<br />
<br />
According to Section 6, Subsection 1, Clauses 1, 2 and 7 of the Data Protection Act, Article 9(1) of the Data Protection Regulation does not apply to:<br />
1) information obtained in the course of the insurance business, processed by the insurance institution, about the state of health, illness, or disability of the insured and the claimant, or about the treatment measures applied to him or comparable actions, which are necessary to clarify the liability of the insurance institution;<br />
2) for the processing of data, which is stipulated by law or which directly results from the task prescribed by law for the controller;<br />
7) for data processing for scientific or historical research or statistics.<br />
<br />
According to Section 7, subsection 1 of the Data Protection Act, personal data related to criminal convictions and offences referred to in Article 10 of the Data Protection Regulation, or to related security measures, may be processed if: 1) the processing is necessary for the investigation, preparation, presentation, defense or settlement of a legal claim; or 2) the data is processed for a purpose stipulated in Section 6, subsection 1, clause 1, 2 or 7.<br />
<br />
According to Section 20(1) of the Act on the Status and Rights of Social Care Clients, a state and municipal authority and other public law entity, the Social Insurance Institution, the Finnish Centre for Pensions, a pension foundation and other pension institution, an insurance institution, a training provider, a social service provider, an entity or operating unit engaged in health and medical care activities, and a health care professional are obliged to provide the social care authority, at its request, free of charge and without prejudice to confidentiality regulations, the information and reports in their possession that have a material effect on the social care client relationship and which are necessary for the authority to determine the client's need for social care, to organize the social care and to implement related measures, and to check the information given to the authority due to the task set out in the law.<br />
<br />
According to Section 2, subsection 1 of the Act on investigating the criminal background of volunteers working with children, this law provides for a procedure for investigating the criminal background of volunteers working with minors.<br />
<br />
According to § 4 of the same law, the organizer of a volunteer task must create instructions or procedures for their activities that are necessary to fulfill the purpose of this law and evaluate the volunteer tasks for which the criminal background of the volunteers to be selected is to be investigated.<br />
<br />
According to Section 5, subsection 1 of the same act, the organizer of a volunteer task has the right to request from the Legal Register Centre a criminal record extract referred to in Section 6, subsection 2 of the Criminal Records Act (770/1993) concerning the volunteer, if the organizer of the volunteer task is giving the volunteer a task that includes: 1) regularly and substantially the teaching, guidance, care, nursing or other contact with a minor; 2) personal interaction with the minor; and 3) performing the task alone or in such circumstances where the personal integrity of the minor cannot be reasonably protected despite the measures referred to in Section 4 of this Act.<br />
<br />
According to Section 6, subsection 1 of the same law, the issuance of a criminal record extract requires that the volunteer has given prior written consent to the extract. According to subsection 2, the consent must state that, before giving consent, the volunteer has received information about the purpose of the criminal record extract and its use, the information relevant to the criminal record extract and the related data processing, the obligation of the organizer of the volunteer task to hand over the extract to the volunteer, and, where applicable, that the criminal record extract is requested on behalf of the organizer of the volunteer task by the association referred to in Section 8, subsection 1.<br />
<br />
Claim regarding the competence of the Data Protection Commissioner<br />
<br />
In its appeal, the City of Helsinki's social and health department has submitted that the data protection commissioner does not have the authority to legally assess the social welfare authority's use of the right to access information based on the law.<br />
<br />
The Administrative Court notes that Article 57 of the Data Protection Regulation (EU) 2016/679 provides for the tasks of the supervisory authority and Article 58 provides for its powers. According to Article 57(1)(a) of the Data Protection Regulation, the supervisory authority must monitor the application of this regulation in its territory. The duties and powers of the Data Protection Commissioner are also stipulated in Section 14 of the Data Protection Act (1050/2018).<br />
<br />
The data protection regulation applies to the processing of personal data carried out by the social welfare authority in question, but also the provisions of the national legislation regarding the processing of personal data, which in part supplement the regulation of the data protection regulation. Such are, for example, § 20 of the Act on the Status and Rights of Social Care Clients and the Act on Criminal Background Investigation of Volunteers Working with Children. Even when it comes to the application of the mentioned provisions supplementing the General Data Protection Regulation, it is still a matter of personal data processing falling within the scope of the Data Protection Regulation.<br />
<br />
The Administrative Court considers that, based on the above, the data protection commissioner has the right to evaluate the processing of personal data carried out by the social authority in question and to monitor compliance with the data protection regulation, regardless of whether the processing takes place on the basis of the law on the status and rights of social care clients or the law on investigating the criminal background of volunteers working with children. There is no reason to overturn the decision under appeal based on the argument about jurisdiction.<br />
<br />
Issue<br />
<br />
The data subject has initiated a case at the Office of the Data Protection Commissioner concerning whether the processing of his personal data by the City of Helsinki's child welfare support person activities has been lawful. The data subject had applied to be a voluntary child support person and, in the interview, gave a power of attorney for requesting his information from the police. He had understood that the power of attorney gives consent to request a criminal record extract. According to the report given by the controller on December 9, 2020, written consent is requested from the person applying to become a support person so that the support person activities can ask the police authority for possible criminal and punishment records concerning the applicant. It came as a surprise to the data subject that the support person activities had received information from the police about three investigation reports from the years 2015, 2016 and 2018, in which he was an interested party.<br />
<br />
In its decision under appeal, the Deputy Data Protection Commissioner has issued a notice to the City of Helsinki in accordance with Article 58(2)(b) of the Data Protection Regulation, because the data controller's personal data processing activities have, among other things, been contrary to Articles 6 and 10 of the Data Protection Regulation, and has ordered the data controller, in accordance with Article 58(2)(d) of the Data Protection Regulation, to bring the personal data processing operations into compliance with the provisions of this regulation within 30 days of notification of this decision, so that personal data is no longer processed in violation of the mentioned articles of the Data Protection Regulation.<br />
<br />
In the matter, following a complaint from the Social and Health Department of the City of Helsinki, it is being assessed whether the data controller has acted in accordance with Articles 6 and 10 of the Data Protection Regulation when processing the data subject's personal data.<br />
<br />
According to the complaint, support staff activities are social services that the municipality must organize based on Section 14 subsection 1 and Section 28 of the Social Welfare Act and Section 36 subsection 1 of the Child Welfare Act. Support person activities are aimed at children in need of special support referred to in section 3, paragraph 6 of the Social Welfare Act and children who are clients of child protection referred to in section 27, paragraph 1 of the Child Welfare Act. The city of Helsinki has considered that the aforementioned provisions entitle the child welfare authorities to process information other than the criminal record extract of persons applying for support worker activities, on the basis of which they can be assessed as a threat to the child's integrity.<br />
<br />
According to the City of Helsinki, the processing of personal data received from the police related to criminal convictions and offences is permitted on the basis of Section 7, subsection 1, clause 2 of the Data Protection Act, because the data is processed directly on the basis of the duties stipulated by law as referred to in Section 6, subsection 1, clause 2. Personal data other than those related to criminal convictions or offences received from the police are processed in accordance with Article 6(1)(c) of the Data Protection Regulation for the performance of a task in the public interest, and the processing is necessary and proportionate for the performance of tasks in the social and health sector.<br />
<br />
According to the City of Helsinki, the criminal record extract requested on the basis of Section 5 of the Act on Investigating the Criminal Background of Volunteers Working with Children or the instructions and procedures referred to in Section 4 of the Act to protect the integrity of minors are not comprehensive enough to ensure the suitability of those applying to become support staff. For this reason, the police are asked to obtain other information about the applicant that is more detailed and necessary for the organization of social care with written consent. The police will deliver to the City of Helsinki copies of the notices regarding all matters of the applicant in question. An agreement has not been made with the police about the procedure, but the procedure is based on § 20 of the Act on the Status and Rights of Social Care Clients.<br />
<br />
According to the General Data Protection Regulation, there must be a legal basis referred to in Article 6 for the processing of personal data. The Administrative Court states that support staff activities are stipulated as an obligation of the municipality in the Social Welfare Act and the Child Protection Act. The Administrative Court also states that finding out the backgrounds of volunteers working with children is necessary to fulfill the authority's statutory task. The processing of personal data for this purpose is therefore based on Article 6(1)(c) of the Data Protection Regulation. The processing of personal data related to the organization of support staff activities is regulated in more detail as referred to in Article 6, paragraph 2, among other things, in the law on the status and rights of social care clients and in the law on investigating the criminal background of volunteers working with children.<br />
<br />
The Administrative Court further states that the primary procedure for finding out the background of volunteer support persons working with children is the procedure in accordance with the Act on investigating the criminal background of volunteers working with children, in which the organizer of the volunteer activity can request the criminal record of the person in question from the Legal Registry Center. Based on its precedents, the aforementioned law is also applied to volunteer support staff working in the municipality's child protection (HE 149/2013 vp, detailed justification of § 3). According to Section 5 of the Act on investigating the criminal background of volunteers working with children, a criminal record extract can be requested from the Legal Records Center with the volunteer's prior written consent. However, the criminal record extract only shows the person's convictions at the time the extract is requested. The law does not provide for the investigation of other criminal information.<br />
<br />
On the basis of Section 20 of the Act on the Status and Rights of Social Care Clients, the social care authority has the opportunity to obtain necessary information that is essentially related to the social care client relationship. Based on this, the social authority can obtain confidential personal information in a single situation where the information in question is deemed necessary. The Administrative Court considers that, based on the wording of the legal section and its justification, the legal section is primarily intended to provide information about social care clients. In the decision under appeal, only the fact that the city of Helsinki has regularly requested information from the police about persons applying to be support staff under the mentioned legal section has been addressed. In the matter, no position has been taken on whether it is at all possible, in individual cases, to hand over information deemed necessary also about persons applying to be support staff, based on the mentioned legal section.<br />
<br />
The Administrative Court states that data from the police's information systems, other than the criminal record extract, can in themselves be relevant on a case-by-case basis in terms of assessing the suitability of a person applying to be a support person and ensuring the safety of children. However, based on the report presented in the case, the city has not limited the information it requests or receives on the basis that it must be necessary or essential for this purpose.<br />
<br />
According to the report received, based on § 20 of the Act on the Status and Rights of Social Care Clients, the City of Helsinki has regularly requested information from the police about the criminal records and punishment records of applicants to be support persons, using a form that does not specify the time or subject limits of the information the request applies to. In connection with the request for information, it has not been assessed which information is necessary or essential due to the task stipulated by law for the City of Helsinki and to fulfill the purpose stated by the City of Helsinki, i.e. to ensure the safety of children. Consequently, due to the procedure it followed in requests for information, the city has also processed information that was not necessary or essential for the stated purpose. In the case of the data subject, the City of Helsinki has received investigation reports from the police in which the data subject is the interested party. The data subject was given an opportunity to discuss the investigation notices, but he was later informed that the matters mentioned in the notices are not relevant to working as a support person. In the case of the data subject, the personal data in question has therefore not been necessary or essential for the authority to carry out the task set out in the law.<br />
<br />
Based on the above, the administrative court states that the City of Helsinki has processed the personal data of the persons applying to be support persons more widely than the legal basis for the processing (the Act on investigating the criminal background of volunteers working with children and § 20 of the Act on the status and rights of social care clients) allows. The processing must therefore be considered to have violated Article 6 of the Data Protection Regulation. Since the information referred to in Article 10 has also been in question, at least in part, the City of Helsinki must also be considered to have violated Article 10 when handling such information more widely than is allowed in national legislation.<br />
<br />
Therefore, the deputy data protection commissioner has been able, as far as it is now a matter, to give the data controller a notice according to Article 58, paragraph 2, subparagraph b of the data protection regulation, and an order according to subparagraph d, to bring personal data processing activities into compliance with the provisions of the data protection regulation, so that personal data is no longer processed in violation of articles 6 and 10.<br />
<br />
Applied legal guidelines<br />
<br />
• The and<br />
• Act on the status and rights of social care clients Section 2 and Section 3<br />
• Section 14 and Section 28 of the Social Welfare Act<br />
• Section 36 of the Child Protection Act<br />
<br />
Administrative law judge * voting statement<br />
<br />
I revoke the decision of the Deputy Data Protection Commissioner.<br />
<br />
Regarding jurisdiction and legal basis, I agree with the majority.<br />
<br />
In other respects, I state the following:<br />
<br />
The primary procedure for finding out the background of volunteer support persons working with children is the procedure according to the Act on investigating the criminal background of volunteers working with children, in which the organizer of the volunteer activity can request the criminal record of the person in question from the Legal Registration Center. However, the criminal record extract only shows the person's convictions at the time the extract is requested. The fact that the law does not expressly provide for criminal information other than the criminal record extract does not, in my opinion, exclude the possibility given to the social welfare authority to obtain essential information essentially related to the social welfare client relationship based on Section 20 subsection 1 of the Act on the Status and Rights of Social Welfare Clients. Based on this, the social authority can obtain confidential personal information from a person other than the client himself in a situation where the information in question is deemed necessary to assess the suitability of the client relationship, i.e. in this case the support person, for children in need of special support and in a vulnerable position, who are clients of child protection due to the risk of their growing conditions or behavior that endangers their own health and development.<br />
<br />
The registrar has adopted a procedure where, based on Section 20, subsection 1 of the Act on the Status and Rights of Social Care Clients, with the consent of the person aspiring to be a child's support person, he has requested information from the police about the person's possible criminal record and punishment. The fact that the police have provided the city of Helsinki with information about the person other than what was requested, such as information about the person concerned, is not decisive, because the city has announced that it will not use this information.<br />
<br />
I believe that the city of Helsinki has sufficiently limited the information it requests and that the time and subject limitations of the criminal and punishment records do not provide enough information to ensure the suitability of the person and the safety of the children. The information requested about the possible criminal and penal records of the person aspiring to be a support person has thus been necessary or necessary for the purpose of the authority to carry out the task set out in the law.<br />
<br />
Since the City of Helsinki has not requested information more widely than is allowed in national legislation, it has not violated Articles 6 and 10 of the Data Protection Regulation. Thus, the deputy data protection commissioner has not been able to issue a notice to the controller in accordance with Article 58, paragraph 2, subparagraph b of the data protection regulation, nor an order in accordance with subparagraph d to bring personal data processing operations into compliance with the provisions of the data protection regulation. I therefore set aside the decision under appeal.<br />
<br />
As collateral *"<br />
</pre></div>Fredhttps://gdprhub.eu/index.php?title=HDPA_(Greece)_-_47/2023HDPA (Greece) - 47/20232024-03-03T19:19:47Z<p>Nzm: Thank you for the summary! I just added a few details to make it more relevant for our audience!</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Greece<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoGR.jpg<br />
|DPA_Abbrevation=HDPA<br />
|DPA_With_Country=HDPA (Greece)<br />
<br />
|Case_Number_Name=47/2023<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=HDPA<br />
|Original_Source_Link_1=https://www.dpa.gr/sites/default/files/2024-02/47_2023%2520anonym.pdf<br />
|Original_Source_Language_1=Greek<br />
|Original_Source_Language__Code_1=EL<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Partly Upheld<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=<br />
|Year=<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 12(1) GDPR<br />
|GDPR_Article_Link_1=Article 12 GDPR#1<br />
|GDPR_Article_2=Article 12(2) GDPR<br />
|GDPR_Article_Link_2=Article 12 GDPR#2<br />
|GDPR_Article_3=Article 15(1) GDPR<br />
|GDPR_Article_Link_3=Article 15 GDPR#1<br />
|GDPR_Article_4=Article 15(3) GDPR<br />
|GDPR_Article_Link_4=Article 15 GDPR#3<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
|GDPR_Article_6=<br />
|GDPR_Article_Link_6=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Iliana Papantoni<br />
|<br />
}}<br />
<br />
The DPA reprimanded a controller for failing to give a reasoned explanation for refusing to grant a copy of the data subject's personal data.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The data subject filed multiple access requests with a Cultural Association ("controller") to which she belonged. She submitted a first request in September 2017 asking for copies of the minutes of the board of directors' meetings regarding the termination of the cooperation with her, since they concerned her personally. In October 2017, the cooperation with the data subject was renewed; the controller therefore considered that the justification for the request no longer applied and did not respond to it. <br />
<br />
In November 2019, the data subject repeated her request, seeking a response to her previous demand. The controller replied that, under the Association's statutes, members could not receive copies of the minutes of the meetings but could read them. It therefore invited the data subject to its offices to read the minutes of the meetings concerning her personally, which she did.<br />
<br />
In May 2021, the data subject requested copies of the minutes of the general meetings of the association, as well as minutes of the meetings that the association had held during the last 7 years. The controller refused this request and gave only an oral explanation for the refusal. <br />
<br />
In October 2021, the data subject requested "copies of the notes from the minutes of the board meetings concerning her person". The controller also rejected this request, stating that it had already been answered previously. <br />
<br />
The data subject therefore lodged a complaint with the Hellenic DPA ("HDPA"). <br />
<br />
=== Holding ===<br />
The HDPA ruled on each one of these requests. Firstly, regarding the request from May 2021, the DPA held that the request did not contain a reference to the data subject's personal data and that therefore, it was not a request for a copy of personal data under [[Article 15 GDPR#3|Article 15(3) GDPR]]. <br />
<br />
Secondly, regarding the request from September 2017, the HDPA noted that it was submitted before the entry into force of the GDPR. Therefore, the DPA examined the request in light of the previous regime of Directive 95/46/EU. The DPA found that, taking into account the interpretation of Article 12 Directive 95/46/EU by the CJEU, an on-the-spot examination of the minutes of the Association would be considered a satisfactory way of responding to the data subject's access request. <br />
<br />
Finally, regarding the request from October 2021, the HDPA pointed out that the absence of a provision in the Association's statutes allowing members to receive copies of the minutes does not prevent the right of access from being satisfied by providing a copy of the data held in those records. It added that the absence of such a provision cannot be regarded as a waiver by members of their right under [[Article 15 GDPR#3|Article 15(3) GDPR]] to receive copies of their processed data either. The HDPA considered that an on-the-spot examination of the minutes of the Association was sufficient to comply with [[Article 15 GDPR#3|Article 15(3) GDPR]].<br />
<br />
However, the HDPA noted that the controller has an obligation to give a reasoned reply to an access request. Where it refuses to comply with the request, it must set out the relevant reasons for the refusal in detail and document them adequately, under [[Article 12 GDPR#3|Article 12(3) GDPR]]. The DPA considered that, regarding the request made in May 2021, the controller informed the data subject of the reasons for the rejection of her request only orally, which could not be considered sufficiently reasoned. Regarding the request made in October 2021, the controller simply rejected the request without giving any reasons.<br />
<br />
The HDPA therefore addressed a reprimand to the controller for infringing [[Article 12 GDPR#3|Article 12(3) GDPR]] in conjunction with the provisions of [[Article 15 GDPR#3|Article 15(3) GDPR]]. <br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.<br />
<br />
<pre><br />
Athens, 29-01-2024 Prot. No. 424 DECISION 47/2023 (Department) The Personal Data Protection Authority met as a Department following the invitation of its President via teleconference on Wednesday, October 4, 2023 in order to examine the case referred to in the present history. The Deputy President of the Authority, Georgios Batzalexis, who was in the way of the President of the Authority, Constantinos Menoudakos, and the alternate members of the Authority, Demosthenes Vougioukas and Maria Psalla, were present, replacing the regular Members Constantinos Lambrinoudakis and Grigorio Tsolias, who, although legally summoned, did not attend due to disability, as well as George Kontis, as a substitute Member as rapporteur. Present without the right to vote were Anastasia Tritaki, legal scientist, as assistant rapporteur and Irini Papageorgopoulou, employee of the administrative affairs department, as secretary. The Authority took into account the following: With the no. Authority prot. C/EIS/3569/08-03-2022 complaint to the Authority A complained before the Authority that despite the multiple requests she submitted to Cultural Association X to receive copies of minutes of meetings of the board of directors and the general assembly concerning her, the complained association did not satisfy her request. In particular, the complainant states that on 22/9/2017 she submitted the first request to the board of directors of the association to obtain copies of minutes, which according to her claims was not answered. With her request on 28/11/2019, the complainant repeated her request, requesting a response to the previous request from 22/9/2017, and received a negative response from the board of directors on 29/12/2019. The complainant claims that she then submitted a new request for copies on 9/5/2021, which was also rejected by a letter from the association dated 7/6/2021. 
Following this, he submitted a new application on 3/10/2021, which was rejected with a letter from the association dated 2/11/2021, where it is stated that the request had already been answered with the 7/6/2021 response of the board of directors. The Authority, in the context of examining the above complaint, with the no. prot. C/EXE/1107/11-05-2022 her document, invited the defendant Cultural Association X to present their views on it. With the no. (No. Authority's request C/EIS/7437/26-05-2022) in its response, the defendant Cultural Association X argued before the Authority, among other things, the following: a) that from 22/ 9/2017 the complainant's request was not satisfied, as it concerned the granting of copies regarding the decision of the Board of Directors to terminate the cooperation with her as ..., however, one month later, in October 2017, the cooperation with her was renewed, therefore in accordance with the in the above response, the justifying basis of the request disappeared, b) that the complainant's request from 28/11/2019 was a resubmission of her request from 22/9/2017, upon which the Board of the Association called, with the from 29/12/2019 his response, the complainant to his offices, in order to read the minutes of the meetings that concerned her, in accordance with article 6 of the association's statutes, based on which it is provided that members can read the minutes (and not to receive copies); according to the claims of the 2nd defendant, the complainant came to the association's offices, read the minutes of the meetings that concerned her personally and left, d) that this also took place on 9/7/ 2021, following a new request from the complainant, e) that the complainant's other requests have been answered and brought to the attention of the Authority by the complainant. 
The defendant pointed out that in his opinion, the complainant's right of access to the records concerning her was fully satisfied twice, while the continued submission of requests "is checked as abusive". After examining the details of the file, the Authority sent letter no. Prot. Authority C/EXE/2801/07-11-2022 summons for hearing to the accused and the no. Authority letter C/EXE/2802/07-11-2022 to the complainant, in order to attend, via teleconference, a hearing before the Department of the Authority on Wednesday, November 16, 2022 at 12:00 p.m. regarding the discussion of the aforementioned complaint. During the above meeting, the complainant did not attend, either in person or through a lawyer's proxy, nor did she submit a memorandum until the beginning of the meeting, declaring her appearance before the Authority without being present at the meeting, in accordance with article 9 par. 1 of Regulation of Operation of the Authority. On behalf of the defendant Cultural Association X, the attorney of Hadzipemos Christos appeared. The Authority, after examining and determining that the complainant was summoned legally and in a timely manner, in accordance with article 9 par. 5 of the Regulation of Operation of the Authority, proceeded to the discussion of the case. During the above meeting, the defendant, through his attorney-at-law, orally developed his views on the complaint under consideration and answered the questions raised by the President and the Members of the Authority. The defendant was given a deadline to submit a memorandum to further support their claims until November 30, 2022, but no relevant memorandum was submitted by the defendant association. 
During the above meeting, the defendant Association argued, among other things, that it cannot provide copies of the minutes of the Board of Directors to the 3rd complainant, as this is not provided for by the Association's statutes, while these minutes contain a lot of personal data of third parties, while he pointed out that on multiple occasions, the complainant was notified through the Board of Directors that she can learn about the Association's practices that concern her by on-site study at the Association's offices. Furthermore, the defendant was asked to provide explanations regarding the fact that with her last request of 3/10/2021, the complainant requested the provision of copies of the points of the Board of Directors minutes that concerned her and were "necessary for the exercise of her legal rights" and in this regard the defendant claimed that the complainant did not specify the intended way of exercising her rights, so that the defendant would be able to respond more specifically to the said request. The Authority, after examining the elements of the file and what emerged from the hearing before it, after hearing the rapporteur and the clarifications from the assistant rapporteur, who was present without the right to vote, after a thorough discussion, DECIDED IN ACCORDANCE WITH THE LAW 1) Since the provisions of Articles 51 and 55 of the General Data Protection Regulation 2016/679 (GDPR) and Article 9 of Law 4624/2019 (Government Gazette A΄ 137) show that the Authority has the authority to supervise the implementation of the provisions of the GDPR, of Law 4624/2019 and other regulations concerning the protection of the individual from the processing of personal data. In particular, from the provisions of articles 57 par.1 item. f of the GDPR and 13 par. 
1 item g΄ of Law 4624/2019 it follows that the Authority has the authority to deal with A's complaint against Cultural Association X, since the complaint under consideration concerns a request for access to personal data kept in the association's books, therefore included in an archiving system against the meaning of article 4 par. 2) and 6) GDPR, under processing under the regulatory scope of articles 2 par. 1 of the GDPR and 2 of Law 4624/2019. 4 2) Since, in relation to the complainant's submitted requests to the defendant association, the following should be noted first: a) With her request of 22/9/2017, the complainant requested copies of the decisions of the board of directors of on behalf of the association, regarding the termination of the cooperation with her as ..., since they concern her "personally", b) with her request of 28/11/2019, the complainant requested a response to the request of 22/9/2017, c) with her request of 9/5/2021, the complainant requested, among other things, copies of the general meetings of the association and copies of the minutes kept from the meetings of the board of directors of the association during the last 7 calendar years, without connection to the above of her request with her person, d) with her request from 3/10/2021, the complainant requested "copies of the notes from the minutes of the meetings of the board of directors concerning her person". From the above it is concluded that the complainant submitted on 22/9/2017 and 3/10/2021 to the Board of Cultural Association X requests to receive copies of the minutes of the Board, which contain data concerning her, while from 28/11 /2019 request, is not a new request, but a reminder of the 22/9/2017 request and the 9/5/2021 request does not contain a request to receive copies with reference to the complainant's data, therefore it is not a request to receive a copy in the sense of article 15 par. 3 GDPR and its examination is beyond the competence of the Authority. 
Therefore, the examination of the present complaint concerns the requests of the complainant to the defendant from 22/9/2017 and 3/10/2021. 3) Because, according to the provisions of article 4 par. 7 GDPR, as data controller means "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and manner of processing personal data; when the purposes and manner of such processing are determined by Union law or the law of a Member State, the controller or the specific criteria for his appointment may be provided for by Union law or the law of a Member State". According to the Guidelines 07/2020 of the EDPS regarding the concepts 5 of the controller and the processor1, in cases where the law establishes an obligation or imposes on an entity the duty to collect and process specific data, the purpose of processing is often determined by law and the controller is usually appointed by law to achieve this purpose. Legislation may also impose an obligation on public or private entities to retain or provide certain data. The entities in question are generally considered responsible for processing in relation to the processing deemed necessary for the fulfillment of the specific obligation2. In this case, access to personal data is requested from the complainant, which are included in books that the club is required to keep under the relevant legislation , therefore in this case the legal entity Cultural Association X is the data controller. 4) Because, according to the provisions of article 5 paragraph 2 of the GDPR, the data controller bears the responsibility and must be able to prove his compliance with the processing principles established in paragraph 1 of article 5. 
As the Authority3 has judged, with the GDPR a new model of compliance was adopted, the central dimension of which is the principle of accountability in the context of which the data controller is obliged to plan, implement and generally take the necessary measures and policies, in order for the processing of data to be in accordance with the relevant legislative provisions. In addition, the controller is burdened with the further duty to prove himself and at all times his compliance with the principles of article 5 par. 1 GDPR. 5) Because with regard to the complainant's request of 22/9/2017, it should first of all be noted that it was submitted before the start of application of the General Data Protection Regulation 2016/679/EU, therefore the request in question will 1 EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 2.0, Adopted on 07 July 2021, https://edpb.europa.eu/system/files/2021-07/eppb_guidelines_202007_controllerprocessor_final_en.pdf 2 As above, par. 24. 3 Indicative Decision 26/2019 APDPH, available on its website. 6 must be examined in the light of the previous regime of Directive 95/46/EU, as incorporated into the Greek legal order with the previous Law 2472/1997 (Government Gazette A' 50). From the overview of the provisions on the subject's right of access to data concerning him, as guaranteed by article 12 of Law 2472/1997 (Government Gazette A' 50) and the corresponding provision of article 12 of Directive 95/46/EU, it follows that the right to obtain a copy of the data, as a way of satisfying the right of access, was not expressly provided for under the previous data protection legal framework. 
Interpreting the right of access under Directive 95/46/EU, the CJEU pointed out that "Directive 95/46 obliges the Member States to ensure to the interested parties the possibility to receive from the person responsible for the processing of personal data notification of all of the processed data concerning them, but leaves the Member States free to determine the specific material form of this notification, provided that it is carried out in an "intelligible way", i.e. in a way that allows the interested party to ascertain the accuracy of these data and for their processing in accordance with the directive, so that it can possibly exercise the rights granted to it by articles 12, items b΄ and c΄, 14, 22 and 23 of this directive (…) Therefore, as long as the purpose pursued by the right of access is fully served by another form of disclosure, the person to whom the data relate cannot project, neither on the basis of Article 12, point a', of Directive 95/46 nor on the basis of Article 8, paragraph 2, of the Charter, right to obtain a copy of the document or the original file in which this data is included. In order for the interested party not to have access to other information, apart from the personal data concerning him, he can be granted a copy of the original document or file with the said other information hidden. (..). In order to exercise this right, it is sufficient to provide the applicant with a complete picture of these data in an understandable manner, i.e. in a way that allows the interested party to ascertain the accuracy of these data and their processing in accordance with the 7 directive, so that to possibly be able to exercise the rights deriving from that directive.' 
4 6) Because in the present case, based on what emerged from the examination of the elements of the file and the hearing procedure, the defendant Association did not respond to the complainant's request of 22/9/2017, before her relevant reminder, which took place on 28/11/2019, at which time the Board of Directors of the Association invited, with its reply from 29/12/2019, the complainant to take cognizance of the practices of the association by studying them on the spot. Taking into account the interpretation of Article 12 of Directive 95/46/EU by the CJEU, the satisfaction of the complainant's request with an on-site study of the records is considered a satisfactory way of responding to the complainant's access request. However, with regard to the deadline for satisfying the request from 22/9/2017, it is pointed out that in accordance with article 12 par. 4 of Law 2472/1997 (Government Gazette A' 50), as it was in force at the time the request was submitted: ". If the data controller does not respond within fifteen (15) days or if his response is unsatisfactory, the data subject has the right to appeal to the Authority (...)." In the present case, the defendant did not respond in any way to the complainant's request of 22/9/2017, before her relevant reminder, which took place on 28/11/2019, when the Board of the Association called, with his reply of 29/12/2019, the complainant to take cognizance of the club's practices by studying them on the spot, therefore the defendant did not comply with the requirement of article 12 par. 4 of Law 2472/1997 ( Official Gazette A' 50), deadline for reply. However, the aforementioned law has already been repealed and therefore any violation of the aforementioned provision on the part of the defendant as data controller no longer entails any sanction. 7) Because with regard to the complainant's request from 3/10/2021, the following must be taken into account: article 15 GDPR states that: "1. 
The data subject has the right to receive from the controller confirmation as to whether or not 4 CJEU, Joined Cases C-141/12 and 372/12, YS and Others, paras. of a nature concerning him are being processed and, if this is the case, the right to access the personal data and the following information: (…) . 2. (…) 3. The data controller provides a copy of the personal data being processed. For additional copies that may be requested by the data subject, the controller may charge a reasonable fee for administrative costs. If the data subject submits the request by electronic means, and unless the data subject requests otherwise, the information shall be provided in a commonly used electronic format. 4. The right to receive a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others." . Furthermore, in accordance with recital 63 of the GDPR "A data subject should have the right to access personal data collected and concerning him and be able to exercise this right easily and at reasonably regular intervals, in order to is aware of and to verify the legality of the processing. (…)" 8) Because further, according to Article 12 para. 1 GDPR "The data controller shall take the appropriate measures to provide the data subject with any information referred to in Articles 13 and 14 and any communication in the context of Articles 15 to 22 and of article 34 regarding the processing in a concise, transparent, comprehensible and easily accessible form, using clear and simple wording, especially when it comes to information addressed specifically to children. The information is provided in writing or by other means, including, if appropriate, electronically. 
When requested by the data subject, the information may be given verbally, provided that the identity of the data subject is proven by other means.", while according to paragraph 2 of the same article above: "The data controller facilitates the exercise of the rights of the data subjects provided for in articles 15 to 22.(...)" 9 9) Because, in the present case, from the examination of the elements of the file and the hearing procedure, it appears that from 3/10/ 2021, the complainant's request, in which she requested copies of "the notes from the minutes of the Board of Directors' meetings concerning her", in order, as she states, to exercise her rights, was rejected by the defendant's letter dated 2/11/ 2021. With the said letter, the defendant informed the complainant that the Board of Directors of the Association unanimously decided that her request had already been answered with its response letter of 7/6/2021 and with which the previous one of 9/5/2021 had been rejected 2021 request of the complainant to receive copies of the minutes of the Board of Directors and the General Meeting for the last 7 calendar years. 
Furthermore, during the above hearing, the defendant asserted that on multiple occasions, the board of the defendant association informed the complainant, through oral information, that she could obtain knowledge of the Association's practices concerning her through an on-site study at the Association's offices, refusing to satisfy her request to obtain copies of the minutes of the Board of Directors, due to a non-relevant provision in the association's statutes, as well as due to the reference to them of a large number of personal data of third parties, while regarding the "exercise of her rights" , the defendant association still argued during the hearing before the Authority, that the complainant should sufficiently specify the manner of the intended exercise of her rights, in order to be able to satisfy her request by providing a copy of her data. 10) Since, with regard to the reasons for the refusal of the controller from 3/10/2021 to comply with the complainant's request to obtain copies of the minutes of the Board of Directors concerning her, the following should be noted: denounced provision of the association's statutes (article 6 letter e of the Statutes) for the possibility of its members to read the minutes and the lack of a relevant provision for receiving copies of the minutes from the members, it is pointed out that the lack of a provision of the statutes for the possibility of the members to receive copies of the minutes, 10 in no way prevents the satisfaction of the right of access by providing a copy of the data kept in the books in question, according to the above analysis contained in the Guidelines of the ESPD. Nor can the absence of a provision in the articles of association for the possibility of members to receive copies of the minutes be considered as a waiver by the members of their right, guaranteed by Article 15 para. 3 GDPR, to receive copies of their data that is being processed. 
It should be noted that based on the hierarchy of the rules of law, legal acts - and therefore the statutory acts of associations [5] - constitute, according to the teaching that accepts the character of the latter as sources of Law, the lowest basis of the rules of law [6]. 11) Because, according to the Guidelines 1/2022 of the EDPB regarding the right of access [7], the main way of providing access to the data to the subject is to provide a copy of the data [8], but the obligation to provide a copy of the data should not be considered as an additional right of the subject, but as a way of providing access to his data. At the same time, the obligation to provide a copy of the data does not extend the purpose of the right of access, as it only concerns the copying of the data being processed and not necessarily the reproduction of original documents. The obligation to provide a copy serves the purpose of the right of access to enable the data subject to obtain knowledge and verify the legality of the processing (See also Recital 63 of the GDPR). In some circumstances, there may be other appropriate ways to satisfy the right of access [9], and the controller may ensure the subject's right of access through other alternatives, for example through oral information, through study of files, through on-site or remote access without download [10]. 
[5] A.S. Georgiadis, General Principles of Civil Law, Publications Ant. N. Sakkoula, 3rd ed. 2002, p. 170. [6] K. Tsatsos, The problem of the sources of law, Ed. Ant. N. Sakkoula, rev. 1993, pp. 220-221. [7] European Data Protection Board, Guidelines 01/2022 on data subject rights - Right of access, version 2.0, available at: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012022-data-subject-rights-right-access_en [8] As above, p. 4. [9] As above, par. 26, p. 14. 
The right to receive a copy of the data is not always understood as the right of the subject to receive a copy of the documents containing his data, but as the right to receive an exact copy of his data processed in these documents. Such a copy can be created by collecting in it all the data concerning the right of access, provided that the collection makes it possible for the data subject to know and verify the legality of the processing [11]. 12) Because with Decision C-487/21 [12], the Court of Justice of the EU also ruled that in the event of a conflict between, on the one hand, the exercise of the right of full access to personal data and, on the other hand, the rights or freedoms of third parties, the rights at issue must be weighed and "Whenever possible, methods of sharing personal data should be chosen that do not infringe the rights or freedoms of third parties, taking into account, however, that, as follows from Recital 63 GDPR, such factors must not "result in the denial of any information to the data subject" [13]. Further, as the Court held, "With regard to the purposes pursued by Article 15 of the GDPR, it is noted that, as specified in Recital 11, the purpose of the GDPR is to strengthen and specify in detail the rights of data subjects. Article 15 of this regulation provides, in this regard, the right to receive a copy, (...). Recital 63 of the GDPR clarifies that "[t]he data subject should have the right to access personal data collected and concerning him and to be able to exercise this right freely and at reasonably regular intervals, in order to be aware of and to verify the legality of the processing". 
[10] Ibid., para. 131, p. 41. [11] Ibid., para. 150, p. 46. [12] CJEU, C-487/21, F.F. v. Österreichische Datenschutzbehörde, 4 May 2023. [13] Ibid., para. 44. 
(…) Therefore, the right of access provided for in Article 15 of the GDPR must provide the data subject with the possibility to ensure that the personal data concerning him is accurate and that it is processed in a legal manner (…)" [14], while finally, the Court concludes "The right of the data subject to obtain from the data controller a copy of the personal data being processed presupposes the right to obtain copies of excerpts of documents or even entire documents or excerpts from databases containing, among others, the data in question, if the provision of such a copy is necessary for the interested party to effectively exercise the rights granted by the regulation, noting that the rights and freedoms of third parties must be taken into account in this regard" [15]. 13) Because based on the aforementioned in paragraphs 11 and 12, the purpose served by the provision of article 15 par. 3 GDPR consists in providing transparency to the data subject, in order to enable the awareness and verification of the legality of the processing. From this, it follows that the right to receive a copy under article 15 par. 3 GDPR is not granted, in principle, for the purpose of protecting other rights or legal interests, such as for example the exercise of the right to judicial protection, which can however be achieved by other means (see AK 902 and KPolD 450-451 for the presentation of documents, KPolD 683-703 for the special procedure of interim measures). Accordingly, the alternative proposal of the controller for an on-site study of the Association's records, as presented and documented before the Authority, is judged in this case to be sufficient and not contrary to the purpose of the provisions of articles 15 par. 1 and 3 GDPR. 
[14] Ibid., paras. 33-34 and CJEU C-154/21 RW v. Österreichische Post AG, 12 January 2023, para. 37. [15] CJEU, C-487/21, F.F. v. Österreichische Datenschutzbehörde, 4 May 2023, para. 45. 
14) Because, however, as the Authority has repeatedly judged, for the correct and complete observance of the provisions of Article 12 GDPR regarding the right of access of Article 15 GDPR, the data controller has the obligation to give a reasoned response to the complainant's access request, even in the negative [16], while the refusal to satisfy the exercised right of access should take place in writing, with a detailed statement and sufficient documentation of the relevant reasons for rejection on the part of the data controller [17], in order to meet the condition of transparent information according to article 12 par. 1 GDPR. In this case, the rejection of the complainant's request by the association's letter of 2/11/2021 does not contain the above-required reasoning and documentation of the reasons for rejecting the complainant's request, which is not contained in the response letter of 7/6/2021 either, even if that letter were to be considered relevant to the substantially different request of the complainant of 3/10/2021 being examined in this case, while her verbal information regarding the reasons for the rejection of her request cannot be considered as a sufficiently reasoned and documented rejection of her request for access to data concerning her. Furthermore, as has been judged by the Authority [18], in the event that the provision of a copy may adversely affect the rights and freedoms of other persons according to article 15 par. 
4 GDPR, as in this case is presented by the defendant association, the specification of the access request may be considered necessary, in order for the data controller to be able to examine, within the framework of the principle of accountability, whether there is a question of an adverse effect on the rights and freedoms of others, and therefore whether there is a legitimate reason for not granting the data. However, based on the principle of accountability, in accordance with Article 5 para. 2 GDPR, it is the duty of the controller to facilitate the exercise of the subject's right, in accordance with Article 12 para. 2 GDPR, by inviting him to specify the access request, in order to be able to satisfy the exercised right while at the same time preserving any data of third parties [19]. In this particular case, the defendant Association, as already established above, with its reply dated 2/11/2021 to the complainant, rejected the request for access to the parts of the minutes of the Board of Directors that concern her, without citing reasons, and presented the said claim only before the Authority. Accordingly, a violation of the provisions of article 12 para. 1, 2 GDPR in combination with the provisions of article 15 para. 1, 3 GDPR is established on the part of the controller. Following all of the above, in view of the above-mentioned repeal of Law 2472/1997, only the violation of the provisions of article 12 par. 1, 2 GDPR in combination with the provisions of article 15 par. 1, 3 GDPR, regarding the complainant's access request from 3/10/2021, is established. 
[16] Decision 20/2023, available on the website of the Authority. See also StE 2627/2017. [17] Decisions 36/2021 and 39/2021, available on its website. [18] Decision 19/2022 APDPH, available on its website. 
The Authority considers that in relation to the violations described in detail above, there is a case of exercising its corrective powers under article 58 paragraph 2 GDPR, as the content of this is supplemented by recital 148 GDPR. In particular, the Authority, taking into account all the circumstances of the case under consideration, considers that in relation to the violations reported in detail above, there is a case of application of the provision of article 58 par. 2 item b) GDPR, and the Authority should address a reprimand to the responsible controller for the violation of the above provisions of the GDPR. FOR THESE REASONS, the Authority finds that the defendant Cultural Association X violated the right of access of the complainant, in violation of the provisions of article 12 para. 1, 2 GDPR in combination with the provisions of article 15 para. 1, 3 GDPR, and addresses a reprimand according to article 58 par. 2 item b) GDPR to the defendant Cultural Association X, for the reasons that are extensively analyzed in the rationale of this present. 
[19] Ibid.; see also Decision 26/2021, regarding the facilitation of the exercise of the right of access, available on its website. 
The President, Georgios Batzalexis. The Secretary, Irini Papageorgopoulou.<br />
</pre></div>Ilianapapantonihttps://gdprhub.eu/index.php?title=Pers%C3%B3nuvernd_(Island)_-_2022040716Persónuvernd (Island) - 20220407162024-03-01T08:16:54Z<p>Gauravpathak: Created page with "{{DPAdecisionBOX |Jurisdiction=Iceland |DPA-BG-Color= |DPAlogo= |DPA_Abbrevation=Persónuvernd |DPA_With_Country=Persónuvernd (Island) |Case_Number_Name=2022040716 |ECLI= |Original_Source_Name_1=Persónuvernd (Iceland) |Original_Source_Link_1=https://www.personuvernd.is/urlausnir/vinnsla-personuupplysinga-af-halfu-haskola-islands |Original_Source_Language_1=Icelandic |Original_Source_Language__Code_1=IS |Original_Source_Name_2= |Original_Source_Link_2= |Original_Sour..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Iceland<br />
|DPA-BG-Color=<br />
|DPAlogo=<br />
|DPA_Abbrevation=Persónuvernd<br />
|DPA_With_Country=Persónuvernd (Island)<br />
<br />
|Case_Number_Name=2022040716<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Persónuvernd (Iceland)<br />
|Original_Source_Link_1=https://www.personuvernd.is/urlausnir/vinnsla-personuupplysinga-af-halfu-haskola-islands<br />
|Original_Source_Language_1=Icelandic<br />
|Original_Source_Language__Code_1=IS<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=07.02.2022<br />
|Date_Decided=22.01.2024<br />
|Date_Published=22.02.2024<br />
|Year=2024<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1a<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=Act on Data Protection and the Processing of Personal Data<br />
|National_Law_Link_1=https://www.personuvernd.is/media/uncategorized/Act_No_90_2018_on_Data_Protection_and_the_Processing_of_Personal_Data.pdf<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
|National_Law_Name_3=<br />
|National_Law_Link_3=<br />
<br />
|Party_Name_1=University of Iceland <br />
|Party_Link_1=https://english.hi.is/university_of_iceland<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Gauravpathak<br />
|<br />
}}<br />
<br />
The Icelandic DPA held that the University examining a student’s use of a learning website in a course supervision system violated the transparency requirement in Art. 5(1)(a) GDPR. The lack of information regarding peer assessment violated Art. 12-13 GDPR.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A student at the University of Iceland complained to the Icelandic DPA that a teacher was monitoring their use of a teaching website in the Canvas student management system. In a subsequent complaint, the student also alleged that the University did not provide sufficient information about using peer evaluation as a method. <br />
<br />
The Icelandic DPA combined both complaints and asked the University of Iceland to reply. In its reply, the University of Iceland stated that its processing of students' personal data is based on an authorisation granted under the Act on Data Protection and the Processing of Personal Data. The University also stated that examining the student's use of the teaching website was necessary for the assessment and was lawful under Art. 6(1) GDPR. However, the web page that would have provided the student with the necessary information about the examination of the use of the learning website on Canvas was inactive. With respect to peer assessment, the University provided no evidence that the student had been informed.<br />
<br />
=== Holding ===<br />
The Icelandic DPA held that the University's examination of the student's use of the learning website on the Canvas platform violated Art. 5(1)(a) GDPR. It also held that the University violated Articles 12-13 GDPR because it failed to provide the student with the required information about the examination of their use of the learning website and about peer assessment.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.<br />
<br />
<pre><br />
Solutions<br />
<br />
Processing of personal information by the University of Iceland<br />
<br />
Case no. 2022040716<br />
<br />
22.2.2024<br />
<br />
All processing of personal information must be covered by one of the authorized provisions of the Personal Protection Act, as well as being compatible with all the principles of the law, i.a. that personal data is processed in a lawful, fair and transparent manner towards the data subject. In this case, the complainant was not sufficiently well informed about the possibility of teachers at the University of Iceland to process personal information about him and the university's processing was therefore not considered to have been compatible with the transparency requirement of the privacy legislation.<br />
<br />
----<br />
<br />
Privacy has ruled in a case where a complaint was made about the electronic monitoring of teachers at the University of Iceland. More specifically, it was complained that the teacher had monitored the use of the complainant, who was a student in a course with the teacher, on the teaching website in the Canvas learning management system. The complaint was also based on the fact that the teacher had used the peer assessment of the complainant's fellow students when grading the course.<br />
<br />
The conclusion of the Personal Protection Agency was that there was no electronic monitoring, according to the definition of the term in the Personal Protection Act, as the teacher's assessment of the complainant's activity in the learning management system was not sustained or repeated regularly. It was also considered that the said processing of personal information about the complainant had been necessary for the university in connection with statutory tasks entrusted to the university by law and therefore can be based on authorization in section 5. Article 9 Act no. 90/2018, on personal protection and the processing of personal data, which stipulates that processing may be permitted if it is necessary for work carried out in the public interest or in the exercise of official authority exercised by the responsible party.<br />
<br />
However, it was not considered that the complainant had been sufficiently informed of the teacher's possibilities to examine his activity in the course, by examining his use of the Canvas learning management system and making it the basis for grading, and the use of peer assessment for grading. The University of Iceland's processing was therefore not considered to have complied with the transparency requirement of the Personal Data Protection Act and the university was not considered to have provided the complainant with appropriate training on the processing of personal information.<br />
<br />
Ruling<br />
<br />
about a complaint about the processing of personal data by the University of Iceland in case no. 2022040716:<br />
<br />
I.<br />
<br />
Procedure<br />
<br />
On April 7, 2022, Personal Data Protection received a complaint from [A] (hereinafter the complainant) about the processing of personal information about him by the University of Iceland. More specifically, the complaint relates to the fact that a teacher at the University of Iceland engaged in illegal electronic monitoring of the complainant by examining his activity in a course by examining his use of a teaching website in the Canvas learning management system. During the course of the case, the complainant filed a new complaint against the same teacher at the University of Iceland, with a letter of the day. September 13, 2023. The second complaint concerned the instructor's use of peer evaluation by the complainant's fellow students in grading the course. The complainant's second complaint was combined with his previous complaint under case number 2022040716 at Personal Protection.<br />
<br />
Personal Protection invited the University of Iceland to comment on the complaint in a letter dated 26 June 2023, and the university's answers were received on 1 September 2023. By letter dated the 5th of the same month, the Data Protection Authority requested more information from the University of Iceland and received it by letter dated the 26th of the same month. The University of Iceland was then informed that the complainant had added to his complaint, and the university was invited to comment on the subject of the complaint by letter dated 12 October of the same year. The university's answers were received by letter dated 28 November of the same year. At the same time, the complainant was given the opportunity to submit comments on the answers of the University of Iceland by letters dated 4 September 2023 and 30 November 2023, and the complainant's comments were received by letter dated 17 December of the same year.<br />
<br />
When resolving the case, all the above-mentioned documents have been taken into account, although not all of them are separately explained in the following ruling.<br />
<br />
The processing of the case has been delayed due to the heavy workload at Personal Protection.<br />
<br />
___________________<br />
<br />
There is a dispute over the authorization of a teacher at the University of Iceland to examine the complainant's activity in a course, by examining his use of the Canvas learning management system, but the complainant was at the time a student of the teacher in a course taught at the university. There is also a dispute about the teacher's authority to use peer assessment when grading the course.<br />
<br />
The complainant is based on the fact that the teacher in question engaged in illegal electronic monitoring of him as a student by monitoring what he viewed in the University of Iceland's Canvas learning management system, without him having been informed about it or given consent for such electronic monitoring. The complainant also believes that the teacher has violated the principles of the privacy legislation on reliability, transparency, fairness and proportionality by using peer assessment for grading in a course that the complainant sat with the teacher.<br />
<br />
In the response letter of the University of Iceland, it is stated that according to the syllabus in the course that the complainant sat at the university and the teacher in question taught, there was a three-part assessment, i.e. (1) group project, (2) participation and activity, and (3) final exam. One part of the assessment, "participation and activity", consisted in the fact that students were asked to watch videos during class and post suggestions and questions through the Canvas learning management system. The teacher therefore checked the complainant's activity in the course by checking his use of the teaching website in the Canvas system. The University of Iceland is based on the fact that the processing of students' personal information in the Canvas student management system is based on authorization according to section 3. Article 9 Act no. 90/2018, on personal protection and processing of personal information. It is pointed out that according to paragraph 1. Article 2 of the law on universities, no. 63/2006, a university is an independent educational institution that carries out teaching, research, preservation of knowledge, knowledge seeking and creation in the fields of science, studies, technological development or art. In paragraph 1 Article 7 it is stipulated that universities decide on the arrangement of teaching. According to the above, the University of Iceland uses the Canvas learning management system to manage student teaching. The university also points out that the feature of the Canvas system is designed so that assessment in distance learning and grading can be based on the students' practice and the teacher can therefore decide that it is important for the grading that the students look at files, recordings, documents, pages and more. According to the answers of the University of Iceland, the complainant, on the other hand, was not instructed about the processing of his personal information in the Canvas student management system.<br />
<br />
With regard to the teacher's use of peer assessment as the basis for grading the course, the University of Iceland did not provide substantive answers to the questions of the Data Protection Authority during the investigation of the case, but referred to an attachment with the decision of the dean [at] the University of Iceland in a case regarding the complainant's complaint about the assessment in the course, pursuant to Article 50. of the rules of the University of Iceland no. 569/2009, as well as to the opinion of the appeals committee in student affairs in case no. [....] on the occasion of the complainant's complaint.<br />
<br />
II.<br />
<br />
Conclusion<br />
<br />
1.<br />
<br />
Lawfulness of processing<br />
<br />
This case concerns the authorization of a teacher at the University of Iceland to examine the complainant's activity in a course, by examining his use of a specific teaching website in the Canvas learning management system, as well as the teacher's authorization to use the peer assessment of the complainant's fellow students when grading the course. It concerns the processing of personal data that falls under the authority of the Personal Protection Agency.<br />
<br />
The person responsible for the processing of personal information is compatible with Act no. 90/2018, on personal protection and processing of personal data, and Regulation (EU) 2016/679 is the named responsible party. According to number 6 Article 3 of the Act, it refers to an individual, legal entity, government or other entity that alone or in cooperation with others determines the purposes and methods of processing personal data, cf. Number 7. Article 4 of the regulation. The University of Iceland is considered to be the responsible party for the processing in question according to the aforementioned provisions of the law and the regulation, as it is generally understood that the responsible party is the institution or company concerned and not individual employees, whether it is managers or ordinary employees.<br />
<br />
Electronic monitoring is monitoring that is persistent or regularly repeated and includes monitoring of individuals with remote or automatic equipment and is carried out in public or in an area that is normally visited by a limited group of people, cf. Number 9. Article 3 Act no. 90/2018. As the incidents have been described by the parties, the examination of teachers at the University of Iceland on the activity of students in courses, by examining their use of a specific teaching website in the Canvas learning management system, was not ongoing or repeated regularly. In the opinion of the Data Protection Authority, this is not a case of electronic monitoring according to the referenced legal provision.<br />
<br />
All processing of personal information must nevertheless fall under one of the authorization provisions of Article 9. Act no. 90/2018, cf. Paragraph 1 Article 6 of regulation (EU) 2016/679. When the government and public institutions work with personal data, it is best to refer to item 3. of the legal article, cf. Section c of the regulatory clause, which stipulates that processing may be permitted if it is necessary to fulfill a legal obligation incumbent on the responsible party, and section 5. of the legal article, cf. Clause e of the regulatory clause, which prescribes that processing may be permitted if it is necessary for work carried out in the public interest or in the exercise of official authority exercised by the responsible party. When assessing whether the processing of personal data is based on the 3rd or 5th item. Article 9 of the law, it is important to keep in mind that according to item 3 it is assumed that the legislator has decided clearly in the law that certain processing shall take place. When based on number 5. on the other hand, it is assumed that the government has a certain scope to assess what processing is necessary to implement the statutory tasks of the relevant government authority with reference to the public interest and the exercise of public authority.<br />
<br />
In addition to authorization according to the above, the processing of personal data must be compatible with all the principles of paragraph 1. Article 8 Act no. 90/2018, cf. Paragraph 1 Article 5 of regulation (EU) 2016/679. Among other things, it is stipulated that personal data must be processed in a lawful, fair and transparent manner towards the data subject, cf. Number 1. of the legal provision and point a of the regulatory provision. In connection with the assessment of transparency during processing, according to the above-mentioned principle, provisions on the responsible party's educational obligation towards the data subject must also be taken into account, cf. Article 17 Act no. 90/2018 and 12.-14. art. of regulation (EU) 2016/679.<br />
<br />
When evaluating authorization for processing, provisions in other laws that are applicable in each case must also be taken into account. In particular, law no. 63/2006 on universities. In Article 7 The law states that universities determine the arrangements for teaching, research, study and assessment. The comments to the draft law also state that the law is intended to continue to ensure flexibility in the organization of universities, where flexibility and independence are paramount.<br />
<br />
In its answers, the University of Iceland has referred to the fact that the assessment in the course the complainant sat with the teacher was three-part and that one part was "participation and activity" and the other "group project". The university is based on the fact that it was necessary to examine the complainant's activity in a specific course, by looking at his use of the teaching website in the Canvas learning management system, as a basis for grading the evaluation component "participation and activity". It is also clear from the documents of the case that the peer evaluation of the complainant's fellow students in a group project was one of the factors that formed the basis of the grading of the "group project" evaluation component. When the processing of personal information is carried out by the government in connection with their statutory tasks, the Data Protection Authority has considered that the processing can mainly rely on item 5. Article 9 Act no. 90/2018, cf. point e, paragraph 1 Article 6 of regulation (EU) 2016/679. In the opinion of the Data Protection Authority, it will be considered that the University of Iceland can base the said processing of personal information on this basis, in light of the tasks assigned to the university by law no. 63/2006.<br />
<br />
However, the University of Iceland has agreed with the complainant that he was not sufficiently informed of the teacher's potential to examine his effectiveness in the course by examining his use of the teaching website in the Canvas course management system and using this as the basis for grading. It was also stated in the response letter of the University of Iceland that when the complainant logged into the Canvas learning management system, the information page about processes in the system, which appears to individuals when they connect to the system, was inactive. There is also no evidence that the University of Iceland provided the complainant with information that peer assessment would be used as a basis for grading.<br />
<br />
With reference to the above, it will therefore be considered that the University of Iceland's processing of the complainant's personal information, which included an examination of the complainant's use of a specific teaching website in the Canvas learning management system and the use of peer assessment for grading, did not comply with the transparency requirement of item 1. Paragraph 1 Article 8 Act no. 90/2018, cf. point a, paragraph 1 Article 5 of regulation (EU) 2016/679. Then it will not be considered that the University of Iceland has provided the complainant with appropriate education according to 1.-2. paragraph Article 17 of the Act and 12.-13. art. of the regulation.<br />
<br />
Ruling:<br />
<br />
The University of Iceland's processing of personal information about [A] did not comply with the provisions of Act no. 90/2018, on personal protection and processing of personal data, and Regulation (EU) 2016/679 on fair and transparent processing and education obligation.<br />
<br />
Privacy, January 22, 2024<br />
<br />
Valborg Steingrímsdóttir Edda Úríður Hauksdóttir<br />
</pre></div>Gauravpathakhttps://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202306257AEPD (Spain) - EXP2023062572024-02-29T13:22:18Z<p>Im: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=EXP202306257<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AEPD<br />
|Original_Source_Link_1=https://www.aepd.es/documento/reposicion-ps-00349-2022.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=AEPD<br />
|Original_Source_Link_2=https://www.aepd.es/documento/ps-00349-2022.pdf<br />
|Original_Source_Language_2=Spanish<br />
|Original_Source_Language__Code_2=ES<br />
|Original_Source_Name_3=<br />
|Original_Source_Link_3=<br />
|Original_Source_Language_3=<br />
|Original_Source_Language__Code_3=<br />
<br />
|Type=Complaint<br />
|Outcome=Rejected<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=<br />
|Year=<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 44 GDPR<br />
|GDPR_Article_Link_1=Article 44 GDPR<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=VACACIONES EDREAMS, S.L.<br />
|Party_Link_1=https://www.edreams.es/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=AEPD (Spain)<br />
|Appeal_To_Case_Number_Name=PS/00349/2022<br />
|Appeal_To_Status=Appealed - Confirmed<br />
|Appeal_To_Link=https://www.aepd.es/documento/ps-00349-2022.pdf<br />
<br />
|Initial_Contributor=mgrd<br />
|<br />
}}<br />
<br />
In another of the 101 complaints filed by noyb, the Spanish DPA also found that the controller unlawfully transferred personal data to the U.S. in violation of Chapter V GDPR. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
On 20 August 2020 the data subject, represented by noyb, filed a complaint against eDreams, the controller, with the Spanish DPA. The data subject stated that he visited the eDreams website while logged in to his Google account. His IP address and cookie data were collected and transferred to Google in the U.S. through the Google Analytics and Google Ads services contracted by eDreams.<br />
<br />
The Spanish DPA started an investigation. Based on the documents and the requests made by the Spanish DPA, it was confirmed that Google Analytics statistics were collected from data subjects in other Member States where eDreams concentrates its activity. The data in the Google Analytics tool is accessed mainly from eDreams' offices in Spain, led by the head of the Analytics team, but also from France and Germany by the management teams of those countries. <br />
<br />
eDreams stated that it only communicates the data collected through Google Analytics to Google. If the user consents to advertising cookies and does not block cookies in their browser, the Google Ad Manager and Google Ads tools are also recipients of the data. The controller specified that the legal basis for incorporating the Google Analytics tool was legitimate interest, based on the need to understand how its website is used and to provide a better service to users.<br />
<br />
Concerning the international transfer of data to the U.S., the controller relied on the Privacy Shield certification until it was declared invalid, and subsequently on the Standard Contractual Clauses adopted by the Commission, together with the appropriate complementary measures provided by Google. Additionally, eDreams did not have the option to opt out of transferring data outside the EEA when using Google Analytics, since the configuration of the tool does not allow it.<br />
<br />
The browsing and behavioural data of customers were pseudonymised by means of a cookie identifier ("Cookie ID") that allowed eDreams to analyse how the user accessed and interacted with its website. The Cookie ID was also its internal identifier for analysing the results at a statistical level. The controller claimed that no processing of special categories of personal data as defined in [[Article 9 GDPR]] took place, nor any processing of personal data of particularly vulnerable persons. The retention period was 26 months, which allowed the controller to make comparisons with the previous year's data. <br />
<br />
On 12 October 2020, in response to the DPA's requests, Google stated that customers using Google Analytics can enable IP anonymisation, which takes effect immediately after the data is collected. Where data collected through Google Analytics and transferred by Google's customers are personal data, they would have to be pseudonymised (as mandated by the Google Analytics Terms of Service). Google also highlighted that it had obtained ISO 27001 certification and would allow customers, or a third-party auditor appointed by the customer, to conduct audits of Google Analytics and verify Google's compliance with its obligations.<br />
<br />
Google also claimed that if any government requests access to personal data stored in Google's systems in the course of an investigation, a dedicated team of Google lawyers and specially trained personnel will carefully review the request to verify that it is lawful, proportionate, and complies with Google's policies. Its infrastructure is not designed to, and does not, give the U.S. government or any other government "backdoor" access to customer data or its servers. In addition, Google highlighted that it uses strong technical measures (such as encryption) to protect against interception, including surveillance attempts by government authorities around the world.<br />
<br />
Despite all these arguments, on 26 July 2023 the DPA ordered eDreams to comply with [[Article 44 GDPR]], specifically to adapt its data processing with Google Analytics to ensure that no international data transfers to the U.S. occur without adequate safeguards. The Spanish DPA determined that the measures implemented by eDreams were insufficient to address the core issue of unlawful data transfers and the risk they posed to EU citizens' data protection rights.<br />
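The proven facts record three requests from the data subject's browser (two GETs carrying the _ga, _gid, __gads and NID cookies, and a POST carrying cid, tid and gjid in its payload); a controller can build the same inventory of third-party recipients itself before a regulator does. The Python audit below is an added example, not code from the decision, eDreams or Google: the request records, hostnames and identifier values are constructed placeholders, and the first-party host list is an assumption. It reports which third-party hosts received a tracked identifier and records that the client IP reaches every such host at the connection level, which is why a recipient-side anonymisation setting does not undo the transfer the DPA found.<br />
<br />
```python
"""Offline inventory of identifiers that a page's requests send to third parties.

Added example, not code from the AEPD decision, eDreams or Google. The request
records mirror the three requests in the proven facts of PS/00349/2022, but every
hostname, identifier value and the first-party host list is a constructed placeholder.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List
from urllib.parse import parse_qs, urlsplit

# Cookie names and request fields listed in the decision's request tables.
TRACKED_COOKIES = {"_ga", "_gid", "__gads", "NID"}
TRACKED_FIELDS = {"cid", "tid", "gjid", "_gid", "u1"}
# Assumption: hosts operated by the site itself; any other host is a third party.
FIRST_PARTY_HOSTS = {"www.site.example"}


@dataclass
class Request:
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""  # urlencoded payload for POST requests


@dataclass
class Finding:
    host: str
    third_party: bool
    identifiers: FrozenSet[str]  # tracked cookies / fields present in the request
    ip_left_browser: bool        # the client IP reaches this host on the connection


def cookie_names(cookie_header: str) -> set:
    """Names in a Cookie request header; values may themselves contain '='."""
    names = set()
    for part in cookie_header.split(";"):
        name = part.strip().partition("=")[0]
        if name:
            names.add(name)
    return names


def tracked_identifiers(req: Request) -> FrozenSet[str]:
    """Tracked cookie names plus tracked query/payload fields in one request."""
    found = TRACKED_COOKIES & cookie_names(req.headers.get("Cookie", ""))
    found |= TRACKED_FIELDS & set(parse_qs(urlsplit(req.url).query, keep_blank_values=True))
    if req.method.upper() == "POST":
        found |= TRACKED_FIELDS & set(parse_qs(req.body, keep_blank_values=True))
    return frozenset(found)


def audit(req: Request) -> Finding:
    host = urlsplit(req.url).hostname or ""
    # The client IP is part of the connection itself, so every request exposes it
    # to the receiving host. A recipient-side "IP anonymization" option (as Google
    # described it to the AEPD) acts after collection and does not change that.
    return Finding(host, host not in FIRST_PARTY_HOSTS, tracked_identifiers(req), True)


def third_party_transfers(requests: Iterable[Request]) -> List[Finding]:
    """Findings for third-party hosts that received at least one tracked identifier."""
    return [f for f in map(audit, requests) if f.third_party and f.identifiers]


# Constructed records mirroring requests 1-3 of the proven facts, plus one
# first-party request that must not be reported.
SAMPLE_REQUESTS = [
    Request("GET", "https://analytics.third-party.example/collect?v=1",
            {"User-Agent": "Mozilla/5.0 (constructed)",
             "Cookie": "_ga=GA1.2.111.222; __gads=ID=abc:T=1; _gid=GA1.2.333.444"}),
    Request("GET", "https://ads.third-party.example/view?u1=https://www.site.example/",
            {"User-Agent": "Mozilla/5.0 (constructed)", "Cookie": "NID=xyz",
             "Accept-Language": "es-ES"}),
    Request("POST", "https://analytics.third-party.example/collect",
            {"User-Agent": "Mozilla/5.0 (constructed)", "Cookie": "_gid=GA1.2.333.444",
             "Accept-Language": "es-ES"},
            body="v=1&tid=UA-000000-0&cid=555.666&gjid=777&_gid=GA1.2.333.444"),
    Request("GET", "https://www.site.example/manage-booking",
            {"Cookie": "session=constructed"}),
]

if __name__ == "__main__":
    for f in third_party_transfers(SAMPLE_REQUESTS):
        print(f"{f.host}: identifiers={sorted(f.identifiers)}, client IP exposed={f.ip_left_browser}")
```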
<br />
=== Holding ===<br />
eDreams contested the resolution by way of an appeal for reconsideration, based on the following arguments.<br />
<br />
Firstly, eDreams claimed that the DPA infringed its right of defence, since the controller was affected by a delay in accessing the case file. These circumstances limited its time for presenting allegations, and a requested evidentiary period was not granted. It was further highlighted that additional technical proof was unnecessary, since Google's terms allow data storage and processing in any country with Google facilities and all data collected via Google Analytics is hosted in the U.S. The DPA attributed the delays to technical issues and miscommunication rather than procedural unfairness, and argued that the extension of the deadline to submit allegations was sufficient, countering the claim of an unjustified limitation of the period.<br />
<br />
Secondly, eDreams contested the decision for failing to technically demonstrate international data transfers to the U.S. and claimed that its privacy settings prevent such transfers. The DPA refuted these claims, stating that regardless of eDreams' ability to technically demonstrate international data transfers to the U.S., these transfers were documented and confirmed by the Terms of Use clause which allows Google to store and process customer personal data in any country where Google or its sub-processors have facilities, including the U.S. <br />
<br />
Thirdly, eDreams argued that the decision did not consider the new U.S. legal framework and the European Commission's adequacy decision, claiming that it was unfair and legally improper. The DPA disagreed, stating that the legal framework at the time of the infringement applies, and that compliance with the GDPR was required at the time of the complaint.<br />
<br />
Fourthly, eDreams contended that the imposed sanction presents an unattainable requirement, because eDreams would be compelled to administer and regulate a service that belongs to a third party (Google) and thus falls outside its sphere of control. The DPA disagreed that the decision should be considered unattainable, as it orders a precise adaptation of the data processing activity of the Google Analytics service to the provisions of [[Article 44 GDPR]], in particular by ceasing the international transfer of data until it is established that the Google Analytics service complies with the GDPR provisions.<br />
<br />
In light of the above, the DPA decided to dismiss the appeal by eDreams against the decision made on 26 July 2023, since eDreams did not provide new facts or legal arguments to reconsider the original decision.<br />
<br />
== Comment ==<br />
In this case, the Spanish DPA was the lead supervisory authority and the Austrian, French and Italian DPAs were concerned supervisory authorities.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
File no.: EXP202306257 (RR/00640/2023)<br />
<br />
<br />
IMI Reference: A56ID 438120 – A60DD 448732 – Case Register - 448157<br />
<br />
<br />
RESOLUTION OF APPEAL FOR RECONSIDERATION<br />
<br />
<br />
Examined the appeal for reconsideration filed by VACACIONES EDREAMS, S.L.<br />
(hereinafter, the appellant) against the resolution issued by the Director of the<br />
Spanish Data Protection Agency dated July 26, 2023, and based on<br />
the following<br />
<br />
<br />
FACTS<br />
<br />
FIRST: On July 26, 2023, a resolution was issued by the Director of the<br />
Spanish Data Protection Agency in file EXP202306257, by virtue of which<br />
VACACIONES EDREAMS, S.L. was ordered, for a violation of Article 44 of the GDPR,<br />
typified in Article 83.5 of the GDPR, to adapt the data processing activity<br />
carried out through the Google Analytics service to the provisions of Articles 44<br />
et seq. of Regulation (EU) 2016/679 of the European Parliament and of the Council<br />
of 27 April 2016, in particular by ceasing the international data transfer until<br />
it is proven that the Google Analytics service complies with the aforementioned<br />
provisions of the Regulation.<br />
<br />
Said resolution, which was notified to the appellant on July 31, 2023,<br />
was issued following the processing of the corresponding sanctioning procedure,<br />
in accordance with the provisions of Organic Law 3/2018, of December 5, on the<br />
Protection of Personal Data and guarantee of digital rights (LOPDGDD), and<br />
supplementarily in Law 39/2015, of October 1, on the Common Administrative<br />
Procedure of Public Administrations (hereinafter, LPACAP), in matters of<br />
the processing of sanctioning procedures.<br />
<br />
SECOND: As proven facts of the aforementioned sanctioning procedure,<br />
PS/00349/2022, the following were recorded:<br />
<br />
FIRST: A.A.A. (the complaining party), on 08/14/2020 at 4:44:00 a.m., visited the<br />
website ***URL.1 while logged in to the Google account associated with the<br />
address ***EMAIL.1 belonging to the complaining party.<br />
<br />
Through HTML code embedded in the web page “***URL.1”, personal data (at least<br />
the IP address and "cookies") of the complaining party have been collected and<br />
transferred to Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043,<br />
USA, through the Google Analytics and Google Ads services contracted by the<br />
party responsible for the portal, EDREAMS.<br />
<br />
When the complaining party visited the aforementioned website, the following<br />
requests were made:<br />
<br />
<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es 2/29<br />
<br />
1. A GET request to the URL ***URL.2, which includes cookies and request<br />
fields with, among others, the following values:<br />
<br />
Field             Value<br />
User-Agent        (…)<br />
_ga               (…)<br />
__gads            (…)<br />
_gid              (…)<br />
<br />
<br />
<br />
2. A GET request to the URL ***URL.3, which includes cookies and request<br />
fields with, among others, the following values:<br />
<br />
Field             Value<br />
User-agent        (…)<br />
NID               (…)<br />
accept-language   (…)<br />
u1                (…)<br />
<br />
<br />
<br />
<br />
3. A POST request to the URL ***URL.4 with the following header and parameters<br />
encoded in the payload, among others:<br />
<br />
Header<br />
(…)<br />
<br />
Field             Value<br />
User-agent        (…)<br />
gjid              (…)<br />
cid               (…)<br />
tid               (…)<br />
_gid              (…)<br />
accept-language   (…)<br />
<br />
<br />
SECOND: As stated in its response of 12/10/2020 to a requirement of this Agency,<br />
EDREAMS has introduced the Google Analytics tool code on its website ***URL.1<br />
and is currently still embedding it.<br />
<br />
THIRD: As stated in its response of 12/10/2020 to a requirement of this Agency,<br />
Google Analytics statistics were collected from data subjects in the Member<br />
States where EDREAMS concentrates its activity: Germany, Austria, Czechia,<br />
Denmark, Spain, France, Finland, Greece, Hungary, Italy, Netherlands, Poland,<br />
Portugal, Romania, Sweden.<br />
<br />
<br />
FOURTH: As stated in its response of 12/10/2020 to a requirement of this Agency,<br />
the data from the Google Analytics tool is accessed mainly from the EDREAMS<br />
offices in Spain, led by the head of the Analytics team, but also from France<br />
and Germany by the management team of each country.<br />
<br />
<br />
FIFTH: As stated in its response of 10/12/2020 to a requirement of this Agency,<br />
EDREAMS only communicates the data collected through Google Analytics to GOOGLE.<br />
In the event that the user provides consent for advertising cookies and does not<br />
block cookies in their browser, the Google Ad Manager and Google Ads tools will<br />
also be recipients.<br />
<br />
<br />
SIXTH: As stated in its response of 10/12/2020 to a requirement of this Agency,<br />
the legal basis for the incorporation of the Tool is a twofold legitimate<br />
interest: understanding how the EDREAMS website is used and providing a better<br />
service to users.<br />
<br />
<br />
SEVENTH: As stated in its response of 12/10/2020 to a requirement of this Agency,<br />
the initial legal basis for the international transfer of data by EDREAMS rested<br />
on the Privacy Shield Certificate until its nullity, and thereafter on the standard<br />
data protection clauses adopted by the Commission ("Standard Contractual Clauses",<br />
or "CCT"), since August 2020, together with the appropriate complementary measures<br />
provided by Google.<br />
<br />
EIGHTH: As stated in its response of 10/12/2020 to a requirement of this Agency,<br />
EDREAMS did not have the option to choose whether or not to transfer data outside<br />
the EEA when using Google Analytics, since the tool's configuration does not allow it.<br />
<br />
<br />
NINTH: As stated in its response of 10/12/2020 to a requirement of this Agency,<br />
EDREAMS processes the browsing and behavior data of the clients on its websites<br />
in pseudonymized form, using a cookie identifier (“Cookie ID”) that allows it to<br />
analyze how the user accesses and interacts with its website, and its internal<br />
identifier to analyze the results at a statistical level.<br />
<br />
The “Booking ID” (internal reservation identifier) is used by EDREAMS to<br />
identify the sales conversion ratio, while the “Checked Booking ID” allows it to<br />
know how many people have entered the “Manage my reservation” section and have<br />
chosen to cancel or modify it.<br />
<br />
The “Session” or “eDOuser ID” identifiers allow EDREAMS to limit as much as<br />
possible the amount of data it has in Google Analytics, and it uses them to<br />
solve technical problems.<br />
<br />
For all these reasons, the data is limited to how users, through their devices,<br />
interact with the EDREAMS website (browsing data internal to the website).<br />
<br />
In no case are special categories of data as defined in article 9.1 of the GDPR<br />
processed, nor are data of particularly vulnerable people processed.<br />
Non-pseudonymized data are not processed.<br />
<br />
TENTH: As stated in its response of 10/12/2020 to a requirement of this Agency,<br />
GOOGLE may have knowledge of the users' personal data automatically, by saving<br />
the information on its own platform. The Google Analytics tool code is integrated<br />
directly when the user accesses the EDREAMS website. Any purpose that goes beyond<br />
analyzing the use of the aforementioned website, such as advertising, will not be<br />
activated until the user has given prior consent. That is, if the user does not<br />
provide consent, Google Analytics will not connect with Google Ad Manager and<br />
Google Ads in any way.<br />
<br />
<br />
ELEVENTH: As stated in its response of 12/10/2020 to a requirement of this Agency,<br />
the data is stored for a period of 26 months, which is the period that allows<br />
them to make comparisons against the previous year.<br />
<br />
TWELFTH: As stated in its response of 12/10/2020 to a requirement of this Agency,<br />
the data was stored according to clause 10.3 of the current document “Conditions<br />
for the processing of Google Ads data”, whose terms or configuration did not allow<br />
EDREAMS to change this.<br />
<br />
THIRTEENTH: As stated in its response of 10/12/2020 to a requirement of this Agency,<br />
of the five purposes for sharing data with GOOGLE, EDREAMS only had the GOOGLE<br />
technical service activated, so that GOOGLE can resolve any incident, without<br />
GOOGLE being able to use the data for other purposes.<br />
<br />
FOURTEENTH: As stated in its response of 12/10/2020 to a requirement of this Agency,<br />
the cookies are not refreshed even if the user revisits the website, so the<br />
13-month duration is static.<br />
<br />
FIFTEENTH: As stated in its response of 10/12/2020 to a requirement of this Agency,<br />
apart from the Google Analytics tool service itself, data is connected, with prior<br />
consent, with the following services:<br />
<br />
Google Ads Linking: links the Google Ads account to the Analytics account, allowing<br />
the full customer cycle to be seen, from how users interact with marketing to how<br />
the objectives established on the website are finally achieved.<br />
<br />
AdSense Linking: allows AdSense data to be seen in Analytics, as well as key<br />
Analytics metrics on AdSense homepage cards.<br />
<br />
Google Ad Manager Linking: once the Ad Manager and Analytics accounts are linked,<br />
Ad Manager metrics will be available in Analytics.<br />
<br />
Optimize and Tag Manager Linking: Google Optimize allows the website to be tested<br />
and customized using Google Analytics data for measurement and targeting.<br />
<br />
Ad Exchange Linking: allows statistical advertising data from Ad Exchange to be<br />
received within the Analytics account.<br />
<br />
Campaign Manager 360 Linking: allows the import into Analytics 360 of campaign<br />
statistics and cost data from Campaign Manager 360.<br />
<br />
<br />
SIXTEENTH: As of 10/12/2020, EDREAMS had the following services linked with the<br />
Google Analytics tool:<br />
<br />
a. “AdSense. Actively linked. Receiving data. AdSense helps you earn money by<br />
displaying ads on your website that are relevant to your audience. […]”<br />
<br />
b. “Google Ads. Actively linked. Sending and receiving information. Google Ads is<br />
an online advertising program that helps you reach your customers and grow your<br />
business, improve your ad campaigns and analyze the customer journey – from<br />
clicking on the ad to conversion.”<br />
<br />
c. “Ad Exchange. Actively linked. Receiving data. Ad Exchange helps you earn money<br />
by displaying ads on your website that are relevant to your audience. Correlate key<br />
Ad Exchange metrics such as eCPM and unit impressions with more Analytics data.”<br />
<br />
d. “Campaign Manager 360. Actively linked. Receiving data. Campaign Manager 360 is<br />
an ad management and serving solution that helps agencies and advertisers manage<br />
the full reach of digital advertising programs. This integration allows Google<br />
Analytics 360 customers to view and analyze Campaign Manager 360 data in Analytics.”<br />
<br />
e. “Google Optimize and Tag Manager for website and app optimization. Actively<br />
linked. Receiving data. Google Optimize allows you to test and personalize your<br />
website using Google Analytics to measure and personalize. […]”<br />
<br />
f. “Search Console. Actively linked. Receiving data. Search Console can help you<br />
understand how users find your website through Google searches, identify ways to<br />
attract more attention to your website and prioritize development efforts.”<br />
<br />
<br />
SEVENTEENTH: As of 10/12/2020, EDREAMS had the following configuration of the<br />
Google Analytics account in the “Data Sharing Settings” section:<br />
<br />
a. “Google products & services”. Not selected.<br />
<br />
b. “Benchmarking”. Not selected.<br />
<br />
c. “Technical Support”. Selected.<br />
<br />
d. “Account specialists”. Not selected.<br />
<br />
e. “Give all Google sales experts access to your data and account so you can get<br />
more in-depth analysis, insights and recommendations across Google products.”<br />
Not selected.<br />
<br />
26 months was the retention period, with the minimum selectable period being 14<br />
months and the maximum 50 months. There was also the selectable option of not<br />
automatically deleting the data after a specific period, but it was not selected.<br />
<br />
<br />
EIGHTEENTH: As of 12/10/2020, GOOGLE IRELAND LTD. acted as data processor.<br />
<br />
NINETEENTH: As of 10/12/2020, the adhesion contract proposed by GOOGLE,<br />
“Conditions for the processing of Google Ads data”, at the link<br />
https://privacy.google.com/businesses/processorterms/, stated that:<br />
<br />
“[…]<br />
2.5 In the event that these Data Processing Conditions are translated into any<br />
other language and there is any discrepancy between the English version and the<br />
translated text, the English version will prevail.<br />
[…]”<br />
<br />
TWENTIETH: As stated in its response of 12/10/2020 to a requirement of this Agency,<br />
from the same day as the CJEU judgment in C-311/18, EDREAMS considered that it<br />
should update its contracting by eliminating the Privacy Shield as legal basis and<br />
including the Standard Contractual Clauses, that it had to analyze the risks for<br />
the data subjects taking into account the type of personal data processed, and<br />
that it had to review the additional measures to those already contained in the<br />
Standard Contractual Clauses. And, regarding the Privacy Shield, GOOGLE proposed<br />
within a month (August 16, 2020) its new version with the changes in the<br />
“Conditions for the processing of Google Ads data”. And the transfer of the IP of<br />
whoever visits the website.<br />
<br />
TWENTY-FIRST: As stated in its response of 12/10/2020 to a requirement of this<br />
Agency, in an email exchanged between EDREAMS and GOOGLE on September 24, GOOGLE<br />
declared that it had implemented the following additional safeguards to ensure<br />
Google Analytics data protection:<br />
<br />
i. Google Analytics ensures the secure transmission of its JavaScript content<br />
libraries and measurement data via the HTTP Strict Transport Security (HSTS)<br />
protocol. ***URL.5.<br />
<br />
ii. IP anonymization. GOOGLE offered the possibility of anonymizing IPs. If this<br />
option is activated, IPs are deleted immediately after collection and are never<br />
stored on disk. This measure was implemented by eDreams. ***URL.6<br />
<br />
iii. Google has obtained ISO 27001 certification in relation to Google Analytics.<br />
<br />
<br />
iv. According to GOOGLE, it has a team that carefully reviews each request for<br />
user data it receives from government authorities. Transparency report at<br />
***URL.7 and its policies at ***URL.8.<br />
<br />
v. Encryption to protect personal data against interception in transit.<br />
<br />
<br />
TWENTY-SECOND: As stated in its response of 10/12/2020 to a requirement of this<br />
Agency, the international transfer of data has as its legal basis the Privacy<br />
Shield until its nullity and, since August 2020, the standard contractual clauses<br />
adopted by the Commission, together with the appropriate complementary measures<br />
provided by GOOGLE. The standard contractual clauses are located at ***URL.9.<br />
<br />
TWENTY-THIRD: As stated in its response of 12/10/2020 to a requirement of this<br />
Agency, in the event that any US security agency wished to obtain access to the<br />
data collected by EDREAMS in the Google Analytics tool, first of all, it could not<br />
do so directly, without sending a request to Google, since said data is encrypted.<br />
Likewise, Google has internal processes to challenge any requirement of the US<br />
administration that it considers disproportionate or incompatible with European<br />
data protection regulations or with the Standard Contractual Clauses.<br />
<br />
But in the hypothetical case that the corresponding US agency ends up accessing<br />
the data, it would not be able to know which specific person is behind the data<br />
collected in the Tool through identifiers, since the personal data that would<br />
allow direct identification are protected only by EDREAMS and stored within the<br />
European Economic Area.<br />
<br />
TWENTY-FOURTH: As stated in its response of 12/10/2020 to a requirement of this<br />
Agency, “EO 12333 [1] (...) organizes and assigns functions and responsibilities<br />
to the United States intelligence community and articulates high-level principles<br />
that all intelligence activities must comply with. The specific intelligence<br />
activities carried out under EO 12333 are subject to more specific implementing<br />
procedures (which may be classified) that include safeguards and protections<br />
appropriate for that type of intelligence activity. EO 12333 mainly governs<br />
intelligence activities that are performed outside the United States. It is<br />
understood that EO 12333 allows the United States to conduct electronic<br />
surveillance outside the United States in compliance with United States legal<br />
requirements; it does not authorize electronic surveillance within the United<br />
States nor does it impose requirements on service providers inside or outside the<br />
United States.<br />
<br />
Section 702 of the FISA Amendments Act, which also requires the Government of<br />
the United States to minimize the use and dissemination of data, has two<br />
components:<br />
<br />
Section 702 "Upstream" authorizes United States authorities to collect data that<br />
travels through the Internet "backbone" infrastructure controlled by United States<br />
electronic communications service providers (for example, telecommunications<br />
providers in the United States). To the extent that the data of any user or<br />
client crosses the networks subject to Upstream section 702 collection, that data<br />
is encrypted in transit as described previously.<br />
<br />
Section 702 "Downstream" authorizes United States authorities to obtain specific<br />
data directly from electronic communication service providers. To the extent<br />
Google LLC may be subject to specific requests related to Google customer data<br />
under section 702 Downstream, we carefully review every request we receive under<br />
FISA regulations in accordance with the guidelines described below to ensure that<br />
it complies with all applicable legal requirements and Google policies".<br />
<br />
[1] United States Executive Order 12333 (hereinafter EO 12333)<br />
<br />
TWENTY-FIFTH: As stated in its response of 12/10/2020 to a requirement of this<br />
Agency, Google declares that if any government requested access to personal data<br />
stored in Google systems in the course of an investigation, a dedicated team of<br />
Google lawyers and specially trained staff would carefully review the request to<br />
verify that it is legal, proportionate and complies with Google policies.<br />
<br />
<br />
Google states that Google's infrastructure is not designed to, and does not, give<br />
the United States government or any other government "back door" access to<br />
customer data or to its servers that store customer data. Besides, Google states<br />
that it uses strong technical measures (such as encryption) to protect against<br />
interception in transit, including surveillance attempts by government<br />
authorities around the world.<br />
<br />
<br />
Google declares that Google Analytics uses the HTTP Strict Transport Security<br />
(HSTS) protocol by default, which tells browsers that support HTTP over SSL<br />
(HTTPS) to use that encryption protocol for all communications between end users,<br />
websites and Google Analytics servers.<br />
<br />
<br />
Google states that it protects service-to-service communications at the<br />
application layer through a system of mutual authentication and encryption of<br />
<br />
Google states that after a handshake protocol between the client and the server<br />
completes and the client and server negotiate the cryptographic secrets required<br />
to encrypt and authenticate network traffic, ALTS secures RPC (Remote Procedure<br />
Call) traffic by enforcing integrity, with optional encryption, using the<br />
negotiated shared secrets. Google supports multiple protocols to ensure<br />
integrity, for example AES-GMAC (Advanced Encryption Standard) with 128-bit keys.<br />
Whenever traffic leaves a physical boundary controlled by or on behalf of Google,<br />
for example in transit over the WAN (Wide Area Network) between data centers, all<br />
protocols are automatically upgraded to provide encryption as well as integrity<br />
guarantees.<br />
<br />
<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es 9/29<br />
<br />
Google states that it encrypts Google Analytics data stored at rest in its data centers using the Advanced Encryption Standard. Each data center is protected with six layers of physical security designed to prevent unauthorized access.<br />
<br />
"At rest" encryption in this section means the encryption used to protect user data stored on a disk (including solid-state drives) or on backup media. All user data is encrypted at the storage level, typically using the Advanced Encryption Standard (AES256). Data is typically encrypted at multiple levels of Google's production storage stack in data centers, including at the hardware level, with no action required by Google customers.<br />
<br />
Google states that it uses common cryptographic libraries that incorporate Google's FIPS 140-2 validated module, to implement encryption consistently across all products. Consistent use of common libraries means that only a small team of cryptographers needs to implement and maintain this tightly controlled and reviewed code.<br />
<br />
Google states that it builds dedicated servers for its data centers and maintains an industry-leading security team to ensure that Google data is among the most secure in the world. Google's production data centers are protected by multiple layers of security to prevent any unauthorized access to data.<br />
<br />
<br />
Google declares that it limits access to personal data for Google advertising and analytics to Google personnel who need it to do their jobs.<br />
<br />
Google states that customers who use Google Analytics can activate IP anonymization to tell Google to anonymize all IP addresses immediately after they are collected. If activated, at no time is the full IP address written to disk, since all anonymization occurs in memory almost instantly after the request is received.<br />
<br />
Google declares that, to the extent that the Google Analytics measurement data transferred by customers are personal data, they would have to be considered pseudonymous. The Google Analytics Terms of Service require that no data that Google could use or recognize as personally identifiable information (PII) be transferred to Google.<br />
<br />
Google has obtained ISO 27001 certification and will allow customers, or a third-party auditor designated by a customer, to perform audits (including inspections) to verify compliance with Google's obligations.<br />
<br />
TWENTY-SIXTH: As of February 3, 2021, the EDREAMS privacy policy at the link ***URL.1 stated that:<br />
<br />
<br />
“[…]<br />
<br />
V. Marketing activities. We use your information for marketing purposes, including, among others:<br />
<br />
<br />
[…]<br />
II. Information we collect automatically when you use our services.<br />
<br />
a. Information about your device (for example, your IP address, browser type, Internet service provider, geographic location, technical information about the device, the time and duration of the request and the visit, and the method used to send your request to the server). When you visit our websites or our app, we automatically collect certain information from your device. Please note that we may associate this information with your account.<br />
<br />
b. Other technical information, for example how your device has interacted with our website or our app (for example, the pages you have accessed, the links you have clicked, etc.) or other means.<br />
<br />
[…]<br />
<br />
If you register on our website with a social network account, link the account that you use on our website with your social network account, or use any of our other social media features, we may access information about you through such social media provider, in accordance with such provider's policies. The information may include your name, email address, profile photo, gender, friends list and any other information that you authorize us to receive.<br />
<br />
<br />
Some of this information may be collected through cookies or similar tracking technology. The processing of information collected through cookies is based on different legal grounds (for example, it may be necessary to provide our services based on your consent). For more information, consult our Cookies Policy.<br />
<br />
[…]<br />
<br />
III. International data transfers. Our servers are located in the European Union. However, to facilitate our global operations (carried out by external service providers), the transmission of personal data to the recipients described above may include international transfers of personal data to countries whose data protection regulations are not as complete as those of the countries within the European Union. In these situations, as required, we make contractual arrangements to ensure that your personal data continue to be protected in accordance with European standards.<br />
<br />
[…]”<br />
<br />
TWENTY-SEVENTH: As of February 3, 2021, the url ***URL.10 stated that (unofficial translation, in English in the original):<br />
<br />
“Google Ads Data Processing Terms: Model Contract Clauses<br />
<br />
Standard Contractual Clauses (Processors)<br />
<br />
For the transfer of personal data to processors established in third countries that do not ensure an adequate level of data protection<br />
<br />
Name of the data exporting organization: the entity identified as the “Client” in the Data Processing Terms (the data exporter)<br />
<br />
and<br />
<br />
Name of the data importing organization: Google LLC, 1600 Amphitheatre Parkway, Mountain View, California 94043 USA (the data importer)<br />
<br />
[…]<br />
<br />
<br />
Clause 4<br />
<br />
Obligations of the data exporter<br />
<br />
The data exporter agrees and warrants:<br />
<br />
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;<br />
<br />
(b) that it has instructed, and throughout the duration of the personal data processing services will instruct, the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;<br />
<br />
(c) that the data importer will provide sufficient guarantees in respect of the technical and organizational security measures specified in Appendix 2 to this contract;<br />
<br />
(d) that, after assessing the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected, having regard to the state of the art and the cost of their implementation;<br />
<br />
[…]<br />
<br />
<br />
Clause 5<br />
<br />
Obligations of the data importer<br />
<br />
The data importer agrees and warrants:<br />
<br />
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot comply for any reason, it agrees to duly inform the data exporter of its inability to comply, in which case the data exporter may suspend the transfer of data and/or terminate the contract;<br />
<br />
(b) that it has no reason to believe that the applicable legislation prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract, and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will immediately notify the change to the data exporter as soon as it becomes aware of it, in which case the data exporter may suspend the transfer of data and/or terminate the contract;<br />
<br />
(c) that it has implemented the technical and organizational security measures specified in Appendix 2 before processing the personal data transferred;<br />
<br />
(d) that it will immediately notify the data exporter of:<br />
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under […]<br />
<br />
[…]<br />
<br />
Clause 8<br />
<br />
<br />
Cooperation with supervisory authorities<br />
<br />
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.<br />
<br />
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.<br />
[…]<br />
<br />
<br />
Appendix 2 to the Standard Contractual Clauses<br />
<br />
This Appendix is part of the Clauses.<br />
<br />
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(c) and 5(c) (or document/legislation attached):<br />
<br />
The data importer currently complies with the Security Measures set out in Appendix 2 of the Data Processing Terms at ***URL.11.<br />
<br />
[…]”<br />
<br />
<br />
TWENTY-EIGHTH: As of February 3, 2021, the url ***URL.12 contained:<br />
<br />
“Google Ads Data Processing Terms<br />
<br />
Google and the counterparty agreeing to these Terms (the "Customer") have entered into a contract for the provision of the Processor Services (as amended from time to time, the "Contract").<br />
<br />
These Google Ads Data Processing Terms (the "Data Processing Terms") are entered into by Google and the Customer and supplement the Contract.<br />
<br />
[…]<br />
<br />
<br />
Introduction<br />
<br />
These Data Processing Terms reflect the parties' agreement on the terms governing the processing of certain personal data in connection with European data protection legislation and certain non-European data protection legislation.<br />
<br />
Definitions and interpretation<br />
<br />
<br />
[…]<br />
<br />
"European or National Laws": as applicable: (a) the laws of the EU or its Member States (if the EU GDPR applies to the processing of Customer Personal Data); and/or (b) the law of the United Kingdom or a part of the United Kingdom (if the UK GDPR applies to the processing of Customer Personal Data).<br />
<br />
[…]<br />
"Google": the Google Entity that is a party to the Agreement.<br />
<br />
<br />
"Google Affiliate Subprocessors" has the meaning given in Section 11.1 (Consent to Subprocessor Engagement).<br />
<br />
"Google Entity": Google LLC (formerly known as Google Inc.), Google Ireland Limited or any other Affiliate of Google LLC.<br />
<br />
[…]<br />
<br />
5. Data processing<br />
<br />
<br />
5.1 Roles and regulatory compliance; authorization.<br />
<br />
5.1.1 Processor and controller responsibilities. The parties acknowledge and agree that:<br />
<br />
(a) Appendix 1 describes the subject matter and details of the processing of Customer Personal Data;<br />
<br />
(b) Google is a processor of Customer Personal Data under European data protection legislation;<br />
<br />
(c) the Customer is a controller or processor, as applicable, of Customer Personal Data under European data protection legislation; and<br />
<br />
(d) each party will comply with its obligations under European data protection legislation with respect to the processing of Customer Personal Data.<br />
<br />
[…]<br />
<br />
5.2 Customer instructions. By entering into these Data Processing Terms, the Customer instructs Google to process Customer Personal Data only in accordance with applicable law: (a) to provide the Processor Services and any related technical support; (b) as further specified through the Customer's use of the Processor Services (including the configuration and other functionalities of the Processor Services) and any related technical support; (c) as documented in the Contract, including these Data Processing Terms; and (d) as documented in any other written instructions given by the Customer and acknowledged by Google as constituting instructions for the purposes of these Data Processing Terms.<br />
<br />
5.3 Google's compliance with instructions. Google will comply with the instructions described in Section 5.2 (Customer Instructions) (including with regard to data transfers), unless European or National Laws to which Google is subject require other processing of personal data by Google, in which case Google will inform the Customer (unless any of those laws prohibit Google from doing so on important grounds of public interest).<br />
<br />
[…]<br />
<br />
<br />
10. Data transfers<br />
<br />
10.1 Data storage and processing facilities. The Customer agrees that Google may, subject to Section 10.2 (Data Transfers), store and process Customer Personal Data in any country in which Google or any of its Subprocessors maintains facilities.<br />
<br />
10.2 Data Transfers. If the storage and/or processing of Customer Personal Data involves transfers of Customer Personal Data from the EEA, Switzerland or the United Kingdom to any third country that is not subject to an adequacy decision under European data protection legislation:<br />
<br />
(a) the Customer (as data exporter) will be deemed to have entered into the Standard Contractual Clauses with Google LLC (as data importer);<br />
<br />
(b) the transfers will be subject to the Standard Contractual Clauses; and<br />
<br />
(c) Google will ensure that Google LLC complies with its obligations under such Standard Contractual Clauses with respect to such transfers.<br />
<br />
[…]<br />
<br />
<br />
11. Subprocessors.<br />
<br />
11.1 Consent to Subprocessor Engagement. The Customer specifically authorizes the engagement of Google's affiliates as Subprocessors ("Google Affiliate Subprocessors"). In addition, the Customer generally authorizes the engagement of other third parties as Subprocessors ("Third Party Subprocessors"). If the Standard Contractual Clauses apply under Section 10.2 (Data Transfers), the above authorizations constitute the Customer's prior written consent to the subcontracting by Google LLC of the processing of Customer Personal Data.<br />
<br />
[…]<br />
<br />
TWENTY-NINTH: As of February 3, 2021, the url ***URL.8 contained:<br />
<br />
“[…]<br />
Requests from US government agencies in cases involving national security<br />
<br />
In investigations related to national security, the U.S. government can use a National Security Letter (NSL) or one of the authorizations granted under the Foreign Intelligence Surveillance Act (FISA) to compel Google to provide user information.<br />
<br />
An NSL does not require judicial authorization and can only be used to compel us to provide limited subscriber information.<br />
<br />
FISA orders and authorizations can be used to compel electronic surveillance and the disclosure of stored data, including the content of services like Gmail, Drive and Photos.<br />
<br />
[…]” (unofficial translation, in English in the original)<br />
<br />
THIRTIETH: As of February 3, 2021, the url ***URL.13 contained:<br />
<br />
“[…]<br />
<br />
<br />
Basic concepts about personally identifiable information in Google contracts and policies.<br />
<br />
Many Google contracts, terms of service, and advertising and measurement product policies refer to "personally identifiable information" (PII). This is a categorization of data different from what the General Data Protection Regulation (GDPR) considers "personal data".<br />
<br />
Please note that although Google does not identify certain data as personally identifiable information, the GDPR may do so, or that data may be considered personal information under the California Consumer Privacy Act (CCPA), and may be subject to those laws.<br />
[…]<br />
Google considers "personally identifiable information" to be information that can be used on its own to accurately identify or locate a person, or to contact that person directly. Among other information, it includes the following:<br />
• Email addresses<br />
• Postal mailing addresses<br />
• Telephone numbers<br />
• Precise locations (for example, GPS coordinates, except where specified below)<br />
• Full names (first and last names) or usernames.<br />
<br />
[…]<br />
Among others, Google does not consider the following data to be personally identifiable information:<br />
• Pseudonymous cookie IDs<br />
• Pseudonymous advertising IDs<br />
• IP addresses<br />
• Other pseudonymous end-user identifiers<br />
For example, if an IP address is sent with an ad request (which happens with almost all ad requests as a result of Internet protocols), such sending will not violate any prohibition related to sending personally identifiable information to Google.<br />
<br />
Please note that although Google does not identify certain data as personally identifiable information, the GDPR, CCPA or other privacy laws may consider them personal data or personal information.<br />
[…]”<br />
<br />
<br />
THIRTY-FIRST: As of February 1, 2021, after visiting the website ***URL.1 while logged into a Google test account, the visit made to that website was reflected in the “Activity on the Web and Applications” section.<br />
<br />
THIRTY-SECOND: On February 17, 2021, after deleting cookies, it is confirmed that:<br />
<br />
1. After logging in to a Google account, cookies such as NID, LSID, SID, __Secure-3PSID and __Secure-3PAPISID are installed in the browser, all of them more than 30 alphanumeric characters long, mixing capital and lowercase letters, and with an expiration period from 6 months to several years. No cookies such as _ga or _gid appear to be installed.<br />
<br />
<br />
2. While logged into the Google account and after visiting ***URL.1, rejecting all of its cookies and browsing a search for a rental car from Madrid-Airport to Málaga-Airport with rental start date 02/25/2021 and end date 02/28/2021, it is verified that the cookies _ga and _gid, among others, are installed. It is also verified that there is an HTTP GET request to the domain google-analytics.com whose URL parameters include, among others, data such as:<br />
<br />
a. the _ga cookie, inside the cid parameter, and the _gid cookie.<br />
<br />
b. the url visited (***URL.14) and, among other data, the operation carried out within it, encoded as:<br />
<br />
“pickupDateTime”: “2021-02-25”<br />
“returnDateTime”: “2021-02-28”<br />
“pickupName”: “%3DMadrid%2520-%2520Airport”<br />
“returnName”: “%3DM%25C3%25A1laga%2520-%2520Airport”<br />
<br />
c. the “sr” parameter.<br />
<br />
3. That the HTTP GET headers also contain data such as “user-agent” and “accept-language”.<br />
<br />
<br />
THIRTY-THIRD: On March 4, 2021, it is verified that, after logging in to a Google account, followed by a logout and then by browsing ***URL.1 for a flight plus hotel search from March 19 to March 21, selecting Madrid as origin and Málaga as destination:<br />
<br />
<br />
1. There is an HTTP POST request to the google-analytics.com domain that sends as payload, among other data:<br />
<br />
“***URL.1”<br />
“sr=1920x1080”<br />
the “cid” parameter, which matches the value of the _ga cookie<br />
the _gid parameter, which matches the value of the _gid cookie<br />
the departure and return dates, as well as the departure and arrival cities.<br />
<br />
2. That the HTTP POST headers also contain data such as “user-agent” and “accept-language”.<br />
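<br />
The two checks on which the findings in THIRTY-SECOND and THIRTY-THIRD rest, as an added example that is not part of the resolution nor Google's or EDREAMS's code: whether a Google Analytics hit carries the same identifiers as the browser's _ga and _gid cookies (its cid and _gid parameters), and what its dl parameter discloses about the search once the double percent-encoding is undone. It assumes the Universal Analytics cookie shape GA1.&lt;n&gt;.&lt;client id&gt;, that cid carries &lt;client id&gt;, and that the POST variant sends the same parameters form-encoded in the body; every sample value is constructed.<br />

```python
"""Privacy-audit helper for one Google Analytics (Universal Analytics) hit.

Added example, not part of the AEPD resolution nor Google's/EDREAMS's code.
Assumed formats: the _ga cookie is "GA1.<n>.<client id>", the hit sends
"<client id>" as cid, and a POST hit carries the same parameters in its
form-encoded body. All sample values are constructed, not real identifiers.
"""
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample: the cookies the browser holds for the visited site.
SAMPLE_COOKIE_HEADER = (
    "_ga=GA1.2.123456789.1612345678; _gid=GA1.2.987654321.1612345600; other=1"
)

# Constructed sample of a GET hit. "dl" is the visited page URL, percent-encoded
# by the tracker on top of the encoding the site itself applied, so values such
# as the pick-up location arrive double-encoded (%2520 -> %20 -> space).
SAMPLE_GET_HIT = (
    "https://www.google-analytics.com/collect?v=1&t=pageview"
    "&cid=123456789.1612345678&_gid=987654321.1612345600&sr=1920x1080"
    "&dl=https%3A%2F%2Fexample.invalid%2Fcars%3F"
    "pickupDateTime%3D2021-02-25%26returnDateTime%3D2021-02-28"
    "%26pickupName%3D%253DMadrid%252520-%252520Airport"
    "%26returnName%3D%253DM%2525C3%2525A1laga%252520-%252520Airport"
)

# Constructed sample of the POST variant: same parameters, sent as the body.
SAMPLE_POST_URL = "https://www.google-analytics.com/collect"
SAMPLE_POST_BODY = (
    "v=1&t=pageview&cid=123456789.1612345678&_gid=987654321.1612345600"
    "&sr=1920x1080&dl=https%3A%2F%2Fexample.invalid%2Fflights%3F"
    "from%3DMadrid%26to%3DM%25C3%25A1laga%26dep%3D2021-03-19%26ret%3D2021-03-21"
)


def parse_cookie_header(header: str) -> dict:
    """Split a Cookie request header into {name: value}."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def client_id(ga_cookie_value: str) -> str:
    """Strip the 'GA1.<n>.' prefix so the cookie value can be compared with cid.

    Universal Analytics stores 'GA1.2.<random>.<timestamp>' in the cookie and
    sends '<random>.<timestamp>' as the cid parameter (assumed format).
    """
    version, _, rest = ga_cookie_value.partition(".")
    if version.startswith("GA") and "." in rest:
        _, _, rest = rest.partition(".")  # drop the domain-depth digit
        return rest
    return ga_cookie_value


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Undo repeated percent-encoding until the value stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def audit_ga_hit(url: str, cookie_header: str, body: str = "") -> dict:
    """Report what one GA hit discloses, given the browser's Cookie header.

    Query-string parameters (GET) and form-encoded body parameters (POST)
    are merged, so both request variants seen in the findings are handled.
    """
    parts = urlsplit(url)
    raw_query = "&".join(q for q in (parts.query, body) if q)
    params = {k: v[0] for k, v in parse_qs(raw_query).items()}
    cookies = parse_cookie_header(cookie_header)
    page = urlsplit(params.get("dl", ""))
    return {
        "host": parts.hostname,
        # identifier correlation: the hit carries the ids the cookies hold
        "cid_matches_ga_cookie": "_ga" in cookies
        and params.get("cid") == client_id(cookies["_ga"]),
        "gid_matches_gid_cookie": "_gid" in cookies
        and params.get("_gid") == client_id(cookies["_gid"]),
        "screen_resolution": params.get("sr"),
        "page": f"{page.scheme}://{page.netloc}{page.path}" if page.netloc else "",
        # the search itself, after undoing every layer of percent-encoding
        "search": {k: fully_decode(v[0]) for k, v in parse_qs(page.query).items()},
    }


if __name__ == "__main__":
    print(audit_ga_hit(SAMPLE_GET_HIT, SAMPLE_COOKIE_HEADER))
    print(audit_ga_hit(SAMPLE_POST_URL, SAMPLE_COOKIE_HEADER, SAMPLE_POST_BODY))
```

A real hit captured from a browser's network log can be passed to audit_ga_hit in place of the constructed samples; the report for the rental-car search matches the values quoted in THIRTY-SECOND once the two encoding layers are removed.<br />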
<br />
THIRTY-FOURTH: On June 23, 2021, it is verified that, after logging in to a Google account and then browsing the website ***URL.1:<br />
1. There is an HTTP GET request to the domain adservice.google.com that sends as the u1 parameter the same value as the content of the _ga cookie, as well as the “user-agent” and “accept-language” parameters. This same HTTP GET request also sends the NID cookie.<br />
<br />
It is verified, on different dates, that the domain google-analytics.com, as well as several IP addresses corresponding to that domain, are assigned to GOOGLE LLC.<br />
<br />
<br />
THIRTY-FIFTH: As stated in its letter of May 12, 2021, the total number of users in the period from April 1, 2020 to March 31, 2021 of the website ***URL.1, as well as of the other versions of the page aimed at other countries, is, for example, 1,623,842 visits in the German market, 13,344,019 visits in the Spanish market and 12,682,624 visits in the French market. The total number of users in the described period is 72,648,400 visits.<br />
<br />
THIRTY-SIXTH: As stated in its letter of May 12, 2021, the version that EDREAMS used was Google Analytics 360, since July 2012.<br />
<br />
<br />
THIRTY-SEVENTH: As stated in its letter of May 28, 2021, the EDREAMS establishments in which personal data are processed in the context of the present claim are Germany, Spain, France, Italy and the United Kingdom.<br />
<br />
THIRTY-EIGHTH: As stated in its letter of May 28, 2021, (…).<br />
<br />
<br />
THIRTY-NINTH: On October 27, 2021, it is confirmed that in the plenary session of the European Data Protection Board of September 2, 2020 it was decided to create a working group to ensure a coherent approach among the European data protection authorities in handling the 101 NOYB complaints, which deal with similar issues (the complainant visited a website of a controller while logged in to their Google or Facebook account, linked to their email address, and the controller had embedded code from Google or Facebook services, which transferred their personal data to the United States without a legal basis for it).<br />
<br />
<br />
FORTIETH: According to the proceeding of October 27, 2021, GOOGLE LLC sent the Austrian data protection authority a document dated April 9, 2021, which it shares with the other authorities through the Working Group for NOYB's 101 complaints in the context of the CJEU Schrems II ruling (“101 taskforce”, hereinafter task force TF101). The document in question includes the following information and statements (unofficial translation from the English):<br />
<br />
(…).<br />
<br />
FORTY-FIRST: As of November 2, 2021, the website ***URL.1 is also available for the following EEA countries: Czech Republic, France, Italy, Romania, Germany, Greece, the Netherlands, Poland, Hungary, Portugal.<br />
<br />
FORTY-SECOND: As of November 2, 2021, the url ***URL.15 showed the existence of FISA (Foreign Intelligence Surveillance Act) requests and NSLs (National Security Letters) addressed to GOOGLE regarding user information.<br />
<br />
FORTY-THIRD: On March 24 and 25, 2022, the description of Google Analytics at the URLs ***URL.16 and ***URL.17 included, among other information, that the _ga and _gid cookies were used to distinguish users and that the “sr” parameter referred to the screen resolution.<br />
<br />
And that, by executing tracert commands towards multiple IP addresses assigned to GOOGLE LLC in relation to the domain google-analytics.com, the RTT times are too low for said destination IPs to be geographically located in the United States.<br />
<br />
<br />
<br />
THIRD: On August 30, 2023, the appellant filed an appeal for reconsideration before this Agency, basing it essentially on a claim of defenselessness, with infringement of the right of defense, due to an unjustified denial of the evidentiary period. Furthermore, it considers that the sanctioning resolution is incongruent and lacks the necessary reasoning, and that the sanction imposed has illegal effects and impossible content. Finally, it alleges the lack of purpose of the sanctioning procedure and of the subjective element and guilt.<br />
<br />
<br />
<br />
FOUNDATIONS OF LAW<br />
<br />
I<br />
Competence<br />
<br />
<br />
The Director of the Spanish Data Protection Agency is competent to resolve this appeal, in accordance with the provisions of article 123 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP) and article 48.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD).<br />
<br />
II<br />
Response to the allegations presented in the appeal for reconsideration<br />
<br />
<br />
In relation to the allegations made by the appellant in the appeal for reconsideration, we proceed to respond to them in the order set out by EDREAMS:<br />
<br />
“FIRST.- Defenselessness. Violation of the right of defense. Unjustified denial of the evidentiary period.”<br />
<br />
According to EDREAMS, this Agency left EDREAMS defenseless by unjustifiably delaying access to the file, by unjustifiably limiting the deadline extensions for the presentation of allegations and, even more so, by this AEPD not agreeing to open the evidentiary period expressly requested by EDREAMS on several occasions.<br />
<br />
We now respond to these arguments. With respect to the rejection of the request for evidence made by EDREAMS, its approach ignores the provisions of point 10 of the “Google Ads Data Processing Terms”, according to which the controller has agreed that Google may store and process the customer's personal data (in this case, the complainant's data) in any country in which Google or any of its subprocessors maintains facilities. When this information is collected, it is transmitted to Google Analytics servers. Specifically, in the document in the file sent by Google LLC dated April 9, 2021, in the last paragraph of the answer to question 8, Google declares that all data collected through Google Analytics is hosted in the U.S. Therefore, the data collected on the website «***URL.1» through Google Analytics are transferred to the United States. With the international transfer of personal data to the United States documentarily accredited, it was not necessary to carry out technical proof of a fact that has been acknowledged by Google, namely that, ultimately, all the data processed by Google Analytics are hosted in the USA. In accordance with the provisions of article 77.3 of the LPACAP, “the instructor of the procedure may only reject the evidence proposed by the interested parties when it is manifestly inappropriate or unnecessary, through a reasoned resolution”; there is thus no “omnimodo” right to the taking of evidence, as EDREAMS claims, but rather evidence can be rejected with reasons, as was done in the resolution, in the terms that have been reproduced again in this paragraph.<br />
<br />
Regarding what EDREAMS calls the “unjustified delay in access to the file”, the form of<br />
delivery of the file was motivated by the technical impossibility of making it available<br />
to EDREAMS through the electronic headquarters, due to the size of the document; it was<br />
therefore decided to send the copy of the file on electronic media by courier. It was the<br />
will of this Agency that EDREAMS had access to the copy of the file as soon as possible,<br />
for which purpose the personnel in charge of the shipment confirmed by telephone with<br />
EDREAMS personnel the address to which it had to be sent, which at that time was the<br />
one recorded in this Agency's database, and to which the shipment was sent on<br />
December 12, 2022.<br />
<br />
Despite the aforementioned verification, as stated in the receipt issued by the courier<br />
company on file, on December 13, 2022, when there were still 6 business days left until<br />
the end of the period to submit allegations, the courier could not deliver the shipment<br />
for the following reason: “Unknown recipient at the delivery address.” After this first<br />
delivery attempt, EDREAMS was contacted again to confirm the address.<br />
<br />
Therefore, the delay in delivering the copy of the file is due to the fact that<br />
EDREAMS had not notified this Agency of the change of address.<br />
<br />
On December 15, 2022, EDREAMS personnel appeared before this Agency, when there were<br />
four business days left until the last day for submission of allegations. The EDREAMS<br />
representative was provided with a copy of the file in person; the copy could not be<br />
provided two days earlier, when they appeared before this Agency without proving said<br />
representation. Without a doubt, this circumstance was also a cause of the delay in the<br />
delivery of the copy of the proceedings.<br />
<br />
<br />
In any case, since December 15, 2022, the day on which it received the copy of the file,<br />
EDREAMS has had a fairly long period of time to review the documents in the file; proof<br />
of this, by way of example, is the expert report that it attaches to its allegations<br />
(attached document no. 3), which analyzes in 134 pages technical issues of some of the<br />
documents on file.<br />
<br />
<br />
Finally, regarding what EDREAMS calls the “unjustified limitation” of the extension of<br />
the deadline to present allegations to the proposed resolution, Article 32.1 of the<br />
LPACAP provides that “The Administration, unless otherwise provided, may grant... an<br />
extension of the established deadlines...”, so it is not obliged to do so. In the present<br />
case, the deadline for allegations to the initiation agreement was extended by five<br />
business days, the maximum period allowed by article 32.1 of the LPACAP, taking into<br />
account that the initial period was ten business days, and, within the period of<br />
allegations to the proposed resolution, two additional business days were granted, so it<br />
has been guaranteed that EDREAMS had a more than sufficient period to make allegations.<br />
<br />
<br />
For all the above reasons, this allegation is rejected.<br />
<br />
<br />
“SECOND.- Lack of reasoning in the Sanctioning Resolution.”<br />
<br />
<br />
In this section EDREAMS reiterates the lack of proof of the facts constituting the<br />
infringement, since this Agency has not been able to demonstrate technically that<br />
international data transfers to the USA take place. EDREAMS considers that the privacy<br />
settings with which it uses the Google Analytics service prevent international data<br />
transfers. Likewise, according to EDREAMS, the appealed resolution sanctions it with a<br />
prohibition of future processing without having carried out a risk analysis of what the<br />
risk is like today. Lastly, other arguments already put forward in the previous sections<br />
are repeated, such as the absence of proof in the procedure and the privacy configuration<br />
used by EDREAMS in Google Analytics, which have already been the subject of a response.<br />
<br />
<br />
In response to this allegation, first of all, it must be clarified, in relation to the<br />
assessment made by the Inspector in the previous investigative actions (page 5373 of the<br />
file) to which EDREAMS alludes in its appeal for reconsideration, that, regardless of<br />
whether this Agency has been able to demonstrate technically that international data<br />
transfers to the US occur, these have been documented, as has been reasoned in the<br />
response to EDREAMS' allegation in the section preceding this one, which refers to<br />
point 10 of the “Google Ads Data Processing Terms”, according to which the controller has<br />
agreed that Google may store and process customer personal data in any country in which<br />
Google or any of its subprocessors maintains facilities, and to the document in the file<br />
sent by Google LLC dated April 9, 2021, in whose last paragraph of the answer to<br />
question 8 Google states that all data collected through Google Analytics is hosted in<br />
the United States.<br />
<br />
<br />
It was already justified in the appealed resolution that the configuration of Google<br />
Analytics used by EDREAMS on its website, without Google Signals enabled, did not prevent<br />
the processing of personal data. In the document dated April 9, 2021 that GOOGLE LLC sent<br />
to the Austrian data protection authority, in which GOOGLE LLC answers a series of<br />
questions asked by the Austrian authority in connection with a claim substantially<br />
similar to this procedure, and to which EDREAMS has had access since it is incorporated<br />
into the proceedings, point number 9 (page 5234 of the file) states the following<br />
(unofficial translation):<br />
<br />
“In this claim, the complaining party was logged into his Google account when visiting<br />
the specific website of the site owner. Does the implementation of Google services<br />
(including Google Analytics) allow Google to receive information that a specific user of<br />
a Google account has visited a specific website? If yes, please describe how and what<br />
information about the user's Google account is collected.<br />
<br />
No, the implementation of Google Analytics as such does not allow Google to receive the<br />
information that a specific Google user has visited a specific website. Implementing<br />
Google Analytics on a website allows Google to receive the information that a certain<br />
Google user has visited a specific website only if the following additional conditions<br />
are met:<br />
<br />
(1) The user has activated Web &amp; App Activity in their Google account and, in<br />
addition, has visited the website;<br />
(2) The user has chosen to include the activity of companies that use Google services;<br />
(3) The user has activated ad personalization;<br />
(4) and the user logs in to their Google account in the same browser while visiting the<br />
website.<br />
<br />
If Google Signals (see our answer to question 6(ii)) is activated on that website, Google<br />
will then be able to link the user's visit to said website in the Web &amp; App Activity<br />
of the user's Google account.”<br />
<br />
As can be seen, again from Google's own response, it is not necessary to have Google<br />
Signals activated for Google to receive information from a Google user if the four<br />
conditions transcribed are met; Google Signals is an optional function whose<br />
deactivation does not prevent Google from receiving the information that a certain user<br />
of a Google account has visited a specific website. In answer 6(ii), Google says: “Google<br />
Signals is an optional feature of Google Analytics that, when enabled, adds supplemental<br />
reports that are based on data from Google users who have activated ad personalization<br />
in their account.”<br />
<br />
On the other hand, EDREAMS states regarding the collection of IP addresses: “The IP<br />
addresses would be anonymized at the time of collection and such anonymization, as<br />
confirmed by Google, is produced within the European region for users browsing from the<br />
EEA. Consequently, data that could potentially be transferred to the USA is not personal<br />
data, but has undergone a solid and irreversible anonymization process.” Neither Google<br />
nor EDREAMS has accredited in any way that the IPs are anonymized within the territory<br />
of the European Union.<br />
<br />
We can accept as true Google's statements that IPs are anonymized within the territory<br />
of the EU, just as we have previously reproduced how it treats cookies and their use to<br />
distinguish users, but the IPs could be subject to processing once collected. As an<br />
example, in Google Analytics, according to Google's “Privacy and Data in the EU” document<br />
(available at https://support.google.com/analytics/answer/12017362?hl=es&amp;ref_topic=2919631),<br />
“…IP address data is used only to obtain the geolocation data and is immediately<br />
discarded”, so information that the IP can provide is used before anonymization. EDREAMS<br />
uses as proof that IPs are always anonymized in the territory of the European Union an<br />
email from a Google employee, so there is no technical evidence to prove it.<br />
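The point the Agency makes here, that truncating the IP at collection does not stop information<br />
derived from the full address from being used first, can be made concrete with a small model of the<br />
ingestion step. The following Python block is an added example for this page and is not code from<br />
the AEPD resolution, from EDREAMS or from Google. The masking rule it applies (last IPv4 octet and<br />
last 80 IPv6 bits set to zero) is assumed to match the scheme Google has published for Universal<br />
Analytics IP masking; the `GEO_TABLE` lookup is a constructed toy table, not a real GeoIP database;<br />
and `collect_hit` with its field names is a hypothetical model of an analytics hit, not Google's<br />
pipeline.<br />
<br />
```python
import ipaddress

# Constructed toy geolocation table (documentation/test prefixes, invented labels).
# Not a real GeoIP database; it stands in for the lookup the ingestion step performs.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "ES-MD"),       # TEST-NET-3, pretend Madrid
    (ipaddress.ip_network("198.51.100.0/24"), "AT-9"),       # TEST-NET-2, pretend Vienna
    (ipaddress.ip_network("2001:db8:abcd::/48"), "FR-IDF"),  # doc prefix, pretend Paris
]


def anonymize_ip(addr: str) -> str:
    """Prefix-preserving IP masking.

    Assumption: the rule matches Google's published description for Universal
    Analytics (IPv4: last octet set to zero; IPv6: last 80 bits set to zero).
    The network prefix survives, so the masked value still identifies a /24
    (IPv4) or /48 (IPv6) block.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return str(ipaddress.IPv4Address(int(ip) & ~0xFF))
    return str(ipaddress.IPv6Address(int(ip) & ~((1 << 80) - 1)))


def geolocate(addr: str) -> str:
    """Toy geolocation: longest-prefix match of the *full* address."""
    ip = ipaddress.ip_address(addr)
    best_net, best_label = None, "unknown"
    for net, label in GEO_TABLE:
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_label = net, label
    return best_label


def collect_hit(client_ip: str, client_id: str, page: str) -> dict:
    """Hypothetical model of an analytics ingestion step.

    Order matters: the full address is consumed for geolocation first, and
    only afterwards is the truncated form kept on the hit. The returned
    record no longer carries the full IP, but it does carry the region
    derived from it and the cookie-based client id that distinguishes users.
    """
    region = geolocate(client_ip)           # full IP used here
    return {
        "cid": client_id,                   # e.g. the _ga cookie value
        "page": page,
        "ip": anonymize_ip(client_ip),      # truncated form retained
        "geo": region,                      # derived from the un-truncated IP
    }


if __name__ == "__main__":
    # Constructed sample hit: a browser from a documentation prefix views /checkout.
    sample = collect_hit("203.0.113.77", "GA1.2.1234567890.1700000000", "/checkout")
    print(sample)
```
<br />
Running it on the constructed hit shows what leaves the masking step: the stored address is<br />
`203.0.113.0`, but the record still carries the region computed from `203.0.113.77` and the<br />
persistent client id. Whether such a record is personal data under Article 4(1) GDPR is the legal<br />
question the resolution answers; the example only makes the data flow visible, and it is that flow,<br />
not the truncation on its own, that a reviewer of such a setup needs to trace.<br />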
<br />
<br />
Consequently, in accordance with what is developed more extensively in Legal Ground IV of<br />
the appealed resolution, especially in point 2, “On the classification of the data<br />
subject to processing as personal data”, EDREAMS carries out international transfers of<br />
personal data through Google Analytics.<br />
<br />
<br />
Finally, as EDREAMS states, the appealed resolution did not take into account a risk<br />
analysis of what the risk is like today. However, the modification of the data<br />
protection regulatory framework that has taken place in the USA cannot be applied to this<br />
procedure, since it occurred after the events in question.<br />
<br />
On the date on which the events that are the object of the claim occurred, the grounds<br />
of the CJEU ruling in case C-311/18 (Schrems II) applied, which declared invalid<br />
Commission Implementing Decision (EU) 2016/1250 of July 12, 2016, on the adequacy of the<br />
protection conferred by the EU-US Privacy Shield.<br />
<br />
In paragraphs 184 and 185 of this ruling it is established: “Therefore, it is evident<br />
that neither section 702 of the FISA nor E.O. 12333, read in conjunction with PPD-28,<br />
satisfy the minimum requirements established by Union law with respect to the principle<br />
of proportionality, so that it cannot be considered that surveillance programs based on<br />
these provisions are limited to what is strictly necessary.<br />
<br />
In these circumstances, the limitations on the protection of personal data that derive<br />
from the domestic law of the United States relating to the access and use, by US public<br />
authorities, of data transferred from the Union to the United States, which the<br />
Commission assessed in the Privacy Shield Decision, are not circumscribed in accordance<br />
with requirements substantially equivalent to those required, under Union law, by<br />
Article 52(1), second sentence, of the Charter.”<br />
<br />
<br />
Google LLC (as importer of the data into the USA) should be classified as an electronic<br />
communications service provider within the meaning of paragraph (b)(4) of section 1881<br />
of title 50 of the United States Code and, therefore, is subject to surveillance by the<br />
US intelligence services in accordance with section 1881a of title 50 of the United<br />
States Code (“FISA 702”). Therefore, Google LLC has the obligation to provide personal<br />
data to the United States government when requested pursuant to section 1881a of<br />
title 50 of the United States Code (FISA 702). As can be seen in Google's Transparency<br />
Report, Google LLC is regularly subject to access requests from United States<br />
intelligence services. The report can be consulted at:<br />
<br />
https://transparencyreport.google.com/user-data/us-national-security?hl=en<br />
<br />
Consequently, the international data transfers carried out by EDREAMS through the Google<br />
Analytics tool at the time of the claim did not comply with the provisions of article 44<br />
of the GDPR, which the application of the new “EU-US Data Privacy Framework” adequacy<br />
decision cannot remedy.<br />
<br />
For all the above reasons, this allegation is rejected.<br />
<br />
<br />
<br />
“THIRD.- Inconsistency of the Sanctioning Resolution. Sanction with unlawful effects<br />
and of impossible content.”<br />
<br />
EDREAMS argues that it is incongruous that the appealed resolution does not analyze the<br />
new US legal framework and the European Commission's Adequacy Decision, on the ground<br />
that it is not automatic nor does it apply to this procedure, while at the same time,<br />
precisely in the sanction that is imposed, reference is made to the current moment and<br />
to adaptation to the applicable regulations, which necessarily include the new US legal<br />
framework and the Adequacy Decision. According to EDREAMS, the sanction generates<br />
disproportionate and unfair harm, and is unlawful because it would prohibit future<br />
processing that is lawful. Finally, EDREAMS considers that the sanction imposed has an<br />
impossible content, since it would force EDREAMS to impose conditions on and modulate a<br />
service that is not its own but that of a third party (Google), and which therefore does<br />
not fall within its sphere of control.<br />
<br />
In response to the allegation about the new US legal framework and the new “EU-US Data<br />
Privacy Framework” Adequacy Decision, as this Agency maintained in the appealed<br />
resolution and has once again justified in the preceding allegation, for the purposes of<br />
determining responsibility for the commission of the infringement it is not the current<br />
legal framework that is applicable, but rather the legal regime in force on the date of<br />
the facts constituting the infringement, in particular as established by the CJEU in the<br />
judgment in case C-311/18 (Schrems II), which declared invalid Commission Implementing<br />
Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection conferred by<br />
the EU-US Privacy Shield.<br />
<br />
Since Google LLC is required to provide personal data to the United States Government<br />
when requested pursuant to section 1881a of title 50 of the United States Code<br />
(FISA 702), as can be seen in its Transparency Report<br />
(https://transparencyreport.google.com/user-data/us-national-security?hl=en), the<br />
doctrine established by the CJEU in the aforementioned ruling is fully applicable.<br />
<br />
Furthermore, in order to ensure that international data transfers to the US comply with<br />
the GDPR, the Commission Implementing Decision of July 10, 2023, pursuant to Regulation<br />
(EU) 2016/679 of the European Parliament and of the Council, on the adequate level of<br />
protection of personal data under the “EU-US Data Privacy Framework”, establishes in its<br />
Annex I, “Principles of the EU-US Data Privacy Framework issued by the United States<br />
Department of Commerce”, the following (unofficial translation):<br />
<br />
<br />
“2. In order to rely on the EU-US Data Privacy Framework to transfer personal data from<br />
the EU, an organization must self-certify its adherence to the Principles to the<br />
Department (or its designee). Although the decisions of organizations to thus enter the<br />
EU-US Data Privacy Framework are completely voluntary, effective compliance is mandatory:<br />
organizations that self-certify to the Department and publicly declare their commitment<br />
to adhere to the Principles must fully comply with the Principles…<br />
<br />
3. …The benefits of the EU-US Data Privacy Framework are assured from the date the<br />
Department places the organization on the Data Privacy Framework List.”<br />
<br />
<br />
However, at the time the resolution was issued, Google had not self-certified its<br />
adherence to the Principles of the EU-US Data Privacy Framework, so the international<br />
data transfers could not be considered to be carried out with sufficient guarantees and<br />
under the protection of the new Adequacy Decision.<br />
<br />
<br />
The appealed resolution cannot be considered “unlawful” when what it orders is precisely<br />
compliance with current regulations, that is, adapting the data processing activity<br />
carried out through the Google Analytics service to the provisions of articles 44 et<br />
seq. of Regulation (EU) 2016/679 of the European Parliament and of the Council of<br />
April 27, 2016, in particular by ceasing the international transfer of data until it is<br />
proven that the Google Analytics service complies with the aforementioned provisions of<br />
the Regulation. Compliance with this mandate was not proven before the resolution was<br />
issued in the sanctioning procedure, and the adaptation carried out subsequently does<br />
not determine the invalidity of that resolution; on the contrary, it means that the<br />
imposed measure has been complied with.<br />
<br />
<br />
On the other hand, the mandate included in the appealed resolution does not have an<br />
impossible content. Let us remember that, regardless of whether the current Standard<br />
Contractual Clauses (Google Ads and Measurement: Standard Contractual Clauses (Module 3:<br />
Processor to Processor)) consider Google Ireland as data exporter, EDREAMS, as data<br />
controller, assumes, together with the other conditions of contracting the services of<br />
Google LLC, the agreements relating to data processing and the Standard Contractual<br />
Clauses that allow the data to be transferred to Google LLC, based in the United States.<br />
<br />
Specifically, EDREAMS assumes point 10 of the “Google Ads Data Processing Terms”, so the<br />
data controller has agreed that Google may store and process the customer's personal<br />
data (i.e. the personal data of the complaining party and of any user who visits the<br />
website in question) in any country in which Google or any of its “subprocessors”<br />
maintains data processing facilities, including the USA, as declared by Google LLC itself<br />
in the document dated April 9, 2021.<br />
<br />
<br />
Consequently, having contracted the services of GOOGLE and assumed its contracting<br />
conditions, EDREAMS, as data controller, is the one that must take the necessary measures<br />
so that the data of those who visit its website are processed in accordance with the<br />
GDPR.<br />
<br />
<br />
For all the above reasons, this allegation is rejected.<br />
<br />
“FOURTH.- Lack of purpose of the sanctioning procedure.”<br />
<br />
In this allegation EDREAMS summarizes what has already been argued in the allegations<br />
preceding this one: application of the new EU-US Data Privacy Framework Adequacy<br />
Decision, and the absence of international data transfers to the US, which cannot be<br />
technically proven and are prevented by the privacy settings of Google Analytics selected<br />
by EDREAMS (IP anonymization and deactivation of Google Signals). A novel argument is<br />
included: the European Data Protection Board has confirmed “that all the guarantees that<br />
the US government regulations establish apply to all data transfers to the United<br />
States, regardless of the transfer mechanism used” and, failing that, “even if the EU-US<br />
Data Privacy Framework were not applicable, the European Commission and the EDPB have<br />
clearly confirmed that the Adequacy Decision is fully applicable to all transfers to the<br />
US.”<br />
<br />
<br />
In response to this argument, it is worth highlighting that the adoption by the<br />
Commission of the EU-US Data Privacy Framework Adequacy Decision only confirms that the<br />
international data transfers carried out by EDREAMS prior to its approval represented a<br />
violation of the rights and freedoms of European citizens in terms of data protection,<br />
through the indiscriminate access to their personal data by the US intelligence<br />
services, since the aforementioned Adequacy Decision was justified on the basis of the<br />
new data protection guarantees established by the U.S. These guarantees include the<br />
limitation of access by US intelligence services to the data of EU citizens to what is<br />
necessary and proportionate, and the establishment of a Data Protection Review Court, to<br />
which EU citizens will have access.<br />
<br />
Well, none of these guarantees existed on the date of the events to which the appealed<br />
resolution refers, when EDREAMS, through its website, and because it operates in other<br />
Member States of the Union, transferred personal data of citizens of the European Union<br />
to the USA in violation of the regulatory framework then in force according to the<br />
ruling of the CJEU in case C-311/18 (Schrems II), which declared invalid Commission<br />
Implementing Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection<br />
conferred by the EU-US Privacy Shield.<br />
<br />
In this ruling, the Court considered that the requirements of US domestic law, and in<br />
particular certain programs that allowed United States public authorities to access<br />
personal data transferred from the EU to the US for national security purposes, imposed<br />
limitations on the protection of personal data that were not circumscribed in a way that<br />
offered guarantees substantially equivalent to those required by Union law, and that<br />
this legislation did not provide data subjects with any means of judicial recourse<br />
against the United States authorities.<br />
<br />
<br />
However, EDREAMS maintains in its appeal for reconsideration the non-existence of the<br />
infringement, and that its international data transfers to the US have complied at all<br />
times with the legal system, even prior to the new Adequacy Decision, through which the<br />
Commission concludes that there exist guarantees in the US that ensure a level of<br />
protection equivalent to that of the EU for European citizens, and considers that the<br />
questions elucidated by the CJEU in the Schrems II ruling have been answered. This<br />
reasoning, according to which EDREAMS defends the validity of its actions regardless of<br />
the applicable legal framework, is completely incongruous. Furthermore, it is worth<br />
remembering that, among other arguments, EDREAMS has defended ideas such as that the data<br />
sent was not personal data, and has even questioned whether the data is sent to the USA,<br />
when this has been recognized by Google itself. Consequently, the validity of the<br />
appealed resolution is maintained, as is the need for the mandate established therein of<br />
“adapting the data processing activity carried out through the Google Analytics service<br />
to the provisions of articles 44 et seq. of Regulation (EU) 2016/679 of the European<br />
Parliament and of the Council of 27 April 2016, in particular by ceasing the<br />
international transfer of data until it is proven that the Google Analytics service<br />
complies with the aforementioned provisions of the Regulation.” The fact that nowadays<br />
there are new circumstances that allow processing previously contrary to the GDPR to now<br />
be compliant with it does not prevent attributing to EDREAMS the responsibility for the<br />
commission of the infringement, nor does it invalidate the order imposed, without<br />
prejudice to the fact that, having recognized the facts and legal grounds of the<br />
sanctioning resolution, and in accordance with the measures adopted, it may be<br />
considered that EDREAMS has complied with the measure imposed in the appealed<br />
resolution.<br />
<br />
<br />
Furthermore, EDREAMS has not justified that it has signed with Google, as data<br />
processor, the standard contractual clauses adapted to Decision (EU) 2021/914 of June 4,<br />
2021 on standard contractual clauses for the transfer of personal data to third<br />
countries, which, together with the guarantees contemplated in the EU-US Data Privacy<br />
Framework, would allow the international transfer of data to the USA to be considered<br />
in accordance with data protection regulations.<br />
<br />
For all the above reasons, this allegation is rejected.<br />
<br />
<br />
“FIFTH.- Lack of subjective element and guilt.”<br />
<br />
<br />
As EDREAMS already maintained in its briefs of allegations, culpability on the part of<br />
the subject who carries out the unlawful conduct is a necessary requirement for the<br />
imposition of an administrative sanction.<br />
<br />
In response to this allegation, as already stated in the response to the Fourth<br />
allegation of the appeal for reconsideration, EDREAMS assumes point 10 of the “Google<br />
Ads Data Processing Terms”, so the data controller has agreed that Google may store and<br />
process customer personal data (i.e. the personal data of the complaining party and of<br />
any user who visits the website in question) in any country in which Google or any of<br />
its “subprocessors” maintains data processing facilities, including the US, regardless<br />
of whether the Standard Contractual Clauses have been modified with respect to those in<br />
force at the time of the events subject to the claim, attributing the status of exporter<br />
to Google Ireland. Thus, the actions of Google LLC adhere to what is stipulated and,<br />
therefore, are carried out on behalf of EDREAMS, performing the processing of personal<br />
data necessary for the correct provision of the service, which determines the<br />
administrative responsibility of the data controller.<br />
<br />
For all the above reasons, this allegation is rejected.<br />
<br />
<br />
<br />
<br />
III<br />
Conclusion<br />
<br />
Consequently, in the present appeal for reconsideration, the appellant has not provided<br />
new facts or legal arguments that allow reconsideration of the validity of the contested<br />
resolution.<br />
<br />
<br />
<br />
Considering the aforementioned precepts and others of general application, the Director<br />
of the Spanish Data Protection Agency RESOLVES:<br />
<br />
FIRST: TO DISMISS the appeal for reconsideration filed by VACACIONES EDREAMS, S.L.<br />
against the resolution of this Spanish Data Protection Agency issued on July 26, 2023,<br />
in file EXP202306257.<br />
<br />
<br />
SECOND: NOTIFY this resolution to VACACIONES EDREAMS, S.L.<br />
<br />
<br />
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be<br />
made public once it has been notified to the interested parties.<br />
<br />
Against this resolution, which puts an end to the administrative procedure in accordance<br />
with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of<br />
Law 39/2015, of 1 October, on the Common Administrative Procedure of Public<br />
Administrations (LPACAP), interested parties may file a contentious-administrative appeal<br />
before the Contentious-Administrative Chamber of the National High Court, in accordance<br />
with the provisions of article 25 and section 5 of the fourth additional provision of<br />
Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within<br />
a period of two months counting from the day following notification of this act, as<br />
provided in article 46.1 of the aforementioned Law.<br />
<br />
Finally, it is noted that, in accordance with the provisions of art. 90.3 a) LPACAP, the<br />
final resolution may be provisionally suspended through administrative channels if the<br />
interested party expresses its intention to file a contentious-administrative appeal. If<br />
this is the case, the interested party must formally communicate this fact in writing<br />
addressed to the Spanish Data Protection Agency, presenting it through the Electronic<br />
Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any<br />
of the other registries provided for in art. 16.4 of the aforementioned LPACAP. It must<br />
also transfer to the Agency the documentation that accredits the effective filing of the<br />
contentious-administrative appeal. If the Agency did not have knowledge of the filing of<br />
the contentious-administrative appeal within the period of two months from the day<br />
following the notification of this resolution, the precautionary suspension would be<br />
considered to have ended.<br />
<br />
<br />
180-111122<br />
Mar España Martí<br />
<br />
Director of the Spanish Data Protection Agency<br />
<br />
<br />
</pre></div>Mgrdhttps://gdprhub.eu/index.php?title=AN_-_SAN_487/2024AN - SAN 487/20242024-02-29T11:58:16Z<p>Im: </p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=AN<br />
|Court_Original_Name=Audiencia Nacional<br />
|Court_English_Name=National Audience<br />
|Court_With_Country=AN (Spain)<br />
<br />
|Case_Number_Name=SAN 487/2024<br />
|ECLI=ECLI:ES:AN:2024:487<br />
<br />
|Original_Source_Name_1=CENDOJ<br />
|Original_Source_Link_1=https://gdprhub.eu/images/6/63/SAN_487_2024.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Date_Decided=05.02.2024<br />
|Date_Published=<br />
|Year=2024<br />
<br />
|GDPR_Article_1=<br />
|GDPR_Article_Link_1=<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=19.7 III Convenio colectivo de ámbito estatal del sector de contact center<br />
|National_Law_Link_1=https://www.boe.es/diario_boe/txt.php?id=BOE-A-2023-13741<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
|National_Law_Name_3=<br />
|National_Law_Link_3=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Teresa.lopez<br />
|<br />
}}<br />
<br />
A court held that an employer cannot process their employees’ personal phone numbers for 2-factor authentication purposes, as Spanish law imposes on the controller an obligation to provide work devices for that purpose. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
On 29 November 2023, the Spanish trade union CCOO initiated legal action against the controller concerning a collective labor dispute.<br />
<br />
In response to the pandemic, some employees of the controller transitioned to telecommuting arrangements. The controller proposed a telecommuting agreement, which the Workers' Legal Representation did not accept, ending the negotiation process without consensus. The controller then entered into individual agreements with the employees regulating, among other topics, the use of personal devices of employees for 2-factor authentication purposes (2FA).<br />
<br />
The Workers' Legal Representation brought proceedings before the court seeking annulment of, among other clauses, the clause that required employees to provide their cell phone numbers for receiving SMS messages and/or accessing applications to confirm their identity during established working hours. The controller justified this requirement on cybersecurity grounds and on its legitimate interest in ensuring the security of its information and systems. <br />
<br />
=== Holding ===<br />
The court held that the clause was void since, according to [https://www.boe.es/diario_boe/txt.php?id=BOE-A-2023-13741 Article 19.7 of the Collective Bargaining Agreement of State Scope for the Contact Center Sector], companies shall provide tools, applications, or devices especially in the event where a 2FA system is necessary. The controller should furnish the requisite tools and means, rather than relying on workers' personal devices. In exceptional cases and exclusively for this purpose, if the employee refuses the tool provided by the company, they may consent to use devices or tools of their own. <br />
<br />
== Comment ==<br />
''The “legitimate interest” which the controller invokes to process personal phone numbers appears to be legitimate interest under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]], in particular to guarantee the security measures linked to [[Article 32 GDPR]]. However, Spanish national law, through the opening clause under [[Article 88 GDPR]], sets specific rules that conflict with the controller’s practice.''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
The resolutions that make up this database are disseminated for the purposes of knowledge and consultation of the decision criteria of the Courts, in compliance with the competence granted to the General Council of the Judiciary by art. 560.1.10º of the Organic Law of the Judiciary. The user of the database may consult the documents as long as they do so for their own personal use. Neither the use of the database for commercial purposes nor the massive downloading of information is permitted. The reuse of this information for the creation of databases or for commercial purposes must follow the procedure and conditions established by the CGPJ through its Judicial Documentation Center. Any action that contravenes the above indications may give rise to the adoption of appropriate legal measures.<br />
</pre></div>Teresa.lopezhttps://gdprhub.eu/index.php?title=H%C3%A4meenlinnan_hallinto-oikeus_(Finland)_-_2548/2023Hämeenlinnan hallinto-oikeus (Finland) - 2548/20232024-02-29T10:23:33Z<p>Fred: </p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Finland<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=Hämeenlinnan hallinto-oikeus<br />
|Court_Original_Name=Hämeenlinnan hallinto-oikeus (Finland)<br />
|Court_English_Name=Administrative Court of Hämeenlinna<br />
|Court_With_Country=Hämeenlinnan hallinto-oikeus (Finland)<br />
<br />
|Case_Number_Name=2548/2023<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Hämeenlinnan hallinto-oikeus<br />
|Original_Source_Link_1=https://gdprhub.eu/index.php?title=File:H%25C3%25A4meenlinnan_hallinto-oikeus_2548-2023.pdf<br />
|Original_Source_Language_1=Finnish<br />
|Original_Source_Language__Code_1=FI<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Date_Decided=14.12.2023<br />
|Date_Published=19.12.2023<br />
|Year=2023<br />
<br />
|GDPR_Article_1=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1a<br />
|GDPR_Article_2=Article 32 GDPR<br />
|GDPR_Article_Link_2=Article 32 GDPR<br />
|GDPR_Article_3=Article 85(2) GDPR<br />
|GDPR_Article_Link_3=Article 85 GDPR#2<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=§ 27(1) Data Protection Act<br />
|National_Law_Link_1=https://www.finlex.fi/fi/laki/ajantasa/2018/20181050#L5P27<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
|National_Law_Name_3=<br />
|National_Law_Link_3=<br />
<br />
|Party_Name_1=Sanoma Media Finland Oy<br />
|Party_Link_1=https://www.sanoma.fi/en/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_From_Body=Tietosuojavaltuutetun toimisto (Finland)<br />
|Appeal_From_Case_Number_Name=9970/163/2019<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=https://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_9970/163/2019<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=[https://gdprhub.eu/index.php?title=User:Fred fred]<br />
|<br />
}}<br />
<br />
The Administrative Court of Hämeenlinna upheld a DPA decision which found that media outlets are not obliged to erase the personal tax information published in tax information portals, due to the journalistic exemption.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The data subject had asked the Administrative Court of Hämeenlinna (the Court) to overturn [https://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_9970/163/2019 the Finnish DPA's decision], according to which the media outlets owned by Sanoma Media Finland Oy (the controller) are not obliged to erase personal tax information because it was processed for journalistic purposes.<br />
<br />
The data subject appealed, claiming that the controller had processed their personal data unlawfully and that, unlike individual news items that use public tax information, the tax information portals published by the controller do not contribute to the emergence of an important public debate.<br />
<br />
The data subject considered that the tax information portals contained information covered by the protection of people's privacy, which enabled the precise identification of individuals, and which had caused harm to the data subject and their family. The data subject also stated that if the Court considered that the tax information had been processed solely for journalistic purposes, the processing of personal data in the tax information portals had in any case violated [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] and [[Article 32 GDPR]], because the large-scale and permanent publication of personal data of a large number of people did not meet the requirements set for the security of processing.<br />
<br />
The controller emphasised that the tax information portals enable public debate on socially significant topics related to taxation, such as income disparity. The publication of tax information promotes opportunities to make observations related to society, especially when the information is available to everyone free of charge.<br />
<br />
The DPA pointed out that the question is not whether tax information can be published, but whether [https://www.finlex.fi/fi/laki/ajantasa/2018/20181050#L5P27 Section 27(1) of the Finnish Data Protection Act] applies, according to which certain provisions of the GDPR do not apply to the processing of personal data solely for journalistic purposes.<br />
<br />
=== Holding ===<br />
The Court noted that the purpose of publishing tax information could reasonably be considered to be disclosure of information to the public. In the tax information portals published by the controller, public tax information concerning the data subject has been processed solely for journalistic purposes in accordance with [https://www.finlex.fi/fi/laki/ajantasa/2018/20181050#L5P27 Section 27(1) of the Finnish Data Protection Act]. <br />
<br />
In this respect, the Court considered that information published on the tax information portals consisted of accurate public tax information and did not reveal sensitive details of the data subject's private life. Therefore, the exemptions provided for in [https://www.finlex.fi/fi/laki/ajantasa/2018/20181050#L5P27 Section 27(1) of the Finnish Data Protection Act] could be deemed necessary to reconcile the right to the protection of personal data with the freedom of expression and information in accordance with [[Article 85 GDPR#2|Article 85(2) GDPR]].<br />
<br />
The Court held that the provisions on the security of processing in [[Article 32 GDPR]] are not intended to limit the publication of information resulting from the purpose of the processing of personal data, and they may not be interpreted together with [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] as restrictions on such processing.<br />
<br />
In light of this, the Court agreed with the DPA that the controller had not violated the GDPR or the Finnish Data Protection Act.<br />
<br />
== Comment ==<br />
The Administrative Court of Helsinki has issued a similar decision in case 7353/2023.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.<br />
<br />
<pre><br />
ADMINISTRATIVE COURT OF HÄMEENLINNA<br />
<br />
DECISION 2548/2023<br />
<br />
14/12/2023<br />
<br />
ID number 22121/03.04.04.04.01/2021<br />
<br />
Case: A case concerning the processing of tax data<br />
<br />
Appellant<br />
<br />
Decision to be appealed<br />
<br />
Decision of the Data Protection Commissioner 27 October 2021 ID number 9970/163/2019<br />
<br />
The processing of the case at the data protection commissioner's office has required Sanoma Media Finland Oy to remove his information in its entirety from the tax machines published on the websites of Helsingin Sanomat and Ilta-Sanomat, and after the company refused to do so, the matter was referred to the data protection commissioner. has considered that the processing of personal data in tax machines is contrary to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons in the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) and the Data Protection Act, and that the data is not processed solely for journalistic purposes as referred to in Section 27 of the Data Protection Act.<br />
<br />
In its decision under appeal, the Data Protection Commissioner has considered the data controller's processing actions to be in accordance with the law.<br />
Among other things, the following has been stated in the reasons for the decision:<br />
<br />
In the current case, the issue has been the publication of tax information of natural persons whose annual income has exceeded the limit of 100,000 or 150,000 euros. Such persons can be considered to have high incomes in Finland. Less than two percent of Finnish income earners reach the mentioned incomes. Tax information is presented in tax machines in an objective way. It is already a question of public information to which anyone has access. In the evaluation, it is also important that the tax information processed in the tax machine has been expressly stipulated to be public, although the application of Section 27 of the Data Protection Act cannot be justified solely on the basis of this fact. The information has been obtained legally from official sources.<br />
<br />
Information on high-income individuals has been published in the tax machines. The tax information of individual persons can be considered to promote a socially interesting discussion about both taxes and income distribution. Questions about income differences and, among other things, the individual reasons for income differences are almost always the subject of social debate and also the subject of research. Positions and opinions on income inequality are presented in public, for example from the perspective of justice and economic equality. Reporting on income differences serves the public debate, and it's not just about satisfying the curiosity of certain people.<br />
<br />
On the basis of the above and other grounds in its decision, the Data Protection Commissioner has considered that the processing of personal data carried out in connection with Helsingin Sanomat's and Ilta-Sanomat's tax machines falls within the scope of the journalistic exception provided for in Section 27(1) of the Data Protection Act and that Article 17 and Article 21 of the General Data Protection Regulation therefore do not apply in the case. The Data Protection Commissioner has further considered that the case does not involve processing of personal data contrary to Article 5, Paragraph 1, Subsection a or Article 32 of the General Data Protection Regulation.<br />
<br />
Claims in the administrative court<br />
<br />
has demanded that the administrative court overturn the data protection commissioner's decision and confirm that Sanoma Media Finland Oy processed personal data concerning him unlawfully or secondarily return the case to the data protection commissioner for re-processing. The Data Protection Commissioner must be obliged to compensate the parties involved and court costs with legal default interest.<br />
<br />
The decision differs in its outcome and reasoning from the data protection commissioner's previous interpretation practice and from the decision given by the Supreme Administrative Court in the so-called Veropörssi case, KHO 2009:82. Deviation from the established interpretation practice is not justified in any way. The decision has only referred to the amount of information, which cannot be considered as a sufficient basis for the opposite interpretation. The Data Protection Commissioner has also completely ignored the fact that the information of the so-called editorial background register has been published almost as is in Sanoma Media Finland Oy's tax machines. In accordance with the interpretation line made by the Supreme Administrative Court in the Veropörssi case, this cannot be considered to meet the requirements of the journalistic exception. When assessing the extent of the publication of information, the Supreme Administrative Court primarily referred to how much of the information received from the Tax Administration had been published, and not just to the number of published data items. Despite the income limit, in this case too, the issue is a very significant amount of personal data. The tax machine responds to an individual's request for another person's personal data, and in this respect it is not a matter of disclosing the information to the public.<br />
<br />
Unlike individual news stories that use public tax data, tax machines do not contribute to the emergence of an important social debate. The information that emerges from them is insufficient to draw conclusions about, for example, the income level of certain occupations. The European Court of Human Rights has also drawn attention to this in its judgment in the case of Satakunnan Markkinapörssi Oy and Satamedia Oy v. Finland, stating that the companies that published tax information had not explained how the readers of their publications could draw conclusions, for example, about the development of income and wealth differences based on the raw data published in bulk.<br />
<br />
The publication of income tax information does not create an automatic right to the processing of the information or its publication. Even in the publication of public information, questions related to data protection and privacy should always be evaluated on a case-by-case basis. Information covered by the protection of people's privacy is available from the tax machines, which together enable the exact identification of a person. The tax machines also indirectly provide information about the wealth of those persons whose taxable income has not exceeded the income limits defined for publication in the tax machines, because the absence of a person's information from the tax machine reveals that his income fell below the income limit.<br />
<br />
The right to privacy, which is protected as a fundamental right of people who have exceeded a certain income limit, cannot be restricted categorically without a case-by-case consideration. is not a public figure, nor in a socially significant position. He is not involved in politics, and his work does not involve any public or general interests. Also, the fact that he owns shares in a private limited company does not make him a socially significant person. Through the tax machine, information has been permanently and easily made available to the general public. This has caused harm and suffering to his family as well.<br />
<br />
asked in the fall of 2019 that the tax authority would not hand over his income tax information. The tax authority complied with the request, but despite this, the newspapers published by Sanoma Media Finland Oy have acquired the information as part of their tax machines published on the internet. The income limits of Helsingin Sanomat's and Ilta-Sanomat's tax machines are not based on a separate consideration, but on pre-compiled information received from the tax authority. The data protection commissioner's decision does not show how persons exceeding a certain income limit can be considered socially significant power users without a case-by-case assessment. The decision has on several occasions emphasized the importance of a case-by-case assessment in determining a socially significant position or a public position, but, contradictorily, it also outlines that, regardless of the specific circumstances of the case, the social position of all those who earned more than 100,000 euros is such that their privacy can be restricted.<br />
<br />
Contrary to what was stated in the data protection commissioner's decision, the possible existence of other means of legal protection is not relevant in the assessment of whether the processing took place solely for journalistic purposes. Privacy protection can be limited only to the extent that it is absolutely necessary. Tax machines are not absolutely necessary to process income tax information in the media.<br />
<br />
has also announced that it will renew its earlier submission to the Data Protection Commissioner. At that time, he had, among other things, considered that if the data is considered to have been processed only for journalistic purposes, the processing of his personal data in the tax machines has in any case been against Article 5(1)(a) and Article 32 of the General Data Protection Regulation. If Section 27 of the Data Protection Act is considered to be applicable to the processing of personal data in tax machines, the persons listed in the tax machine do not have any legal recourse in matters related to the processing of their personal data. In this situation, the data controller has, based on Article 5(1)(a) and Article 32 of the General Data Protection Regulation, an emphasized obligation to ensure that its actions are proportionate to the goal they aim for and that the processing does not pose a risk to the data subjects. The large-scale and permanent publication of the personal data of a very large group of people does not meet the requirements laid down in Article 32 of the General Data Protection Regulation for the security of data processing and the consideration of the rights and freedoms of data subjects.<br />
<br />
Statements and explanations<br />
<br />
In his statement, the Data Protection Commissioner has revised his earlier statement on the matter and stated, among other things, that the complaint should be rejected as unfounded.<br />
<br />
The statement states, among other things, that the tax machines are available to anyone free of charge and that they do not contain tax information to the same extent as the text message service in the so-called Veropörssi case. Contrary to what is presented in the complaint, the Data Protection Commissioner has not based his decision only on the amount of published information. In addition to the limited scope of the published tax data, importance has been given to social interest, i.e. the ratio of the published income to the median income of Finns.<br />
<br />
The decision to publish public and confidential information is an editorial decision of the media, the evaluation of which is guided by, among other things, journalistic guidelines. The case is not about whether public information can be published, but whether Section 27 of the Data Protection Act will be applied to the processing referred to in the case.<br />
<br />
in his explanation, he referred to his earlier statement on the matter and stated, among other things, that the data protection legislation has not changed with regard to the journalistic exception. Sanoma Media Finland Oy has not presented any concrete reasons for how the publication of tax information in list form in the tax machines contributes to the general public's ability to follow the social development of income and wealth differences. Since it is a matter of reconciling two fundamental rights, the journalistic processing exception must be interpreted narrowly. In this case, it is not justified to publish the entire income information listing in the name of a journalistic exception, when the desired social discussion can be secured with less invasive actions.<br />
<br />
As far as the search function is concerned, the tax machines are parallel to the text message service of the Veropörssi case. The tax machines are free of charge and available to anyone, which leads to an even harsher result in terms of the privacy of the person listed in the tax machine and must be taken into account when reconciling conflicting basic rights.<br />
<br />
Sanoma Media Finland Oy has given an explanation. Sanoma Media Finland Oy's explanation has been given for information.<br />
<br />
Administrative law decision and reasons<br />
<br />
The administrative court rejects the appeal with legal costs.<br />
<br />
Reasoning<br />
<br />
Applicable Rules and Regulations<br />
<br />
According to Article 7 of the Charter of Fundamental Rights of the European Union, everyone has the right to have their private life respected. According to Article 8, paragraph 1 of the Charter of Fundamental Rights, everyone has the right to the protection of their personal data. According to paragraph 2 of the same article, the processing of such data must be appropriate and must take place for a specific purpose and with the consent of the person concerned or on the basis of another legal justification provided by law.<br />
<br />
According to Article 11, paragraph 1 of the Charter of Fundamental Rights of the European Union, everyone has the right to freedom of expression. This right includes freedom of opinion and the freedom to receive and disseminate information or ideas without interference by the authorities and regardless of territorial boundaries. According to paragraph 2 of the article, the freedom and pluralism of the media is respected.<br />
<br />
Article 6 of Chapter II of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons in the processing of personal data and on the free movement of such data and the repeal of Directive 95/46/EC (General Data Protection Regulation) provides for the conditions under which the processing of personal data is lawful. Article 17 of Chapter III of the Regulation provides for the data subject's right to delete data and Article 21 of the same chapter provides for the data subject's right to object to the processing of personal data concerning him.<br />
<br />
According to Article 85(1) of the General Data Protection Regulation, Member States must by legislation reconcile the right to the protection of personal data in accordance with this Regulation and the right to freedom of expression and freedom of communication, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.<br />
<br />
According to paragraph 2 of the same article, for processing for journalistic purposes or for the purposes of academic, artistic or literary expression, Member States must provide for exemptions or exceptions to the provisions of Chapter II (principles) and Chapter III (data subject's rights), if they are necessary to reconcile the right to the protection of personal data with freedom of expression and with freedom of communication.<br />
<br />
According to section 27 subsection 1 of the Data Protection Act, in order to protect freedom of expression and freedom of communication, for example Article 5, Paragraph 1, Subsections c–e, Article 6 and Articles 12–22 of the Data Protection Regulation do not apply to the processing of personal data solely for journalistic purposes or for the purposes of academic, artistic or literary expression.<br />
<br />
According to subsection 3 of the same section, in order to protect freedom of expression and freedom of information transmission, Article 5, paragraph 1, subparagraphs a and b of the Data Protection Regulation shall apply only in the applicable parts to the processing of personal data solely for journalistic purposes or for the purposes of academic, artistic or literary expression.<br />
<br />
The jurisprudence of the European Court of Human Rights<br />
<br />
According to the jurisprudence of the European Court of Human Rights, the level of protection of personal data depends, among other things, on the nature and importance of the right guaranteed in the human rights treaty relevant to the case and on the nature and purpose of interference with it. The Court of Human Rights has held that purely financial information, which does not involve intimate details or information closely related to the identity of an individual, does not deserve enhanced protection (G.S.B. v. Switzerland, 22/12/2015, paragraph 93). In another case, the Human Rights Court did not consider the publication of tax debt information on the authority's website to be problematic in itself, but considered it to be in violation of Article 8 of the Human Rights Convention in the circumstances of the case, among other things, due to the fact that when enacting the law, it was not considered whether the publication of all information to be published, especially the taxpayer's home address, was necessary to achieve the intended goal (L.B. v Hungary, 9 March 2023, paragraphs 130 and 136).<br />
<br />
The Human Rights Court has considered that restricting the processing of tax information by the media constitutes interference with freedom of speech and is therefore only permitted under the conditions set out in Article 10, Paragraph 2 of the European Convention on Human Rights (Satakunnan Markkinapörssi and Satamedia Oy v. Finland, 27 June 2017, paragraphs 139–141). In its jurisprudence, the Human Rights Court has emphasized that the public's right to receive information is an essential right in a democratic society, and there are few opportunities to restrict freedom of speech when it comes to political speech or a discussion on a topic of public interest (paragraphs 167 and 169 of the above-mentioned judgment with references to jurisprudence). Such a discussion cannot be considered to be promoted by newspaper articles whose sole purpose is to satisfy the curiosity of a certain readership about a person's private life (paragraph 169 of the same judgment). The Court of Human Rights has also emphasized that it is not for it or the national courts to define which method of reporting journalists should use and which details should be published to ensure the credibility of the article, and that journalists are free to choose what issues they report on and how, as long as this is done within the framework of the ethical rules of their profession (paragraph 186 of the judgment with case law references).<br />
<br />
In its jurisprudence, the European Court of Human Rights has emphasized the importance of internet archives maintained by the media in terms of the preservation and availability of news and information, and pointed out that such digital archives are important sources for education and historical research, especially because they are easily accessible to the public and usually free of charge (M.L. and W.W. v. Germany, 28.6.2018, para 90 and Times Newspapers Ltd v United Kingdom (Nos 1 and 2), 10 March 2009, para 45).<br />
<br />
When assessing whether interference with freedom of speech has been necessary in a democratic society as referred to in Article 10, paragraph 2 of the European Convention on Human Rights, the human rights court has examined whether the national authorities have found a fair balance between freedom of speech and the right to respect for private life (Delfi AS v. Estonia, 16.6.2015, paragraphs 110 and 138 and Satakunnan Markkinapörssi and Satamedia Oy v. Finland, 27 June 2017, paragraphs 123 and 160). In this assessment, the human rights court has paid attention to, among other things, the significance of the published information in terms of a discussion of public interest, the method of obtaining the information, the reliability and content of the information, the effects of the publication and how well-known the person who is the subject of the news is (Axel Springer AG v. Germany, 7 February 2012, paragraphs 90–95 and Satakunnan Markkinapörssi and Satamedia Oy v. Finland, 27 June 2017, paragraph 165). In the case Satakunnan Markkinapörssi and Satamedia Oy v. Finland, the human rights court paid attention, under the latter criterion, among other things, to the fact that the published tax information concerned persons, of whom very few had high incomes (paragraph 180 of the judgment). In the same case, the Human Rights Court gave significance to the fact that the companies that had published tax information had withdrawn their request for tax information after the tax board had asked them for additional clarification due to the position of the data protection officer, and had hired people to collect the information from local tax offices, thereby circumventing the restrictions set by law on the release of personal information (paragraphs 12, 184 and 185 of the judgment).<br />
When evaluating the necessity of interfering with the publication of a person's income information, the Human Rights Court has also given importance to the fact that it was possible for the public to obtain the same information from the authority (Fressoz and Roire v. France, 21.1.1999, paragraph 53).<br />
<br />
The Human Rights Court has applied the same evaluation criteria in cases where the expression of information, opinions or ideas has allegedly violated the right to enjoy respect for private and family life (for example, Fürst-Pfeifer v. Austria, 17.5.2016, paragraphs 36–42 and Karakó v. Hungary, 28.4.2009, paragraphs 20, 25 and 26).<br />
<br />
Explanation presented<br />
<br />
The newspapers Helsingin Sanomat and Ilta-Sanomat, published by Sanoma Media Finland Oy, publish public tax information in the tax machines on their websites. Helsingin Sanomat publishes information on the earned and capital income of an individual natural person and the taxes imposed on him, if he has earned at least 150,000 euros during the tax year. Helsingin Sanomat also publishes the information of a person who has earned at least 100,000 euros, if he has earned at least 150,000 euros in one or more years in the last five years, or has earned more than one million euros in any one year. Ilta-Sanomat publishes the tax information of those persons who have earned at least 100,000 euros during the previous year. Each year, about two percent of income earners have incomes at the levels mentioned above. In addition to tax information, the published information includes, among other things, the person's first and last name, year of birth and the province where he lives.<br />
<br />
has demanded that Sanoma Media Finland Oy remove all information about him from the tax calculators published on the websites of Helsingin Sanomat and Ilta-Sanomat and, after the company's refusal, brought the matter to the data protection commissioner for resolution. In its decision under appeal, the Data Protection Commissioner has not ordered the data controller to delete the data in question.<br />
<br />
The editorial offices of Helsingin Sanomat and Ilta-Sanomat, in their response to the data protection commissioner's request for clarification, have justified the publication of the public tax data of high-income earners, among other things, on the grounds that the tax data is related to the social debate on income distribution, the financing of the welfare state, and the encouragement of work and entrepreneurship, and that their publication provides an opportunity to evaluate the structure and fairness of taxation, the fairness of income distribution and how fairly all Finns participate in financing the welfare society. In the response, it has been pointed out that in addition to media editorial offices, readers of their publications can also make such observations related to society from the tax information of individual persons, which the editorial offices could not produce for the public without the interaction between them and the readers. In their response, the editorial offices have stated that they publish only a small part of the material they receive from the Tax Administration and that they select the material to be published based on journalistic judgment. In addition, the response justifies the publication of his tax information on the grounds that he earns 27 times as much as the average wage earner and that his significant capital income indicates that he likely has power in the companies from which he receives capital income.<br />
<br />
Legal assessment<br />
<br />
The issue is whether he has the right to object to the processing of public tax information about him in the so-called tax machines on the websites of Helsingin Sanomat and Ilta-Sanomat and the right to have the information removed from these services. According to § 27 subsection 1 of the Data Protection Act, the provisions of the General Data Protection Regulation concerning the rights of the data subject are not applied to the processing of personal data solely for journalistic purposes. Therefore, the first question to be decided in the case is whether the mentioned legal section can be applied to the processing of personal data referred to above.<br />
<br />
The enactment of Section 27 of the Data Protection Act is based on Article 85 of the General Data Protection Regulation, according to which member states must provide for exemptions or exceptions to the provisions of that regulation for processing for journalistic purposes, if they are necessary to reconcile the right to the protection of personal data with freedom of expression and freedom of communication. According to paragraph 153 of the preamble of the General Data Protection Regulation, this should apply especially to the processing of personal data in the audiovisual sector and in news and magazine archives. According to the same paragraph, concepts related to freedom of expression, such as journalism, must be interpreted broadly in order to take into account the importance of the right to this freedom in all democratic societies. The right to protect personal data is closely related to the fundamental right to respect for private and family life. In the interpretation of the provisions of Articles 7 and 11 of the Charter of Fundamental Rights of the European Union concerning this fundamental right and freedom of expression and freedom of communication, due to the provisions of Article 52, paragraph 3 of the Charter of Fundamental Rights, Articles 8 and 10 of the Convention for the Protection of Human Rights and Fundamental Freedoms (European Convention on Human Rights) and the jurisprudence on their interpretation must also be taken into account (judgment in the case C-345/17, Buivids, EU:C:2018:780, paragraphs 65 and 66). According to its Article 53, the provisions of the Charter of Fundamental Rights may not otherwise be interpreted in such a way that they would limit or violate the human rights and fundamental freedoms recognized in the European Convention on Human Rights.<br />
<br />
As is clear from the general reasoning of the government's proposal on the Data Protection Act, the processing of data for journalistic purposes means the same in the Data Protection Act as in the General Data Protection Regulation, and its interpretation must therefore take into account the jurisprudence of the Court of Justice of the European Union. According to the jurisprudence of the Court of Justice of the European Union, concepts related to freedom of expression, including the concept of journalism, must be interpreted broadly in order to take into account the importance that freedom of expression has in all democratic societies. In order to find a harmonious balance between the two fundamental rights, the protection of the fundamental right to privacy has, on the other hand, been considered to require that the exceptions and limitations to the protection of data must be implemented within the limits of what is strictly necessary. The Court of Justice of the European Union has considered that the processing of personal data takes place solely for journalistic purposes if the sole purpose of the processing is to disclose information, opinions and ideas to the public using any means of data transmission. The fact that the publication of information is related to the pursuit of profit does not in principle prevent it from being considered solely for journalistic purposes. (Judgment in case C‑73/07, Satakunta Markkinapörssi and Satamedia, EU:C:2008:727, paragraphs 55–62 and judgment in case C-345/17, Buivids, EU:C:2018:780, paragraphs 50–53, 63 and 64.)<br />
<br />
In the general reasoning of the government's proposal regarding the law on the disclosure and confidentiality of tax information (HE 149/1999 vp), it has been stated that it is considered that public information on taxation can also be important from the point of view of citizen control and not only from the point of view of satisfying human curiosity. The public tax information published on the tax machines in question includes, among other things, the taxpayer's name and year of birth and the province in which the taxpayer's domicile is located, as well as information about his earned and capital income and the total amount of taxes paid. In Helsingin Sanomat's tax machine, information about the amount of taxes is expressed as a tax percentage.<br />
<br />
The editorial offices of Helsingin Sanomat and Ilta-Sanomat have emphasized in their response to the Data Protection Commissioner's request for clarification that they select the material published in the tax machines based on journalistic consideration. There is no reason to doubt the accuracy of this statement based on the facts presented in the complaint. The editorial offices of Helsingin Sanomat and Ilta-Sanomat have stated in their response to the Data Protection Commissioner's request for clarification that they publish only part of the public tax information they receive. The information handed over to the media by the Tax Administration consists of data materials produced on request pursuant to Section 21 of the Act on the Publicity of Public Activities of Public Authorities and information separately requested by the media. Pursuant to the aforementioned legal section, the Tax Administration produces for the media, among other things, materials that contain public tax information from the entire country on those persons who received a total of at least 100,000 euros in earned income and capital income taxable in state taxation during the tax year. Helsingin Sanomat does not publish tax information to this extent in its tax machine, and the lower availability of tax information for persons with incomes lower than mentioned above is not in itself sufficient evidence that the selection of the tax information published in Ilta-Sanomat's tax machine was not based on journalistic judgment.<br />
<br />
In their response, the editors have justified the publication and the limitations of the published material with aspects related to the importance of the information in the social debate and the public's right to receive information relevant to the social debate. Based on the information obtained from the tax machines, it is possible to discuss socially relevant issues related to taxation, such as income differences and the fairness of the distribution of the tax burden. The publication of tax information can rightly be assumed to promote the public's opportunities to make observations related to society and thereby be able to promote the opportunities of information media to receive useful tips from the public in editorial work. These conclusions are not invalidated by the fact that making observations relevant to the social debate about published tax information also requires the utilization of information obtained from other sources and is therefore presumably only possible for some of the users of tax machines. The aforementioned goals of publication are promoted by the fact that the published tax information is available to everyone free of charge in the public information network. It is not possible to reliably state in advance what all the tax information can have in terms of promoting the social debate in these circumstances. For the reasons mentioned in the Data Protection Commissioner's decision, the public tax information of high-income taxpayers is significantly more likely to have such significance than public tax information on average.<br />
<br />
has referred in his appeal to the fact that the publication of data in the tax machines of Helsingin Sanomat and Ilta-Sanomat can be compared to the case presented in the Supreme Administrative Court's yearbook decision KHO 2009:82, where the processing of the data was not deemed to have taken place for editorial purposes. In the case in question, however, the issue was a much wider publication of tax information than in the case being decided now. The tax information of approximately 1.2 million people, arranged per municipality, had been published in the Veropörssi magazine and the related SMS service. Only a few of these people had high incomes, a fact that the European Court of Human Rights specifically drew attention to in its judgment on the same case. Helsingin Sanomat's tax machine has published information on people who have earned more than 150,000 euros per year. In Ilta-Sanomat's tax machine, the corresponding limit is 100,000 euros. At least two percent of income earners have incomes this high. The editorial offices of Helsingin Sanomat and Ilta-Sanomat have presented the previously explained reasons related to the public interest for the limitations of the material to be published and for the publication of information about him, due to which the purpose of publishing information about him can rightly be considered to be the disclosure of information to the public.<br />
<br />
The comments made in the complaint about the presentation of the published tax information in the tax machines do not change the fact that the information in question is available to an unlimited number of people on the public information network. The information in question must therefore be deemed to have been disclosed to the public. In the evaluation of the case, no essential importance can be given to whether the search for information in the service takes place by browsing a static list or by using a search function intended to facilitate the search for information.<br />
<br />
The Administrative Court considers, on the grounds presented above, that the processing of relevant public tax information on the websites of Helsingin Sanomat and Ilta-Sanomat has taken place in the manner referred to in Section 27 of the Data Protection Act only for journalistic purposes. In the matter, it is still necessary to assess whether the application of the exceptions provided for in paragraph 1 of the above-mentioned section can be considered necessary in Article 85, paragraph 2 of the General Data Protection Regulation in order to reconcile the right to the protection of personal data with freedom of expression and freedom of communication. This assessment must take into account the jurisprudence of the European Court of Human Rights explained above in this decision. Prohibiting the processing of relevant tax information in Helsingin Sanomat's and Ilta-Sanomat's tax machines on the basis of the case law in question would mean limiting freedom of speech. According to paragraph 2 of Article 10 of the European Convention on Human Rights, such restrictions are only permitted if they are provided for by law and are necessary in a democratic society to protect the rights of other persons or for another reason mentioned in the same paragraph.<br />
<br />
When evaluating the necessity of restrictions on freedom of speech and freedom of communication, it must be taken into account, among other things, that the information published in the tax machines of Helsingin Sanomat and Ilta-Sanomat consists of accurate public tax information and does not reveal sensitive details of private or family life. The need to protect the taxpayer's private and family life has been taken into account in the provisions regarding the disclosure of tax information, for example, in such a way that the disclosure of information does not apply to information about the address and municipality of residence of the taxpayer. Nor has such information been published in the tax machines of Helsingin Sanomat and Ilta-Sanomat. In contrast to the case concerning Veropörssi magazine, in the case at hand it has not even been claimed that the restrictions on the release of personal data laid down in Section 16, subsection 3 of the Act on the Publicity of the Activities of Public Authorities were circumvented in the acquisition of the personal data. Taking into account, in addition to these points, the reasons presented for the publication of the information and the aspects of their evaluation presented above, it is not necessary to limit freedom of speech and freedom of communication in the way demanded in order to protect his rights. For this reason, Article 85(2) of the Data Protection Regulation cannot be considered to require that the exceptions provided for in Section 27(1) of the Data Protection Act should be applied in this case more narrowly than was done in the decision of the Data Protection Commissioner under appeal.<br />
<br />
to the processing of public tax data in Helsingin Sanomat's and Ilta-Sanomat's tax machines, the exceptions provided for in section 27 subsection 1 of the Data Protection Act must therefore be applied, and he therefore does not have the right to demand the deletion of the data in question or to object to their processing pursuant to Articles 17 and 21 of the General Data Protection Regulation.<br />
<br />
has considered that Article 5, Paragraph 1, Subsection a and Article 32 of the General Data Protection Regulation have also been violated in the processing of personal data concerning him. According to Section 27, subsection 3 of the Data Protection Act, the first-mentioned provision applies to the processing of personal data solely for journalistic purposes only to the extent applicable. As can be seen from the detailed justifications of the government's proposal (HE 9/2018 vp) regarding the above-mentioned paragraph, application to the extent applicable means in this context that the application of Article 5, paragraph 1, subparagraph a of the General Data Protection Regulation is linked to whether a closely related article is applied to the processing operations. Article 32 of the General Data Protection Regulation applies to the processing of personal data solely for journalistic purposes. However, the arguments presented in support of the demands are not related to the questions regulated in the article in question, i.e. whether the data controller has ensured the protection of the personal data it processes against unauthorized or illegal processing or against accidental loss or damage. The provisions of Article 32 of the General Data Protection Regulation concerning the security of processing are not intended to limit the publication of information resulting from the purpose of the processing of personal data, and when interpreted together with Article 5, paragraph 1, subparagraph a of the regulation, restrictions on such processing operations cannot be derived from them.<br />
<br />
The Data Protection Commissioner has thus been able to consider that Sanoma Media Finland Oy has not acted in violation of the General Data Protection Regulation and the Data Protection Act. The Data Protection Commissioner has therefore been entitled to decide not to use his remedial powers. The appeal must therefore be rejected.<br />
</pre></div>Fredhttps://gdprhub.eu/index.php?title=Commissioner_(Cyprus)_-_11.17.001.008.147Commissioner (Cyprus) - 11.17.001.008.1472024-02-28T22:10:27Z<p>Nikolaos.konstantis: Created page with "…"</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Cyprus<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoCY.jpg<br />
|DPA_Abbrevation=Commissioner<br />
|DPA_With_Country=Commissioner (Cyprus)<br />
<br />
|Case_Number_Name=11.17.001.008.147<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Office of the Commissioner for Personal Data Protection<br />
|Original_Source_Link_1=https://www.dataprotection.gov.cy/DATAPROTECTION/DATAPROTECTION.NSF/F880C7270072D4E0C2258AAE0049CEAB/$file/%CE%91%CE%A0%CE%9F%CE%A6%CE%91%CE%A3%CE%97%2520%CE%A5%CF%80%CE%B7%CF%81%CE%B5%CF%83%CE%AF%CE%B1%2520%CE%95%CE%BE%CE%B5%CF%84%CE%AC%CF%83%CE%B5%CF%89%CE%BD.pdf<br />
|Original_Source_Language_1=Greek<br />
|Original_Source_Language__Code_1=EL<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=<br />
|Date_Decided=05.12.2023<br />
|Date_Published=25.01.2024<br />
|Year=2023<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 4 GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR<br />
|GDPR_Article_2=Article 28 GDPR<br />
|GDPR_Article_Link_2=Article 28 GDPR<br />
|GDPR_Article_3=Article 36(4) GDPR<br />
|GDPR_Article_Link_3=Article 36 GDPR#4<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1= Article 13 of 125(Ι)/2018 Law<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
|National_Law_Name_3=<br />
|National_Law_Link_3=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Nikolaos. Konstantis<br />
|<br />
}}<br />
<br />
The DPA held that the Examinations Service of the Directorate of Higher Education of the Ministry of Education, Sports and Youth violated the Regulation and the Protection of Natural Persons Against the Processing of Personal Data and the Free Circulation of such Data Law of 2018, Law 125(I)/2018, in relation to the Statistical Processing Methods applied to the scores of the candidates who took part in the 2019 Written Examinations for Registration and Ranking in the Appointment Tables.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The Examinations Service of the Directorate of Higher Education of the Ministry of Education, Sports and Youth is the controller for the processing of personal data which is carried out in the context of the statistical processing of the results of the Examinations. In order to be registered in the list of appointments, it is necessary to record the qualifications of the candidates themselves and to submit certificates / proofs, so that they receive a relevant score. In order for a candidate to be included in the appointment list, success in the Examinations is required. In each specialty, a list of appointments is created, which includes the successful candidates of Exams from various years. In specified periods, the appointment table of each specialty is renewed, by adding the successful candidates of the new Examinations and/or by differentiating the scoring of the qualifications and/or the score of each successful candidate. Comparability of Exam scores from different years is therefore required, and statistical processing is applied for the purposes of uniform ranking of candidates.<br />
The application of statistical processing methods aims to create an index that reflects the degree of difficulty of the 2019 Exam in relation to the degree of difficulty of the corresponding Exam of 2017. These methods include methods that require the processing of personal data. Apart from the existence of a relevant legal basis, since the statistical processing is provided for in the relevant Regulations, the DPA judged that the application of such methods does not fall outside the purpose of the processing, but instead forms part of the actions taken to achieve the intended purpose, namely the ranking of candidates in the appointment tables.<br />
<br />
=== Holding ===<br />
The DPA held that the Service assigned the application of the statistical processing to processors without the execution of a relevant contract of assignment, as provided for in Article 28(3) GDPR. Furthermore, the Service did not conduct a prior consultation with the DPA regarding the processing for Registration and Ranking in the Appointment Tables, in violation of Article 36(4) of the Regulation and Article 13(1) of Law 125(I)/2018. Hence the DPA reprimanded the Service for these two violations.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.<br />
<br />
<pre><br />
REPUBLIC OF CYPRUS OFFICE OF THE COMMISSIONER FOR PROTECTION OF PERSONAL DATA Kypranoros 15, 1061 NICOSIA / PO Box 23378, 1682 NICOSIA. Tel: 22818456, Fax: 22304565 E-mail: commissioner@dataprotection.gov.cy, Website: http://www.dataprotection.gov.cy No. Fac.: 11.17.001.008.147 DECISION Complaint regarding the Statistical Processing Methods of the scores of the candidates who took part in the 2019 Written Examinations for Registration and Ranking in the Appointment Tables Based on the duties and powers conferred on me by Article 57(1) (f) of Regulation (EU) 2016/679 on the protection of natural persons against the processing of personal data and on the free movement of such data (hereinafter the "Regulation"), I examined a complaint submitted to my Office regarding the processing of personal data during the application of statistical processing methods of the scores of the candidates who took part in the 2019 written exams for registration and ranking in the appointment tables. Based on the investigation, I found a violation of the Regulation and the Law on the Protection of Natural Persons Against the Processing of Personal Data and the Free Circulation of such Data of 2018, Law 125(I)/2018, by the Examinations Service (hereinafter the "Service") of the Directorate of Higher Education of the Ministry of Education, Sports and Youth (hereinafter the "Ministry"). A. Incident Positions of the complainant 2. In the complaint it is requested that the use, during the processing of the results of the written examinations for registration and classification in the appointment tables of the New Appointment System in Education (hereinafter the "Exams"), be investigated, of personal data which , form the index which reflects the degree of difficulty of the 2019 Exam in relation to the degree of difficulty of the corresponding Exam of 2017, i.e. the Exam which is the reference point. 2.1. 
Also, other elements are listed in the complaint, such as, for example, the statistical processing methods used when processing the results of the Examinations, comments on the scoring system, positions which, as stated, show the unreliability of the results, as well as the 2 position that the necessity of statistical processing of Examination scores should be reconsidered. Positions of the Examinations Service 3. On 1 September 2021, I sent a letter to the Service, asking, inter alia, questions about the role of the Service, the role of the Education Service Committee and the role of the Tripartite Supervisory Body, the legal basis of the processing, carrying out an impact assessment and due prior consultation with my Office. In addition, questions were raised regarding the existence of a processing outsourcing contract with the contracting company that undertook the statistical processing, the terms of the mandate, instructions and/or directions given to it, as well as questions related to the processing methods used. 3.1. I note that the above letter was communicated to the Education Service Committee, without however receiving any official response. 4. The Service, in a letter dated December 27, 2021, stated, among other things, the following: 4.1. the conduct of the Examinations is provided for in the Public Education Service Law of 1969, Law 10/1969, as amended. The application of statistical processing on the scores of the candidates appearing in the Examinations is provided for in the 2017 Regulations on Written Examinations for Registration and Ranking in the Appointment Tables and in the 2019 Amending Regulations on Written Examinations for Registration and Ranking in the Appointment Tables, which were issued pursuant to article 76 of Law 10/1969. Specifically, the application of statistical processing is foreseen based on the relevant amendments that occurred, in 2019, to Regulations 4 and 8 of the above Regulations of 2017, 4.2. 
my Office was not consulted, because the application of statistical processing, in the context of the Examinations, does not involve the handling of personal data. The data provided by the Service, for the implementation of statistical processing, are characterized by pseudo codes and no personal data is shared, 4.3. the Ministry carried out an "impact assessment" ("impact analysis questionnaire") both during the submission to the House of Representatives of the Draft Regulations for the 2017 Regulations, and during the submission of the Draft Regulations for the 2019 Amending Regulations. The " impact assessments' were attached with the said letter to my Office, 4.4. during the 2019 Examinations, the sponsoring company, namely CITO, used the following methods to apply statistical processing: 4.4.1. common persons method, 4.4.2. propensity score matching method, 4.4.3. method omens of common questions (pseudo anchor method), 4.4.4. Angoff weighting method (Angoff standard setting), and 4.4.5. 3DC weighting method (3DC standard setting). 3 No personal data was used for the implementation of the methods, only pseudocodes. The copy of the agreement with the contracting company is attached to the letter, 4.5. the role of the Service and the role of the Three-member Supervisory Body is defined in the 2017 and 2019 Regulations on Written Examinations for Registration and Ranking in the Appointment Tables. Also, according to these Regulations, the results of the respective Examinations are approved by the Minister of Education, of Sports and Youth, and the Three-member Supervisory Body. 5. Despite the fact that the letter of the Service, dated December 27, 2021, did not answer all the questions of my Office's letter, dated September 1, 2021, I considered it necessary to focus on the essence of the processing carried out, in order to properly ensure the legitimacy of it. 
Therefore, in my letter dated June 1, 2022, I requested that the Service enter into a processing outsourcing contract with the contracting company, as provided for in article 28 of the Regulation, and an impact assessment, as provided for in article 35 of the Regulation. 6. On August 30, 2022, I received a response from the Service, which stated the following: 6.1. given that the contracting company, which undertook the implementation of the statistical processing of the scores of the candidates who took part in the Examinations in the years 2019 and 2021, has already completed its work, on the basis of a relevant contract, it is not possible to prepare, retrospectively, "new processing contract with her". The sponsoring company is not going to undertake the implementation of the statistical processing of the scores of the candidates for the Examinations for the year 2023 or for future Examinations. In the future, the statistical processing of the scores of the candidates in the Examinations will be carried out by the Service, which has been trained by the sponsoring company on how to apply the processing, 6.2. an impact assessment has been carried out, as requested in my letter dated 1 June 2022. As mentioned, the said assessment constitutes a personal data impact assessment for the process, in general, of the weighting of the Examinations, which are conducted every two years, in accordance with the relevant Legislation and the 2017 and 2019 Regulations on Written Examinations for Registration and Ranking in the Appointment Tables. The impact assessment includes, among others, the following: 6.2.1. the processing concerns the use of candidates' personal data in the process of weighting the difficulty of the Exams, 6.2.2. the "Ministry of Education, Sports and Youth (Ministry of Education, Sports and Youth) through the Directorate of Higher Education, through the Examinations Service (HE) (Head of HE: XXX)" is defined as the controller. 6.2.3. 
those performing the processing are employees of the Service and/or other employees of the Ministry of Internal Affairs (processing team and processing execution team),
6.2.4. the weighting of the difficulty of the papers is a process that includes five statistical methods of a quantitative and qualitative nature,
6.2.5. the propensity score matching method uses information such as degree grade (good, very good and excellent), additional academic qualifications (e.g. MA, PhD) and teaching experience of candidates,
6.2.6. the remaining four methods are published on the website of the Service (https://diorisimoi.moec.gov.cy/index.php/el/) and do not concern the impact assessment as they do not use personal data,
6.2.7. the data are provided by the Education Service Commission. The transfer of the data will be done by USB and all the files will be locked with codes handled only by the above Committee and the Service. The data remain within Cyprus, for use/processing exclusively by the competent officers of the Service, and are kept exclusively in the systems of the Service,
6.2.8. the data will be stored, meeting all security requirements according to the Regulation. The data will then be pseudonymised with a double coding system developed by the Service's staff and delivered to its team of staff, who will carry out the processing. The aim of this process is that the team performing the statistical processing cannot link the data to the candidates,
6.2.9. in order to establish the necessity of carrying out the impact assessment, it was a criterion that the relevant data are processed on a large scale, since the processing will be done on the data of all the candidates who will participate in the Examinations. Also, a criterion was the fact that the process includes data sets which have been matched or combined, since the data are compared with the data of participants in previous examination periods to determine the difficulty of the papers of different examination periods.
It is not a criterion that the process includes evaluation or grading,
6.2.10. for the legality of the processing it is valid that the data subject has consented to the processing of his personal data for one or more specific purposes, since the candidates, when submitting an application to participate in the Exams, will be informed about the provision of their data by the Educational Service Committee and about the purpose of using these data, and their consent will then be requested. It is also true that the processing is necessary for the fulfillment of a task carried out in the public interest or in the exercise of a public authority delegated to the controller, since the processing is part of a wider process of weighting the difficulty of the papers and contributes to the optimization of the process according to the existing literature,
6.2.11. reference is made to the technical and organizational security measures, such as for example the way the data are transferred by the Education Service Committee, the coding with a double coding process, the data storage process which will be carried out after the weighting of the papers, the keeping of backup copies and the physical access control,
6.2.12. the following risks have been identified:
6.2.12.1. the incomplete information of the data subjects regarding the processing of personal data involved in the conduct of this procedure (low risk),
6.2.12.2. the transmission of personal data (within and outside Europe) without the necessary security measures (low risk),
6.2.12.3. unauthorized access to personal data (low risk),
6.2.12.4. the identification of data with data subjects (low risk),
6.2.12.5. the disappearance of personal data (low risk);
7.
On the special website of the Ministry, which concerns the Examinations and which refers to the impact assessment carried out by the Service, there is the document "Methods of Statistical Processing of the scores of the candidates who took part in the 2019 Written Examinations for Registration and Ranking in the Appointment Tables". The statistical processing methods applied are recorded in this document. As mentioned, it was not practically possible to utilize all weighting methods for all specialties due to practical difficulties. However, every effort was made to combine as many methods as possible for each specialty, to have multiple sources of information and to minimize error through triangulation of results. The methods recorded in this document are:
7.1. common persons method, in which for each candidate who participated in both the 2017 Examinations and the 2019 Examinations, the difference in his score was calculated separately,
7.2. propensity score matching method, in which the performance of candidates with the same profile is compared between the 2017 Exams and the 2019 Exams. Additional information was used to create the profiles, such as gender, degree grade (good, very good and excellent), additional academic qualifications (e.g. MA, PhD), teaching experience, etc.,
7.3. method of quasi-common questions (pseudo anchor method), in which any difference in the degree of difficulty of the papers of the 2017 Exams and the 2019 Exams can be attributed, mainly, to the difference in the overall degree of difficulty of the questions which have not been characterized as common (i.e. questions of the Exams in the years 2017 and 2019 which have similar characteristics, such as for example examining the same content, receiving the same number of credits, having approximately the same degree of difficulty, having the same way of presentation, etc.),
7.4.
Angoff weighting method (Angoff standard setting), in which the panel of experts estimates the expected score of "inexperienced" candidates on each of the questions of an examination paper, and it is assumed that the differences in the expected performance of an "inexperienced" candidate in the two examination periods can be attributed to the different degree of difficulty of each exam,
7.5. 3DC weighting method (3DC standard setting), in which experts estimate the expected performance of "infinite" candidates on groups of questions.
8. On April 5, 2023, I sent the Service a prima facie Decision, after finding that there is a prima facie violation of: (a) Article 24(1) of the Regulation, since as the data controller it did not prove that the processing was carried out in accordance with the Regulation, (b) article 28(1) of the Regulation, since no processor was used which provides sufficient assurances for the application of appropriate technical and organizational measures, and (c) article 36(4) of the Regulation and article 13(1) of Law 125(I)/2018, since no prior consultation was carried out with my Office before the adoption of the Regulations which include provisions for statistical processing.
8.1. Also, before taking a Decision on the possible imposition of an administrative fine, the Service was invited to submit, within four weeks from the taking of the prima facie Decision, the reasons and circumstances that should be taken into account in the context of and for the purposes of imposing an administrative sanction, pursuant to Article 58(2) of the Regulation and Article 32(1) and (3) of Law 125(I)/2018.
9.
In the context of the right to a hearing provided for the reasons and circumstances that should be taken into account for the purposes of imposing an administrative sanction, pursuant to article 58(2) of the Regulation and article 32(1) and (3) of Law 125(I)/2018, and after the Service requested that the right to be heard be satisfied orally, the Service submitted the following positions on September 28, 2023:
9.1. the Service acknowledges the fact that there has been processing of the candidates' personal data. However, at the material time, it considered that there was no transfer of personal data, because pseudo-codes were used,
9.2. due to the above position of the Service, no prior consultation was carried out with my Office. Furthermore, due to the tight timetables that had to be met for the conduct of the Examinations, it would not have been feasible to have a prior consultation with my Office,
9.3. despite the fact that no personal data assignment contract was signed with the contracting company, provisions for data protection are included in the initial agreement - contract of the Service with the contracting company. I note that during the oral hearing, the Service submitted to my Office the special terms of the agreement, as well as an extract from Part A "Instructions to Economic Operators" and Annex I "General Conditions of Contract" of the agreement with the contracting company.
9.3.1. In section 10.6. Handling of Data, of Part A "Instructions to Economic Operators", of the agreement with the contracting company, the following text is mentioned: "1. All data given to the Contractor should be handled with all due diligence, specifically regarding confidentiality.
The data will be consisted (amongst others) with the personal data of the examinees and thus all steps should be taken by the Contractor in order to protect them and adhere to all relevant clauses of the REGULATION (EU) 2016/679 of the European Parliament and of the Council as of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)."
9.3.2. In article 7 - Compliance Obligations and Legal Liability, of the section Obligations of the Contractor, of Appendix I "General Conditions of Contract" of the agreement with the contracting company, the following text is included: "2. In the case of Contracts relating to matters relevant to the processing of personal data, the Contractor warrants that it will respect and comply with all applicable laws and regulations on the protection of individuals with regard to the processing of personal data and that it will assume responsibility and will be able to prove compliance to such laws and regulations. In addition, it will ensure that its personnel and any subcontractors of affiliates and persons under its control will also respect and comply with these laws and regulations. (Relevant is EU Regulation 2016/679 of 27 April 2016 of the European Parliament and of the Council)."
9.4. regarding the Examinations which will be conducted in the month of November of this year, the foreseen statistical processing will be assigned again to the contracting company. Also, the Service referred to the expertise of the contracting company and assured that it will comply with all its obligations as a data controller, provided by the Regulation and Law 125(I)/2018.

B. Legal Framework

10.
According to Article 4 of the Regulation, personal data is interpreted as "any information concerning an identified or identifiable natural person ("data subject"); an identifiable natural person is one whose identity can be ascertained, directly or indirectly, in particular by reference to an identifier such as a name, an identity number, location data, an online identifier or one or more factors that characterize the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person". Pursuant to the same article, processing is defined as "any act or series of acts carried out with or without the use of automated means, on personal data or sets of personal data, such as the collection, registration, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of disposal, association or combination, restriction, deletion or destruction". In the same article, the controller is defined as "the natural or legal person, public authority, agency or other entity that, alone or jointly with others, determines the purposes and manner of personal data processing; when the purposes and manner of such processing are determined by Union law or the law of a Member State, the controller or the specific criteria for his appointment may be provided for by Union law or the law of a Member State". Also, the processor in the same article is defined as "the natural or legal person, public authority, agency or other body that processes personal data on behalf of the data controller".
11. Regarding the delegation of processing of personal data to processors, article 28 of the Regulation provides, among other things, that: "1.
Where the processing is to be carried out on behalf of a controller, the controller shall only use processors who provide sufficient assurances for the implementation of appropriate technical and organizational measures, in such a way that the processing meets the requirements of this Regulation and ensures the protection of the rights of the data subject.
2. The processor does not engage another processor without the prior specific or general written permission of the controller. In the case of general written consent, the processor informs the controller of any intended changes concerning the addition or replacement of other processors, thus providing the controller with the possibility to object to these changes.
3. The processing by the processor is governed by a contract or other legal act governed by Union or Member State law, which binds the processor in relation to the controller and determines the object and duration of the processing, the nature and the purpose of the processing, the type of personal data and the categories of data subjects and the obligations and rights of the controller.
The contract or other legal act in question provides in particular that the processor:
a) processes the personal data only on the basis of recorded instructions of the controller, including with regard to the transfer of personal data to a third country or international organization, unless obliged to do so on the basis of Union law or the law of the Member State to which the processor is subject; in this case, the processor shall inform the controller of such legal requirement prior to processing, unless such law prohibits this type of information for serious reasons of public interest,
b) ensures that the persons authorized to process the personal data have undertaken an obligation of confidentiality or are subject to the appropriate regulatory obligation of confidentiality,
c) takes all the necessary measures pursuant to article 32,
d) observes the conditions referred to in paragraphs 2 and 4 for the engagement of another processor,
e) takes into account the nature of the processing and assists the controller with the appropriate technical and organizational measures, to the extent that this is possible, for the fulfillment of the controller's obligation to respond to requests to exercise the data subject's rights provided for in chapter III,
f) assists the controller in ensuring compliance with the obligations arising from articles 32 to 36, taking into account the nature of the processing and the information available to the processor,
g) at the option of the controller, deletes or returns all personal data to the controller after the end of the provision of processing services and deletes existing copies, unless the law of the Union or the Member State requires the storage of the personal data,
h) makes available to the data controller any necessary information to demonstrate compliance with the obligations established in this article and allows and facilitates audits, including inspections, carried out by the controller or by another auditor
commissioned by the controller. With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or national data protection provisions."
12. Pursuant to Article 36(4) of the Regulation, it is provided that: "36(4) Member States shall request the opinion of the supervisory authority when preparing proposals for legislative measures to be adopted by national parliaments, or regulatory measures based on such legislative measures, which concern processing."
13. Additionally, article 13 of Law 125(I)/2018 mandates that: "13.-(1) Before the enactment of a law or Regulations issued pursuant to a law, which provide for a specific act or series of processing acts, an impact assessment and prior consultation with the Commissioner are required."
14. Pursuant to Article 58(2) of the Regulation, the Personal Data Protection Commissioner has the following corrective powers: "a) to issue warnings to the data controller or processor that intended processing operations are likely to violate the provisions of this Regulation (…) of his rights in accordance with this Regulation, d) to instruct the data controller or the processor to make the processing operations comply with the provisions of this Regulation, if necessary, in a specific way and within a certain period, e) to order the controller to notify the personal data breach to the data subject, f) to impose a temporary or definitive restriction, including the prohibition of processing, g) to order the correction or deletion of personal data or the restriction of processing pursuant to articles 16 (…)
articles 42 and 43 or to order the certification body not to issue certification if the certification requirements are not met or are no longer met, i) to impose an administrative fine under article 83, in addition to or instead of the measures referred to in this paragraph, depending on the circumstances of each individual case, j) to order the suspension of the flow of data to a recipient in a third country or an international organization."
15. Article 83 of the Regulation, regarding the general conditions for imposing administrative fines, provides that: "1. Each supervisory authority shall ensure that the imposition of administrative fines in accordance with this article against violations of this Regulation referred to in paragraphs 4, 5 and 6 is effective, proportionate and dissuasive in each individual case.
2. Administrative fines, depending on the circumstances of each individual case, are imposed in addition to or instead of the measures referred to in Article 58 paragraph 2 points a) to h) and Article 58 paragraph 2 point j).
When deciding on the imposition of an administrative fine, as well as on the amount of the administrative fine for each individual case, the following shall be duly taken into account:
a) the nature, gravity and duration of the infringement, taking into account the nature, extent or purpose of the relevant processing, as well as the number of data subjects affected by the breach and the degree of damage they suffered,
b) the intent or negligence that caused the breach,
c) any actions taken by the controller or the processor to mitigate the damage suffered by the data subjects,
d) the degree of responsibility of the controller or the processor, taking into account the technical and organizational measures they apply pursuant to articles 25 and 32,
e) any relevant previous violations of the controller or processor,
f) the degree of cooperation with the supervisory authority to remedy the violation and limit its possible adverse effects,
g) the categories of personal data affected by the violation,
h) the manner in which the supervisory authority was informed of the breach, in particular whether and to what extent the data controller or processor notified the breach,
i) in the event that the measures referred to in Article 58 paragraph 2 were previously ordered against the data controller or processor involved in relation to the same object, compliance with said measures,
j) compliance with approved codes of conduct in accordance with Article 40 or approved certification mechanisms in accordance with Article 42, and
k) any other aggravating or mitigating factor arising from the circumstances of the particular case, such as the financial benefits obtained or losses avoided, directly or indirectly, from the infringement.
3.
In the event that the controller or processor, for the same or related processing operations, violates several provisions of this Regulation, the total amount of the administrative fine does not exceed the amount set for the most serious violation."
16. Regarding the imposition of an administrative fine, article 32 of Law 125(I)/2018 provides that: "(1) In compliance with the provisions of article 83 of the Regulation, the Commissioner shall impose an administrative fine. (…) (3) An administrative fine imposed on a public authority or public body and related to activities of a non-profit nature may not exceed two hundred thousand euros (€200,000)."
17. In the Public Education Service Law of 1969, Law 10/1969, as amended, regarding the Examinations Service, the following are mentioned: "2. In this Law, unless otherwise provided in the text, "Commission" means the Education Service Commission; (...) 23. For the purposes of this Part, unless otherwise provided in the text, "Examinations Service" has the meaning attributed to this term in article 2 of the 2006 and 2007 Laws on the Conduct of Pan-Cypriot Examinations."
18. Regarding the compilation of the list of appointments, i.e.
the compilation of the list for which the Examinations are conducted, article 28BB of Law 10/1969 provides, among other things, that: "28BB.-(1) The lists of appointments are drawn up by registering the candidates, in order of priority and based on the following criteria-
(a) success in a written examination and its scoring, as provided for in paragraph (a) of subsection (3),
(b) the grade of the first degree and its scoring, as provided for in paragraph (b) of subsection (3),
(c) the possession and level of additional academic qualifications which are relevant to the training or specialty of the candidate or the duties of the position, and their scoring, as provided for in paragraph (c) of subsection (3),
(d) the educational experience of the candidate and its scoring, as provided for in paragraph (d) of subsection (3),
(e) the date and year of the first degree, which is submitted together with the candidate's application, and its scoring, as provided for in paragraph (e) of subsection (3),
(f) service in the National Guard or the armed forces of a member state and its scoring, as provided for in paragraph (f) of subsection (3).
(…) (3) The scoring in each of the criteria provided for in subsection (1), based on the weight of each one as provided for in subsection (2), is calculated as follows: (…) (vi) a candidate who is registered in a list of appointees, if he wishes to be registered on the appointment list, must submit an expression of interest and also submit an application together with the relevant fee for participation in a written examination: Provided that the Commission posts on its official website the relevant expression of interest form and the form for submitting an application for participation in a written examination; (…) (ix) the Examinations Service is responsible for preparing the examination papers, conducting the examinations, extracting the results and forwarding them to the Commission; (…) (5) The Commission accepts applications or expressions of interest, as the case may be, for registration in the appointment list, from the date of entry into force of the Public Education Service (Amendment) (No. 2) Law of 2015."
19. According to the Law of 2006 on the Conduct of Pan-Cypriot Examinations, Law 22(I)/2006, as amended, Examinations Service means "the department of the Ministry of Education and Culture which is responsible for the conduct of Pan-Cypriot Examinations".
20. The 2017 Regulations on Written Examinations for Registration and Ranking in Appointment Tables, as amended, provide in the first and third proviso respectively of Regulation 4 that: "(…) of a statistically processed score of at least 50% in each of the three (3) examination subjects during the same examination period:", and that: "It is further understood that, in the above branches/specialties, for registration and ranking of candidates in appointment lists it is required to secure a statistically processed score of at least 50% in each of the individual academic subjects."
20.1.
Also, Regulation 8 provides that: "For the purposes of uniform ranking of candidates participating in the written examinations in different examination periods, statistical processing is applied."

C. Rationale

21. I must point out that the investigation I am carrying out concerns exclusively personal data protection issues. Therefore, based on the duties with which I am charged, I cannot investigate issues concerning, among other things, the reliability or otherwise of the results, the appropriateness of the statistical processing methods that were applied, the correctness of the scoring system, or whether the necessity of statistical processing must be considered.
22. Taking into account that, by virtue of Law 10/1969, the Service is responsible for "the preparation of the examination papers, the conduct of the examinations, the extraction of the results and their transmission to the Commission", I consider that the Service is the data controller for the processing of personal data which is carried out in the context of the statistical processing of the results of the Examinations.
22.1. The fact that the agreement with the contracting company was made between the latter and the Ministry does not affect the above conclusion.
23. On the website of the Education Service Committee (EYS), which concerns the application for registration on a list, i.e. the list of appointees and/or the list of appointments, it is stated that: "Along with the application, you MUST present all the necessary certificates/supporting documents as indicated in the instructions of the form. You must present both the originals and the copies so that the relevant certification of the copies can be done by an employee of the EIF upon receipt of the EIF01X application, at the EIF Office."
23.1. On this website, the necessary certificates/evidence which must accompany the application are listed.
In particular, the following are mentioned: birth certificate, civil identity card or passport, high school diploma, degree(s), proof of studies, photocopy of the Study Guide of the educational institution where the applicant attended, full certificate of enlistment status type "A", certificate of clean criminal record, certificate of educational experience and certificate of technical experience (for technology instructors and teachers only). In addition to these, which are explained in detail on the relevant website, a recent original medical certificate must be presented for applications for registration in the special lists for people with disabilities.
24. Based on the above, it follows that applicants must record their qualifications and relevant information, such as degree grade, possession or not of additional academic qualifications (postgraduate degrees, including doctoral degrees) and their teaching experience. They must also present the relevant certificates/evidence to the Educational Service Committee themselves. By submitting the specific certificates/proofs, the applicants receive, as expected, a relevant score. It is, therefore, self-evident that the fulfillment of the above obligations is a necessary condition for registration in the list of appointments and for receiving the relevant points.
25. The sole purpose of conducting the Examinations is to draw up the list of appointments. In order for a candidate to be included in the appointment list, success in the Examinations is required. In each specialty, a list of appointments is created, which includes the successful candidates of the Exams of various years. At specified periods, the list of appointments of each specialty is renewed, with the addition of the successful candidates of the new Examinations and/or with the differentiation of the scoring of the qualifications and/or the score of each successful candidate. Comparability of Exam scores from different years is therefore required.
Therefore, as stated in Regulation 8 of the 2017 Regulations on Written Examinations for Registration and Ranking in the Appointment Tables, as amended, statistical processing is applied for the purposes of uniform ranking of candidates.
26. The statistical processing methods which were applied include methods that require the processing of personal data. Apart from the existence of a relevant legal basis, since the statistical processing is provided for in the relevant Regulations, I consider that the application of such methods does not arise separately, but is instead part of the actions to achieve the intended purpose, namely the ranking of candidates in the appointment lists. After all, the submission of the certificates/evidence was carried out by the candidates themselves, for their registration in the list of appointments of the relevant specialty or for their grading. Therefore, I consider that the application of the relevant statistical methods, which include the processing of personal data, specifically involves the processing of data that the candidates themselves supplied to the Education Service Committee and/or data that resulted from the Examination process.
27. However, I have to point out that the processing of personal data is not required only by the propensity score matching method, as mentioned in the impact assessment carried out by the Service. Processing of personal data is also carried out in other methods that were applied. By studying the document "Methods of Statistical Processing of the scores of the candidates who took part in the Written Examinations in 2019 for Registration and Ranking in the Appointment Tables", it appears that in the "common candidates" method (common persons method), for each candidate, the overall score received in the Exams in 2017 and 2019 is processed, while in the quasi-common questions method (pseudo anchor method), the scores received in specific questions in the 2017 and 2019 Exams are processed.
27.1. However, the above conclusion, i.e.
the processing of personal data beyond the propensity score matching method, does not affect the framework of legality of the application of the relevant statistical methods.
28. As provided in article 28 of the Regulation, the data controller "uses only processors who provide sufficient assurances for the implementation of appropriate technical and organizational measures, in such a way that the processing meets the requirements of this Regulation and ensures the protection of the rights of the data subject". The delegated processing is governed by a contract or other legal act which determines "the object and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects and the obligations and rights of the controller". Article 28(3) of the Regulation lists all the elements that are required to be included in the contract in question. It is further provided that this contract must precede the communication of the data by the controller to the processor and/or any processing of such data by the processor.
29. In this case, the Service assigned to the company CITO the application of the statistical processing of the scores of the candidates who took part in the Examinations in the years 2019 and 2021. Therefore, the contracting company CITO is the processor for the processing of the data in question.
30. Pseudonymization, or, as the Service mentioned, the use of pseudo codes, is a security measure for personal data and does not change the nature of such data into non-personal data. That is, personal data that have been pseudonymized continue to be classified as personal data.
31.
It follows, therefore, that the communication of the data to the contracting company constitutes an act of processing and, therefore, the position of the Service that personal data is not shared is not valid since the information, which is given by it, is characterized by pseudo codes, as formulated in a letter dated December 27, 2021. I remind you that the Service, when exercising the right to be heard, on September 28, 2023, reversed the above position and acknowledged the fact that there was processing of the candidates' personal data. 32. Studying the copy of the agreement, which was carried out between the Ministry and the contracting company, which was submitted to my Office with the letter of the Service dated December 27, 2021, it appears that this agreement does not constitute a processing outsourcing contract, as provided for in article 28(3) of the Regulation. Therefore, the reason why the Service, in the letter dated August 29, 2022, stated that it is not possible to prepare, retroactively, a "new processing outsourcing agreement" with the contracting company. 33. Despite the fact that no contract of assignment was signed with the contracting company, as finally the admission of the Service, I recognize the fact that in the initial agreement - contract of the Service with the contracting company, provisions for data protection were included, as they are presented in paragraph 9.3.1. herein, and which were submitted to my Office in the context of the exercise of the right to be heard. 34. The non-existence of a signed contract of assignment between the Service and the contracting company, as provided for in article 28(3) of the Regulation, shows that the Service, as the controller, cannot prove that the processor, i.e. 
the contracting company, provided sufficient assurances for the implementation of appropriate technical and organizational measures, in such a way that the processing meets the requirements of the Regulation and ensures the protection of the rights of the data subjects, as provided for in article 28(1) of the Regulation. 35. Additionally, the non-existence of an assignment contract, as provided for in article 28(3) of the Regulation, shows that the Service cannot prove that the processing was carried out in accordance with the Regulation, as provided for in article 24(1) of the Regulation. 36. As follows from article 36(4) of the Regulation, there is the obligation of prior consultation with the Personal Data Protection Commissioner, when preparing proposals for legislative measures or regulatory measures based on such legislative measures, which concern processing. The same obligation is imposed by article 13(1) of Law 125(I)/2018. The consultation must take place in order to ensure that the planned processing is compliant with the Regulation and, in particular, to mitigate the risks to the data subjects. 37. Therefore, taking into account that the 2017 Regulations on Written Examinations for Registration and Ranking in the Appointment Tables, as amended, provide for statistical processing for the purposes of uniform classification of candidates, which requires the processing of personal data, the Service was obliged to carry out in prior consultation with my Office, before including the relevant provision. 38. It cannot be considered that the previous consultation is related in any way to the impact assessments ("impact analysis questionnaire") carried out by the Ministry both when submitting to the House of Representatives the Draft Regulations for the 2017 Regulations, and the filing of the Draft Regulations for the Amending Regulations of 2019. 39. As analyzed in paragraph 30 hereof, the use of pseudo codes does not change the nature of the data. 
Therefore, I do not accept the Service's position that my Office was not consulted due to the fact that the application of statistical processing does not involve the processing of personal data. I remind you that this position was mentioned in a letter from the Service, dated December 27, 2021, while, in the context of the exercise of the right to be heard, on September 28, 2023, the Service acknowledged the processing of personal data that was carried out. 40. I also do not accept the Service's position that prior consultation with my Office would not have been feasible because of the tight timescales that had to be met. I consider that there was sufficient time for consultation, since the relevant amendments to Regulations 4 and 8 of the 2017 Written Examinations for Registration and Ranking in the Boards of Appointment Regulations were published in the Government Gazette on 30 July 2019, i.e. at least three months before the Examinations were held, the grading of the answers and the communication of the data to the sponsoring company. 41. Regarding the impact assessment that the Service carried out, following my instructions, and sent to my Office on August 30, 2022, I consider it appropriate to mention the following: 41.1. the assessment does not assess whether there is an impact based on the use of statistical methods, but is mainly devoted to the reception, implementation of technical measures and the maintenance of data by the Service, 41.2. the role of controller is held by the Service and not, as mentioned, the "Ministry of Education, Sports and Youth (YPAN) through the Directorate of Higher Education, through the Examinations Service (HE) (Head of HE: XXX)", 41.3. the statement that the role of processing is held by the Service's officials and/or other officials of the Ministry is not valid. The employees of the Service are part of the controller and, in any case, perform processing under his supervision, 41.4. 
as analyzed in paragraph 27 hereof, processing of personal data exists not only with the application of the data trend matching method, but also in other methods used, 41.5. bearing in mind that the statistical processing is provided for in the 2017 Regulations on Written Examinations for Registration and Ranking in the Appointment Tables, as amended, the legal obligation of the Service must be considered as the legal basis, i.e. article 6(1)(c) of the Regulation, and not, as mentioned, the fulfillment of a duty performed in the public interest or in the exercise of a public authority delegated to the controller, i.e. Article 6(1)(e) of the Regulation. For the same reason, the consent of the candidates, i.e. Article 6(1)(a) of the Regulation, should not be considered as a legal basis. However, I point out that candidates should be fully and transparently informed about the processing of their data. D. Conclusion 42. Taking into account all the above elements, as they have been set, and based on the powers granted to me by virtue of articles 33(5) and 57(1)(f) of the Regulation, I find that there is a violation by the Examination Service of the Higher Directorate of Education of the Ministry of Education, Sports and Youth: (a) of article 24(1) of the Regulation, since as a data controller he did not prove that the processing was carried out in accordance with the Regulation, (b) of article 28(1) of the Regulation, since he did not use a processor who provides sufficient assurances for the application of appropriate technical and organizational measures, and (c) Article 36(4) of the Regulation and Article 13(1) of Law 125(I)/2018, since no prior consultation was carried out with my Office, prior to the adoption of the Regulations which include provisions for statistical processing. 43. 
Based on the provisions of article 83 of the Regulation, regarding the conditions for imposing administrative fines, insofar as they are applied in this particular case, when measuring the administrative fine, I took into account the following mitigating factors (a) - (c) and aggravating (d) factor: (a) the taking of technical measures, specifically the pseudonymization, which the Service carried out before sending the personal data of the candidates to the contracting company, (b) the absence of fraud on the part of the Service, (c) the categories of data that were processed, which do not include special categories of data, (d) the fact that the detection of the violations in question arose after a complaint was submitted to my Office, and not after a relevant communication and/or information from the Service. 44. After taking into account: (a) the current legislative basis regarding the administrative sanctions provided for in the provisions of article 58(2) and article 83 of the Regulation, (b) all the circumstances and factors that the complainant and Service placed before me based on all existing correspondence, (c) the above mitigating and aggravating factors, I consider that, under the circumstances, the imposition of an administrative fine is not justified. 45. Nevertheless, having regard to the aforementioned facts, the legal aspect on which this Decision is based and the analysis as explained above, and exercising the powers granted to me by Article 58(2)(b) of the Regulation, I have decided against my judgment and in compliance with the above provisions, to direct the Examination Service of the Directorate of Higher Education of the Ministry of Education, Sports and Youth a reprimand for the violation of articles 28(1) and 24(1) of Regulation (EU) 2016/679, and a reprimand for the violation of Article 36(4) of Regulation (EU) 2016/679 and Article 13(1) of Law 125(I)/2018. 
Irini Loizidou Nikolaidou Commissioner for Personal Data Protection<br />
</pre></div>Nikolaos.konstantishttps://gdprhub.eu/index.php?title=HDPA_(Greece)_-_6/2024HDPA (Greece) - 6/20242024-02-28T21:33:55Z<p>Nzm: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Greece<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoGR.jpg<br />
|DPA_Abbrevation=HDPA<br />
|DPA_With_Country=HDPA (Greece)<br />
<br />
|Case_Number_Name=6/2024<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Hellenic Data Protection Authority <br />
|Original_Source_Link_1=https://www.dpa.gr/sites/default/files/2024-02/6_2024%2520anonym.pdf<br />
|Original_Source_Language_1=Greek<br />
|Original_Source_Language__Code_1=EL<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=23.07.2022<br />
|Date_Decided=10.01.2024<br />
|Date_Published=16.02.2024<br />
|Year=2024<br />
|Fine=2.000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 4(7) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#7<br />
|GDPR_Article_2=Article 5(1) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#1<br />
|GDPR_Article_3=Article 5(2) GDPR<br />
|GDPR_Article_Link_3=Article 5 GDPR#2<br />
|GDPR_Article_4=Article 12(1) GDPR<br />
|GDPR_Article_Link_4=Article 12 GDPR#1<br />
|GDPR_Article_5=Article 13 GDPR<br />
|GDPR_Article_Link_5=Article 13 GDPR<br />
|GDPR_Article_6=<br />
|GDPR_Article_Link_6=<br />
|GDPR_Article_7=<br />
|GDPR_Article_Link_7=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Nikolaos.Konstantis<br />
|<br />
}}<br />
<br />
The DPA fined a controller €2,000 for illegally using geolocation data of their employee outside the latter’s working hours.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The data subject was called on the phone by his employer (the "controller") during his regular leave. Because the data subject had not answered the phone calls 3 times, the controller used the data from the geolocation system installed in the company car. The controller declared that it was concerned for the employee's health due to a previous accident. <br />
<br />
The data subject lodged a complaint with the Hellenic DPA ("HDPA"), arguing that this processing was unlawful and that he had not been given clear information regarding the use of this geolocation data.<br />
<br />
The controller argued that the use of the car had been granted to the data subject for meeting official needs and only within working hours. The controller brought to the attention of the DPA the actions it took after the incident was reported, in order to exclude any possible future misuse of the tracking systems in question. These actions included the installation of new geolocation systems that users can disable, the designation of a responsible operator, the updating of the user instructions and the drafting of new installation and operation notification documents.<br />
<br />
=== Holding ===<br />
The DPA held that the company failed to comply with [[Article 5 GDPR#1|Article 5(1) GDPR]], as it processed the data subject's personal data unlawfully: his vehicle's tracking data was used outside of working hours, for the purpose of locating him, without a legal basis.<br />
<br />
The DPA also found a breach of [[Article 12 GDPR|Article 12]] and [[Article 13 GDPR|13 GDPR]], as the controller gave the data subject incomplete information about the function of the system installed in the vehicle and about the fact that he was not entitled to use the vehicle outside of working hours.<br />
<br />
The HDPA therefore imposed a €2,000 fine on the controller.<br />
<br />
== Comment ==<br />
''Comment from the initial contributor'': The DPA took into account the Opinion 2/2017 of the Article 29 Working Party, according to which "''there is likely to be no legal basis for monitoring the location of employees' vehicles outside of agreed working hours. However, if such a need exists, a use that is commensurate with the risks should be considered. For example, this could mean that, to prevent vehicle theft, the location of the vehicle is not recorded outside of working hours, unless the vehicle leaves a wider location (region or even country). In addition, the location will only be displayed in emergency situations – the employer activates location visibility, accessing data already stored by the system, when the vehicle leaves a pre-defined area.''"<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.<br />
<br />
<pre><br />
DECISION 6/2024 (Department) The Personal Data Protection Authority convened, upon the invitation of its President, in a regular meeting in the composition of the Department at its headquarters on 10/01/2024, in order to examine the case referred to in the history of this. The meeting was attended by teleconference by Georgios Batzalexis, Deputy President, in opposition to the President of the Authority, Konstantinos Menoudakos, and was attended by the alternate member Georgios Kontis, as rapporteur, as well as the alternate members Demosthenes Vougioukas and Maria Psalla, in place of the regular members Konstantinos Lambrinoudakis and Grigorio Tsolia who did not attend due to disability although they were legally summoned in writing. The meeting was attended, by order of the President without the right to vote, Georgia Panagopoulou, specialist scientist - auditor as assistant rapporteur and Irini Papageorgopoulou, employee of the Authority's administrative affairs department, as secretary. The Authority took into account the following: With the no. prot. C/EIS/9056/23-07-2022 his complaint, A (hereinafter the complainant), is directed against the company "X", (hereinafter the complainant). According to the complaint, the complainant was an employee of the complainant in the position of employee-salesperson and complains of illegal processing of his personal data through the geolocation system operating in a vehicle provided to him by the complainant. More specifically, he states that during his regular leave he was called by the complainant and he did not answer the calls. The complainant's sales manager used the data from the geolocation system installed in the company car and appeared at the supermarket where the complainant had gone shopping. He states in the complaint that the installation and updating of the geolocation system in the car had taken place two weeks before. 
The Authority sent the complainant with no. prot. C/EXE/2101/24-08-2022 document with which it informed about the content of the submitted complaint and invited her to submit in writing her views on the complaint, with special reference to the issues of informing employees and operating the system outside of working hours. The company with no. prot. C/EIS/10069/13-09-2022 replied that he had properly informed the complainant about the geolocation system and that the vehicle was not allowed to be used out of hours. The alleged use of the geolocation system was made because the complainant did not answer their phone calls for three days, and there was concern for the employee's health due to a previous health incident. Then the Authority, in order to complete the examination of the case, called with no. prot. C/EXE/2800/07-11-2022, C/EXE/2737/31-10-2022 documents, the complainant and the complained company, respectively, at the meeting of the Department on 16/11/2022. At the meeting of 11/16/2022, A, and on behalf of company "X" Theodoros Sidiropoulos with AMDS ..., and George A. Kastritseas with AMDS ... attended the meeting via video conference. During the hearing the parties developed their views and were given a deadline to submit a memorandum. Subsequently, the complainant filed the no. prot. C/EIS/12031/24-11-2022 her memorandum, while the complainant did not file a memorandum. During the hearing, the complainant repeated what was stated in his complaint. The accused, both during the hearing and with the no. prot. C/EIS/12031/24-11-2022 her memorandum argued that since the use of the car that had been granted to the complainant referred to the coverage of official and only needs within working hours, there was no technical possibility of deactivating the geolocation system in question car. He states that the complainant was informed about the installation of the GPS system in question with the letter of 12/07/2022, which is attached to the memorandum. The memorandum also mentions the actions taken by the complainant after reporting the incident, in order to exclude any possible future misuse of the above geolocation systems: 1. The existing geolocation systems were removed so that new ones were installed, which will allow the disabling them by their users. 2. The manager-legal representative of the company was designated as the responsible operator of the geolocation systems, given that the alleged act committed by the defendant against the complainant was done without the knowledge of the complainant and without any prior advice. 3. The instructions for the use of the geolocation system by its users were updated and 4. 
New documents were drawn up informing the users of the installation and operation of the system, where they are informed about a) the purposes for which they were installed and operate and regarding b) the retention time of the data collected per day through the above geolocation systems and c) the rights of the users. The Authority, after examining the elements of the file and after hearing the rapporteur and the clarifications from the assistant rapporteur, who was present without the right to vote, after a thorough discussion, DECIDED IN ACCORDANCE WITH THE LAW 1. From the provisions of articles 51 and 55 of General Data Protection Regulation (Regulation (EU) 2016/679 - hereinafter, GDPR) and Article 9 of Law 4624/2019 (Government Gazette A΄ 137) it follows that the Authority has the authority to supervise the implementation of the provisions of the GDPR, this law and other regulations that concern the protection of the individual from the processing of personal data. In particular, from the provisions of articles 57 par. 1 item f of the GDPR and 13 par. 1 item g΄ of Law 4624/2019 it follows that the Authority has the authority to take charge of the complainant's complaint against the complainant and to exercise, respectively, the powers granted to it by the provisions of Articles 58 of the GDPR and 15 of Law 4624/2019. 2. Article 5 par. 1 of the General Regulation (EU) 2016/679 for the protection of natural persons against the processing of personal data (hereinafter GDPR) sets out the principles that must govern a processing. According to article 5 par. 1 a) and f) GDPR "1. Personal data: a) are processed lawfully and legitimately in a transparent manner in relation to the data subject ("legality, objectivity and transparency"), [...] 
f) are processed in a way that guarantees appropriate data security of a personal nature, including their protection from unauthorized or illegal processing and accidental loss, destruction or damage, by using appropriate technical or organizational measures ("integrity and confidentiality")", while as pointed out in the Preamble of the Regulation, "Personal data should be processed in a way that ensures the appropriate protection and confidentiality of personal data, including to prevent any unauthorized access to such personal data and the equipment used to process it or the use thereof of the personal data and the equipment in question" (App. Sk. 39 in fine). Furthermore, according to the principle of accountability which is expressly defined in the second paragraph of the same article and constitutes a cornerstone of the GDPR, the data controller "bears the responsibility and is able to demonstrate compliance with paragraph 1 ("accountability")". This principle entails the obligation of the controller to be able to demonstrate compliance with the principles of art. 5 par. 1. 3. Because according to the provisions of article 4 par. 7) GDPR, as controller means "the natural or legal person, public authority, agency or other entity that, alone or jointly with others, determines the purposes and manner of processing personal data; when the purposes and manner of such processing are determined by Union law or the law of a Member State, the controller or the specific criteria for his appointment may be provided for by Union law or the law of a Member State". According to the EDPS Guidelines 07/2020 regarding concepts, any processing of personal data carried out by employees in the field of activities of an organization can be considered to be carried out under the control of that organization. 
Employees who have access to personal data within an organization are generally not considered "controllers" or "processors", but "persons acting under the supervision of the controller or processor" within the meaning of Art. 29 of the GDPR, therefore in this case the complainant is the data controller. 4. Regarding the transparency of processing, Article 12 para. 1 GDPR states that: "The controller shall take the appropriate measures to provide the data subject with any information referred to in Articles 13 and 14 and any communication in the context of Articles 15 to 22 and of article 34 regarding the processing in a concise, transparent, understandable and easily accessible form, using clear and simple wording, especially when it comes to information addressed specifically to children. The information is provided in writing or by other means, including, if appropriate, electronically. When requested by the data subject, the information may be given orally, provided that the identity of the data subject is proven by other means.' Mandatory information provided is provided for in Article 13 GDPR for the case where the data is collected by the subject and in Article 14 GDPR for the case where the data has not been collected by the subject. 
In particular, this information includes at least "a) the identity and contact details of the data controller and, where applicable, of his representative, b) the contact details of the data protection officer, where applicable, c) the purposes of the processing for which the personal data are intended, as well as the legal basis for the processing, d) the relevant categories of personal data, e) the recipients or categories of recipients of the personal data, f) as the case may be, that the data controller intends to transmit personal data to a recipient in a third country or international organization and related information, g) the period for which the data will be stored, or, if this is impossible, the criteria that determine said period, h) information about the rights of the subject according to articles 15-22 GDPR". As long as the data has not been collected by the subject, in accordance with article 14 par. 2 sec. f) GDPR, it is required to provide the data subject as information "the source from which the personal data originates and, as the case may be, whether the data originated from sources to which the public has access". The information is provided either at the time of collection of the data, when this is done by the subject (Article 13 GDPR) or within the time period defined in par. 3 of Article 14 GDPR, in the event that the data has not been collected by the subject.<br />
5. In Opinion 2/2017 of the Article 29 Working Group on processing data at work [1], paragraph 5.7 states that due to the sensitive nature of location data, there is unlikely to be a legal basis for tracking the location of employees' vehicles outside of agreed working hours. However, if there is such a need, a use that is proportionate to the risks should be considered. For example, this could mean that, to prevent vehicle theft, the location of the vehicle is not recorded outside working hours, unless the vehicle leaves a wider location (region or even country). Furthermore, the location will only be displayed in emergency situations – the employer enables location visibility by accessing data already stored by the system when the vehicle exits a predetermined area.<br />
[1] https://www.dpa.gr/el/enimerwtiko/thematikes_enotites/eidikoiskopoi/ergasiakessxeseis/sxetika_eur<br />
6. The complainant, as controller for the location data of his employee's vehicle, must be able to demonstrate compliance with the principles of art. 5 par. 1 of the GDPR, observing the appropriate documentation. The Authority did not check this documentation, but examined what is contained in said complaint concerning the specific use of these data in the specific incident.<br />
7. From the facts presented above it follows that an employee of the complainant made use of his vehicle geolocation data apparently outside working hours, since the complainant was in lawful license, for the purpose of locating the place where the complainant was, as evidenced by the fact that said employee appeared in that position.<br />
8. Therefore, the Authority finds the following violations on the part of the complainant, as controller:<br />
a) illegal processing of the complainant's personal data, due to the use of his vehicle tracking data outside of working hours and for the purpose of locating the complainant.<br />
b) incomplete information of the complainant, in violation of articles 5 par. 1 sec. a and of articles 12 and 13 and 5 par. 2 sec. b of the GDPR, regarding the function of the system installed in the vehicle granted to him, notwithstanding that he was not entitled to use it outside working hours, a fact that the complainant admitted and took corrective actions henceforth.<br />
9. Based on the above, the Authority considers that there is a case to exercise the corrective powers of article 58 par. 2 of the GDPR in relation to the found violations and that it should, based on the circumstances that were established, impose, pursuant to the provision of article 58 par. 2 sec. i of the GDPR, an effective, proportionate and dissuasive administrative fine according to article 83 of the GDPR, both to restore compliance and for the punishment of unlawful conduct. Furthermore, the Authority took into account the criteria for measuring the fine defined in article 83 par. 2 of the GDPR, paragraph 5 sec. a' of the same article that applies to the present case, the Guidelines for implementation and determination of administrative fines for the purposes of Regulation 2016/679 issued on 03-10-2017 by the Article 29 Working Group (WP 253) and Guidelines 04/2022 of the European Data Protection Board for the calculation of administrative fines under the General Regulation, as well as the actual data of the case under consideration and in particular the criteria listed below.<br />
a) that the violation of the legality of the processing falls under the provision of par. 5 of article 83 GDPR,<br />
b) that the incident appears to be isolated, as the Authority has not imposed a sanction on the accused for a similar violation in the past,<br />
c) that the breach directly affected a data subject;<br />
d) that the violation is due to an individual action of an employee,<br />
FOR THOSE REASONS<br />
THE BEGINNING<br />
A. It imposes, on "X" as controller, based on article 58 par. 2 sec. i) of the GDPR, an administrative fine of two thousand (€2,000) euros, for the established violation of the principles of the legality of the processing according to art. 5 par. 1 a) of the GDPR.<br />
B. Addresses, based on article 58 par. 2 item II GDPR, a reprimand to "X", as controller, for the incomplete information in violation of articles 5 par. 1 sec. a and of articles 12 and 13 and 5 par. 2 sec. b of the GDPR.<br />
The President The Secretary<br />
Georgios Batzalexis Irini Papageorgopoulou<br />
</pre></div>Nikolaos.konstantishttps://gdprhub.eu/index.php?title=AN_-_136/2019AN - 136/20192024-02-28T13:46:02Z<p>Sfl: </p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=AN<br />
|Court_Original_Name=Audiencia Nacional<br />
|Court_English_Name=National Audience<br />
|Court_With_Country=AN (Spain)<br />
<br />
|Case_Number_Name=136/2019<br />
|ECLI=ECLI:ES:AN:2019:136<br />
<br />
|Original_Source_Name_1=CENDOJ<br />
|Original_Source_Link_1=https://www.poderjudicial.es/search/AN/openDocument/8ed60e51766c4e3e/20190219<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Date_Decided=06.02.2019<br />
|Date_Published=<br />
|Year=2019<br />
<br />
|GDPR_Article_1=<br />
|GDPR_Article_Link_1=<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=20.3 Estatuto de los Trabajadores<br />
|National_Law_Link_1=https://www.boe.es/buscar/act.php?id=BOE-A-2015-11430<br />
|National_Law_Name_2=5 LOPD<br />
|National_Law_Link_2=https://www.boe.es/buscar/pdf/1999/BOE-A-1999-23750-consolidado.pdf<br />
|National_Law_Name_3=<br />
|National_Law_Link_3=<br />
|National_Law_Name_4=<br />
|National_Law_Link_4=<br />
<br />
|Party_Name_1=TELEPIZZA, S.A.U.<br />
|Party_Link_1=https://www.telepizza.es<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=TS (Spain)<br />
|Appeal_To_Case_Number_Name=STS 518/2021<br />
|Appeal_To_Status=Appealed - Confirmed<br />
|Appeal_To_Link=https://www.poderjudicial.es/search/AN/openCDocument/e5e0cf323aea82ebeb9f320e282b0b426fc1fe0a6a91fc8d<br />
<br />
|Initial_Contributor=Teresa.lopez<br />
|<br />
}}<br />
<br />
The Spanish Audiencia Nacional invalidated contractual clauses obliging delivery employees of a pizza chain to supply their personal phones for geolocation, used to keep customers updated on the status of their delivery.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
On November 26, 2018, a lawsuit was filed by UGT (Spanish trade union) regarding a collective labor conflict. Another lawsuit was filed on December 12, 2018, by CCOO (Spanish trade union) concerning the same collective labor conflict.<br />
<br />
TELEPIZZA S.A.U., a pizza delivery chain, wanted to implement the "Proyecto Tracker" (Tracker Project), which required delivery drivers to provide their personal cell phones with internet connection for geolocation purposes during their working hours. Telepizza's purpose was to ensure that customers ordering their pizzas were aware of the status of their order at all times. The company argued that its main competitor, as well as other digital food delivery platforms, offered geolocation systems for orders, which made its implementation necessary to maintain a similar offer.<br />
<br />
The Collective Agreement for cooked product manufacturers for home delivery did not regulate the requirement for workers to provide mobile phones. Telepizza initiated an amendment of working contracts to be signed by new employees to include the mandatory provision of personal devices and the installation of a company-developed app for this purpose. Employees would be responsible for activating the app at the beginning of their shift so geolocation would start, as well as for its deactivation at the end of the shift. The trade unions also complained about the app accessing the phone's gallery. In compensation, the employer was to pay a monthly amount that it determined unilaterally.<br />
<br />
Under the amended contracts, an employee's repeated refusal, or supervening inability, to provide the personal phone was deemed sufficient cause for terminating the employment contract. The company explained that acceptance of this system would be voluntary for delivery drivers who were already under contract.<br />
<br />
=== Holding ===<br />
The Court declared the "Tracker Project" null and void, as well as the clauses introduced in the contracts that required the worker to contribute their own internet-connected cell phone for the benefit of the company.<br />
<br />
The Court considered that the information provided to the workers' representatives was insufficient to have an informed opinion since it omitted essential data. The Court held that it is necessary to explain the specific operation of the application, including how it is installed on the cell phone, what data of the terminal it must access, what specific data the worker must provide to access the application, what data, if any, the application must store and how they will be processed. Said information, along with the possibility to exercise the rights of access, rectification, limitation of processing, and erasure, must be provided to workers and their representatives prior to the installation of geolocation systems.<br />
<br />
The Court also noted that even if there is a judicial doctrine admitting that employers may impose geolocation systems on workers, the implementation of such a measure must pass the proportionality test. Any limitations or modulations must be those indispensable and strictly necessary to satisfy a business interest worthy of protection. If there are other, less intrusive ways of satisfying this interest that affect the right in question to a lesser degree, those alternatives must be used.<br />
<br />
The Court held that Telepizza's intended processing did not pass the necessary proportionality test. The same purpose could have been achieved with measures that involve less interference in the fundamental rights of employees, such as the implementation of geolocation systems in the motorcycles in which orders are transported or bracelets with such devices that do not imply the need for the employee to provide their own means and personal data.<br />
<br />
Moreover, the Court asserted that the mandate for employees to provide a cell phone with a data connection for work purposes is a clear abuse of law. This requirement not only disregards the essential feature of the employment contract that the means of work are supplied by the employer, but also shifts the responsibility of providing the necessary tools for work from the employer to the employee. Consequently, any hindrance in activating the geolocation system results in, at the very least, the suspension of the employment contract and a subsequent loss of wages. Furthermore, the compensation offered for this provision was deemed entirely inadequate. The valuation of a basic mobile device, priced at 110 euros and expected to last three years, together with the internet data contract, which is reimbursed solely on the basis of work-related usage, fails to consider whether the employee desires such services for personal use at all.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
The resolutions that make up this database are disseminated for the purposes of knowledge and consultation of the decision criteria of the Courts, in compliance with the competence granted to the General Council of the Judiciary by art. 560.1.10º of the Organic Law of the Judiciary. The user of the database may consult the documents as long as they do so for their own personal use. Neither the use of the database for commercial purposes nor the massive downloading of information is permitted. The reuse of this information for the creation of databases or for commercial purposes must follow the procedure and conditions established by the CGPJ through its Judicial Documentation Center. Any action that contravenes the above indications may give rise to the adoption of appropriate legal measures.<br />
</pre></div>Teresa.lopezhttps://gdprhub.eu/index.php?title=Helsingin_hallinto-oikeus_-_3620/2023Helsingin hallinto-oikeus - 3620/20232024-02-28T09:16:54Z<p>Fred: Fred moved page Helsingin hallinto-oikeus - 3620/2023 to Helsingin hallinto-oikeus (Finland) - 3620/2023: corrected the name</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Finland<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=Helsingin hallinto-oikeus<br />
|Court_Original_Name=Helsingin hallinto-oikeus (Finland)<br />
|Court_English_Name=Administrative Court of Helsinki<br />
|Court_With_Country=Helsingin hallinto-oikeus (Finland)<br />
<br />
|Case_Number_Name=3620/2023<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Helsingin hallinto-oikeus<br />
|Original_Source_Link_1=https://gdprhub.eu/index.php?title=File:Helsingin_hallinto-oikeus_3620-2023.pdf<br />
|Original_Source_Language_1=Finnish<br />
|Original_Source_Language__Code_1=FI<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Date_Decided=16.06.2023<br />
|Date_Published=16.06.2023<br />
|Year=2023<br />
<br />
|GDPR_Article_1=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1a<br />
|GDPR_Article_2=Article 12 GDPR<br />
|GDPR_Article_Link_2=Article 12 GDPR<br />
|GDPR_Article_3=Article 13 GDPR<br />
|GDPR_Article_Link_3=Article 13 GDPR<br />
|GDPR_Article_4=Article 15 GDPR<br />
|GDPR_Article_Link_4=Article 15 GDPR<br />
|GDPR_Article_5=Article 25(1) GDPR<br />
|GDPR_Article_Link_5=Article 25 GDPR#1<br />
|GDPR_Article_6=Article 83(1) GDPR<br />
|GDPR_Article_Link_6=Article 83 GDPR#1<br />
|GDPR_Article_7=<br />
|GDPR_Article_Link_7=<br />
|GDPR_Article_8=<br />
|GDPR_Article_Link_8=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=Lääkäriklinikka Estetic Oy<br />
|Party_Link_1=https://clinicestetic.fi/en/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_From_Body=Tietosuojavaltuutetun toimisto (Finland)<br />
|Appeal_From_Case_Number_Name=8493/161/21<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=https://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_8493/161/21<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=[https://gdprhub.eu/index.php?title=User:Fred fred]<br />
|<br />
}}<br />
<br />
The Administrative Court of Helsinki upheld a Finnish DPA decision imposing a fine of €5,000 on a medical clinic for not implementing the data subject's access request and failing to inform data subjects about the processing of personal data.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The controller (Lääkäriklinikka Estetic Oy, a medical clinic) had asked the Administrative Court of Helsinki (the Court) to overturn the €5,000 administrative fine imposed by the Finnish DPA and [[Tietosuojavaltuutetun toimisto (Finland) - 8493/161/21|the DPA's decision]], according to which the controller had not implemented the data subject's access request.<br />
<br />
The controller filed the appeal claiming that it had already fulfilled the data subject's access request as far as it concerned the personal data it processed. The controller emphasised that it did not have access to the patient records of another company whose surgeon had treated the data subject at the controller's premises.<br />
<br />
The controller argued that the DPA should have requested an explanation from the other company as well, because the data subject was not a patient of the controller, but a patient of the other company. The controller also stated that the DPA's actions had not been based on a sufficient and appropriate investigation.<br />
<br />
The DPA emphasised that the data subject had received treatment from the controller at the controller's premises and that the controller had not informed the data subject that their patient records were in the possession of another company. The DPA also stated that the controller had neither instructed the data subject to request their personal data from the other company nor otherwise informed the data subject about matters related to the controllership of their personal data.<br />
<br />
=== Holding ===<br />
The Court noted that, despite the opportunity reserved for it, the controller had not sufficiently demonstrated that some other entity had acted as a controller of the personal data generated in connection with the treatment that took place on its premises. In its appeal, the controller had not denied that the data subject had received treatment from the controller. Thus, the Court stated that the controller had to be considered as a controller within the meaning of the GDPR.<br />
<br />
In light of this, the Court agreed with the DPA that the controller had violated [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]], [[Article 12 GDPR]], [[Article 13 GDPR]], [[Article 15 GDPR]] and [[Article 25 GDPR#1|Article 25(1) GDPR]] by not implementing the data subject's access request and failing to inform data subjects about the processing of personal data. The Court also considered that the administrative fine issued by the DPA had been effective, proportionate and dissuasive in accordance with [[Article 83 GDPR#1|Article 83(1) GDPR]].<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.<br />
<br />
<pre><br />
HELSINKI ADMINISTRATIVE COURT DECISION<br />
<br />
16/06/2023<br />
<br />
3620/2023<br />
<br />
ID number 1094/03.04.04.04.01/2022<br />
<br />
Case A complaint regarding a data protection case<br />
<br />
Appellant Lääkäriklinikka Estetic Oy<br />
<br />
Decision to be appealed<br />
<br />
Deputy data protection commissioner and sanctions panel 16 December 2021 ID number 8493/161/21<br />
<br />
In its decision under appeal, the Deputy Data Protection Commissioner has given the data controller (later also Lääkäriklinikka Estetic Oy) an order in accordance with Article 58, paragraph 2, subparagraph c of the General Data Protection Regulation to comply with the initiator's request for access to data insofar as it concerns data whose data controller is Lääkäriklinikka Estetic Oy.<br />
<br />
The Deputy Data Protection Commissioner has also given the data controller an order in accordance with Article 58, paragraph 2, subparagraph d of the General Data Protection Regulation to bring the processing activities into compliance with the provisions of the General Data Protection Regulation regarding procedures related to the exercise of data subjects' rights and information to data subjects. In addition, the Deputy Data Protection Commissioner has given the data controller a notice in accordance with Article 58, paragraph 2, subsection b of the General Data Protection Regulation regarding processing activities that violate the provisions of the General Data Protection Regulation in exercising the data subject's rights and informing data subjects.<br />
<br />
In its decision under appeal, the Sanctions Board has ordered the data controller to pay the state an administrative penalty fee of 5,000 (five thousand) euros pursuant to Article 58(2)(i) and Article 83 of the General Data Protection Regulation.<br />
<br />
In the case in question, it has been considered that the data controller, by not taking care of the data subject's rights and obligation to inform, has violated Article 5, Section 1, Subsection a (principle of transparency), Article 12, Sections 1-4 (transparent information, communication and detailed rules for exercising the data subject's rights), Article 13 paragraphs 1 and 2 (information to be provided when personal data is collected from the data subject), Article 15 paragraphs 1 and 3 (the data subject's right to access data) and Article 25 (built-in and default data protection) of the General Data Protection Regulation.<br />
<br />
Claims presented in the complaint<br />
<br />
The notice given by the Deputy Data Protection Commissioner and the administrative penalty imposed by the Sanctions College must be cancelled. The initiator has already received access to his data insofar as it concerns data for which Lääkäriklinikka Estetic Oy is the data controller. Lääkäriklinikka Estetic Oy has already brought the processing operations into compliance with the General Data Protection Regulation. The state must be ordered to pay the appellant's legal costs.<br />
<br />
On February 3, 2021, Lääkäriklinikka Estetic Oy has informed the data protection commissioner that the initiator has been operated on and consulted as a patient of a separate company, Valete Oy, which operated on the premises of Estetic Oy. Valete Oy is owned by a surgeon. The initiator's medical report and related photos are under the control of Valete Oy.<br />
<br />
Lääkäriklinikka Estetic Oy has forwarded to the initiator and the data protection officer all information related to the initiator's customer relationship with Lääkäriklinikka Estetic Oy. Lääkäriklinikka Estetic Oy does not have any other information about the initiator, because it does not have access to Valete Oy's patient data. On 14 December 2020, Lääkäriklinikka Estetic Oy submitted the following information about the initiator to the Data Protection Commissioner:<br />
<br />
- name<br />
- personal identification number<br />
- phone number<br />
- address<br />
- the date of the call request<br />
- the date of the call<br />
- the date of the reception visit<br />
- the date of the procedure (two different procedure dates)<br />
- the date of the reception visit (two different dates of the reception visit).<br />
<br />
Lääkäriklinikka Estetic Oy has taken care of forwarding patient data to the initiator to the extent that it is possible within the framework of the law, and its system corresponds to the EU's general data protection regulations.<br />
<br />
Lääkäriklinikka Estetic Oy has also sufficiently informed the data protection commissioner about the matter. The data protection officer should have also requested an explanation from Valete Oy, because the initiator was not a patient of Lääkäriklinikka Estetic Oy, but a patient of Valete Oy. The data protection officer's actions have not been based on a sufficient and appropriate investigation, so the decision is not based on objectively and impartially acquired information.<br />
<br />
Case handling and investigation<br />
<br />
The Office of the Data Protection Commissioner has issued a statement and submitted a rejection of the complaint and legal costs claim. The statement states, among other things, the following:<br />
<br />
The initiator has said that he visited the reception of the owner of Lääkäriklinikka Estetic Oy for, among other things, laser treatment. In the initiator's basic information, a copy of which Lääkäriklinikka Estetic Oy has delivered to the data protection commissioner's office, three reception visits and two procedure times have been recorded. Based on the records, the visits are not limited to the consultation and procedure time of the surgeon (Valete Oy). According to the information available from the central register of healthcare professionals maintained by Valvira, the Social and Health Licensing Agency, she has a professional qualification as a nurse, and there is a blog on Lääkäriklinikka Estetic Oy's website, from which it appears that she receives patients at Lääkäriklinikka Estetic Oy. The Office of the Data Protection Commissioner has clarified the matter specifically with<br />
<br />
According to his account, the initiator has not received information from Lääkäriklinikka Estetic Oy that his patient documents are available from Valete Oy, and Lääkäriklinikka Estetic Oy has not presented an explanation in the case that it directed the initiator to request information from Valete Oy or otherwise informed the initiator about the record-keeping related matters.<br />
<br />
The claim for court costs is not a claim for compensation in accordance with Section 95 of the Act on Litigation in Administrative Matters. It is therefore not necessary to comment on the matter.<br />
<br />
The initiator has given an explanation.<br />
<br />
Lääkäriklinikka Estetic Oy has given a counter-explanation.<br />
<br />
Administrative law solution<br />
<br />
The administrative court rejects the appeal and the claim for legal costs.<br />
<br />
Reasoning<br />
<br />
Applicable legal guidelines<br />
<br />
Article 12, paragraph 1 of the General Data Protection Regulation stipulates the obligation of the data controller to take appropriate measures to provide the data subject with the information in accordance with Article 13 and the processing information in accordance with Article 15 in a concise, transparent, easily understandable and accessible form in clear and simple language.<br />
<br />
Paragraphs 2 and 3 of Article 12 of the General Data Protection Regulation, on the other hand, provide for the duty of the data controller to facilitate the exercise of the data subject's rights in accordance with Article 15, as well as the time limits within which the data controller must inform the data subject of what measures have been taken in response to the data subject's request to exercise the rights. Furthermore, paragraph 4 of that article provides for the duty of the data controller to inform the data subjects of the reasons if it does not implement measures based on the data subject's request and of the legal remedies available.<br />
<br />
Article 13 of the General Data Protection Regulation regulates the information to be provided when personal data is collected from the data subject. This information includes, among other things, information about the identity of the data controller and the data subject's right to request access to personal data concerning him from the data controller.<br />
<br />
Article 15 of the General Data Protection Regulation provides for the data subject's right to access his personal data. Paragraph 3 of that article stipulates the obligation of the data controller to deliver the information in electronic form if the data subject submits the request electronically and the data subject has not requested otherwise.<br />
<br />
Article 25 of the General Data Protection Regulation provides for built-in and default data protection.<br />
<br />
Legal evaluation of the decision of the Deputy Data Protection Commissioner<br />
<br />
According to the report presented in the case, the initiator has stated that he visited the reception of the owner of Lääkäriklinikka Estetic Oy for, among other things, laser treatment. Estetic Oy did not dispute this in its appeal to the administrative court, nor did it deny this when the matter was previously discussed at the data protection commissioner's office, and the administrative court has no reason to doubt the notice of the initiator. Furthermore, when Lääkäriklinikka Estetic Oy, despite the opportunity reserved for it, has not notified that another party is in the position of data controller with regard to the personal data generated in connection with the reception visits that take place with its owner, and no other reason has appeared in the matter, the administrative court states that Lääkäriklinikka Estetic Oy must be considered as intended by the data protection regulation as a registrar in connection with the aforementioned reception visits. Considering that Lääkäriklinikka Estetic Oy has not provided the initiator with the actual patient data requested by the initiator in addition to the basic information identified above, nor has it informed the initiator of the reasons why the request could not be implemented in its entirety, it has acted contrary to Article 15, paragraphs 1 and 3 of the General Data Protection Regulation and Article 12, paragraph 4. Furthermore, Lääkäriklinikka Estetic Oy has acted in violation of Article 12, paragraph 3 of the General Data Protection Regulation, when it has not informed the initiator within the deadlines according to the mentioned article, which measures it has taken in response to the latter's request.<br />
<br />
Lääkäriklinikka Estetic Oy has informed the data protection commissioner's office that personal patient information can be obtained on site and that it will not be sent by e-mail. The Administrative Court states that Lääkäriklinikka Estetic Oy's procedure in this respect does not correspond to the obligation of the data controller to facilitate the exercise of the data subject's rights set out in Article 12, paragraph 2 of the General Data Protection Regulation, taking into account that the reported method requires the data subject to visit the data controller's office in order to exercise their rights. The Administrative Court also points out that, according to Article 15, Section 3 of the Data Protection Regulation, information about the personal data being processed must be submitted in electronic form when the data subject submits the request electronically.<br />
<br />
Lääkäriklinikka Estetic Oy has not presented an explanation of how it informs registered users about matters related to the processing of personal data, such as the identity of the data controller or the data subject's right to request access to personal data concerning themselves from the data controller. Because of this and because the mentioned information could not be found on the company's website either, Lääkäriklinikka Estetic Oy must be considered to have failed to fulfill its obligation to provide data subjects with the information required by Article 13, paragraphs 1 and 2 of the regulation, in accordance with Article 12, Paragraph 1 of the General Data Protection Regulation. In doing so, the company has also acted in violation of the principle of transparency stipulated in Article 5(1)(a) of the General Data Protection Regulation and Article 25(1) of the regulation.<br />
<br />
Based on the above, the administrative court considers that Lääkäriklinikka Estetic Oy's procedure regarding the exercise of the registered person's right of inspection and the information provided to the registered person has not met the requirements of the data protection regulation. The Deputy Data Commissioner has thus been able to give the company a notice in accordance with Article 58, Section 2, Subsection b of the General Data Protection Regulation. The Deputy Data Commissioner has been able to further order, on the basis of subparagraph c of the said article, Lääkäriklinikka Estetic Oy to comply with the initiator's request for access to his personal data insofar as the request has concerned information that was generated when the initiator visited the company owner's reception, and to issue an order according to subparagraph d of the article to bring the processing operations under the general data protection in accordance with the provisions of the regulation regarding the procedures related to the exercise of the rights of the registered and the information of the registered.<br />
<br />
Legal evaluation of the Sanctions Board's decision<br />
<br />
According to introductory paragraph 63 of the General Data Protection Regulation, the data subject's right of inspection includes the data subject's right to access his or her own health information. The administrative court considers that Lääkäriklinikka Estetic Oy's conduct in handling the initiator's request has significantly affected the initiator's right to access his own personal data, which is why the violation cannot be considered minor. As an aggravating factor, it has also been possible to take into account the fact that the violation has targeted health information. Regarding the other violations found in the decision of the Deputy Data Protection Commissioner, it should be noted that they have targeted the essential content of the data controller's obligations and, based on the report on the turnover and operating hours of Lääkäriklinikka Estetic Oy, a large number of people, so the violation cannot be considered minor in this respect either. On the other hand, based on the report presented in the case, the violations have not resulted in financial or other material damage to the initiator or other registered parties.<br />
<br />
Regarding the duration of the violations, the administrative court states that no explanation has been presented in the case that the information of the data subjects was taken care of in accordance with the provisions of the data protection regulation or that the data subjects' access to their own personal data was carried out in a different way than stated in the reasons for the decision under appeal. Taking into account that, based on the report presented in the case, Lääkäriklinikka Estetic Oy's operations have already started before the entry into force of the General Data Protection Regulation, the violation must be considered to have continued for quite a long time after the entry into force of the regulation.<br />
<br />
Lääkäriklinikka Estetic Oy has also not demonstrated that it has appropriate procedures in place to implement the registrant's right of inspection or processes for properly informing registrants regarding the processing of personal data. The above-mentioned facts can be considered to show disregard for the requirements regarding the protection of registered rights and the transparency of data processing.<br />
<br />
Furthermore, the administrative court states that the violations have come to the attention of the supervisory authority first through a registered contact and then during a more detailed investigation of the processing of personal data carried out by Lääkäriklinikka Estetic Oy. The matter has thus not come to the attention of the supervisory authority through the company's own notification. Lääkäriklinikka Estetic Oy has also not responded appropriately to the supervisory authority's requests for clarification, as a result of which the processing of the case has been partly delayed. The company has also not taken steps without delay to implement the registered rights or to bring the procedures related to informing the registered to the provisions of the data protection regulation.<br />
<br />
Taking into account the number and seriousness of the violations noted above, the administrative court considers that the fact that similar violations have not previously been discovered in the case of Lääkäriklinikka Estetic Oy and that control measures have not previously been applied to the company's operations, or that it has not come to light, that the violations would have explicitly sought or achieved a financial advantage or avoided losses.<br />
<br />
Evaluating the aspects described above as a whole, the administrative court considers that the sanctioning board could have imposed a penalty payment on Lääkäriklinikka Estetic Oy. The company has been ordered to pay a fine of 5,000 euros, which is less than one percent of its 2019–2020 turnover. Taking into account the above, the administrative court considers that the administrative fine imposed by the sanctions panel is proportionate, effective and a warning. There is therefore no reason to overturn the administrative fine.<br />
<br />
Claim for reimbursement of court costs<br />
<br />
The Administrative Court states that, considering the decision given in the case, it is not unreasonable that Lääkäriklinikka Estetic Oy has to bear its legal costs.<br />
<br />
Applied legal guidelines<br />
<br />
Mentioned in the justifications and<br />
<br />
Data protection regulation article 5 and article 58 paragraph 2 b, c, d and i<br />
<br />
Section 24 of the Data Protection Act<br />
<br />
Act on proceedings in administrative matters Section 95<br />
</pre></div>Fredhttps://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_8493/161/21Tietosuojavaltuutetun toimisto (Finland) - 8493/161/212024-02-28T09:08:29Z<p>Fred: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Finland<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFI.png<br />
|DPA_Abbrevation=Tietosuojavaltuutetun toimisto<br />
|DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland)<br />
<br />
|Case_Number_Name=8493/161/21<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Finlex<br />
|Original_Source_Link_1=https://www.finlex.fi/fi/viranomaiset/tsv/2021/20211303<br />
|Original_Source_Language_1=Finnish<br />
|Original_Source_Language__Code_1=FI<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=23.10.2019<br />
|Date_Decided=16.12.2021<br />
|Date_Published=28.02.2022<br />
|Year=2021<br />
|Fine=5000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1a<br />
|GDPR_Article_2=Article 12(1) GDPR<br />
|GDPR_Article_Link_2=Article 12 GDPR#1<br />
|GDPR_Article_3=Article 12(2) GDPR<br />
|GDPR_Article_Link_3=Article 12 GDPR#2<br />
|GDPR_Article_4=Article 12(3) GDPR<br />
|GDPR_Article_Link_4=Article 12 GDPR#3<br />
|GDPR_Article_5=Article 12(4) GDPR<br />
|GDPR_Article_Link_5=Article 12 GDPR#4<br />
|GDPR_Article_6=Article 13(1) GDPR<br />
|GDPR_Article_Link_6=Article 13 GDPR#1<br />
|GDPR_Article_7=Article 13(2) GDPR<br />
|GDPR_Article_Link_7=Article 13 GDPR#2<br />
|GDPR_Article_8=Article 15 GDPR<br />
|GDPR_Article_Link_8=Article 15 GDPR<br />
|GDPR_Article_9=Article 15(1) GDPR<br />
|GDPR_Article_Link_9=Article 15 GDPR#1<br />
|GDPR_Article_10=Article 15(3) GDPR<br />
|GDPR_Article_Link_10=Article 15 GDPR#3<br />
|GDPR_Article_11=Article 25(1) GDPR<br />
|GDPR_Article_Link_11=Article 25 GDPR#1<br />
|GDPR_Article_12=Article 58(2)(b) GDPR<br />
|GDPR_Article_Link_12=Article 58 GDPR#2b<br />
|GDPR_Article_13=Article 58(2)(c) GDPR<br />
|GDPR_Article_Link_13=Article 58 GDPR#2c<br />
|GDPR_Article_14=Article 83 GDPR<br />
|GDPR_Article_Link_14=Article 83 GDPR<br />
|GDPR_Article_15=<br />
|GDPR_Article_Link_15=<br />
|GDPR_Article_16=<br />
|GDPR_Article_Link_16=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=Lääkäriklinikka Estetic Oy<br />
|Party_Link_1=https://clinicestetic.fi/en/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=Helsingin hallinto-oikeus (Finland)<br />
|Appeal_To_Case_Number_Name=3620/2023<br />
|Appeal_To_Status=Appealed - Confirmed<br />
|Appeal_To_Link=https://gdprhub.eu/index.php?title=Helsingin_hallinto-oikeus_(Finland)_-_3620/2023<br />
<br />
|Initial_Contributor=[https://gdprhub.eu/index.php?title=User:Fred fred]<br />
|<br />
}}<br />
<br />
The Finnish DPA imposed a fine of €5,000 on a medical clinic for not implementing the data subject's access request and failing to inform data subjects about the processing of personal data.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The Finnish DPA was notified that the controller (Lääkäriklinikka Estetic Oy, a medical clinic) had refused to provide patient records to the data subject despite an access request pursuant to [[Article 15 GDPR]]. The DPA had asked the controller to explain why it had refused to fulfil the data subject's request.<br />
<br />
In response to the request, the controller clarified that the data subject had been treated at the controller's premises by a surgeon from another company, which is an independent controller of its patient records. The controller did not have access to that company's patient records.<br />
<br />
The controller stated that its patients could access their personal data by visiting the controller's premises and that the personal data was not sent by email. The controller also claimed that it had already provided the requested personal data to the data subject.<br />
<br />
=== Holding ===<br />
On the basis of the information provided by the controller, the DPA considered that the controller had not provided sufficient explanation of which entity acted as the controller with regard to patient data that was generated during the treatment of the data subject at the controller's premises. Thus, the controller had not implemented the data subject’s right to access their personal data in accordance with [[Article 15 GDPR#1|Article 15(1) GDPR]] and [[Article 15 GDPR#3|Article 15(3) GDPR]] or informed the data subject of the reason for not taking action in accordance with [[Article 12 GDPR#4|Article 12(4) GDPR]].<br />
<br />
The DPA stated that the controller's practice of not sending personal data by email was unreasonable, considering that the controller shall facilitate the exercise of data subject rights pursuant to [[Article 12 GDPR#2|Article 12(2) GDPR]]. The controller had also not provided the information to the data subject within the deadline defined in [[Article 12 GDPR#3|Article 12(3) GDPR]].<br />
<br />
The DPA also noted that the controller's website did not contain information about the processing of personal data, such as which entity acted as the controller of patient data. The DPA considered that the controller had not fulfilled its obligation to provide data subjects with the information required by [[Article 12 GDPR#1|Article 12(1) GDPR]], [[Article 13 GDPR#1|Article 13(1) GDPR]] and [[Article 13 GDPR#2|Article 13(2) GDPR]] regarding the processing of personal data. Therefore, the controller had not taken into account data protection by design and by default in its operations as required by [[Article 25 GDPR#1|Article 25(1) GDPR]] and had processed the personal data in violation of the transparency principle.<br />
<br />
On the basis of the information gathered, the DPA held that the controller had violated [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]], [[Article 12 GDPR]], [[Article 13 GDPR]], [[Article 15 GDPR]] and [[Article 25 GDPR#1|Article 25(1) GDPR]]. As a result, the DPA issued a reprimand to the controller in accordance with [[Article 58 GDPR#2b|Article 58(2)(b) GDPR]]. Pursuant to [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]], the DPA also ordered the controller to comply with the data subject's access request insofar as it concerned the personal data processed by the controller.<br />
<br />
In addition to the reprimand and the order, the Sanctions Board of the DPA imposed an administrative fine of €5,000 on the controller pursuant to [[Article 83 GDPR]]. The Board considered the controller’s practice to be systematic, and in addition, the violation had been long-term and concerned a large number of data subjects.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.<br />
<br />
<pre><br />
Decisions of the Deputy Data Protection Commissioner and Sanctions Board<br />
Matter<br />
<br />
The data subject's right to have access to data ("right of inspection"), informing data subjects<br />
Controller<br />
<br />
Medical clinic<br />
<br />
On 23 October 2019, a complaint regarding the data subject's right of inspection was initiated in the office of the data protection commissioner. The initiator has said that he requested his patient information from the doctor's clinic, but according to the initiator, the request has not been implemented. The request has been made in accordance with Article 15 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: General Data Protection Regulation).<br />
The decision of the Deputy Data Protection Commissioner in the matter concerning the data subject's inspection right and the information of the data subject<br />
Explanation and consultation received from the controller<br />
Request for clarification<br />
<br />
In order to investigate the operation of the medical clinic, the Office of the Data Protection Commissioner has requested an explanation from the clinic with an explanation request dated August 25, 2020. The deadline for submitting the report has been September 8, 2020.<br />
<br />
The medical clinic has not provided an explanation in the matter within the deadline, and the request for clarification has been sent to the medical clinic by email again on September 14, 2020. In this case, the presenter of the case has also called the doctor's clinic. On September 15, 2020, Lääkäriklinikka sent the following email to the data protection commissioner's office:<br />
<br />
Hello<br />
<br />
Have you already asked [the initiator] what papers he has already received? Personal patient information can be obtained, as he has, on the spot, we do not send it by e-mail.<br />
<br />
On September 15, 2020, the Office of the Data Protection Commissioner has urged [medical clinic] by email to answer the questions raised in the clarification request. The Data Protection Commissioner's office has also asked whether [medical clinic] requires data subjects who have submitted an inspection request to come to the office of [medical clinic].<br />
<br />
The representative of the Office of the Data Protection Commissioner has been in contact with the medical clinic by phone on 21 September 2020 and has again brought up the fact that the supervisory authority's request for clarification has not been properly answered. In this context, the presenter has asked the medical clinic to deliver the answers to the questions raised in the clarification request to the data protection commissioner's office by September 25, 2020 at the latest.<br />
<br />
On September 23, 2020, the medical clinic responded to the request for clarification. In its report, the medical clinic has said that it is aware of the registered person's right to inspection according to Article 15 of the General Data Protection Regulation, and stated that the initiator has already received all the patient documents concerning him. Lääkäriklinikka also wanted to inform the Office of the Data Protection Commissioner that the instigator's actions are only a matter of teasing.<br />
<br />
On September 24, 2020, the initiator submitted a response to the doctor's clinic's report and submitted to the data protection commissioner's office that he has not received any of his information from the doctor's clinic.<br />
<br />
On October 7, 2020, the Office of the Data Protection Commissioner has requested by email the medical clinic to deliver all documents within the scope of the initiator's inspection right to the Office of the Data Protection Commissioner by October 26, 2020. In this context, Lääkäriklinikka has provided the address information of the data protection authorized office as well as information about the Ministry of Justice's secure mail option and a link to the instructions for using secure mail.<br />
<br />
On November 5, 2020, the representative of the data protection authorized office has been in contact with the medical clinic by phone, because the medical clinic had not delivered documents within the scope of the initiator's inspection right to the data protection authorized office within the deadline. The owner of the medical clinic has said that he will send the documents as a registered letter, and the presenter has discussed with the owner of the medical clinic about Article 15 of the General Data Protection Regulation and its practical application. During the call, the owner of the medical clinic has mentioned that there have been disagreements with the person who initiated the case. On 14 December 2020, the case presenter has given the medical clinic instructions over the phone to send the documents to the data protection commissioner's office via the Ministry of Justice's secure mail, and the medical clinic has stated that it will send the documents as a registered letter during the same day.<br />
<br />
On 14 December 2020, Lääkäriklinikka has sent a document containing the following initiator's information to the registry of the data protection authorized office by e-mail:<br />
<br />
name,<br />
social security number,<br />
telephone number,<br />
address,<br />
the date of the call request,<br />
the date of the call,<br />
the date of the reception visit,<br />
the date of the procedure,<br />
the date of the procedure,<br />
the date of the reception visit,<br />
the date of the reception visit<br />
<br />
The representative of the data protection authorized office has contacted the medical clinic by phone on 23 December 2020 and asked for confirmation of sending the letter containing patient information and its follow-up information. The person who introduced himself as the secretary did not discuss the matter in more detail at that time, and according to the secretary, the other staff would be there next time on 28 December 2020. On 23 December 2020, the Office of the Data Protection Commissioner has also asked the medical clinic by email to confirm that the letter has been sent, and to provide the Office of the Data Protection Commissioner with the tracking number of the shipment.<br />
<br />
On December 31, 2020, a new clarification request from the data protection authorized officer's office was sent to the medical clinic by email, in which copies of patient documents and photographs of the initiator have been requested to be delivered to the data protection authorized officer's office by January 15, 2021 at the latest. Lääkäriklinikka has not submitted information to the data protection commissioner's office within the deadline.<br />
<br />
The representative of the Office of the Data Protection Commissioner has called the medical clinic on February 3, 2021 to discuss the incompleteness of the case and the incomplete documents submitted to the Office of the Data Protection Commissioner. The owner of the medical clinic was not there at the time, and the discussion about the problems related to the implementation of the inspection request was held with the employee who answered the call. On February 3, 2021, Lääkäriklinikka contacted the Data Protection Commissioner's office via email and said that the requested information has already been sent to the Data Protection Commissioner's office via a secure connection and a receipt has been received. The data protection commissioner's office has responded to the doctor's clinic's message on the same day and pointed out that the data protection commissioner's office has not been provided with the initiator's patient documents, but only the basic information about the client submitted on December 14, 2020. The medical clinic has responded to this during the same day as follows:<br />
<br />
You have been sent the [doctor's clinic] [initiator's] information about customer entries. Patient documents are available from the party that operated on him and consulted with him, with whom he had a treatment relationship (XX OY, [surgeon], I do not have access to XX OY's patient register.)<br />
<br />
On February 3, 2021, the data protection commissioner's office notified the initiator of the doctor's clinic's response. On February 3, 2021, the initiator told the data protection commissioner's office that he was not aware that, according to the medical clinic's opinion, the information should have been requested from the attending physician. In this context, the initiator has said that he has also visited the reception of the owner of the medical clinic.<br />
<br />
The Office of the Data Protection Commissioner has inquired from the medical clinic by e-mail on February 3, 2021, which entity it considers to be the personal data controller for the clinic owner's office visits, and has asked the medical clinic to provide an answer to this question by February 8, 2021 at the latest. Lääkäriklinikka has not been in contact with the data protection commissioner's office since then.<br />
Hearing<br />
<br />
The medical clinic has been reserved the opportunity referred to in § 34 of the Administrative Act (434/2003) to be heard and to express its opinion on the matter and to give its explanation of such demands and explanations that may affect the resolution of the matter. At the same time, the medical clinic is given the opportunity to bring up such matters as referred to in Article 83, paragraph 2 of the General Data Protection Regulation, which, according to the medical clinic's opinion, should be taken into account when making a decision. For this purpose, a request for consultation and a request for additional clarification have been sent to Lääkäriklinikka on August 6, 2021 electronically and by ground mail, to which it has been asked to respond by September 3, 2021. Lääkäriklinikka has not responded to the consultation request or request for additional clarification. In the consultation request, the medical clinic has been informed that the matter can be resolved even if the medical clinic does not submit its answer by the end of the deadline.<br />
Background information<br />
Service description<br />
<br />
Lääkäriklinikka is a company offering health services, whose services include, for example, laser and injection treatments as well as face and body cosmetic surgery procedures.<br />
Turnover<br />
<br />
The turnover of the medical clinic in the financial period 1 September 2019 – 31 August 2020 has been approx. 500,000 euros.<br />
On applicable legislation<br />
<br />
The General Data Protection Regulation (EU) 2016/679 of the European Parliament and the Council (data protection regulation) has been applied since 25 May 2018. As a regulation, the legislation is immediately applicable law in the member states. The Data Protection Regulation contains national leeway, on the basis of which national legislation can be used to supplement and clarify matters specifically defined in the regulation. The general data protection regulation is specified by the national data protection act (1050/2018), which has been applied since January 1, 2019. The previously valid Personal Data Act (523/1999) was repealed by the Data Protection Act.<br />
<br />
According to introductory paragraph 63 of the General Data Protection Regulation, the data subject's right of inspection includes the data subject's right to access his or her own health data, such as health files, which include, for example, diagnoses, examination results, assessments of attending physicians and other information regarding treatment or other procedures.<br />
<br />
Article 5(1)(a) of the General Data Protection Regulation provides for the principle of transparency. According to the article, personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency").<br />
<br />
Articles 12–14 of the General Data Protection Regulation provide for informing data subjects, the implementation of which falls under the duties of the data controller. By informing data subjects about the processing of personal data, the controller also implements the principle of transparency in Article 5(1)(a) of the General Data Protection Regulation.<br />
<br />
Article 12 of the General Data Protection Regulation contains procedural regulations regarding, for example, transparent information and the use of the data subject's rights. According to Article 12(1), the controller must take appropriate measures to provide the data subject with the information in accordance with Articles 13 and 14 and all processing information in accordance with Articles 15-22 and 34 in a concise, transparent, easily understandable and accessible form in clear and simple language, especially when the information is intended especially for the child. The information must be submitted in writing or in another way and, as the case may be, in electronic form. If the data subject requests it, the information can be given verbally, provided that the identity of the data subject has been confirmed in another way.<br />
<br />
According to Article 12, paragraph 2 of the General Data Protection Regulation, the data controller must facilitate the exercise of the data subject's rights according to Articles 15–22.<br />
<br />
According to Article 12, paragraph 3 of the General Data Protection Regulation, the data controller must provide the data subject with information on the measures taken in response to a request made pursuant to Articles 15–22 without undue delay and in any case within one month of receiving the request. If necessary, the deadline can be extended by a maximum of two months, taking into account the complexity and number of requests. The controller must inform the data subject of such a possible extension within one month of receiving the request and the reasons for the delay. If the data subject submits the request electronically, the information must be submitted electronically as far as possible, unless the data subject requests otherwise.<br />
<br />
According to Article 12, paragraph 4 of the General Data Protection Regulation, if the data controller does not take measures based on the data subject's request, the data controller must inform the data subject immediately and no later than one month after receiving the request of the reasons for doing so and inform about the possibility of filing a complaint with the supervisory authority and using other legal remedies.<br />
<br />
Article 13 of the General Data Protection Regulation stipulates the information to be provided when personal data is collected from the data subject. According to paragraph 1 of the article, when collecting personal data concerning him from the data subject, the controller must, when the personal data is obtained, provide the data subject with all the information according to Article 13, paragraph 1, subparagraphs a–e. This information includes, for example, information about the identity of the controller (subparagraph a).<br />
<br />
According to Article 13, paragraph 2 of the General Data Protection Regulation, in addition to the information referred to in Article 13, paragraph 1, when personal data is obtained, the data controller must provide the data subject with additional information according to Article 13, paragraph 2, subparagraphs a–f, which is necessary to guarantee fair and transparent processing. This information includes, for example, information about the data subject's right to request access to his personal data from the controller (subparagraph b).<br />
<br />
According to Article 15 of the General Data Protection Regulation, the data subject has the right to receive confirmation from the data controller that personal data concerning him or her is processed or that it is not processed, and if it is processed, the right to access the personal data and the information in accordance with Article 15, paragraph 1, subparagraphs a–h. According to paragraph 3 of the article, the controller must provide a copy of the personal data being processed. If the data subject requests more than one copy, the controller may charge a reasonable fee based on administrative costs. If the data subject submits the request electronically, the information must be submitted in a commonly used electronic format, unless the data subject requests otherwise.<br />
<br />
The grounds for limiting the data subject's right of inspection according to Article 15 of the General Data Protection Regulation are additionally provided for in Section 34 of the National Data Protection Act (1050/2018).<br />
<br />
According to Article 25(1) of the General Data Protection Regulation, taking into account the state of the art and the cost of implementation, as well as the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, the controller must, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing, so that the processing complies with the requirements of the General Data Protection Regulation and the rights of data subjects are protected.<br />
Legal question<br />
<br />
The Deputy Data Protection Commissioner assesses and resolves the matter on the basis of the aforementioned General Data Protection Regulation (EU) 2016/679 and the Data Protection Act (1050/2018).<br />
<br />
The following must be assessed:<br />
<br />
1. has the medical clinic implemented the initiator's right to inspect personal data according to Article 15 of the General Data Protection Regulation, and has the medical clinic's procedure in handling the inspection request been in accordance with data protection regulations (Articles 15(1), 15(3), 12(3) and 12(4) of the General Data Protection Regulation, Section 34 of the Data Protection Act)<br />
<br />
2. has the medical clinic implemented the personal data inspection requests in accordance with Article 15 of the General Data Protection Regulation without interfering with the exercise of the data subject's rights (Article 12(2) of the General Data Protection Regulation)<br />
<br />
3. has the medical clinic's information to the data subjects met the requirements of the data protection regulation and, in particular, has the medical clinic properly informed the data subjects of the extent to which it acts as a data controller (Articles 5(1)(a), 12(1), 13(1), 13(2) and 25(1) of the General Data Protection Regulation)<br />
Decision of the Deputy Data Protection Commissioner<br />
Notice and order to bring processing operations into compliance with the General Data Protection Regulation<br />
<br />
The Deputy Data Protection Commissioner gives the data controller an order in accordance with Article 58, paragraph 2, subparagraph c of the General Data Protection Regulation to comply with the initiator's request for access to data insofar as it concerns data whose data controller is a medical clinic.<br />
<br />
The Deputy Data Protection Commissioner gives the data controller an order in accordance with Article 58, paragraph 2, subparagraph d of the General Data Protection Regulation to bring the processing operations into compliance with the provisions of the General Data Protection Regulation with regard to the procedures related to the exercise of the rights of the data subjects and the information of the data subjects.<br />
<br />
The Deputy Data Protection Commissioner gives the data controller a notice in accordance with Article 58, Paragraph 2, subparagraph b of the General Data Protection Regulation regarding processing activities contrary to the provisions of the General Data Protection Regulation in exercising the data subject's rights and informing data subjects.<br />
<br />
The deputy data protection commissioner leaves the appropriate measures to the discretion of the data controller, but orders a report on the measures taken to be submitted to the data protection commissioner's office by February 15, 2022, or no later than six weeks after notification of the decision, unless it appeals against this decision.<br />
Administrative penalty fee<br />
<br />
According to Section 24 of the Data Protection Act, the administrative fine stipulated in Article 83 of the General Data Protection Regulation (administrative penalty fee) is determined by the sanctioning board formed by the data protection commissioner and deputy data protection commissioners. The matter concerning the medical clinic is given to the sanctioning board to decide. The Sanctions Board must therefore assess whether the controller must be subject to an administrative penalty in accordance with Article 58(2)(i) of the General Data Protection Regulation in addition to the notice and order given by the Deputy Data Protection Commissioner.<br />
Reasons for the decision<br />
The data subject's right to access information<br />
<br />
The Office of the Data Protection Commissioner has asked the medical clinic for an explanation of how it has implemented the personal data inspection request submitted by the initiator, in accordance with Article 15 of the General Data Protection Regulation. Lääkäriklinikka has submitted in its report to the data protection commissioner's office on 23 September 2020 that the initiator has already received all the patient documents concerning him. The initiator, on the other hand, has stated in his response to the data protection commissioner's office that he has never received any of his patient information from the medical clinic. The data protection commissioner's office has then asked the medical clinic to deliver the information covered by the initiator's inspection right to the data protection commissioner's office.<br />
<br />
On 14 December 2020, Lääkäriklinikka submitted the initiator's basic information to the Data Protection Commissioner's office, and in this context it has not explained its view of the data controller regarding the initiator's patient data, or presented an explanation that, according to its understanding, any other data controller has carried out a request for inspection of personal data regarding the initiator's visits to the medical clinic. After this, the medical clinic has not answered the data protection authorized office's questions regarding record keeping, and it has thus remained unclear, for example, which entity, according to the medical clinic's opinion, is the controller of the patient data that were created in connection with visits to the medical clinic's owner's office.<br />
<br />
The Deputy Data Protection Commissioner notes that on September 23, 2020, the medical clinic submitted to the data protection commissioner's office that the initiator has already received all patient documents concerning him. On 14.12.2020, Lääkäriklinikka has told that the initiator's patient documents are available from another company (XX Oy), which is their data controller. The report given by Lääkäriklinikka in the case has therefore contained contradictions regarding key aspects related to the implementation of the data subject's inspection right.<br />
<br />
Lääkäriklinikka has not provided an explanation as to which entity is the controller of the patient data that were created when the initiator visited the doctor's clinic owner's office. Based on the report obtained in the case, there are therefore no grounds to come to any other conclusion than that the medical clinic is at least in the position of the data controller with regard to this data, and the medical clinic has not provided the data protection commissioner's office with any other explanation in this regard. At this point, it can be noted that the regional administrative agency has granted the doctor's clinic a permit to provide health care services as defined in the Act on Private Health Care (152/1990). The license covers, among other things, doctor's reception and surgery services. This supports the fact that the doctor's clinic can be considered a data controller.<br />
<br />
The Deputy Data Protection Commissioner considers that, based on the report obtained in the case, the medical clinic has not implemented the initiator's access to his own personal data in accordance with Article 15, paragraphs 1 and 3 of the General Data Protection Regulation, or informed the initiator of the reason for restricting the right of inspection in accordance with Article 12(4) of the General Data Protection Regulation. Based on the report obtained in the case, the controller has also not complied with the deadlines in accordance with Article 12(3) of the General Data Protection Regulation in processing the request submitted by the initiator.<br />
<br />
Based on the above, the deputy data protection commissioner considers that the medical clinic's procedure in implementing the data subject's right of inspection has not met the requirements of the data protection regulation, and the initiator's access to his personal data has not been implemented as required by law.<br />
The duty of the data controller is to facilitate the exercise of the data subject's rights<br />
<br />
On September 15, 2020, Lääkäriklinikka explained to the data protection commissioner's office that "Individual patient data can be obtained, as [the initiator] has, on the spot, we do not send them by e-mail".<br />
<br />
The Deputy Data Protection Commissioner considers that the requirement to arrive at the data controller's office in order to obtain information covered by the right of inspection has been a regular operating procedure. It is also known that the registrar has not used an alternative method of operation. The Deputy Data Protection Commissioner considers that the data controller's practice can be considered unreasonably difficult for the data subject, taking into account that the data controller must facilitate the exercise of the data subject's rights according to Articles 15-22 of the General Data Protection Regulation (Article 12(2) of the General Data Protection Regulation). The inconvenience has been particularly evident for those registered who do not live near the controller's office. In addition, attention must be paid to the fact that in order to exercise his rights, the data subject must visit the office of the data controller during its opening hours.<br />
Informing registered users<br />
<br />
In the case currently being evaluated, the data controller has not provided an explanation of how it informs the data subjects about the processing of personal data and, in particular, of matters related to the data controller. There is no information available on the website of the registrar about the processing of personal data.<br />
<br />
In accordance with the principle of transparency (Article 5(1)(a) of the General Data Protection Regulation), information related to the processing of personal data should be easily accessible, and the principle of transparency applies in particular, for example, to information about the identity of the data controller and the right of data subjects to receive confirmation and notification of the processing of their personal data. The information provided on the website should be available and visible on all pages of the website, so that the data subject can see the information with one click.<br />
<br />
Since in the case no explanation has been received from the data controller on how it has taken care of informing the data subjects, based on the information otherwise received by the data protection commissioner's office in the case, it must be considered that the data controller has not fulfilled its obligation to provide the data subjects with the information on the processing of personal data required by Article 12(1) and Article 13, paragraphs 1 and 2 of the General Data Protection Regulation. The Deputy Data Protection Commissioner pays special attention to the fact that the medical clinic does not inform registered users about the extent to which it functions as a registrar of patient data generated in the medical clinic's operations. Based on the report obtained in the case, the medical clinic has also not assessed whether its actual way of processing personal data is such that it acts as joint data controller in some respects. The deputy data protection commissioner further notes that the initiator who initiated the case has remained unaware of the role of the medical clinic in the processing of his personal data, and the medical clinic has also not properly explained these matters to the supervisory authority.<br />
<br />
In addition, it must be assessed whether the requirements of built-in and default data protection have been fulfilled in the operation of the medical clinic (Article 25 of the General Data Protection Regulation). Article 25(1) of the General Data Protection Regulation requires that the data controller should consider data protection in its operations from the beginning. The deputy data protection commissioner considers that the medical clinic has not followed an approach in its operations in which data protection is taken into account as a key factor in the processing of personal data from the beginning, and the medical clinic has not effectively implemented the measures required to implement the data protection principles (transparency, Article 5(1)(a) of the General Data Protection Regulation) in connection with the processing.<br />
<br />
According to Section 24 of the Data Protection Act, the administrative penalty fee is determined by the penalty panel formed by the data protection commissioner and deputy data protection commissioners, which has issued the following decision on imposing the penalty fee.<br />
Sanctions board's decision on an administrative fine (administrative penalty payment)<br />
Registrar<br />
<br />
Medical clinic<br />
Decision of the Sanctions Board<br />
<br />
The Sanctions Board considers that the notice issued by the Deputy Data Protection Commissioner, the notice pursuant to Article 58, paragraph 2, subparagraph b, and the order pursuant to subparagraph d, of the General Data Protection Regulation are not a sufficient sanction, taking into account the nature and seriousness of the violation.<br />
<br />
The sanctioning panel formed by the data protection commissioner and deputy data protection commissioners orders the data controller to pay the state an administrative penalty fee of 5,000 (five thousand) euros pursuant to article 58, paragraph 2, subparagraph i and article 83 of the general data protection regulation.<br />
Reasons for imposing an administrative penalty<br />
<br />
Article 83 of the General Data Protection Regulation provides for the general conditions for imposing administrative fines. According to the article, the imposition of administrative fines must be effective, proportionate and dissuasive in each individual case. Administrative fines are imposed according to the circumstances of each individual case in addition to or instead of the remedial powers provided for in Article 58. When deciding on the imposition of an administrative fine and the amount of the administrative fine, the factors listed in Article 83, Paragraph 2 of the General Data Protection Regulation must be taken into account in each individual case.<br />
<br />
When evaluating the matter, the guidelines of the Article 29 Data Protection Working Party on the application and imposition of administrative fines are also taken into account.<br />
<br />
In the case in question, it has been deemed that the data controller, by not taking care of the data subject's rights and the obligation to inform, has violated Articles 5(1)(a) (principle of transparency), 12(1–4) (transparent information, communication and detailed rules for the exercise of the data subject's rights), 13(1–2) (information to be provided when personal data is collected from the data subject), 15(1) and (3) (the data subject's right to access data) and 25 (built-in and default data protection) of the General Data Protection Regulation.<br />
The nature and seriousness of the breach<br />
<br />
The nature and seriousness of the violation is assessed in light of the factors according to Article 83(2)(a) of the General Data Protection Regulation.<br />
<br />
The matter is not a minor violation referred to in preamble paragraph 148 of the General Data Protection Regulation, and the violation aimed at the exercise of the data subject's rights poses a significant risk to the data subject's rights in the case being evaluated and affects the essential content of the violated obligations. The scope and purpose of the data processing also support the evaluation of the violation as serious, so that the notice according to Article 58, paragraph 2, subparagraph b and the order according to subparagraph d of the General Data Protection Regulation cannot be considered as a sufficient sanction for the data controller.<br />
<br />
According to information from the company and community information system maintained by the Finnish Patent and Registration Board and the Tax Administration, the medical clinic has been in the trade register since spring 2009. The domain name www.[clinic name].fi was registered in the winter of 2013 according to the company and community information system. In this case, it must be considered very unlikely that the informing of the registered persons, for example through the website of the data controller, would have been properly taken care of before the start of the investigation work of the data protection commissioner's office. In the matter, it must also be considered very unlikely that the data controller would have implemented the data subject's access to their own personal data in a way other than the one presented now (the documents must be picked up at the office) before 2019 (the time when the matter was initiated). In addition, when assessing the duration of the violation, it must be taken into account that the inspection request made by the initiator in 2019 has still not been properly implemented. The grievances regarding the systematic operation have thus clearly existed longer than the period of application of the General Data Protection Regulation, and the violation is still ongoing. The time spent in processing the initiator's inspection request must also be taken into account. The long-term nature of the violation must be considered a justification for imposing an administrative penalty.<br />
<br />
The supervisory authority does not have information on the number of registered users. However, the sanctions board considers, based on the data controller's turnover data, operating hours and the nature of the activity, that the data controller processes the personal data of numerous registered users and that the violation has been systematic, not isolated. The systematic nature of the violation and its impact on numerous data subjects should be taken into account as grounds for imposing an administrative penalty.<br />
<br />
According to the data available to the Data Protection Commissioner's office, the data subjects have not suffered concrete financial or other material damage as a result of the violation in question. However, the occurrence of material damage is not a prerequisite for imposing a fine, and the data subject can also, for example, demand compensation according to Article 82 of the General Data Protection Regulation, regardless of the imposition of a fine.<br />
<br />
In the evaluation of damages caused to registered persons, the decision of the Supreme Court KKO:1998:85 must also be taken into account, where informed self-determination has been emphasized and stated that the wording of the personal registration offense referred to in Section 43 of the Personal Registration Act (471/1987), which has since been repealed, showed that violating the protection of privacy by knowing self-determination as a contrary procedure meant causing the damage or harm required by law. This is still true. A mere breach of privacy means causing harm or inconvenience. The condition is not the occurrence of financial or other material damage per se, although the occurrence of such damages is taken into account in accordance with the provisions of Article 83, paragraph 2, letter a of the General Data Protection Regulation, when imposing an administrative penalty fee and deciding on its amount. The controller must therefore be considered to have violated the rights of the data subjects according to the General Data Protection Regulation, as a result of which the data subjects have suffered damage.<br />
Assessment of aggravating and mitigating factors<br />
Intentional or negligent breach<br />
<br />
The initiator has submitted a request to the medical clinic regarding the rights of the registered person in 2019. The medical clinic has not taken appropriate measures as a result of the request, and it has not given the initiator an explanation of the extent to which it acts as a data controller in the case. In addition, it can be seen from Lääkäriklinikka's indifferent attitude towards fulfilling its obligations that it has not found out about the data controller's obligations from the General Data Protection Regulation. In this regard, it would seem to be a lack of understanding and carelessness, as a result of which the rights of the data subjects have not been implemented as required by law. Consequently, no extenuating circumstances can be found for the activities of the registrar in this regard. The registrar's disregard for data protection regulations must be considered an aggravating factor in the case.<br />
Actions taken by the registrar to mitigate the damage caused to the data subjects<br />
<br />
In the assessment of damages caused to registered persons, the decision of the Supreme Court KKO:1998:85 must be taken into account, which emphasized informed self-determination and stated that the wording of the personal registration offense referred to in Section 43 of the Personal Registration Act (471/1987), which has since been repealed, showed that violating the protection of privacy as a violation of informed self-determination as a procedure meant causing the damage or harm required by law. This is still true. A mere breach of privacy means causing harm or inconvenience. The condition is not the occurrence of financial or other material damage per se, although the occurrence of such damages is taken into account in accordance with the provisions of Article 83, paragraph 2, letter a of the General Data Protection Regulation, when imposing an administrative penalty fee and deciding on its amount. In the selection of the type, it has therefore been taken into account that the data controller must be considered to have violated the rights of the data subjects according to the General Data Protection Regulation, as a result of which the data subjects have suffered damage.<br />
<br />
Regarding the measures taken by the data controller to mitigate the damage, it can be stated that the data controller has not taken any steps to mitigate the damage caused to the data subject. The registrar's inactivity in these respects must be considered an aggravating factor in the case.<br />
The degree of responsibility of the controller, taking into account the technical and organizational measures taken by it under Articles 25 and 32<br />
<br />
The controller has not implemented technical and organizational measures that would have ensured the implementation of built-in and default data protection at all organizational levels. The registrar has not ensured that it has appropriate procedures in place for the exercise of the registered right of inspection, and it has not taken into account the risk to the rights of natural persons caused by the lack of procedures. In addition, the controller has not implemented processes to properly inform the data subjects about the processing of personal data. It was a systematic error by the registrar. Neglect of appropriate technical and organizational measures must be considered an aggravating factor in the case.<br />
Cooperation with the supervisory authority<br />
<br />
The registry keeper's cooperation with the supervisory authority has been insufficient, and it has not shown initiative in investigating the matter. The controller has not responded appropriately to the supervisory authority's clarification requests, and it has not, for example, responded at all to the clarification request submitted to it on December 31, 2020, or to the consultation and additional clarification request submitted on August 6, 2021. The registry keeper's passivity when investigating the matter must be considered an aggravating factor.<br />
Personal data groups affected by the breach<br />
<br />
The controller is a company providing health services that processes data belonging to special personal data groups (Article 9 of the General Data Protection Regulation). Inspection requests for patient data are directed to sensitive data, related to the registered person's health. In the case of patient data, the implementation of the registered inspection right is also of particular importance in terms of the confidential patient relationship and the patient's right to self-determination. The focus of data processing on health information must be considered an aggravating factor in the case.<br />
The way in which information about the violation came to the attention of the supervisory authority<br />
<br />
The information has come to the supervisory authority through a complaint, not from the data controller's own notification. Therefore, there are no mitigating factors in this regard.<br />
Summary and the amount of the administrative fine<br />
<br />
According to Article 83(1) of the General Data Protection Regulation, the fine must be effective, proportionate and dissuasive. The assessment is made based on the circumstances of each individual case. When examining an individual case, it must be assessed whether the aim is only to change the activity to comply with the law, or whether it is justified to set the goal of punishing the controller for illegal activity. Regarding the amount of the fine, on the other hand, it must be taken into account whether the violation concerns the articles of the General Data Protection Regulation listed in Article 83(4) of the General Data Protection Regulation or Article 83(5) of the Regulation. Grading into two different categories forms the framework for setting the maximum amount of the fine, and the general data protection regulation does not specify fine amounts by type of violation, for example. In turn, the combined effect of all factors mentioned in Article 83(2) is taken into account in the assessment of the seriousness of the violation.<br />
<br />
In the case of the medical clinic, it is justified to set the goal of both making the operation legal and drawing the attention of the registrar to the illegality of the method of operation with a financial penalty. The violation has been long-lasting in terms of making it difficult for the registrant to exercise his rights and providing insufficient information to the registrants, and considering the turnover data, it can be reasonably assumed to have affected a large number of registrants. In addition, the controller has not taken appropriate measures to implement the initiator's inspection right, even at the request of the supervisory authority. Therefore, the background of the violation can be considered to be the controller's disregard for compliance with the data protection regulation in the individual case of the last-mentioned initiator. In the case of the other mentioned points, it can be considered to be either the controller's lack of understanding or disregard for the data protection regulation's obligations to the controller. In the case of Lääkäriklinikka, simply bringing the operation into compliance with the requirements of the data protection regulation cannot be considered sufficient. This point of view is also strongly supported by the reluctance of the data controller to cooperate with the supervisory authority, as well as the fact that it has been a violation of the regulation on the rights of the data subject and the data protection principles according to Article 5 of the General Data Protection Regulation. The registrar has not taken appropriate measures to correct the deficiencies, and the registrar's attitude towards the investigative work carried out by the supervisory authority has been indifferent.<br />
<br />
In the case of Lääkäriklinikka, the upper limit of the fine in euros is formed in accordance with Article 83(5) of the General Data Protection Regulation, because the violation targets both the provisions referred to in Article 83(4) of the General Data Protection Regulation (violated article: Article 25) and those referred to in Article 83(5) of the General Data Protection Regulation (violated articles: 5, 12, 13 and 15). Non-fulfillment of the obligations arising from Articles 5, 12, 13 and 15 must thus be assessed as a more serious violation, and it is possible to apply Article 83(5) of the General Data Protection Regulation when determining the overall penalty. In the amount of the fine, it must be taken into account that it fulfills the requirement of Article 83(1) of the General Data Protection Regulation regarding the dissuasive effect of an administrative fine.<br />
<br />
As aggravating factors, the controller's passivity in handling the case, the controller's passivity in taking corrective measures, the controller's passivity in implementing appropriate technical and organizational measures, the controller's passivity in mitigating the damage caused to the data subject, the controller's disregard for data protection regulations, the systematicity of the breach, and the targeting of the breach at data belonging to special personal data groups (concerning health information) must be taken into account in the assessment. In accordance with Article 83(5)(b) of the General Data Protection Regulation, an administrative fine of up to EUR 20,000,000 or, in the case of a company, four percent of the total global annual turnover of the previous financial year, whichever of these amounts is greater, is imposed in accordance with paragraph 2 for the violation of the rights of registered persons according to Articles 12 to 22. Even though the General Data Protection Regulation has been applied since 25 May 2018, and the Personal Data Act has not contained a corresponding fine provision, it is possible to impose a fine for a so-called continuous violation and thus it is also possible to take into account a violation prior to the start of the application of the General Data Protection Regulation.<br />
<br />
In the consultation request delivered to the data controller on August 6, 2021, the data controller has been informed that the matter can be resolved even if the data controller does not submit an answer by the end of the deadline.<br />
<br />
The decision to impose an administrative fine has been made by the members of the data protection commissioner's sanctioning board.<br />
</pre></div>Fredhttps://gdprhub.eu/index.php?title=About_GDPRhubAbout GDPRhub2024-02-27T14:15:07Z<p>Sfl: Created page with "GDPRhub is a wiki with GDPR-related decisions and knowledge and an online community, enabling anyone to find and share GDPR insights across Europe! GDPRhub collects and summarises decisions from Data Protection Authorities (DPAs) and courts across Europe. We believe a good overview of national decisions is a key to a pan-European debate on the interpretation of contentious GDPR issues. As we monitor more than 100 webpages across all Member States for new decisions, this..."</p>
<hr />
<div>GDPRhub is a wiki with GDPR-related decisions and knowledge and an online community, enabling anyone to find and share GDPR insights across Europe!<br />
<br />
GDPRhub collects and summarises decisions from Data Protection Authorities (DPAs) and courts across Europe. We believe a good overview of national decisions is a key to a pan-European debate on the interpretation of contentious GDPR issues. As we monitor more than 100 webpages across all Member States for new decisions, this database grows day by day — subscribe to [[GDPRtoday]] to get a weekly update!<br />
<br />
GDPRhub is an initiative by noyb.eu, and made possible by the contributions of hundreds of volunteers.<br />
<br />
=== Become a Country Reporter ===<br />
Would you like to be one of those volunteers and join a community of like-minded professionals passionate about all things GDPR? Then become a '''Country Reporter''', one of the regular contributors who help keep the GDPRhub consistent, up to date and accurate. As a Country Reporter, you will hear about new decisions in your chosen country via email or our internal chat rooms, and may be asked if you can contribute a summary. Ideally you can update the GDPRhub for your home jurisdiction, which you may already follow in your daily work.<br />
<br />
We are in regular contact with our Country Reporters and host an open virtual meeting every month with noyb lawyers presenting current GDPR issues. What's more, our Country Reporters receive a little gift (and a certificate, if wanted) once they have submitted a certain number of decisions to the GDPRhub and the newsletter.<br />
<br />
[[File:Reporter button.png|200px|link=mailto:GDPRhub@noyb.eu?subject=Inquiry%20on%20becoming%20a%20GDPRhub%20Country%20Reporter&body=Dear%20GDPRhub%20team%2C%0A%0AI%20would%20like%20to%20become%20a%20GDPRhub%20Country%20Reporter.%0A%0A-%20My%20professional%20background%3A%20%0A-%20My%20language%20skills%3A%20%0A-%20I%20would%20like%20to%20work%20on%20(e.g.%20my%20home%20country%20or%20jurisdiction%20I%20am%20interested%20in)%3A%20%0A-%20My%20availability%20is%20(e.g.%20one%20decision%20per%20week)%3A%20%0A-%20My%20existing%20GDPRhub%20user%20name%20(if%20any)%3A%20%0A-%20I%20would%20like%20to%20use%20the%20following%20user%20name%20as%20Country%20Reporter%20(public%20on%20wiki%2C%20between%204%20to%2022%20lowercase%20letters%2C%20numbers%20or%20the%20symbols%20%22.%22%2C%20%22-%22%20and%20%22_%22)%3A%20%0A-%20You%20can%20reach%20me%20at%20this%20phone%20number%20and%2For%20via%20this%20app%3A%20%0A-%20I%20would%20like%20to%20get%20my%20welcome%20package%20at%20this%20postal%20address%3A%20%0A-%20This%20is%20how%20I%20found%20out%20about%20being%20a%20GDPRhub%20Courtry%20Reporter%3A%0A-%20Other%20comments%3A%0A%0ABest%2C%0A%5Bname%5D]]<br />
<br />
<small>[[GDPRhub:Privacy policy|Check our privacy policy for more information]]</small></div>Sflhttps://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9980617Garante per la protezione dei dati personali (Italy) - 99806172024-02-27T12:58:25Z<p>Im: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Italy<br />
|DPA-BG-Color=background-color:#095d7e;<br />
|DPAlogo=LogoIT.png<br />
|DPA_Abbrevation=Garante per la protezione dei dati personali<br />
|DPA_With_Country=Garante per la protezione dei dati personali (Italy)<br />
<br />
|Case_Number_Name=9980617<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=DPA<br />
|Original_Source_Link_1=https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9980617<br />
|Original_Source_Language_1=Italian<br />
|Original_Source_Language__Code_1=IT<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=21.12.2023<br />
|Year=<br />
|Fine=18,000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 5(1)(f) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1f<br />
|GDPR_Article_2=Article 5(2) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#2<br />
|GDPR_Article_3=Article 9 GDPR<br />
|GDPR_Article_Link_3=Article 9 GDPR<br />
|GDPR_Article_4=Article 32 GDPR<br />
|GDPR_Article_Link_4=Article 32 GDPR<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
|GDPR_Article_6=<br />
|GDPR_Article_Link_6=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=Azienda Asl N.8 Di Cagliari<br />
|Party_Link_1=https://www.asl8cagliari.it/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=im<br />
|<br />
}}<br />
<br />
The DPA fined a health service provider €18,000 for the loss of biological data due to the lack of a complete record of processing operations performed on the tissue samples involved. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A data subject filed a complaint against the local health unit no. 8 of Cagliari, the controller, concerning the loss of biological data of a genetic nature contained in the histological slides kept in some medical records, and their unlawful destruction. The data controller and the data subject were parties to legal proceedings prior to this decision. <br />
<br />
Concerning the loss of data, according to an outsourced company (SISAR) which was responsible for the transfer of the samples from the Pathological Anatomy Department, the samples were correctly delivered to the Medical Records Office. However, more specific information about the recipients at the Medical Records Office was unavailable. <br />
<br />
Concerning the destruction of the same samples, the storage period for preserving the biological samples was a minimum of 10 years, after which an assessment was required to determine whether the samples may or may not be destroyed. In this case, the controller allegedly failed to perform this assessment, as they did not consider the pending legal proceedings in which the samples served as evidence. <br />
<br />
The controller argued, based on the [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp215_en.pdf Article 29 WP Opinion 4/2007] on the concept of personal data, that the incident in question did not involve "personal biometric data". In particular, the controller emphasized that human tissue samples (like blood samples) are sources out of which biometric data are extracted. As a result, the collection, storage and use of tissue samples were subject to rules other than the GDPR. <br />
<br />
=== Holding ===<br />
Firstly, the DPA considered that the controller breached the accountability principle under [[Article 5 GDPR#2|Article 5(2) GDPR]] for failing to effectively demonstrate their data processing operations, including the deletion or destruction of the samples after the minimum 10-year period. In addition, the controller did not adopt methods to ensure traceability of the processed data throughout all stages of processing and was therefore not in a position to know the identity of the recipients in the Medical Records Office.<br />
<br />
Secondly, [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]] and [[Article 32 GDPR|Article 32 GDPR]] make it mandatory to ensure the security of data processing by implementing appropriate technical and organisational measures. In this case, the DPA found the controller in violation of the above-mentioned articles. This was due to the loss of stored personal data, resulting from the failure to consider the pending legal proceedings, which required the samples in question to be available.<br />
<br />
Thirdly, regarding the controller’s statement that the human tissue samples are not biometric data, the DPA decided that irrespective of whether or not the slides are classified as biometric data, they can certainly, in the present case, be classified as special categories of personal data under [[Article 9 GDPR|Article 9 GDPR]]. In fact, the biological materials extracted by the controller included numbers referring to the identity of the natural person to whom they belong. In addition, the samples reveal information concerning the provision of health care services and, thus, they constitute health data as defined in [[Article 4 GDPR#15|Article 4(15) GDPR]]. <br />
<br />
For the reasons stated above, the DPA found the controller in violation of [[Article 5 GDPR|Article 5 GDPR]], [[Article 9 GDPR|Article 9 GDPR]] and [[Article 32 GDPR|Article 32 GDPR]] and imposed a fine in the amount of €18,000.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.<br />
<br />
<pre><br />
[doc. web no. 9980617]<br />
<br />
Provision of 21 December 2023<br />
<br />
Register of measures<br />
n. 601 of 21 December 2023<br />
<br />
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA<br />
<br />
AT today's meeting, which was attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and lawyer Guido Scorza, members, and councillor Fabio Mattei, general secretary;<br />
<br />
HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter “Regulation”);<br />
<br />
HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing “Code regarding the protection of personal data, containing provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC” (hereinafter “Code”);<br />
<br />
HAVING REGARD TO Legislative Decree 10 August 2018, n. 101 containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the freedom circulation of such data and repealing Directive 95/46/EC";<br />
<br />
GIVEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter “Guarantor Regulation no. 1/2019”);<br />
<br />
HAVING SEEN the documentation in the documents;<br />
<br />
GIVEN the observations formulated by the Secretary General pursuant to art. 15 of the Guarantor's Regulation no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, doc. web no. 1098801;<br />
<br />
Speaker Dr. Agostino Ghiglia;<br />
<br />
PREMISE<br />
<br />
1. The request and the preliminary investigation activity<br />
<br />
With note dated XX, Mrs. XX formulated a complaint against the local social and health authority no. 8 of Cagliari complaining about the loss of "biological data, of a genetic nature, contained in the slides and histological inserts present in one's medical record" (...) "as a result of their delivery to subjects not better identified or even identifiable by the 'Hospital that detained them.' This circumstance would have been learned by the complainant only "following the filing of the report of the CTU-Technical Consultant of the Court of Appeal on the XX".<br />
<br />
In particular, according to what was stated in the aforementioned complaint, the absence of the slides and histological inserts containing the genetic material of Ms. XX had the effect of making her lose the appeal case against ASL8. In this regard, the CTU himself declares that: «It is absolutely essential to remember that the undersigned was not put in a position to have access to the histological preparations which represent an important element in supporting or not the validity of the compensation request»".<br />
<br />
Following the complaint, the Authority started an investigation, asking, with note dated XX, the local social and health authority no. 8 of Cagliari useful elements for the evaluation of the case in question. With a note dated XX, the General Director of the aforementioned Company provided feedback by declaring that:<br />
<br />
- “from what is reported in the appeal pursuant to art. 77 of EU Regulation 2016/679, the complained of data breach to the detriment of the interested party appears to have occurred in the XX, probably on the XX (the day on which the material containing the interested party's genetic data would have been delivered to unspecified subjects) at the “Businco” hospital.” and recalling the definition of data controller and “what is expressed in the Guidelines 07/2020 Version 2.0 of the EDPB” that “in the case that interests us the legal entity to which the law has attributed the task (purpose) of conservation of the “biological data, of a genetic nature, contained in the slides and histological inserts present within the [...] medical record of the complainant" is to be identified on the basis of the legislative provisions in force at the time";<br />
<br />
- “the L.R. n. 23/2014, in force at the time of the reported loss of the complainant's genetic data, containing «urgent rules for the reform of the regional healthcare system», provided for art. 9, paragraph 1 letter. c ["the incorporation into the hospital of national importance "G. Brotzu" of the "Microcitemic" and "Oncological - A. Businco" hospital facilities (the latter where the loss allegedly occurred), currently belonging to ASL n. 8 of Cagliari"]. Therefore, by virtue of the provisions referred to, at the time of the event which is the subject of the complaint (XX) the person to whom the law attributed the task of processing the complainant's personal data was to be identified in the Brotzu Office (...) today Arnas Brotzu”;<br />
<br />
- in relation to the procedural matter which is the subject of the complaint, "the undersigned Administration was not and would not have been able to know about the loss of biological data of a genetic nature following the filing of the expert witness report on XX since it is not part of the proceedings pending before the Court of Appeal of Cagliari. In fact, in the aforementioned judgment, from the little information obtainable from the complaint, the now discontinued ASL 8 is involved (which the appellant in fact identifies with C.F. 02261430926) which then merged into the Company for the Protection of Health of Sardinia (ATS SARDEGNA) with L.R. n. 17/2016”;<br />
<br />
- “this Company (Local Social Health Company no. 8 of Cagliari – VAT number 03990560926), as required by Regional Law. n. 24 of 2020, modified by art. 34 lett. B) of the subsequent L.R. n. 17 of 2021, has been established since 01.01.2022, and in addition, the Regional Health Liquidation Management has been established, with legal personality and patrimonial and economic autonomy, competent for the liquidation of all active and passive positions and all pending cases, from the date of establishment of the Health Protection Agency (ATS) and of those previously belonging to the abolished local health units and to the abolished health companies (see also the following link: https://www.atssardegna.it/company)”;<br />
<br />
- "it is believed that the information requested by this Guarantor Authority regarding the facts which are the subject of the complaint presented pursuant to art. 77 of EU Regulation 2016/679 should not be addressed to this Company, but to Arnas Brotzu (at the time of the facts AO Brotzu) as Data Controller pursuant to art. 4 of EU Regulation 2016/679 to date as at the time of the facts".<br />
<br />
Elements of information useful for the evaluation of the case were therefore requested from the G. Brotzu National Survey and High Specialization Company, with note dated XX (prot. n. XX), which provided feedback with note dated XX, declaring that:<br />
<br />
- “it is not believed that genetic personal data are involved in the above-mentioned episode. In support of this statement, we report what is expressed in "Opinion 4/2007 on the concept of personal data" of WP29, p. 9: “Human tissue samples (like a blood sample) are themselves sources out of which biometric data are extracted, but they are not biometric data themselves (as for instance a pattern for fingerprints is biometric data, but the finger itself is not). Therefore the extraction of information from the samples is collection of personal data, to which the rules of the Directive apply. The collection, storage and use of tissue samples themselves may be subject to separate sets of rules”. In this context, reference is made to Recommendation Rec (2006) 4 of the Committee of Ministers to member states on research on biological materials of human origin and its Explanatory Memorandum (partially applicable to the present case)”;<br />
<br />
- "the materials (assemblies and slides) which are the subject of this complaint date back to a histological examination carried out by Mrs. XX in the year XX at the A. Businco Hospital, then incorporated into ASL no. 8 of Cagliari, which was therefore the data controller, pursuant to the then current art. 1, paragraph 2, letter. D), of the then current Law 675/1996";<br />
<br />
- “only with the L.R. n. 23 of 17.11.2014, art. 9, co. 1, letter. C) and co. 3, letter. A), the Sardinia Region has arranged, starting from the 20th century, for the incorporation into the then G. Brotzu Hospital Company (today ARNAS G. Brotzu) of the A. Cao and A. Businco hospital facilities, therefore called hospital facility, until that moment, it did not fall within the competence of the undersigned Company and moreover at the date of incorporation there was still no obligation to notify violations of personal data, as is known, introduced by the articles. 33 ff. of the General Regulation on the protection of personal data 2016/679/EU (hereinafter GDPR)”;<br />
<br />
- "the CTU Dr. XX, with communication XX of the XX, requested this Company: "as official consultant in the Case XX against ASL 8 Cagliari plus others, N.R. 468/2016, Court of Appeal of Cagliari... please kindly inform this CTU to whom the histological findings were delivered and never returned to your hospital. The party consultants gave me a document from the Oncology Hospital (...), from which it is not clear to whom the aforementioned histological material was delivered";<br />
<br />
- “with note Prot. n. XX and Prot. n. XX of the XX, the Businco Medical Directorate immediately proceeded to verify what was requested by the CTU XX, requesting communications regarding both the Director of the SC Pathological Anatomy and the SISAR company, as the company awarded the outsourced archiving service, communications and related documentation regarding the "handling of the material in question";<br />
<br />
- "from the examination of the respective findings it emerged that: on date XX the Anatomy Pathology department sent Sisar the request for copies of the reports and all the XX pieces of Mrs. XX, which on the same day Sisar sent a copy digital of the reports and communicated the delivery of the tiles for the following day; that, on the following XX, the tiles and slides were delivered by the Sisar operator to the medical records office of the P.O. Businco in the hands of Mrs. XX, who signed the report confirming delivery";<br />
<br />
- “the Businco Health Directorate, with note prot. n. XX of the XX then communicated to Prof. XX "there is no documentation in the records of the undersigned Medical Directorate and of the SC Pathological Anatomy"";<br />
<br />
- "following the receipt of the request for information from this Dear Guarantor (...), this General Directorate immediately proceeded to verify what happened, requesting information from the parties involved in any way, as well as finding the documentation related to the measures techniques and organizational measures adopted, with particular regard to the management of biological samples, and the instructions provided to staff on the matter";<br />
<br />
- "from the examination of the documentation thus found (...) it therefore emerged that the materials under examination, (...) dating back to the 20th century, were the subject of various movements well before the 20th, given that a judgment is pending - at present level of appeal between ASL n. 8 of Cagliari and Mrs. XX - (...) and that the same materials were examined by the expert witnesses appointed in the previous level of the proceedings, in which, it should be noted, this Company is not a party and was never been informed on the matter, at least until May 2022, thus resulting in the absence of any "alert" regarding a specific conservation for reasons of justice";<br />
<br />
- "from the examination of the SISAR delivery list it can be seen that on XX the latter would have physically delivered dowels and slides to the Businco Medical Records Office, in the person of XX who signed the delivery report (...). Otherwise, there is no further documentation in the documents certifying what happened following this delivery to the Medical Records Office. With regard to this last point, it is noted that (...) the documentation produced does not in any way reveal the delivery of these materials externally "to unknown persons". Indeed, otherwise the external company simply acknowledges the delivery of the materials on date XX to the Medical Records Office, while the wording "not returned" evidently refers to the Sisar company itself, which acknowledges that following delivery to the 'Medical Records Office has not received the materials back';<br />
<br />
- "as emerges from the report of Dr. XX, as deputy Head of SC Pathological Anatomy (...), the Company and specifically, the Pathological Anatomy Service, by consolidated practice, proceeds to manage the delivery of slides and inserts to those entitled , “after checking a valid document, identity card, you have a pre-printed form filled out. In the meantime, we proceed to make a photocopy of the document which will be attached to a folder with the applicant's name. The patient is invited to return after 2/3 days necessary for the internal procedures: the person who deals with the request retrieves the material from the archive and submits it to the doctor who carried out the diagnosis so that he can check whether the material is suitable upon request. When everything is ready (reports and copy of the report with the request authorized by the doctor) the patient can come to collect it. Meanwhile, the person responsible for preparing the folder also makes a photocopy of the material he has to deliver (photocopy of the dowels for example). At the time of collection, the patient signs the pre-printed form which specifies how many tiles are being delivered to him". In relation to the archiving of the materials under examination, in the same way, we transcribe what was declared by the Director of the Pathological Anatomy Service, Dr. XX, (...), namely that: "both the slides and the tiles archived at the S.C. Pathological Anatomy, are located in laminate modules ordered by progressive number and by year in a locked room where they can access and move them (when it is necessary for the doctor to see any precedents of a case he is studying to reach a diagnosis, for example example) the staff who work at the same U.O. (Authorized personnel and coordinator). They cannot be accessed by outsiders, including Company employees as such unless accompanied by department personnel (Coordinator for example)... 
Currently (since the XX), by Company order (...), the archiving of the finds takes place at SISAR s.a.s., including the case under investigation";<br />
<br />
- "with regard to the conservation times of the tiles and slides, it is important to note that (...), there is no specific legislative regulation and no strictly pre-established deadline. Indeed, from the examination of the Guidelines of the Ministry of Health on the subject of May 2015 (point 5.3.2), it emerges that the competent Ministry suggests, on the one hand, the outsourcing of the service - as this Company has arranged - and on the 'other, to proceed with the conservation of the materials of the type object of today's examination for a minimum period of 10 years (...)”;<br />
<br />
- "well this requirement appears to have been respected by this Company, taking into account the circumstance that the elements under examination date back to the year XX";<br />
<br />
- "furthermore, (...), this Company has resolved, over the years, to approve the Annual Training Plan, providing, among other things, for the holding of courses relating to the monitoring of health documentation";<br />
<br />
- "the Company has also, over the years, carried out training on the protection of personal data (...)";<br />
<br />
- "the events described above, which concern a particularly long historical period (please remember that the biological samples were taken in the 20th century, and that, as mentioned in the introduction, the present event concerns biological samples, and certainly not genetic data), in which several owners followed one another, and relating to periods for which there was not yet an obligation to notify violations of personal data (consequent as is known from the regulations referred to in articles 33 and 34 of the RGPD, and therefore applicable to date from 5/25/2018, as the notification obligation established by the Guidelines on the Health Dossier - 4 June 2015 [4084632]" is certainly not applicable to the present case);<br />
<br />
- "(...) ARNAS was not part of the legal proceedings connected to this matter and did not have news of it until May 2022, or with the request of the CTU. In this context, in a situation in which it was complex to establish the actual ownership of the treatment (given the succession of regulatory changes already described in the introduction), or the exact moment in which these biological samples actually became no longer available, the event was not interpreted as a safety incident relevant to ARNAS pursuant to articles. 33 et seq. of the GDPR”;<br />
<br />
- "as emerges from the mere examination of the request formulated by Prof. XX, in which communication was requested regarding "to whom the histological findings which were never returned to your hospital were delivered" and the response from the Businco health management, where declared that: "there is no documentation in the records of the undersigned Medical Directorate and of the SC Pathological Anatomy", it is clear that this Company has not become aware of the violation of availability of biological samples except with the request for information formulated by this esteemed Guarantor" ;<br />
<br />
- "the Company is evaluating, among other things and in any case, multi-level training, dedicated both to top management figures and to all healthcare workers, which delves in detail into the profiles connected to safety incidents and the related obligations" .<br />
<br />
To the acknowledgment note, the aforementioned Company has attached some documents, including the Declaration of the Director of the Pathological Anatomy Service (Dr. XX), from which it appears "there has never been a written protocol for the management of the findings as it is an abundantly consolidated procedure over time (over 40 years) and, in the custody of the finds stored in the archives of the U.O. of Pathological Anatomy (tens of thousands of cases have now been archived), we have always taken the utmost care and attention in safeguarding them in the best possible way. The writer does NOT know that there are written protocols for the management and custody of the finds at the U.O. of Pathological Anatomy where he works and/or in Sardinia and/or in Italy".<br />
<br />
The G. Brotzu National Survey and High Specialization Company has also sent the aforementioned acknowledgment note from the Sisar of the XX and the delivery list of the XX, documents from which it appears that the histological inserts delivered were marked with the numbers XX ( n. 3 plugs) and n. XX (22 tiles) specifically indicated as referring to Mrs. XX, born on XX.<br />
<br />
2. Department assessments on the processing carried out and notification of the violation referred to in the art. 166, paragraph 5 of the Code<br />
<br />
In relation to the facts described, the Office, with note dated XX (prot. n. XX), notified the G. Brotzu National Survey and High Specialization Company (hereinafter "ARNAS Brotzu Company"), pursuant to the art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in the art. 58, par. 2, of the Regulation, inviting it to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of law no. 689 of 24/11/1981).<br />
<br />
In particular, the Office, in the aforementioned act, considered that the ARNAS Brotzu Company had carried out data processing in violation of the basic principles of processing referred to in articles 5, 9 and 32 of the Regulation, as well as the "Provision containing the provisions relating to the processing of particular categories of data, pursuant to art. 21, paragraph 1 of Legislative Decree 10 August 2018, n. 101”.<br />
<br />
With a note dated XX, the ARNAS Brotzu Company sent its defense briefs, in which, in particular, it highlighted that:<br />
<br />
“in the episode (…) (in question) no genetic data or even personal data are involved pursuant to art. 4, par. 1, no. 1 of the Regulation";<br />
<br />
“the loss of materials, represented by slides and pieces of a histological examination, cannot be considered an illicit processing of personal data, due to the very nature of the samples involved”;<br />
<br />
"the concept of "biological sample" was also explained in the same terms in the Guarantor's document relating to the Authorization for the processing of genetic data - 22 February 2007 (...) and then reiterated in the most recent Prescriptions relating to the processing of genetic data n. 8/2016 (…). Based on the 2016 provisions just mentioned, the current definition of "genetic data" is represented by "the result of genetic tests or any other information which, regardless of the type, identifies the genotypic characteristics of an individual transmissible within a group of people linked by kinship ties”; while "biological sample" must be considered "any sample of biological material from which genetic data of an individual can be extracted". It therefore emerges that, even in the current legislation on the matter, "genetic data" can be considered only and exclusively the result of a genetic test, i.e. an operation that makes it possible to extrapolate personal data capable of revealing the genotypic characteristics of an individual. Even the biological sample, considered in itself, is not personal data, in the absence of an extraction procedure that allows us to know the characteristic genetic data of an identified or identifiable individual";<br />
<br />
"in the case in question, it was not the genetic data that were lost, but pieces of biological material, considered in themselves devoid of the character of personal data, or the information element required as essential also by the art. 4, no. 1 of Regulation (EU) 2016/679”;<br />
<br />
"for the reasons set out above, it is believed that the hypothesis in question cannot be considered to fall within the competence of the Authority, precisely because the materials requested by the interested party and the CTU cannot be considered personal data";<br />
<br />
“even if we assume that the biological samples considered in themselves are personal data, as has already been specified and as emerges from the report of Dr. XX, then Deputy Head of SC Pathological Anatomy (..) the Company and specifically, the service of Pathological Anatomy, was already equipped at the time with a structured process for managing the delivery of slides and inserts to those entitled (...)”;<br />
<br />
"in relation to the archiving of the materials under examination, in the same way, the Company applied a structured process (...)", already described in the note dated XX in response to the Authority's request for information;<br />
<br />
"in this case, the management of the biological samples by the Company complied with the provisions of the art. 4.2. of the «Measure containing the requirements relating to the processing of particular categories of data, pursuant to art. 21, paragraph 1 of Legislative Decree 10 August 2018, n. 101", for the applicable part";<br />
<br />
"access to the premises was strictly regulated and the management, conservation and transport of the samples were managed with modalities traced in a timely manner and such as to be able to reconstruct the entire path relating to the samples themselves, making the disputed episode a an exceptional fact given the absolutely significant number of samples regularly handled by the service. From this point of view, there is not even a violation of the art. 32 of the Regulation, given that suitable safety measures were applied to the management of biological samples (...)”;<br />
<br />
“the violation of the articles would also appear to be contested. 5 and 9 of the Regulation for not having provided "proof of the evaluation, by the health facility and having consulted the doctor responsible for the conduct, regarding the opportunity to conserve the biological samples even beyond the proposed ten-year period (...)", assuming that this company was aware, at XX, of the pending legal proceedings";<br />
<br />
"in reality (...) the Company was not, nor is, a party to the proceedings, nor was it the data controller at the time of its establishment, and was never properly informed in this regard, at least until May 2022, thus resulting in the absence of any "alert" regarding a specific conservation for reasons of justice";<br />
<br />
“as regards the dispute regarding the violation of the art. 9 of the Regulation, it is reiterated that (...) there has been no communication to third parties of any personal data";<br />
<br />
"this is an isolated case, also related to the complex matter of the succession between health companies following the multiple regional reforms on the matter, which led to the pending litigation to which ARNAS was and is totally extraneous and of which it came to knowledge only during the year 2022. The alleged violation concerned exclusively biological samples (tile and slides) of a single interested party”;<br />
<br />
"with regard to the contested conduct, it must be specified that the same, if deemed to exist, must certainly be considered in its negligent nature (in the degree of slight negligence). In fact, the character is certainly negligent: the failure to formalize a procedure is contested which in essence would have merely implemented the consolidated work of good clinical practice and correct management of samples already in place for about forty years. The succession of healthcare company aggregation operations and related spin-offs have at least slowed down this activity, making it appropriate, if not necessary, to proceed in a homogeneous manner in the different structures. The requirements referred to in point a) of the chapter. 4.2. of the Requirements is largely covered by what has already been stated. Point b) is covered with regards to the tracking of movements (considered as a major risk factor)”;<br />
<br />
“the Company has taken steps with resolution no. XX of the XX to identify, pursuant to art. 2-quaterdecies paragraphs 1 and 2 of the Legislative Decree. 196/2003, as designated the Directors of the Complex structure and the Directors of the Simple Departmental structure, and to establish that Persons authorized to process are to be understood as all employees and collaborators, in any capacity, of the hospital, who process personal data (…)”;<br />
<br />
the "Company has resolved, over the years, to approve the Annual Training Plan, providing, among other things, for the holding of courses relating to the monitoring of health documentation" and has "also taken steps, over the course of years, to carry out training on data protection”;<br />
<br />
“ARNAS, with the help of the appointed DPO, immediately had a collaborative attitude with the Guarantor Authority, taking steps to react immediately to the report, to critically analyze the problematic profiles, and to promptly provide all the clarifications requested in a punctual manner; (...) the Company immediately took action, involving the DPO and the new Director of SC Anatomy Pathology (...) for an overall verification of the biological sample management process and for its formalization into a procedure aimed at crystallizing and, where appropriate, improving the existing process. Among other things, the use of computerized archive cabinets that use the reading of the barcodes present on the tiles and slides is envisaged (...)";<br />
<br />
“the processing concerned only biological samples from a single interested party”;<br />
<br />
"it is underlined (...) that ARNAS is not involved in the pending dispute between the interested party and another healthcare company";<br />
<br />
“the incorporation, merger and division operations that affected the processing posed strong organizational obstacles in general and for the specific processing. Please note that for administrative liability the burden of a possible sanction could ultimately fall on a natural person and therefore recital 148 could be applicable (...) at least in determining the extent of the sanction".<br />
<br />
On XX, the hearing requested by the ARNAS Brotzu Company took place, during which it decided to show a presentation regarding the remediation measures, including the procedure for managing requests for biological material, adopted with resolution no. XX of the XX, which was broadcast during the hearing.<br />
<br />
On the same occasion, in addition to what was already highlighted in the briefs, it was declared that:<br />
<br />
- "the aforementioned resolution (n. XX of the XX) formalizes the procedure already in use and introduces elements of improvement and simplification, with the aim of reducing the possibility of error;<br />
<br />
- the actions to improve the procedure also consist of centralizing it at the Pathological Anatomy;<br />
<br />
- the procedure allows the minimization of the planned steps and the better tracking of the operations carried out on the plugs and slides;<br />
<br />
- the Company, as part of the three-year requirement plan, has requested the creation of computerized cabinets for the purposes of completely digitalized management of the archive, with the possibility of being notified via an alert of the failure to return any biological material possibly delivered to the patient;<br />
<br />
- in the short term, a field training activity has already been planned on the new procedure, already communicated within the pathological anatomy service, and, furthermore, a course/conference on the latest developments regarding the protection of personal data in healthcare;<br />
<br />
- in relation to the event which is the subject of the complaint, it is specified that in the XX the bar code was not foreseen and the tiles were marked manually with a pencil, resistant to the solvents used to process the material;<br />
<br />
- through the aforementioned changes the Company intends to undertake a process of continuous improvement, also providing for periodic audits that allow the concrete application of the procedure and its effectiveness to be monitored;<br />
<br />
- even just the complaint procedure had the effect of activating the Company even more to take every possible action to improve the procedures and avoid the repeatability of the event that occurred;<br />
<br />
- the DPO was immediately involved in the process of analyzing the facts subject to the complaint and in the improvement actions".<br />
<br />
From the documentation containing "Presentation of the procedure referred to in resolution no. XX of the XX", transmitted on the occasion of the aforementioned hearing, it appears that "the biological material (paraffin plugs, histological and cytological slides) is stored in special archives according to the numbering (assigned by the computer system) with which they were accepted at the entrance. This is a unique and progressive numbering distinguished by year and type of sample. The number and corresponding barcode are printed on paraffin tiles and slides."<br />
<br />
3. Outcome of the preliminary investigation<br />
<br />
Having taken note of what is represented by the ARNAS Brotzu Company in the documentation on file, in the defense briefs and during the hearing, it is observed that:<br />
<br />
1. the Regulation provides that personal data must be "processed in a manner that guarantees adequate security (...), including protection, through appropriate technical and organizational measures, from unauthorized or illicit processing and from loss, destruction or accidental damage (principle of «integrity and confidentiality»)” (art. 5, par. 1, letter f) of the Regulation). The adequacy of such measures must be assessed by the controller and processor with respect to the nature of the data, the object, the purposes of the processing and the risk to the fundamental rights and freedoms of the data subjects, taking into account the risks that derive from the destruction, loss, modification, unauthorized disclosure or access, accidentally or illegally, to personal data transmitted, stored or otherwise processed (art. 32, par. 1 and 2 of the Regulation);<br />
<br />
2. in light of the principle of responsibility (so-called accountability), "the data controller must comply with and be able to demonstrate compliance with the principles and obligations set out in the Regulation" (art. 5, par. 2, and art. 24 of the Regulation);<br />
<br />
3. according to the definition provided by the Regulation, data relating to health are "personal data relating to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information relating to his or her state of health", including "information about the natural person collected during his or her registration for the purpose of receiving healthcare services or the related provision referred to in Directive 2011/24/EU of the European Parliament and of the Council; a number, symbol or specific element attributed to a natural person to uniquely identify him or her for health purposes; information resulting from examinations and checks carried out on a part of the body or an organic substance, including genetic data and biological samples; and any information concerning, for example, a disease, a disability, the risk of diseases, medical history, clinical treatments or the physiological or biomedical state of the data subject, regardless of the source, such as, for example, a doctor or other healthcare worker, a hospital, a medical device or an in vitro diagnostic test” (art. 4, par. 1, point 15 and Recital 35);<br />
<br />
4. with particular reference to the custody and safety of biological samples, the "Provision containing the requirements relating to the processing of particular categories of data, pursuant to art. 21, paragraph 1 of Legislative Decree 10 August 2018, n. 101” of the Guarantor n. 146 of 5 June 2019 (published in the Official Gazette no. 176 of 29 July 2019 and available at www.gpdp.it, web doc. no. 9124510) has, in this regard, prescribed specific precautions that must be adopted by the data controller with particular reference to the conservation, use and transport of biological samples, which must take place in ways also aimed at guaranteeing their quality, integrity, availability and traceability (point 4.2., letter b));<br />
<br />
5. the regulations regarding the protection of personal data also provide that information on the state of health can be communicated only to the interested party and can be communicated to third parties only on the basis of a suitable legal basis (art. 9 Regulation and art. 84 of the Code in conjunction with art. 22, paragraph 11, Legislative Decree no. 101 of 10 August 2018);<br />
<br />
6. the guidelines of the Ministry of Health-Superior Council of Health regarding "Traceability, Collection, Transport, Conservation and Archiving of cells and tissues for diagnostic investigations of PATHOLOGICAL ANATOMY" (XX), available at https://www.salute.gov.it/imgs/C_17_pubblicazioni_2369_annex.pdf, provide that, with regards to the sampled material (paraffin blocks and slides), "given (...) the need to set a minimum term for the duration of the conservation obligation, reporting the need for regulatory intervention on this point, it is believed that this deadline can appropriately be set at ten years. (…) As regards medico-legal needs and the possible defense of the healthcare facility or the doctor during any civil or criminal proceedings (…), it should be underlined that the term in question only involves the termination of a conservation obligation of the material, there remaining (...) the right of the facility to retain the material for a longer period (for example in all cases in which a dispute with a patient or his successor in title is pending). In the event of an indefinite duration of the obligation, the structure is required to conserve and deliver the sample at any time to the civil judicial authority and failure to deliver it may be detected pursuant to art. 116 c.p.c. With the setting of a duration deadline, any failure to deliver the material (in the event of destruction or loss) after the expiry of the deadline itself cannot be detected pursuant to art. 116 c.p.c.”, specifying that “the ten-year term is a minimum term, upon expiration of which the conservation obligation for the structure that holds it expires. In any case, if civil or criminal proceedings are underway, the healthcare facility, having heard the doctor responsible for the conduct, is required to evaluate the opportunity to conserve the material even beyond the ten-year period, in consideration of the ongoing litigation, without prejudice to the discretion of the same on the point and the extinction of the aforementioned conservation obligation" (see point 5.3.2. of the aforementioned document).<br />
<br />
4. Conclusions<br />
<br />
In light of the assessments set out above, taking into account the declarations made by the data controller during the investigation and considering that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code ("False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor"), it is noted that the elements provided by the ARNAS Brotzu Company in the defense briefs referred to above and during the hearing are not suitable to fully accept the dismissal requests, since they do not allow the findings notified by the Office in the aforementioned document initiating the proceedings to be overcome.<br />
<br />
Preliminarily, it should be noted that, regardless of the qualification of the slides and pieces of a histological examination as "genetic data", they can certainly, in the specific case, be attributed in any case to the particular categories of personal data provided for in art. 9 of the Regulation. In fact, the biological materials extracted from the complainant, associated with elements, in this case numerical (XX and XX), referring to the identity of the natural person to whom they belong (Mrs. XX), since they reveal information regarding the provision of health care services, constitute health data, as defined by art. 4, par. 1, point 15 of the Regulation and Recital 35, protected by the specific guarantees of art. 9 of the Regulation.<br />
<br />
Having said this, it should be noted that, in light of the documentation acquired, there has "never existed a written protocol for the management of the finds as it is a procedure well consolidated over time (over 40 years) and, in the custody of the finds stored in the archive of the U.O. of Pathological Anatomy (tens of thousands of cases have now been archived), we have always taken the utmost care and attention in safeguarding them in the best possible way. The writer does NOT know that there are written protocols for the management and custody of the finds at the U.O. of Pathological Anatomy where he works and/or in Sardinia and/or in Italy" (see Declaration of the director of the pathological anatomy service, Attachment no. 7 to the email of the XX).<br />
<br />
In this regard, even if the ARNAS Brotzu Company, as it itself declared, had not been aware, in the XX, of the pending judgment which could have required further investigations to be carried out on the biological samples taken and, therefore, even if it was not placed in a position to carry out an evaluation - as required by the aforementioned guidelines of the Ministry of Health - Superior Council of Health regarding "Traceability, Collection, Transport, Conservation and Archiving of cells and tissues for diagnostic investigations of PATHOLOGICAL ANATOMY" of XX - of the opportunity to conserve the biological samples even beyond the proposed ten-year term, the aforementioned circumstances do not in any case exempt the Company from the obligation to document which processing operations (including any cancellation and destruction) had been carried out on the personal data contained in the slides associated with persons uniquely identified for health purposes.<br />
<br />
In fact, in light of the so-called “accountability” principle, which requires data controllers to be able to demonstrate the implementation of measures suitable for effectively implementing the data protection principles (art. 5, par. 2, of the Regulation), the Company, even if there was no longer an obligation to conserve the biological samples, would still have had to adopt methods aimed at guaranteeing their traceability and identify documented procedures for managing the operations carried out, in all phases of the processing, taking into account, in particular, the risks deriving from the loss of the personal data stored, in accordance with the provisions of articles 5, par. 1, letter f) and 32 of the Regulation.<br />
<br />
For these reasons, in relation to the described loss of personal data contained in the slides belonging to the complainant, the unlawfulness of the processing of personal data carried out by the Company is noted, within the terms set out in the motivation, for the violation of articles 5, par. 1, letter f) and par. 2 of the Regulation and art. 32 of the same Regulation, as well as the "Provision containing the requirements relating to the processing of particular categories of data, pursuant to art. 21, paragraph 1 of Legislative Decree 10 August 2018, n. 101” of the Guarantor n. 146 of 5 June 2019 (published in the Official Gazette no. 176 of 29 July 2019 and available at www.gpdp.it, web doc. no. 9124510).<br />
<br />
In this framework, considering that the Company has taken steps to adopt a procedure for the management and conservation of biological material, adopted with resolution no. XX of the XX, the conditions for the adoption of the corrective measures referred to in art. 58, par. 2, of the Regulation do not currently exist.<br />
<br />
5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i) and 83 of the Regulation; art. 166, paragraph 7, of the Code).<br />
<br />
The violation of articles 5, par. 1, letter f) and par. 2 of the Regulation and art. 32 of the same Regulation, as well as the "Provision containing the requirements relating to the processing of particular categories of data, pursuant to art. 21, paragraph 1 of Legislative Decree 10 August 2018, n. 101” of the Guarantor n. 146 of 5 June 2019 (published in the Official Gazette no. 176 of 29 July 2019 and available at www.gpdp.it, web doc. no. 9124510), is subject to the application of the pecuniary administrative sanction pursuant to art. 83, par. 4 and 5 of the Regulation (see on this point art. 21, paragraph 5, of Legislative Decree no. 101 of 10 August 2018, according to which "violations of the provisions contained in the general authorizations referred to in this article and in the general provision referred to in paragraph 1 are subject to the administrative sanction referred to in art. 83, par. 5, of the Regulation").<br />
<br />
It should be considered that the Guarantor, pursuant to articles 58, par. 2, letter i) and 83 of the Regulation, as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each single case" and, in this framework, "the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the additional administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code” (art. 16, paragraph 1, of the Guarantor Regulation no. 1/2019).<br />
<br />
Taking into account that the violation of the aforementioned provisions took place as a consequence of a single conduct (same processing or processing operations connected to each other), art. 83, par. 3 of the Regulation applies, pursuant to which the total amount of the administrative fine does not exceed the amount specified for the most serious violation. Considering that, in this case, the most serious violation concerns article 5, par. 1, letter f) of the Regulation and the aforementioned "Provision containing the requirements relating to the processing of particular categories of data, pursuant to art. 21, paragraph 1 of Legislative Decree 10 August 2018, n. 101” of the Guarantor n. 146 of 5 June 2019, the total amount of the fine is to be quantified up to 20,000,000 euros (so-called "static" statutory maximum).<br />
<br />
The aforementioned pecuniary administrative sanction, imposed depending on the circumstances of each individual case, must be determined in its amount taking due account of the elements provided for by art. 83, par. 2, of the Regulation.<br />
<br />
With specific regard to the violation committed by the ARNAS Brotzu Company, it is highlighted that the level of severity was considered medium, taking into account the number of interested parties involved, the category of personal data involved, the purpose of the processing as well as the level of damage suffered by the interested party (art. 83, par. 2, letter a) of the Regulation; see European Data Protection Board, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point no. 60).<br />
<br />
The further elements provided for by art. 83, par. 2 of the Regulation were then considered, and in particular that:<br />
<br />
- the Authority became aware of the case in question following a complaint lodged by the interested party (art. 83, par. 2, letter h) of the Regulation);<br />
<br />
- the Company has taken charge of the findings raised by the Office by adopting the specific procedure mentioned relating to the delivery of slides and histological and cytological test cards (art. 83, par. 2, letter c) of the Regulation);<br />
<br />
- the Company has demonstrated a high degree of cooperation with the Authority in all phases of the procedure (art. 83, par. 2, letter f) of the Regulation);<br />
<br />
- no measures have previously been taken against the data controller for relevant violations (art. 83, par. 2, letter e) of the Regulation);<br />
<br />
- the reorganization operations of the Sardinian regional system, provided for by the regional law of the Sardinia Region of 11 September 2020, n. 24 (containing "Reform of the regional healthcare system and systematic reorganization of the relevant regulations. Repeal of regional law no. 10 of 2006, regional law no. 23 of 2014 and regional law no. 17 of 2016 and further sector regulations”), which affected the data controller, led to certain organizational obstacles, also for the purpose of reconstructing the event that gave rise to the violation in question (art. 83, par. 2, letter k) of the Regulation).<br />
<br />
On the basis of the aforementioned elements, evaluated as a whole, it is considered appropriate to determine the amount of the pecuniary sanction at 18,000.00 (eighteen thousand) euros for the violation of art. 5, par. 1, letter f) and par. 2 of the Regulation, of art. 32 of the same Regulation, as well as the "Provision containing the requirements relating to the processing of particular categories of data, pursuant to art. 21, paragraph 1 of Legislative Decree 10 August 2018, n. 101” of the Guarantor n. 146 of 5 June 2019.<br />
<br />
Due to the particular sensitivity of the data processed, it is also believed that the additional sanction of publication of this provision on the Guarantor's website, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019, should be applied.<br />
<br />
Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019, concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.<br />
<br />
ALL OF THE ABOVE BEING CONSIDERED, THE GUARANTOR<br />
<br />
declares the unlawfulness of the processing of personal data carried out by the G. Brotzu National and High Specialization Company, for the violation of art. 5, par. 1, letter f) and par. 2 of the Regulation, of art. 32 of the same Regulation, as well as the "Provision containing the provisions relating to the processing of particular categories of data, pursuant to art. 21, paragraph 1 of Legislative Decree 10 August 2018, n. 101” of the Guarantor n. 146 of 5 June 2019.<br />
<br />
ENJOINS<br />
<br />
pursuant to articles 58, par. 2, letter i) and 83 of the Regulation, as well as art. 166 of the Code, the G. Brotzu National and Highly Specialized Company, with registered office in Cagliari, P.le Ricchi, n. 1 — 09134, VAT number 023155209200, to pay the sum of 18,000.00 (eighteen thousand) euros as a pecuniary administrative sanction for the violation indicated in this provision; it is noted that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed.<br />
<br />
ORDERS<br />
<br />
the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 18,000.00 (eighteen thousand) euros according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts in accordance with art. 27 of law no. 689/1981.<br />
<br />
PROVIDES FOR<br />
<br />
pursuant to art. 166, paragraph 7, of the Code, the publication in full of this provision on the Guarantor's website and believes that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.<br />
<br />
Pursuant to art. 78 of the Regulation and articles 152 of the Code and 10 of Legislative Decree no. 150/2011, it is possible to appeal against this provision before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.<br />
<br />
Rome, 21 December 2023<br />
<br />
PRESIDENT<br />
Stanzione<br />
<br />
THE SPEAKER<br />
Ghiglia<br />
<br />
THE GENERAL SECRETARY<br />
Mattei<br />
<br />
[doc. web no. 9980617]<br />
<br />
Provision of 21 December 2023<br />
<br />
Register of measures<br />
n. 601 of 21 December 2023<br />
<br />
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA<br />
<br />
IN today's meeting, which was attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and lawyer Guido Scorza, members, and councillor Fabio Mattei, general secretary;<br />
<br />
HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter “Regulation”);<br />
<br />
HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing "Code regarding the protection of personal data, containing provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC” (hereinafter “Code”);<br />
<br />
HAVING REGARD TO Legislative Decree 10 August 2018, n. 101 containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data and repealing Directive 95/46/EC";<br />
<br />
HAVING REGARD TO Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter “Guarantor Regulation no. 1/2019”);<br />
<br />
HAVING REGARD TO the documentation on file;<br />
<br />
HAVING REGARD TO the observations formulated by the Secretary General pursuant to art. 15 of the Guarantor's Regulation no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, doc. web no. 1098801;<br />
<br />
Speaker Dr. Agostino Ghiglia;<br />
<br />
PREMISE<br />
<br />
1. The request and the preliminary investigation activity<br />
<br />
With note dated XX, Mrs. XX formulated a complaint against the local social and health authority no. 8 of Cagliari complaining about the loss of "biological data, of a genetic nature, contained in the slides and histological inserts present in one's medical record" (...) "as a result of their delivery to subjects not better identified or even identifiable by the Hospital that held them". This circumstance would have been learned by the complainant only "following the filing of the report of the CTU-Technical Consultant of the Court of Appeal on the XX".<br />
<br />
In particular, according to what was stated in the aforementioned complaint, the absence of the slides and histological inserts containing the genetic material of Ms. XX had the effect of making her lose the appeal case against ASL8. In this regard, the CTU himself declares that: «It is absolutely essential to remember that the undersigned was not put in a position to have access to the histological preparations which represent an important element in supporting or not the validity of the compensation request».<br />
<br />
Following the complaint, the Authority started an investigation, asking the local social and health authority no. 8 of Cagliari, with note dated XX, for elements useful for the evaluation of the case in question. With a note dated XX, the General Director of the aforementioned Company provided feedback by declaring that:<br />
<br />
- “from what is reported in the appeal pursuant to art. 77 of EU Regulation 2016/679, the complained of data breach to the detriment of the interested party appears to have occurred in the XX, probably on the XX (the day on which the material containing the interested party's genetic data would have been delivered to unspecified subjects) at the “Businco” hospital” and, recalling the definition of data controller and “what is expressed in the Guidelines 07/2020 Version 2.0 of the EPDB”, that “in the case that interests us the legal entity to which the law has attributed the task (purpose) of conservation of the “biological data, of a genetic nature, contained in the slides and histological inserts present within the [...] medical record of the complainant" is to be identified on the basis of the legislative provisions in force at the time";<br />
<br />
- “the L.R. n. 23/2014, in force at the time of the reported loss of the complainant's genetic data, containing «urgent rules for the reform of the regional healthcare system», provided for in art. 9, paragraph 1, letter c ["the incorporation into the hospital of national importance "G. Brotzu" of the "Microcitemic" and "Oncological - A. Businco" hospital facilities (the latter where the loss allegedly occurred), currently belonging to ASL n. 8 of Cagliari"]. Therefore, by virtue of the provisions referred to, at the time of the event which is the subject of the complaint (XX) the person to whom the law attributed the task of processing the complainant's personal data was to be identified in the Brotzu Office (...) today Arnas Brotzu”;<br />
<br />
- in relation to the procedural matter which is the subject of the complaint, "the undersigned Administration was not and could not have been aware of the loss of biological data of a genetic nature following the filing of the expert witness report on XX since it is not part of the proceedings pending before the Court of Appeal of Cagliari. In fact, in the aforementioned judgment, from the little information obtainable from the complaint, the now discontinued ASL 8 is involved (which the appellant in fact identifies with C.F. 02261430926), which then merged into the Company for the Protection of Health of Sardinia (ATS SARDEGNA) with L.R. n. 17/2016”;<br />
<br />
- “this Company (Local Social Health Company no. 8 of Cagliari – VAT number 03990560926), as required by Regional Law n. 24 of 2020, modified by art. 34 lett. B) of the subsequent L.R. n. 17 of 2021, was established on 01.01.2022, and in addition, the Regional Health Liquidation Management was established, with legal personality and patrimonial and economic autonomy, competent for the liquidation of all active and passive positions and all pending cases, from the date of establishment of the Health Protection Agency (ATS) and of those previously belonging to the abolished local health units and to the abolished health companies (see also the following link: https://www.atssardegna.it/company)”;<br />
<br />
- "it is believed that the information requested by this Guarantor Authority regarding the facts which are the subject of the complaint presented pursuant to art. 77 of EU Regulation 2016/679 should not be addressed to this Company, but to Arnas Brotzu (at the time of the facts AO Brotzu) as Data Controller pursuant to art. 4 of EU Regulation 2016/679 to date as at the time of the facts".<br />
<br />
Elements of information useful for the evaluation of the case were therefore requested from the G. Brotzu National Importance and High Specialization Company, with note dated XX (prot. n. XX), which provided feedback with note dated XX, declaring that:<br />
<br />
- “it is not believed that genetic personal data are involved in the above-mentioned episode. In support of this statement, we report what is expressed in "Opinion 4/2007 on the concept of personal data" of WP29, page 9: “Human tissue samples (like a blood sample) are themselves sources out of which biometric data are extracted, but they are not biometric data themselves (as for instance a pattern for fingerprints is biometric data, but the finger itself is not). Therefore the extraction of information from the samples is collection of personal data, to which the rules of the Directive apply. The collection, storage and use of tissue samples themselves may be subject to separate sets of rules”. In this context, reference is made to Recommendation Rec (2006) 4 of the Committee of Ministers to member states on research on biological materials of human origin and its Explanatory Memorandum (partially applicable to the present case)”;<br />
<br />
- "the materials (assemblies and slides) which are the subject of this complaint date back to a histological examination carried out by Mrs. XX in the year XX at the A. Businco Hospital, then incorporated into ASL no. 8 of Cagliari, which was therefore the data controller, pursuant to the then current art. 1, paragraph 2, letter D), of the then current Law 675/1996";<br />
<br />
- “only with the L.R. n. 23 of 17.11.2014, art. 9, co. 1, letter C) and co. 3, letter A), did the Sardinia Region arrange, starting from XX, for the incorporation into the then G. Brotzu Hospital Company (today ARNAS G. Brotzu) of the A. Cao and A. Businco hospital facilities; therefore the said hospital facility, until that moment, did not fall within the competence of the undersigned Company and, moreover, at the date of incorporation there was still no obligation to notify violations of personal data, as is known, introduced by articles 33 ff. of the General Regulation on the protection of personal data 2016/679/EU (hereinafter GDPR)”;<br />
<br />
- "the CTU Dr. XX, with communication XX of the XX, requested this Company: "as official consultant in the Case XX against ASL 8 Cagliari plus others, N.R. 468/2016, Court of Appeal of Cagliari... please kindly inform this CTU to whom the histological findings were delivered and never returned to your hospital. The party consultants gave me a document from the Oncology Hospital (...), from which it is not clear to whom the aforementioned histological material was delivered";<br />
<br />
- “with note Prot. n. XX and Prot. n. XX of the XX, the Businco Medical Directorate immediately proceeded to verify what was requested by the CTU XX, requesting from both the Director of the SC Pathological Anatomy and the SISAR company, as the company awarded the outsourced archiving service, communications and related documentation regarding the "handling of the material in question"”;<br />
<br />
- "from the examination of the respective findings it emerged that: on date XX the Anatomy Pathology department sent Sisar the request for copies of the reports and all the XX pieces of Mrs. XX, and on the same day Sisar sent a digital copy of the reports and communicated the delivery of the tiles for the following day; that, on the following XX, the tiles and slides were delivered by the Sisar operator to the medical records office of the P.O. Businco into the hands of Mrs. XX, who signed the report confirming delivery";<br />
<br />
- “the Businco Health Directorate, with note prot. n. XX of the XX, then communicated to Prof. XX that "there is no documentation in the records of the undersigned Medical Directorate and of the SC Pathological Anatomy"”;<br />
<br />
- "following the receipt of the request for information from this Guarantor (...), this General Directorate immediately proceeded to verify what happened, requesting information from the parties involved in any way, as well as finding the documentation relating to the technical and organizational measures adopted, with particular regard to the management of biological samples, and the instructions provided to staff on the matter";<br />
<br />
- "from the examination of the documentation thus found (...) it therefore emerged that the materials under examination, (...) dating back to the 20th century, were the subject of various movements well before the 20th, given that a judgment is pending - currently at the appeal level - between ASL n. 8 of Cagliari and Mrs. XX (...), and that the same materials were examined by the expert witnesses appointed at the previous level of the proceedings, in which, it should be noted, this Company is not a party and was never informed on the matter, at least until May 2022, thus resulting in the absence of any "alert" regarding specific conservation for reasons of justice";<br />
<br />
- "from the examination of the SISAR delivery list it can be seen that on XX the latter would have physically delivered dowels and slides to the Businco Medical Records Office, in the person of XX, who signed the delivery report (...). Beyond this, there is no further documentation in the file certifying what happened following this delivery to the Medical Records Office. With regard to this last point, it is noted that (...) the documentation produced does not in any way reveal the delivery of these materials externally "to unknown persons". Indeed, the external company simply acknowledges the delivery of the materials on date XX to the Medical Records Office, while the wording "not returned" evidently refers to the Sisar company itself, which acknowledges that, following delivery to the Medical Records Office, it has not received the materials back";<br />
<br />
- "as emerges from the report of Dr. XX, as deputy Head of SC Pathological Anatomy (...), the Company and specifically the Pathological Anatomy Service, by consolidated practice, manages the delivery of slides and inserts to those entitled, "after checking a valid document (identity card), a pre-printed form is filled out. In the meantime, a photocopy of the document is made, which will be attached to a folder with the applicant's name. The patient is invited to return after the 2/3 days necessary for the internal procedures: the person who deals with the request retrieves the material from the archive and submits it to the doctor who carried out the diagnosis so that he can check whether the material is suitable for the request. When everything is ready (reports and copy of the report with the request authorized by the doctor) the patient can come to collect it. Meanwhile, the person responsible for preparing the folder also makes a photocopy of the material to be delivered (a photocopy of the dowels, for example). At the time of collection, the patient signs the pre-printed form which specifies how many tiles are being delivered to him". In relation to the archiving of the materials under examination, in the same way, we transcribe what was declared by the Director of the Pathological Anatomy Service, Dr. XX, (...), namely that: "both the slides and the tiles archived at the S.C. Pathological Anatomy are located in laminate modules ordered by progressive number and by year, in a locked room which can be accessed, and from which material can be moved (when it is necessary for the doctor to see any precedents of a case he is studying in order to reach a diagnosis, for example), by the staff who work at the same U.O. (authorized personnel and coordinator). They cannot be accessed by outsiders, including Company employees as such, unless accompanied by department personnel (the Coordinator, for example)... Currently (since the XX), by Company order (...), the archiving of the finds takes place at SISAR s.a.s., including the case under investigation";<br />
<br />
- "with regard to the conservation times of the tiles and slides, it is important to note that (...) there is no specific legislative regulation and no strictly pre-established deadline. Indeed, from the examination of the Guidelines of the Ministry of Health on the subject of May 2015 (point 5.3.2), it emerges that the competent Ministry suggests, on the one hand, the outsourcing of the service - as this Company has arranged - and, on the other, proceeding with the conservation of materials of the type under examination today for a minimum period of 10 years (...)";<br />
<br />
- "well, this requirement appears to have been respected by this Company, taking into account the circumstance that the elements under examination date back to the year XX";<br />
<br />
- "furthermore, (...), this Company has resolved, over the years, to approve the Annual Training Plan, providing, among other things, for the holding of courses relating to the monitoring of health documentation";<br />
<br />
- "the Company has also, over the years, carried out training on the protection of personal data (...)";<br />
<br />
- "the events described above, which concern a particularly long historical period (it should be remembered that the biological samples were taken in the 20th century, and that, as mentioned in the introduction, the present event concerns biological samples, and certainly not genetic data), in which several controllers followed one another, and relating to periods for which there was not yet an obligation to notify personal data breaches (which, as is known, follows from the rules referred to in Articles 33 and 34 of the GDPR, and is therefore applicable from 25 May 2018, since the notification obligation established by the Guidelines on the Health Dossier - 4 June 2015 [4084632] is certainly not applicable to the present case)";<br />
<br />
- "(...) ARNAS was not a party to the legal proceedings connected to this matter and had no news of it until May 2022, that is, with the request of the CTU. In this context, in a situation in which it was complex to establish who was actually the controller of the processing (given the succession of regulatory changes already described in the introduction), or the exact moment in which these biological samples actually became no longer available, the event was not interpreted as a security incident relevant to ARNAS pursuant to Articles 33 et seq. of the GDPR”;<br />
<br />
- "as emerges from the mere examination of the request formulated by Prof. XX, in which information was requested regarding "to whom the histological findings which were never returned to your hospital were delivered", and the response from the Businco health management, which declared that "there is no documentation in the records of the undersigned Medical Directorate and of the SC Pathological Anatomy", it is clear that this Company did not become aware of the breach of availability of the biological samples except through the request for information formulated by this esteemed Guarantor";<br />
<br />
- "the Company is evaluating, among other things and in any case, multi-level training, dedicated both to top management figures and to all healthcare workers, which delves in detail into the profiles connected to security incidents and the related obligations".<br />
<br />
To the acknowledgment note, the aforementioned Company attached some documents, including the Declaration of the Director of the Pathological Anatomy Service (Dr. XX), from which it appears that "there has never been a written protocol for the management of the findings as it is a procedure abundantly consolidated over time (over 40 years) and, in the custody of the finds stored in the archives of the U.O. of Pathological Anatomy (tens of thousands of cases have now been archived), we have always taken the utmost care and attention in safeguarding them in the best possible way. The writer does NOT know of any written protocols for the management and custody of the finds at the U.O. of Pathological Anatomy where he works and/or in Sardinia and/or in Italy".<br />
<br />
The G. Brotzu National Survey and High Specialization Company also sent the aforementioned acknowledgment note from Sisar of the XX and the delivery list of the XX, documents from which it appears that the histological inserts delivered were marked with the numbers XX (n. 3 plugs) and n. XX (22 tiles), specifically indicated as referring to Mrs. XX, born on XX.<br />
<br />
2. Department assessments on the processing carried out and notification of the violation referred to in the art. 166, paragraph 5 of the Code<br />
<br />
In relation to the facts described, the Office, with note dated XX (prot. n. XX), notified the G. Brotzu National Survey and High Specialization Company (hereinafter "ARNAS Brotzu Company"), pursuant to art. 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the measures referred to in art. 58, par. 2, of the Regulation, inviting it to produce defence briefs or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of law no. 689 of 24/11/1981).<br />
<br />
In particular, the Office, in the aforementioned act, considered that the ARNAS Brotzu Company had carried out data processing in violation of the basic principles of processing referred to in Articles 5, 9 and 32 of the Regulation, as well as the "Provision containing the requirements relating to the processing of particular categories of data, pursuant to art. 21, paragraph 1 of Legislative Decree 10 August 2018, n. 101”.<br />
<br />
With a note dated XX, the ARNAS Brotzu Company sent its defense briefs, in which, in particular, it highlighted that:<br />
<br />
“in the episode (…) (in question) no genetic data or even personal data are involved pursuant to art. 4, par. 1, no. 1 of the Regulation";<br />
<br />
“the loss of materials, represented by slides and pieces of a histological examination, cannot be considered an illicit processing of personal data, due to the very nature of the samples involved”;<br />
<br />
"the concept of "biological sample" was also explained in the same terms in the Guarantor's document relating to the Authorization for the processing of genetic data - 22 February 2007 (...) and then reiterated in the most recent Prescriptions relating to the processing of genetic data n. 8/2016 (…). Based on the 2016 provisions just mentioned, the current definition of "genetic data" is "the result of genetic tests or any other information which, regardless of the type, identifies the genotypic characteristics of an individual transmissible within a group of people linked by kinship ties", while "biological sample" must be considered "any sample of biological material from which genetic data of an individual can be extracted". It therefore emerges that, even in the current legislation on the matter, "genetic data" can be considered only and exclusively the result of a genetic test, i.e. an operation that makes it possible to extrapolate personal data capable of revealing the genotypic characteristics of an individual. Even the biological sample, considered in itself, is not personal data, in the absence of an extraction procedure that allows the characteristic genetic data of an identified or identifiable individual to be known";<br />
<br />
"in the case in question, it was not the genetic data that were lost, but pieces of biological material, considered in themselves devoid of the character of personal data, i.e. of the information element also required as essential by art. 4, no. 1 of Regulation (EU) 2016/679”;<br />
<br />
"for the reasons set out above, it is believed that the hypothesis in question cannot be considered to fall within the competence of the Authority, precisely because the materials requested by the interested party and the CTU cannot be considered personal data";<br />
<br />
“even if we assume that the biological samples considered in themselves are personal data, as has already been specified and as emerges from the report of Dr. XX, then Deputy Head of SC Pathological Anatomy (...), the Company, and specifically the Pathological Anatomy Service, was already equipped at the time with a structured process for managing the delivery of slides and inserts to those entitled (...)”;<br />
<br />
"in relation to the archiving of the materials under examination, in the same way, the Company applied a structured process (...)", already described in the note dated XX in response to the Authority's request for information;<br />
<br />
"in this case, the management of the biological samples by the Company complied with the provisions of the art. 4.2. of the «Measure containing the requirements relating to the processing of particular categories of data, pursuant to art. 21, paragraph 1 of Legislative Decree 10 August 2018, n. 101", for the applicable part";<br />
<br />
"access to the premises was strictly regulated and the management, conservation and transport of the samples were handled in ways that were traced in a timely manner and such as to make it possible to reconstruct the entire path of the samples themselves, making the disputed episode an exceptional fact given the absolutely significant number of samples regularly handled by the service. From this point of view, there is not even a violation of art. 32 of the Regulation, given that suitable security measures were applied to the management of biological samples (...)";<br />
<br />
“the violation of Articles 5 and 9 of the Regulation is also contested for not having provided "proof of the evaluation, by the health facility, having consulted the doctor responsible for the conduct, regarding the opportunity to conserve the biological samples even beyond the proposed ten-year period (...)", assuming that this company was aware, at XX, of the pending legal proceedings";<br />
<br />
"in reality (...) the Company was not, nor is, a party to the proceedings, nor was it the data controller at the time they were initiated, and it was never properly informed in this regard, at least until May 2022, thus resulting in the absence of any "alert" regarding specific conservation for reasons of justice";<br />
<br />
“as regards the dispute regarding the violation of the art. 9 of the Regulation, it is reiterated that (...) there has been no communication to third parties of any personal data";<br />
<br />
"this is an isolated case, also related to the complex matter of the succession between health companies following the multiple regional reforms on the matter, which led to the pending litigation to which ARNAS was and is totally extraneous and of which it came to know only during the year 2022. The alleged violation concerned exclusively biological samples (tiles and slides) of a single interested party”;<br />
<br />
"with regard to the contested conduct, it must be specified that the same, if deemed to exist, must certainly be considered negligent in nature (to the degree of slight negligence). In fact, the character is certainly negligent: what is contested is the failure to formalize a procedure which in essence would merely have implemented the consolidated practice of good clinical practice and correct management of samples already in place for about forty years. The succession of healthcare company aggregation operations and related spin-offs has at least slowed down this activity, making it appropriate, if not necessary, to proceed in a homogeneous manner in the different structures. The requirement referred to in point a) of section 4.2 of the Requirements is largely covered by what has already been stated. Point b) is covered with regard to the tracking of movements (considered a major risk factor)”;<br />
<br />
“the Company has taken steps with resolution no. XX of the XX to identify, pursuant to art. 2-quaterdecies, paragraphs 1 and 2, of Legislative Decree 196/2003, the Directors of the Complex Structures and the Directors of the Simple Departmental Structures as designated persons, and to establish that Persons authorized to process are to be understood as all employees and collaborators, in any capacity, of the hospital, who process personal data (…)”;<br />
<br />
the "Company has resolved, over the years, to approve the Annual Training Plan, providing, among other things, for the holding of courses relating to the monitoring of health documentation" and has "also taken steps, over the course of the years, to carry out training on data protection”;<br />
<br />
“ARNAS, with the help of the appointed DPO, immediately adopted a collaborative attitude with the Guarantor Authority, taking steps to react immediately to the report, to critically analyze the problematic profiles, and to promptly provide all the clarifications requested in a timely manner; (...) the Company immediately took action, involving the DPO and the new Director of SC Pathological Anatomy (...) for an overall verification of the biological sample management process and for its formalization into a procedure aimed at crystallizing and, where appropriate, improving the existing process. Among other things, the use of computerized archive cabinets that read the bar codes present on the tiles and slides is envisaged (...)";<br />
<br />
“the processing concerned only biological samples from a single interested party”;<br />
<br />
"it is underlined (...) that ARNAS is not involved in the pending dispute between the interested party and another healthcare company";<br />
<br />
“the incorporation, merger and division operations that affected the processing posed strong organizational obstacles, both in general and for the specific processing. Please note that, for administrative liability, the burden of a possible sanction could ultimately fall on a natural person, and therefore recital 148 could be applicable (...), at least in determining the extent of the sanction".<br />
<br />
On XX, the hearing requested by the ARNAS Brotzu Company took place, during which it chose to show a presentation regarding the remediation measures, including the procedure for managing requests for biological material, adopted with resolution no. XX of the XX.<br />
<br />
On the same occasion, in addition to what was already highlighted in the briefs, it was declared that:<br />
<br />
- "the aforementioned resolution (n. XX of the XX) formalizes the procedure already in use and introduces elements of improvement and simplification, with the aim of reducing the possibility of error;<br />
<br />
- the actions to improve the procedure also consist of centralizing it at the Pathological Anatomy;<br />
<br />
- the procedure allows the minimization of the planned steps and the better tracking of the operations carried out on the plugs and slides;<br />
<br />
- the Company, as part of the three-year requirement plan, has requested the creation of computerized cabinets for the purposes of completely digitalized management of the archive, with the possibility of being notified via an alert of the failure to return any biological material possibly delivered to the patient;<br />
<br />
- in the short term, a field training activity has already been planned on the new procedure, already communicated within the pathological anatomy service, and, furthermore, a course/conference on the latest developments regarding the protection of personal data in healthcare;<br />
<br />
- in relation to the event which is the subject of the complaint, it is specified that in the XX the bar code was not foreseen and the tiles were manually marked with a pencil, resistant to the solvents used to process the material;<br />
<br />
- through the aforementioned changes the Company intends to undertake a process of continuous improvement, also providing for periodic audits that allow the concrete application of the procedure and its effectiveness to be monitored;<br />
<br />
- even just the complaint procedure had the effect of activating the Company even more to take every possible action to improve the procedures and avoid the repeatability of the event that occurred;<br />
<br />
- the DPO was immediately involved in the process of analyzing the facts subject to the complaint and in the improvement actions".<br />
<br />
From the documentation containing "Presentation of the procedure referred to in resolution no. XX of the XX", transmitted on the occasion of the aforementioned hearing, it appears that "the biological material (paraffin inserts, histological and cytological slides) is stored in special archives according to the numbering (assigned by the computer system) with which it was accepted on entry. This is a unique and progressive numbering distinguished by year and type of sample. The number and corresponding barcode are printed on the paraffin tiles and slides."<br />
<br />
3. Outcome of the preliminary investigation<br />
<br />
Having taken note of what is represented by the ARNAS Brotzu Company in the documentation in the documents, in the defense briefs and during the hearing, it is observed that:<br />
<br />
1. the Regulation provides that personal data must be "processed in a manner that ensures appropriate security (...), including protection, through appropriate technical and organizational measures, against unauthorized or unlawful processing and against accidental loss, destruction or damage (principle of «integrity and confidentiality»)” (art. 5, par. 1, letter f) of the Regulation). The adequacy of such measures must be assessed by the controller and the processor with respect to the nature of the data, the object and purposes of the processing, and the risk to the fundamental rights and freedoms of the data subjects, taking into account the risks deriving from the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed (art. 32, par. 1 and 2, of the Regulation);<br />
<br />
2. in light of the principle of responsibility (so-called accountability), "the data controller must comply with, and be able to demonstrate compliance with, the principles and obligations set out in the Regulation" (art. 5, par. 2, and art. 24 of the Regulation);<br />
<br />
3. according to the definition provided by the Regulation, data relating to health are "personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status", including "information about the natural person collected in the course of the registration for, or the provision of, health care services as referred to in Directive 2011/24/EU of the European Parliament and of the Council; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject, independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test” (art. 4, par. 1, point 15, and Recital 35);<br />
<br />
4. with particular reference to the custody and security of biological samples, the "Provision containing the requirements relating to the processing of particular categories of data, pursuant to art. 21, paragraph 1 of Legislative Decree 10 August 2018, n. 101” of the Guarantor, no. 146 of 5 June 2019 (published in the Official Journal no. 176 of 29 July 2019 and available at www.gpdp.it, web doc. no. 9124510), has prescribed specific precautions that must be adopted by the data controller with particular reference to the conservation, use and transport of biological samples, which must take place in ways also aimed at guaranteeing their quality, integrity, availability and traceability (point 4.2, letter b));<br />
<br />
5. the regulations regarding the protection of personal data also provide that information on the state of health may be communicated only to the data subject, and may be communicated to third parties only on the basis of a suitable legal basis (art. 9 of the Regulation and art. 84 of the Code, in conjunction with art. 22, paragraph 11, of Legislative Decree no. 101 of 10 August 2018);<br />
<br />
6. the guidelines of the Ministry of Health - Superior Council of Health regarding "Traceability, Collection, Transport, Conservation and Archiving of cells and tissues for diagnostic investigations of PATHOLOGICAL ANATOMY" (XX), available at https://www.salute.gov.it/imgs/C_17_pubblicazioni_2369_allegato.pdf, provide that, with regard to the sampled material (paraffin blocks and slides), "given (...) the need to set a minimum term for the duration of the conservation obligation, while reporting the need for regulatory intervention on this point, it is believed that this deadline can appropriately be set at ten years. (…) As regards medico-legal needs and the possible defence of the healthcare facility or the doctor during any civil or criminal proceedings (…), it should be underlined that the term in question only involves the termination of an obligation to conserve the material, the facility retaining (...) the right to keep the material for a longer period (for example in all cases in which a dispute with a patient or his successor in title is pending). In the event of an indefinite duration of the obligation, the structure is required to conserve the sample and to deliver it at any time to the civil judicial authority, and failure to deliver it may be assessed pursuant to art. 116 c.p.c. With the setting of a deadline, any failure to deliver the material (in the event of destruction or loss) after the expiry of the deadline itself cannot be assessed pursuant to art. 116 c.p.c.", specifying that "the ten-year term is a minimum term, upon expiration of which the conservation obligation for the structure that holds the material expires. In any case, if civil or criminal proceedings are underway, the healthcare facility, having heard the doctor responsible for the conduct, is required to evaluate the opportunity to conserve the material even beyond the ten-year period, in consideration of the ongoing litigation, without prejudice to its discretion on the point and to the extinction of the aforementioned conservation obligation" (see point 5.3.2 of the aforementioned document).<br />
<br />
4. Conclusions<br />
<br />
In light of the assessments set out above, taking into account the declarations made by the data controller during the investigation, and considering that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code ("False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor"), it is noted that the elements provided by the ARNAS Brotzu Company in the defence briefs referred to above and during the hearing are not suitable to fully accept the requests for dismissal, as they do not allow the findings notified by the Office with the aforementioned document initiating the proceedings to be overcome.<br />
<br />
Preliminarily, it should be noted that, regardless of the qualification of the slides and pieces of a histological examination as "genetic data", they can certainly, in the specific case, be attributed in any case to the particular categories of personal data provided for in art. 9 of the Regulation. In fact, the biological materials extracted from the complainant, associated with elements, in this case numerical (XX and XX), referring to the identity of the natural person to whom they belong (Mrs. XX), since they reveal information regarding the provision of health care services, constitute health data, as defined by art. 4, par. 1, point 15 of the Regulation and Recital 35, protected by the specific guarantees of art. 9 of the Regulation.<br />
<br />
Having said this, it should be noted that, in light of the documentation acquired, there has "never existed a written protocol for the management of the finds as it is a procedure well consolidated over time (over 40 years) and, in the custody of the finds stored in the archive of the U.O. of Pathological Anatomy (tens of thousands of cases have now been archived), we have always taken the utmost care and attention in safeguarding them in the best possible way. The writer does NOT know that there are written protocols for the management and custody of the finds at the U.O. of Pathological Anatomy where he works and/or in Sardinia and/or in Italy" (see Declaration of the director of the pathological anatomy service, Attachment no. 7 to the email of the XX).<br />
<br />
In this regard, even if the ARNAS Brotzu Company, as it declared, had not been aware, in the XX, of the pending judgment which could have required further investigations to be carried out on the biological samples taken, and therefore even if it had not been placed in a position to carry out an evaluation - as required by the aforementioned guidelines of the Ministry of Health - Superior Council of Health regarding "Traceability, Collection, Transport, Conservation and Archiving of cells and tissues for diagnostic investigations of PATHOLOGICAL ANATOMY" of XX - of the opportunity to conserve the biological samples even beyond the proposed ten-year term, in any case the aforementioned circumstances do not exempt the Company from the obligation to document which processing operations (including any cancellation and destruction) had been carried out on the personal data contained in the slides associated with persons uniquely identified for health purposes.<br />
<br />
In fact, in light of the so-called "accountability" principle, which requires data controllers to be able to demonstrate the implementation of measures suitable for effectively implementing the data protection principles (art. 5, par. 2, of the Regulation), the Company, even if there was no longer an obligation to conserve the biological samples, would still have had to adopt methods aimed at guaranteeing their traceability and to identify documented procedures for managing the operations carried out, in all phases of the processing, taking into account, in particular, the risks deriving from the loss of the personal data stored, in accordance with the provisions of art. 5, par. 1, letter f) and art. 32 of the Regulation.<br />
<br />
For these reasons, in relation to the described loss of personal data contained in the slides belonging to the complainant, the unlawfulness of the processing of personal data carried out by the Company is noted, within the terms set out in the reasoning, for the violation of art. 5, par. 1, letter f) and par. 2 of the Regulation and art. 32 of the same Regulation, as well as the "Provision containing the requirements relating to the processing of particular categories of data, pursuant to art. 21, paragraph 1 of Legislative Decree 10 August 2018, n. 101” of the Guarantor, no. 146 of 5 June 2019 (published in the Official Journal no. 176 of 29 July 2019 and available at www.gpdp.it, web doc. no. 9124510).<br />
<br />
In this framework, considering that the Company has taken steps to adopt a procedure for the management and conservation of biological material, adopted with resolution no. XX of the XX, the conditions for the adoption of the corrective measures referred to in art. 58, par. 2, of the Regulation do not currently exist.<br />
<br />
5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i) and 83 of the Regulation; art. 166, paragraph 7, of the Code).<br />
<br />
The violation of articles 5, par. 1, letter f) and par. 2 of the Regulation and art. 32 of the same Regulation, as well as the "Provision containing the requirements relating to the processing of particular categories of data, pursuant to art. 21, paragraph 1 of Legislative Decree 10 August 2018, n. 101” of the Guarantor n. 146 of 5 June 2019 (published in the Official Journal no. 176 of 29 July 2019 and available at www.gpdp.it, web doc. no. 9124510), is subject to the application of the pecuniary administrative sanction pursuant to art. 83, par. 4 and 5 of the Regulation (see on this point art. 21, paragraph 5, of Legislative Decree no. 101 of 10 August 2018, according to which "violations of the provisions contained in the general authorizations referred to in this article and in the general provision referred to in paragraph 1 are subject to the administrative sanction referred to in art. 83, par. 5, of the Regulation").<br />
<br />
Considering that the Guarantor, pursuant to articles 58, par. 2, letter i) and 83 of the Regulation, as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each single case" and, in this framework, "the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the additional administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code” (art. 16, paragraph 1, of the Guarantor Regulation no. 1/2019).<br />
<br />
Taking into account that the violation of the aforementioned provisions took place as a consequence of a single conduct (the same processing, or processing operations connected to each other), art. 83, par. 3 of the Regulation applies, pursuant to which the total amount of the administrative fine does not exceed the amount specified for the most serious violation. Considering that, in this case, the most serious violation concerns art. 5, par. 1, letter f) of the Regulation and the aforementioned "Provision containing the requirements relating to the processing of particular categories of data, pursuant to art. 21, paragraph 1 of Legislative Decree 10 August 2018, n. 101” of the Guarantor n. 146 of 5 June 2019, the total amount of the fine is to be quantified up to 20,000,000 euros (so-called "static" statutory maximum).<br />
<br />
The amount of the aforementioned pecuniary administrative sanction must, depending on the circumstances of each individual case, be determined taking due account of the elements provided for by art. 83, par. 2, of the Regulation.<br />
<br />
With specific regard to the violation committed by the ARNAS Brotzu Company, it is highlighted that the level of severity was considered medium, taking into account the number of interested parties involved, the category of personal data involved, the purpose of the processing as well as the level of damage suffered by the interested party (art. 83, par. 2, letter a) of the Regulation; see European Data Protection Board, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point no. 60).<br />
<br />
The further elements provided for by art. 83, par. 2 of the Regulation were then considered, and in particular that:<br />
<br />
- the Authority became aware of the case in question following a complaint lodged by the interested party (art. 83, par. 2, letter h) of the Regulation);<br />
<br />
- the Company has taken charge of the findings raised by the Office by adopting the specific procedure mentioned relating to the delivery of slides and histological and cytological test cards (art. 83, par. 2, letter c) of the Regulation);<br />
<br />
- the Company has demonstrated a high degree of cooperation with the Authority in all phases of the procedure (art. 83, par. 2, letter f) of the Regulation);<br />
<br />
- no measures have previously been taken against the owner for relevant violations (art. 83, par. 2, letter e) of the Regulation);<br />
<br />
- the reorganization operations of the Sardinian regional system, provided for by the regional law of the Sardinia Region of 11 September 2020, n. 24 (containing "Reform of the regional healthcare system and systematic reorganization of the relevant regulations. Repeal of regional law no. 10 of 2006, regional law no. 23 of 2014 and regional law no. 17 of 2016 and further sector regulations”), which affected the data controller, led to certain organizational obstacles, also for the purpose of reconstructing the event that gave rise to the violation in question (art. 83, par. 2, letter k) of the Regulation).<br />
<br />
On the basis of the aforementioned elements, evaluated as a whole, it is deemed appropriate to set the amount of the pecuniary sanction at 18,000.00 (eighteen thousand) euros for the violation of art. 5, par. 1, letter f) and par. 2 of the Regulation, of art. 32 of the same Regulation, as well as the "Provision containing the requirements relating to the processing of particular categories of data, pursuant to art. 21, paragraph 1 of Legislative Decree 10 August 2018, n. 101” of the Guarantor n. 146 of 5 June 2019.<br />
<br />
Due to the particular sensitivity of the data processed, it is also believed that the additional sanction of publication of this provision on the Guarantor's website, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019, should be applied.<br />
<br />
Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019, concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.<br />
<br />
ALL THIS CONSIDERING THE GUARANTOR<br />
<br />
declares the unlawfulness of the processing of personal data carried out by the G. Brotzu National and High Specialization Company, for the violation of art. 5, par. 1, letter f) and par. 2 of the Regulation, of art. 32 of the same Regulation, as well as the "Provision containing the requirements relating to the processing of particular categories of data, pursuant to art. 21, paragraph 1 of Legislative Decree 10 August 2018, n. 101” of the Guarantor n. 146 of 5 June 2019.<br />
<br />
ORDER<br />
<br />
pursuant to articles 58, par. 2, letter i) and 83 of the Regulation, as well as art. 166 of the Code, the G. Brotzu National and Highly Specialized Company, with registered office in Cagliari, P.le Ricchi, n. 1 — 09134, VAT number 023155209200, to pay the sum of 18,000.00 (eighteen thousand) euros as a pecuniary administrative sanction for the violation indicated in this provision; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed.<br />
<br />
ORDERS<br />
<br />
the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 18,000.00 (eighteen thousand) euros according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent enforcement acts in accordance with art. 27 of law no. 689/1981.<br />
<br />
HAS<br />
<br />
pursuant to art. 166, paragraph 7, of the Code, the publication in full of this provision on the Guarantor's website, and believes that the conditions set out in art. 17 of Regulation no. 1/2019, concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.<br />
<br />
Pursuant to art. 78 of the Regulation, art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.<br />
<br />
Rome, 21 December 2023<br />
<br />
PRESIDENT<br />
Stanzione<br />
<br />
THE SPEAKER<br />
Ghiglia<br />
<br />
THE GENERAL SECRETARY<br />
Mattei<br />
</pre></div>Imhttps://gdprhub.eu/index.php?title=ICO_(UK)_-_Ministry_of_DefenceICO (UK) - Ministry of Defence2024-02-27T10:28:21Z<p>Im: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=United Kingdom<br />
|DPA-BG-Color=background-color:#023868;<br />
|DPAlogo=LogoUK.png<br />
|DPA_Abbrevation=ICO<br />
|DPA_With_Country=ICO (UK)<br />
<br />
|Case_Number_Name=Ministry of Defence<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ICO <br />
|Original_Source_Link_1=https://ico.org.uk/media/action-weve-taken/mpns/4028623/ministry-of-defence-monetary-penalty-notice.pdf<br />
|Original_Source_Language_1=English<br />
|Original_Source_Language__Code_1=EN<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=26.04.2023<br />
|Date_Decided=07.12.2023<br />
|Date_Published=26.02.2024<br />
|Year=2023<br />
|Fine=350,000<br />
|Currency=GBP<br />
<br />
|GDPR_Article_1=Article 5(1)(f) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1f<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=Secretary of State for Defence <br />
|Party_Link_1=https://www.gov.uk/government/ministers/secretary-of-state-for-defence<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=im<br />
|<br />
}}<br />
<br />
The DPA fined the UK Ministry of Defence €409,080 (GBP 350,000) for disclosing 265 unique email addresses of individuals seeking relocation from Afghanistan following the Taliban's ascent to power in the summer of 2021.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
On 20 September 2021, following the Taliban's ascent to power, the Ministry of Defence (MoD) sent an email to a list of individuals eligible for evacuation from Afghanistan using the ‘To’ field rather than the ‘blind carbon copy’ (‘Bcc’) field. Following this incident, the MoD identified that two similar incidents involving the staff in charge of the UK's Afghan Relocations and Assistance Policy had already occurred. Overall, 265 unique email addresses were disclosed. <br />
<br />
The UK DPA (''Information Commissioner's Office, ICO'') started an investigation and found that the email addresses could be seen by all recipients, and that 55 recipients had thumbnail pictures on their email profiles. Additionally, the MoD confirmed that two people ‘replied all’ to the entire list of recipients, with one of them providing their location.<br />
<br />
=== Holding ===<br />
The ICO’s investigation found that the MoD infringed [https://www.legislation.gov.uk/ukpga/2018/12/pdfs/ukpga_20180012_en.pdf Article 5(1)(f) (UK) GDPR] by failing to have appropriate technical and organizational measures in place, thereby compromising the security of personal data. This Article is substantially equivalent to the duty of integrity and confidentiality under [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]]. <br />
<br />
The ICO determined that, at the time of the infringement, the MoD did not have operational procedures in place to ensure that group emails were sent securely to individuals seeking relocation from Afghanistan. Instead, the staff in charge had to rely on the MoD's broader email policy and were not given specific guidance about the security risks of sending group emails when communicating sensitive information. The ICO noted that this human error created the potential for unauthorized disclosure of sensitive information, putting the individuals’ lives at risk. Due to the risk of Taliban reprisals against supporters of Western forces, the ICO emphasized that the personal data were highly sensitive and required careful handling.<br />
<br />
Accordingly, the ICO imposed a fine of €409,080 (GBP 350,000) on the MoD. The ICO explained that the fine was reduced from an initial amount of €1,168,700 (GBP 1,000,000) to €818,090 (GBP 700,000) in recognition of the unusual and urgent circumstances of the withdrawal from Afghanistan. Further, the ICO took into account the fact that the MoD is a public body, and therefore decided to reduce the fine to €409,080 (GBP 350,000).<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the English original. Please refer to the English original for more details.<br />
<br />
<pre><br />
<br />
</pre></div>Imhttps://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202202937AEPD (Spain) - EXP2022029372024-02-26T18:54:55Z<p>Mgrd: /* Holding */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=EXP202202937<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AEPD<br />
|Original_Source_Link_1=https://www.aepd.es/documento/pd-00104-2022.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=08.02.2022<br />
|Date_Decided=26.08.2022<br />
|Date_Published=26.08.2022<br />
|Year=2022<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 12 GDPR<br />
|GDPR_Article_Link_1=Article 12 GDPR<br />
|GDPR_Article_2=Article 17 GDPR<br />
|GDPR_Article_Link_2=Article 17 GDPR<br />
|GDPR_Article_3=Article 15 GDPR<br />
|GDPR_Article_Link_3=Article 15 GDPR<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=ABANCA CORPORACIÓN BANCARIA, S.A.<br />
|Party_Link_1=https://www.abanca.com/es/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=mgrd<br />
|<br />
}}<br />
<br />
The Spanish DPA issued a formal notice to a bank, ABANCA, as controller, for not replying to a data subject's exercise of rights, in violation of [[Article 12 GDPR|Article 12 GDPR]]. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
On February 8, 2022, the data subject filed a complaint with the AEPD against ABANCA CORPORACIÓN BANCARIA, S.A. for not responding to an access request.<br />
<br />
The data subject had also approached LEXER, the debt recovery company working for ABANCA, requesting the immediate cessation of harassment by telephone, mail and letters demanding repayment of money.<br />
<br />
LEXER answered that, regarding the debt with ABANCA, the communications had been sent to the data subject because LEXER provides a debt recovery service for ABANCA, and that it would immediately stop the processing.<br />
<br />
LEXER stated that the data subject's first complaint had not been treated as an exercise of rights, since the data subject did not specify any of the rights provided for in data protection law.<br />
<br />
ABANCA attributed its failure to address the data subject's request immediately to an internal error at LEXER, which did not communicate the erasure request to ABANCA in a timely manner.<br />
<br />
=== Holding ===<br />
The AEPD highlighted that the controller must reply to the data subject's exercise of rights within 30 days, except in cases where it cannot identify the data subject, in which case it must justify the reasons, as per [[Article 12 GDPR|Article 12(3) GDPR]].<br />
<br />
The AEPD stated that, according to the documentation provided, the data subject had exercised the right to erasure of his data and that LEXER did not forward the request to ABANCA. In addition, ABANCA, after becoming aware of the request through the procedure at hand, denied it, claiming that contractual relations including debts were still in force and thereby justifying its refusal to erase the complainant's data. <br />
<br />
The AEPD decided to formally notify ABANCA of the data subject's exercise of rights, without any further proceedings, since ABANCA had subsequently replied to the data subject.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
1/8<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
File No.: EXP202202937<br />
<br />
<br />
RESOLUTION NO.: R/00818/2022<br />
<br />
<br />
Considering the claim made on February 8, 2022 before this Agency by D.<br />
A.A.A. against ABANCA CORPORACIÓN BANCARIA, S.A. (hereinafter, the part<br />
claimed), because their right to deletion has not been duly attended to.<br />
<br />
<br />
The procedural actions provided for in Title VIII of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD) having been carried out, the following have been verified<br />
<br />
<br />
FACTS<br />
<br />
<br />
FIRST: D. A.A.A. (hereinafter, the complaining party), submitted a document to<br />
ABANCA CORPORACIÓN BANCARIA, S.A. (hereinafter, the claimed party, or<br />
Abanca) indicating that the data contained in the CIRBE File is erroneous, and<br />
requesting “(…) agree to the rectification of the statements corresponding to the appearing at the CIRBE, canceling my data and deregistering me for all legally established effects (…)”<br />
<br />
Likewise, the claimant addressed LEXER requesting “(…) that they order the immediate termination of harassment by telephone, email, letters,... to me for the demand of any type of collection, both on me and on possible related third parties.)”<br />
<br />
This entity answered the claimant, regarding the communications sent to him because of a debt with Abanca, “(…) that our organization only provides a recovery service on behalf of the Abanca entity, as Data Processor of personal data according to the definition of article 33 of Organic Law 3/2018 (…).<br />
<br />
However, we would like to inform you that we will proceed to immediately paralyze the procedures associated with your file, in a preventive manner, until what happened is clarified.”<br />
<br />
<br />
SECOND: In accordance with article 65.4 of the LOPDGDD, which has provided for a mechanism prior to the admission for processing of claims made before the AEPD, consisting of transferring them to the Data Protection Officers designated by the controllers or processors, for the purposes provided for in article 37 of the aforementioned norm, or to these when they have not been designated, the claim was transferred to the two entities so that they could proceed with its analysis and respond to the complaining party and this Agency within a period of one month.<br />
<br />
- The representation of Lexer Servicios Integrales de Recovery S.L.U., formerly called Cobralia Servicios Integrales de Recovery S.L., noted that the first claim received was not considered an exercise of rights given that the claimant did not specify any of the rights of data protection regulations, but requested the “cessation of communications”, “harassment” and “claiming debts”.<br />
<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es 2/8<br />
<br />
<br />
"Notwithstanding the above, and given that LSIR processed the claimant's data in its capacity as data processor, in accordance with our internal procedures, that same day, 01/27/2022, we informed the data controller in order to obtain instructions for action on its part. Once the confirmation of the suspension of efforts by the controller was received, that same day, LSIR proceeded to said stoppage, with the corresponding marking in the management program.<br />
<br />
On 02/14/2022, due to an internal error, of an exceptional nature, that has already been resolved, the contact details of the complainant were reactivated, which caused the debt claims service by LSIR to begin again.<br />
<br />
That same day, an email was received from the claimant, apparently with the same content as the claim received from him on 01/27/2022, so that at that time, as happened with the claim of 01/27/2022, it was not processed as an exercise of rights by the claimant.<br />
<br />
<br />
However, currently and due to the request for information received from the AEPD, we have been able to verify that said communication did include the request for the right of deletion. In this sense, LSIR has put in place all the necessary steps to process said right, transferring the request to the data controller.”<br />
<br />
It provides a copy of the response sent to the claimant, dated April 27, 2022, informing him that his request has been transferred to the data controller.<br />
<br />
<br />
- There is no record that this Agency has received any response from<br />
Abanca.<br />
<br />
THIRD: The result of the transfer procedure indicated in the previous Fact did not allow the claims of the complaining party to be understood as satisfied. Consequently, dated May 8, 2022, for the purposes provided for in article 64.2 of the LOPDGDD, the Director of the Spanish Data Protection Agency agreed to admit the claim presented for processing and the parties were informed that the maximum period to resolve this procedure, which is understood to have been initiated through said admission agreement for processing, would be six months.<br />
<br />
<br />
The aforementioned agreement granted Abanca a hearing process, so that within a period of fifteen business days it could present the allegations it deemed appropriate. Said entity stated, in summary, that “(…) the claimant maintains active contractual relations with the entity derived from the subscription of different financial products and/or services, maintaining, at the date of filing said claim, debtor positions with the entity. Likewise, it is confirmed that Abanca commissioned the company Lexer with the management of the collection of the debt of Mr. (…); Lexer accordingly acting in its capacity as Data Processor of the data for which Abanca is responsible.”<br />
<br />
<br />
It indicates that Lexer responded to the claimant, after his request of February 1, 2022, and following the instructions sent by Abanca in relation to his file, informing him of the suspension of the procedures associated with it.<br />
<br />
Notwithstanding the above, due to an internal error by Lexer, the new request to cease communications related to the management of his debt and the exercise of the right to deletion of his data presented by the claimant were not transferred to Abanca, which made it impossible for Abanca to give a timely response to the interested party, in addition to constituting a breach of the obligations stipulated in the data processing contract signed between Abanca and Lexer.<br />
<br />
<br />
Due to the transfer of the claim made by this Agency, Lexer informed Abanca of the receipt of the claimant's deletion request.<br />
<br />
For this reason, and after the corresponding investigations, Abanca responded to the complainant indicating that “(…) it is not possible to attend to your request since you currently maintain active positions with the Entity. (…) To proceed with the removal of your personal data in this entity, it is necessary that you previously proceed to cancel your positions”, providing a copy of the letter sent.<br />
<br />
FOURTH: Once the allegations presented by the defendant had been examined, they were transferred to the complaining party, so that, within a period of fifteen business days, it could formulate the allegations it considered appropriate, without any response being recorded in this Agency.<br />
<br />
FOUNDATIONS OF LAW<br />
<br />
<br />
FIRST: The Director of the Spanish Data Protection Agency, in accordance with the provisions of section 2 of article 56 in relation to section 1 f) of article 57, both of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 regarding the protection of natural persons with regard to the processing of personal data and the free circulation of this data (hereinafter referred to as GDPR); and in article 47 of the LOPDGDD.<br />
<br />
<br />
SECOND: In accordance with the provisions of article 55 of the RGPD, the Spanish Data Protection Agency is competent to perform the functions assigned to it in its article 57, among them, to enforce the Regulation and promote awareness among data controllers and processors of their obligations, as well as to deal with claims presented by an interested party and investigate the reason for them.<br />
<br />
Correlatively, article 31 of the RGPD establishes the obligation of controllers and processors to cooperate with the supervisory authority that requests it in the performance of its functions. In the event that they have designated a data protection officer, article 39 of the RGPD attributes to him the function of cooperating with said authority.<br />
<br />
Likewise, the domestic legal system, in article 65.4 of the LOPDGDD, has provided for a mechanism prior to the admission for processing of claims that are formulated before the Spanish Data Protection Agency, which consists of transferring them to the data protection officers designated by the controllers or processors, for the purposes provided for in article 37 of the aforementioned norm, or to these when they have not been designated, to proceed to the analysis of said claims and to respond to them within a period of one month.<br />
<br />
In accordance with this regulation, prior to the admission for processing of the claim that gives rise to this procedure, it was transferred to the responsible entity so that it could proceed with its analysis, provide a response to this Agency within a period of one month and prove that it had provided the claimant with the appropriate response, in the event of exercise of the rights regulated in articles 15 to 22 of the GDPR.<br />
<br />
<br />
The result of said transfer did not allow the claims of the complaining party to be understood as satisfied. Consequently, on May 8, 2022, for the purposes provided for in article 64.2 of the LOPDGDD, the Director of the Spanish Data Protection Agency agreed to accept the claim presented for processing. Said admission agreement for processing determines the opening of this procedure for lack of attention to a request to exercise the rights established in articles 15 to 22 of the RGPD, regulated in article 64.1 of the LOPDGDD, according to which:<br />
<br />
"1. When the procedure refers exclusively to the lack of attention of a request to exercise the rights established in articles 15 to 22 of Regulation (EU) 2016/679, it will begin by agreement of admission to processing, which will be adopted in accordance with the provisions of the following article. In this case, the period to resolve the procedure will be six months from the date on which the claimant was notified of the admission agreement to processing. After this period, the interested party may consider his claim".<br />
<br />
It is not considered appropriate to clarify administrative responsibilities within the framework of a sanctioning procedure, the exceptional nature of which implies that, whenever possible, preference is given to the alternative mechanisms that have protection in current regulations.<br />
<br />
It is the exclusive responsibility of this Agency to assess whether there are administrative responsibilities that must be purged in a sanctioning procedure and, consequently, the decision on its opening, there being no obligation to initiate a procedure for any request made by a third party. Such a decision must be based on the existence of elements that justify said start of the sanctioning activity, circumstances that do not occur in the present case, considering that with this procedure the guarantees and rights of the claimant are duly restored.<br />
<br />
<br />
THIRD: The rights of people regarding the protection of personal data are regulated in articles 15 to 22 of the RGPD and 13 to 18 of the LOPDGDD. These are the rights of access, rectification, deletion, opposition, right to limitation of processing and right to portability.<br />
<br />
<br />
The formal aspects related to the exercise of these rights are established in articles 12 of the RGPD and 12 of the LOPDGDD.<br />
<br />
Furthermore, what is expressed in Recital 59 and following of the GDPR.<br />
<br />
<br />
In accordance with the provisions of these regulations, the data controller must arbitrate formulas and mechanisms to facilitate the exercise by the interested party of their rights, which will be free (without prejudice to the provisions of articles 12.5 and 15.3 of the RGPD), and is obliged to respond to requests made no later than one month, unless it can demonstrate that it is not in a position to identify the interested party, and to express its reasons in case it is not going to attend to said request. It falls on the controller to prove compliance with the duty to respond to the request to exercise their rights made by the affected party.<br />
<br />
The communication addressed to the interested party on the occasion of their request must<br />
be expressed in a concise, transparent, intelligible and easily accessible manner, with a<br />
clear and simple language.<br />
<br />
In the case of the right of access to personal data, in accordance with the provisions of<br />
article 13 of the LOPDGDD, when the exercise of the right refers to a large amount of data,<br />
the person responsible may request the affected person to specify the “data or processing<br />
activities to which the request refers”. The right will be deemed granted if the person<br />
responsible provides remote access to the data, the request being considered attended to<br />
(although the interested party may request the information referring to the points provided<br />
for in article 15 of the RGPD).<br />
<br />
<br />
The exercise of this right on more than one occasion during a period of six months may be<br />
considered repetitive, unless there is legitimate cause for it.<br />
<br />
On the other hand, the request will be considered excessive when the affected party chooses a means<br />
different from the one offered that entails a disproportionate cost, which must be<br />
assumed by the affected person.<br />
<br />
<br />
FOURTH: Article 17 of the RGPD, which regulates the right to deletion of personal data,<br />
establishes the following:<br />
<br />
"1. The interested party will have the right to obtain without undue delay from the person<br />
responsible for the processing the deletion of the personal data that concern them, who will be<br />
obliged to delete the personal data without undue delay when any of the following<br />
circumstances occurs:<br />
<br />
a) the personal data are no longer necessary in relation to the purposes for which they<br />
were collected or otherwise treated;<br />
b) the interested party withdraws the consent on which the treatment is based in accordance<br />
with Article 6(1)(a) or Article 9(2)(a) and this is not<br />
based on another legal basis;<br />
<br />
c) the data subject objects to the processing in accordance with Article 21(1) and no<br />
other legitimate reasons for the processing prevail, or the interested party opposes the<br />
treatment pursuant to Article 21(2);<br />
<br />
d) the personal data have been processed unlawfully;<br />
e) personal data must be deleted for compliance with a legal obligation<br />
established in the law of the Union or of the Member States that applies to the<br />
responsible for the treatment;<br />
f) the personal data have been obtained in relation to the offer of services of the<br />
information society mentioned in Article 8, paragraph 1.<br />
<br />
<br />
2. When the data controller has made personal data public and is obliged, by virtue of the<br />
provisions of section 1, to delete said data, it will, taking into account the available<br />
technology and the cost of its application, adopt reasonable measures, including technical<br />
measures, with a view to informing the responsible parties who are processing the personal<br />
data of the interested party's request for deletion of any link to that personal data, or any<br />
copy or replication of the same.<br />
<br />
3. Sections 1 and 2 will not apply when treatment is necessary:<br />
a) to exercise the right to freedom of expression and information;<br />
b) for compliance with a legal obligation that requires data processing<br />
imposed by Union or Member State law applicable to the<br />
responsible for the treatment, or for the fulfillment of a mission carried out in the interest<br />
public or in the exercise of public powers conferred on the person responsible;<br />
c) for reasons of public interest in the field of public health in accordance with<br />
Article 9, paragraph 2, letters h) and i), and paragraph 3;<br />
d) for archival purposes in the public interest, scientific or historical research purposes or<br />
statistical purposes, in accordance with Article 89(1), to the extent that<br />
the right indicated in paragraph 1 could make it impossible or hinder<br />
seriously the achievement of the objectives of said treatment, or<br />
e) for the formulation, exercise or defense of claims.”<br />
<br />
FIFTH: Article 4 of the GDPR, Definitions, establishes that<br />
<br />
“For the purposes of this Regulation it will be understood as:<br />
<br />
<br />
(…)<br />
<br />
8) "processor": the natural or legal person, public authority, service or other body that<br />
processes personal data on behalf of the person responsible for the treatment;<br />
<br />
<br />
(…)”<br />
<br />
Article 28 of the GDPR, Data Processor, provides that<br />
<br />
<br />
1. When treatment is to be carried out on behalf of a person responsible for the treatment,<br />
the latter will only choose a processor who offers sufficient guarantees to apply appropriate<br />
technical and organizational measures, so that the treatment complies with the requirements<br />
of this Regulation and ensures the protection of the rights of the interested party.<br />
<br />
<br />
2. (…)<br />
<br />
3. The treatment by the processor will be governed by a contract or other legal act under the<br />
law of the Union or of the Member States, binding the person in charge with regard to the<br />
person responsible and establishing the object, duration, nature and purpose of the processing,<br />
the type of personal data and categories of interested parties, and the obligations and rights<br />
of the person responsible. Said contract or legal act will stipulate, in particular, that the<br />
person in charge:<br />
<br />
a) will process personal data only on documented instructions from the controller, including<br />
with respect to transfers of personal data to a third country or an international organization,<br />
unless it is obliged to do so under Union or Member State law that applies to the person in<br />
charge; in this case, the person in charge will inform the person responsible of that legal<br />
requirement prior to treatment, unless such law prohibits it for important reasons of public<br />
interest;<br />
<br />
<br />
b) will ensure that the persons authorized to process personal data have agreed to respect<br />
confidentiality or are subject to a confidentiality obligation of a statutory nature;<br />
<br />
c) take all necessary measures in accordance with article 32;<br />
<br />
<br />
d) will respect the conditions indicated in sections 2 and 4 to resort to<br />
another processor;<br />
<br />
e) will assist the person responsible, taking into account the nature of the treatment, through<br />
appropriate technical and organizational measures, whenever possible, so that it can fulfill<br />
its obligation to respond to requests that have as their object the exercise of the rights of<br />
interested parties established in chapter III;<br />
<br />
f) will help the person responsible to ensure compliance with obligations<br />
established in articles 32 to 36, taking into account the nature of the<br />
treatment and information available to the person in charge;<br />
<br />
g) at the discretion of the controller, will delete or return all personal data once the<br />
provision of the treatment services ends, and will delete the existing copies unless retention<br />
of the personal data is required under Union or Member State law;<br />
<br />
h) will make available to the person responsible all the information necessary to demonstrate<br />
compliance with the obligations established in this article, as well as to allow and contribute<br />
to the performance of audits, including inspections, by the person responsible or another<br />
auditor authorized by said person responsible.<br />
<br />
In relation to the provisions of letter h) of the first paragraph, the person in charge will<br />
immediately inform the controller if, in its opinion, an instruction violates this Regulation<br />
or other data protection provisions of the Union or the Member States.<br />
<br />
4. (…)"<br />
<br />
<br />
SIXTH: In the present case, from the analysis of the documentation provided, it has been<br />
proven that the claimant requested the deletion of their personal data and that the person in<br />
charge of treatment did not transfer said request to the person responsible for the treatment,<br />
Abanca, to process it.<br />
<br />
<br />
However, upon becoming aware of it through this procedure, Abanca has proceeded to respond to<br />
the claimant denying the requested deletion as there are current contractual relationships.<br />
<br />
Consequently, the claim must be upheld for formal reasons.<br />
<br />
<br />
Considering the aforementioned precepts and others of general application,<br />
the Director of the Spanish Data Protection Agency RESOLVES:<br />
<br />
FIRST: UPHOLD, for formal reasons, the claim made by Mr. A.A.A. against ABANCA CORPORACIÓN<br />
BANCARIA, S.A. However, the issuance of new certification by said entity, having issued the<br />
response extemporaneously, without requiring the performance of additional actions by the<br />
person responsible.<br />
<br />
<br />
SECOND: NOTIFY this resolution to Mr. A.A.A. and ABANCA CORPORACIÓN BANCARIA, S.A.<br />
<br />
In accordance with the provisions of article 50 of the LOPDGDD, this<br />
Resolution will be made public once it has been notified to the interested parties.<br />
<br />
<br />
Against this resolution, which puts an end to the administrative procedure in accordance with<br />
article 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP,<br />
the interested parties may optionally file an appeal for reconsideration before the Director of<br />
the Spanish Data Protection Agency within a period of one month counted from the day following<br />
the notification of this resolution, or directly a contentious-administrative appeal before the<br />
Contentious-Administrative Chamber of the National Court, in accordance with the provisions of<br />
article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13,<br />
regulating the Contentious-Administrative Jurisdiction, within a period of two months from the<br />
day following the notification of this act, as provided for in article 46.1 of the referred<br />
Law.<br />
<br />
1195-020622<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
<br />
</pre></div>Mgrdhttps://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202104006AEPD (Spain) - EXP2021040062024-02-26T18:40:04Z<p>Im: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=EXP202104006<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AEPD<br />
|Original_Source_Link_1=https://www.aepd.es/documento/ps-00164-2022.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=21.08.2021<br />
|Date_Decided=13.09.2023<br />
|Date_Published=13.09.2023<br />
|Year=2023<br />
|Fine=56,000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 4(12) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#12<br />
|GDPR_Article_2=Article 5(1)(f) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#1f<br />
|GDPR_Article_3=Article 32 GDPR<br />
|GDPR_Article_Link_3=Article 32 GDPR<br />
|GDPR_Article_4=Article 33 GDPR<br />
|GDPR_Article_Link_4=Article 33 GDPR<br />
|GDPR_Article_5=Article 34 GDPR<br />
|GDPR_Article_Link_5=Article 34 GDPR<br />
|GDPR_Article_6=Article 83(4) GDPR<br />
|GDPR_Article_Link_6=Article 83 GDPR#4<br />
|GDPR_Article_7=Article 83(5) GDPR<br />
|GDPR_Article_Link_7=Article 83 GDPR#5<br />
|GDPR_Article_8=<br />
|GDPR_Article_Link_8=<br />
|GDPR_Article_9=<br />
|GDPR_Article_Link_9=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=VODAFONE ESPAÑA, S.A.U.<br />
|Party_Link_1=https://www.vodafone.es/c/particulares/es/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=mgrd<br />
|<br />
}}<br />
<br />
The DPA fined VODAFONE €56,000 for sharing confidential data of another customer while addressing a different customer's right of access. The controller benefited from a €14,000 reduction of the original fine because it renounced any form of appeal against the sanction.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
On 21 August 2021 the data subject filed a complaint against Vodafone España, S.A.U., the controller, for violating their right of access.<br />
<br />
The data subject requested VODAFONE to provide a copy of their commercial telephone contract, since the company was, allegedly, not applying the contracted tariff. After several unsuccessful attempts to receive their contract, the controller sent an email containing the contract of another customer as well as an audio recording containing that customer's data.<br />
<br />
=== Holding ===<br />
The DPA ('AEPD') highlighted the breach of confidentiality and security by VODAFONE for sharing a commercial contract of another individual with the data subject, violating [[Article 5 GDPR|Article 5(1)(f) GDPR]]. According to the evidence presented, the data subject obtained access to the name, ID number and telephone number of an unknown person, who had given no authorization to disclose their data to third parties.<br />
<br />
The AEPD, therefore, found a violation of [[Article 32 GDPR]] for not implementing the appropriate technical and organisational measures to prevent such an incident.<br />
<br />
The AEPD fined VODAFONE €50,000 for violating [[Article 5 GDPR|Article 5(1)(f) GDPR]] and €20,000 for violating [[Article 32 GDPR]]. However, in this case, the AEPD gave VODAFONE two possibilities: either to acknowledge liability, leading to a greater reduction in the final amount, totaling €42,000, or to pay a fine of €56,000 and renounce any form of appeal against the sanction.<br />
<br />
VODAFONE opted for voluntary payment, paying a fine of €56,000. This payment used the reduction for early payment offered in the initiation agreement and entails the renunciation of any form of administrative appeal against the sanction.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
File No.: EXP202104006<br />
<br />
RESOLUTION OF TERMINATION OF THE VOLUNTARY PAYMENT PROCEDURE<br />
<br />
<br />
From the procedure instructed by the Spanish Data Protection Agency and based<br />
on the following<br />
<br />
BACKGROUND<br />
<br />
<br />
FIRST: On August 10, 2022, the Director of the Spanish Data Protection Agency agreed to<br />
initiate sanctioning proceedings against VODAFONE ESPAÑA, S.A.U. (hereinafter, the claimed<br />
party), through the Agreement transcribed below:<br />
<br />
<br />
<<<br />
<br />
File No.: EXP202104006<br />
<br />
AGREEMENT TO START SANCTIONING PROCEDURE<br />
<br />
Of the actions carried out by the Spanish Data Protection Agency and based on the following<br />
<br />
FACTS<br />
<br />
FIRST: On August 21, 2021, A.A.A. (hereinafter, the complaining party) filed a claim with the<br />
Spanish Data Protection Agency. The claim is directed against VODAFONE ESPAÑA, S.A.U. with NIF<br />
A80907397 (hereinafter, VODAFONE). The reasons on which the claim is based are the following:<br />
<br />
He indicates that he has requested a copy of his telephone contract from VODAFONE because it<br />
is not applying the contracted rate. That he has requested it on several occasions without it<br />
being sent (infringement of his right to access his personal data). Finally he receives an<br />
email with another client's telephone contract, violating the secrecy of the personal data of<br />
said client.<br />
<br />
<br />
Along with the notification, an audio file in mp3 format is provided, in which a recording can<br />
be heard in which two people intervene, one on behalf of VODAFONE, and another who identifies<br />
themselves as B.B.B. with DNI ***NIF.1, owner of the telephone line ***PHONE.1. The recording is<br />
dated 07/28/2020.<br />
<br />
<br />
There is no record of the date on which the complaining party had access to said recording,<br />
since he has not sent the email in which he states that he received it. Likewise, the<br />
complaining party does not provide a document proving that it has requested its own contract<br />
from VODAFONE.<br />
<br />
<br />
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on Protection<br />
of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), said claim was<br />
transferred to VODAFONE, so that it could proceed to its analysis and inform this Agency,<br />
within a period of one month, of the actions carried out to adapt to the requirements provided<br />
for in the data protection regulations.<br />
<br />
<br />
The transfer, which was carried out in accordance with the rules established in Law 39/2015, of<br />
October 1, of the Common Administrative Procedure of Public Administrations (hereinafter,<br />
LPACAP), was received on 11/08/2021 as stated in the acknowledgment of receipt that appears in<br />
the file.<br />
<br />
<br />
No response has been received to this transfer letter.<br />
<br />
THIRD: On November 21, 2021, in accordance with article 65 of<br />
the LOPDGDD, the claim presented by the complaining party was admitted for processing.<br />
<br />
FOUNDATIONS OF LAW<br />
<br />
I<br />
<br />
Competence<br />
<br />
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data<br />
Protection Regulation, hereinafter RGPD) grants each supervisory authority, and as established<br />
in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on Protection of<br />
Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the<br />
Spanish Data Protection Agency is competent to initiate and resolve this procedure.<br />
<br />
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the<br />
Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679,<br />
of this organic law, by the regulatory provisions dictated in its development and, insofar as<br />
they do not contradict them, on a subsidiary basis, by the general rules on administrative<br />
procedures."<br />
<br />
<br />
II<br />
Previous issues<br />
<br />
In the present case, in accordance with the provisions of article 4.1 of the RGPD, there is<br />
processing of personal data, since VODAFONE carries out, among other treatments, the collection,<br />
registration, consultation, etc. of personal data of natural persons, such as: name,<br />
identification number, telephone number, etc.<br />
<br />
VODAFONE carries out this activity in its capacity as data controller, given that it is the one<br />
who determines the purposes and means of such activity, by virtue of article 4.7 of the GDPR.<br />
<br />
<br />
Article 4 section 12 of the GDPR broadly defines “personal data security breaches”<br />
(hereinafter security breach) as “all those security breaches that cause the accidental or<br />
unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise<br />
processed, or the unauthorized communication of or access to said data.”<br />
<br />
<br />
In the present case, there is a personal data security breach in the circumstances indicated<br />
above, categorized as a breach of confidentiality, since a recording containing personal data<br />
of another person has been sent to the complaining party, thus allowing its knowledge by<br />
someone who is not legitimized for it.<br />
<br />
It should be noted that the identification of a security breach does not directly imply the<br />
imposition of a sanction by this Agency, since it is necessary to analyze the diligence of<br />
those responsible and those in charge, and the security measures applied.<br />
<br />
<br />
Within the treatment principles provided for in article 5 of the RGPD, the integrity and<br />
confidentiality of personal data is guaranteed in section 1.f) of article 5 of the GDPR. For<br />
its part, the security of personal data is regulated in articles 32, 33 and 34 of the RGPD,<br />
which regulate the security of processing, the notification of a personal data security breach<br />
to the supervisory authority, and the communication to the interested party, respectively.<br />
<br />
III<br />
Article 5.1.f) of the GDPR<br />
<br />
<br />
Article 5.1.f) “Principles relating to processing” of the GDPR establishes:<br />
<br />
"1. The personal data will be:<br />
(…)<br />
<br />
<br />
f) treated in such a way as to ensure adequate security of the personal data, including<br />
protection against unauthorized or unlawful processing and against accidental loss, destruction<br />
or damage, through the application of appropriate technical or organizational measures<br />
(“integrity and confidentiality”).”<br />
<br />
<br />
In the present case, it is clear that the personal data of a VODAFONE customer, recorded in<br />
its database, were improperly exposed to the complaining party who, according to his own<br />
statement, received them by email, having therefore had access to the name, ID and telephone<br />
number of an unknown person, without, of course, the authorization of said person to expose<br />
their data to a third party, there being no legitimizing cause for it.<br />
<br />
In accordance with the evidence available at this agreement of initiation of the sanctioning<br />
procedure, and without prejudice to what results from the instruction, it is considered that<br />
the known facts could constitute an infringement, attributable to VODAFONE, due to violation<br />
of article 5.1.f) of the RGPD.<br />
<br />
IV<br />
Classification of the violation of article 5.1.f) of the RGPD<br />
<br />
If confirmed, the aforementioned violation of article 5.1.f) of the RGPD could mean the<br />
commission of the infractions classified in article 83.5 of the RGPD, which under the heading<br />
“General conditions for the imposition of administrative fines” provides:<br />
<br />
“Infringements of the following provisions will be sanctioned, in accordance with paragraph 2,<br />
with administrative fines of a maximum of EUR 20 000 000 or, in the case of a company, an<br />
amount equivalent to a maximum of 4% of the global total annual business volume of the previous<br />
financial year, opting for the largest amount:<br />
<br />
a) the basic principles for the treatment, including the conditions for consent under<br />
articles 5, 6, 7 and 9; (…)”<br />
<br />
<br />
In this regard, the LOPDGDD, in its article 71 “Infringements”, establishes that “The acts and<br />
conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well<br />
as those that are contrary to this organic law.”<br />
<br />
<br />
For the purposes of the limitation period, article 72 “Infringements considered very serious”<br />
of the LOPDGDD indicates:<br />
<br />
"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, the infractions<br />
that involve a substantial violation of the articles mentioned therein are considered very<br />
serious and will prescribe after three years, and in particular the following:<br />
<br />
a) The processing of personal data violating the principles and guarantees established in<br />
article 5 of Regulation (EU) 2016/679. (…)”<br />
<br />
V<br />
Penalty for violation of article 5.1.f) of the RGPD<br />
<br />
<br />
For the purposes of deciding on the imposition of an administrative fine and its amount, in<br />
accordance with the evidence available at the time of this agreement to initiate the<br />
sanctioning procedure, and without prejudice to what results from the instruction, the<br />
infraction in question is considered to be serious for the purposes of the RGPD, and it is<br />
appropriate to graduate the sanction to be imposed in accordance with the following criteria<br />
established by article 83.2 of the RGPD:<br />
<br />
As mitigating factors:<br />
<br />
-The number of interested parties affected and the level of damages suffered (section a). This<br />
file deals with the data of a single person, and there is no evidence that such action has<br />
caused harm.<br />
<br />
<br />
Likewise, it is considered that it is appropriate to graduate the sanction to be imposed in<br />
accordance with the following criteria established in section 2 of article 76 “Sanctions and<br />
corrective measures” of the LOPDGDD:<br />
<br />
As aggravating factors:<br />
<br />
<br />
-The link between the offender's activity and the processing of personal data (section b).<br />
The activity of VODAFONE, a provider of telephone and Internet services, and the high number<br />
of clients it has, entail the handling of a large number of personal data. This implies that it<br />
has sufficient experience and should have adequate knowledge for the processing of said data.<br />
<br />
The balance of the circumstances contemplated in article 83.2 of the RGPD and the<br />
article 76.2 of the LOPDGDD, with respect to the infraction committed by violating the<br />
established in article 5.1.f) of the RGPD, allows initially setting a sanction of<br />
€50,000 (fifty thousand euros).<br />
<br />
VI<br />
Article 32 of the GDPR<br />
<br />
<br />
Article 32 “Security of processing” of the GDPR establishes:<br />
<br />
"1. Taking into account the state of the art, the application costs, and the nature, scope,<br />
context and purposes of the processing, as well as risks of variable probability and severity<br />
for the rights and freedoms of natural persons, the person responsible and the person in charge<br />
of the treatment will apply appropriate technical and organizational measures to guarantee a<br />
level of security appropriate to the risk, which, if applicable, includes, among others:<br />
a) pseudonymization and encryption of personal data;<br />
b) the ability to guarantee the permanent confidentiality, integrity, availability and<br />
resilience of treatment systems and services;<br />
c) the ability to restore availability and access to personal data quickly in the event of a<br />
physical or technical incident;<br />
d) a process of regular verification, evaluation and assessment of the effectiveness of the<br />
technical and organizational measures to guarantee the security of the treatment.<br />
<br />
2. When evaluating the adequacy of the security level, particular account will be taken of the<br />
risks presented by data processing, in particular as a consequence of the accidental or<br />
unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise<br />
processed, or the unauthorized communication of or access to said data.<br />
<br />
3. Adherence to a code of conduct approved pursuant to Article 40 or to a<br />
certification mechanism approved pursuant to article 42 may serve as an element<br />
to demonstrate compliance with the requirements established in section 1 of the<br />
present article.<br />
<br />
4. The controller and the person in charge of the treatment will take measures to ensure that<br />
any person acting under the authority of the person responsible or the person in charge who has<br />
access to personal data can only process said data following instructions of the person<br />
responsible, unless obliged to do so by virtue of the law of the Union or the Member States.<br />
<br />
In the present case, at the time of the breach, VODAFONE did not have the appropriate technical<br />
and organizational measures to avoid the incident, since, according to the complaining party,<br />
he was sent by email a recording corresponding to another client, containing the personal data<br />
of said client.<br />
<br />
In accordance with the evidence available at this agreement of initiation of the sanctioning<br />
procedure, and without prejudice to what results from the instruction, it is considered that<br />
the known facts could constitute an infringement, attributable to VODAFONE, due to violation<br />
of article 32 of the RGPD.<br />
<br />
VII<br />
Classification of the violation of article 32 of the RGPD<br />
<br />
<br />
If confirmed, the aforementioned violation of article 32 of the RGPD could mean the commission<br />
of the infractions classified in article 83.4 of the RGPD, which under the heading “General<br />
conditions for the imposition of administrative fines” provides:<br />
<br />
“Infringements of the following provisions will be sanctioned, in accordance with paragraph 2,<br />
with administrative fines of a maximum of EUR 10 000 000 or, in the case of a company, an<br />
amount equivalent to a maximum of 2% of the global total annual business volume of the previous<br />
financial year, opting for the largest amount:<br />
<br />
a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39,<br />
42 and 43; (…)”<br />
<br />
In this regard, article 71 “Infringements” of the LOPDGDD establishes that the following constitute infringements: “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law.”<br />
<br />
For the purposes of the limitation period, article 73 “Infringements considered serious” of the LOPDGDD indicates:<br />
<br />
“Based on what is established in article 83.4 of Regulation (EU) 2016/679, infringements that involve a substantial violation of the articles mentioned therein are considered serious and will become time-barred after two years, and in particular the following:<br />
(…)<br />
f) The failure to adopt those technical and organisational measures that are appropriate to guarantee a level of security adequate to the risk of the processing, in the terms required by article 32.1 of Regulation (EU) 2016/679.<br />
<br />
VIII<br />
Penalty for violation of article 32 of the GDPR<br />
<br />
For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence currently available at the time of this agreement to initiate the sanctioning procedure, and without prejudice to what results from the instruction, the infringement in question is considered serious for the purposes of the RGPD, and the sanction to be imposed should be graduated in accordance with the following criteria established by article 83.2 of the RGPD:<br />
<br />
<br />
As mitigating factors:<br />
<br />
- The number of data subjects affected and the level of damage suffered (section a). This file concerns the data of a single person, and there is no evidence that the action caused harm.<br />
<br />
<br />
Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the following criteria established in section 2 of article 76 “Sanctions and corrective measures” of the LOPDGDD:<br />
<br />
<br />
As aggravating factors:<br />
<br />
- The link between the offender's activity and the processing of personal data (section b). VODAFONE's activity as a telephone and internet service provider, and the high number of customers it has, entails the handling of a large volume of personal data. This implies that it has sufficient experience and should have adequate knowledge for the processing of such data.<br />
<br />
The balance of the circumstances contemplated in article 83.2 of the RGPD and article 76.2 of the LOPDGDD, with respect to the infringement committed by violating article 32 of the RGPD, allows a sanction of €20,000 (twenty thousand euros) to be set initially.<br />
<br />
IX<br />
Imposition of measures<br />
<br />
<br />
Among the corrective powers provided for in article 58 “Powers” of the GDPR, section 2.d) establishes that each supervisory authority may “order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period….”<br />
<br />
The Spanish Data Protection Agency, in the resolution that puts an end to this procedure, may order the adoption of measures, as established in article 58.2.d) of the RGPD and in accordance with what results from the instruction of the procedure, if necessary, in addition to sanctioning with a fine.<br />
<br />
<br />
Therefore, in accordance with the above, the Director of the Spanish Data Protection Agency<br />
AGREES:<br />
<br />
FIRST: START SANCTIONING PROCEDURE against VODAFONE ESPAÑA, S.A.U., with NIF A80907397, for the alleged violation of Article 5.1.f) of the RGPD, typified in Article 83.5 of the RGPD.<br />
<br />
START SANCTIONING PROCEDURE against VODAFONE ESPAÑA, S.A.U., with NIF A80907397, for the alleged violation of Article 32 of the RGPD, typified in Article 83.4 of the GDPR.<br />
<br />
<br />
SECOND: APPOINT C.C.C. as instructor and D.D.D. as secretary, indicating that either of them may be challenged, if applicable, in accordance with articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).<br />
<br />
<br />
THIRD: INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed by the complaining party and its documentation, as well as the documents obtained and generated by the General Subdirectorate of Data Inspection in the actions prior to the start of this sanctioning procedure.<br />
<br />
<br />
FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the sanction that could correspond would be:<br />
- For the alleged violation of article 5.1.f) of the RGPD, typified in article 83.5 of said rule, an administrative fine of 50,000.00 euros<br />
- For the alleged violation of article 32 of the RGPD, typified in article 83.4 of said rule, an administrative fine of 20,000.00 euros<br />
<br />
FIFTH: NOTIFY this agreement to VODAFONE ESPAÑA, S.A.U., with NIF A80907397, granting it a hearing period of ten business days to formulate allegations and present the evidence it considers appropriate. In its written allegations it must provide its NIF and the procedure number that appears in the heading of this document.<br />
<br />
If within the stipulated period it does not make allegations to this initiation agreement, the agreement may be considered a proposal for resolution, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP).<br />
<br />
In accordance with the provisions of article 85 of the LPACAP, you may acknowledge your responsibility within the period granted for formulating allegations to this initiation agreement, which will entail a 20% reduction in the sanction that may be imposed in this procedure. With the application of this reduction, the penalty would be set at 56,000.00 euros, resolving the procedure with the imposition of this sanction.<br />
<br />
Likewise, at any time prior to the resolution of this procedure, you may make voluntary payment of the proposed sanction, which will mean a 20% reduction in its amount. With the application of this reduction, the penalty would be set at 56,000.00 euros, and its payment will imply termination of the procedure.<br />
<br />
<br />
The reduction for voluntary payment of the penalty is cumulative with that applicable for acknowledgement of responsibility, provided that this acknowledgement is made within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In that case, if both reductions were applied, the amount of the penalty would be set at 42,000.00 euros.<br />
<br />
In any case, the effectiveness of either of the two reductions mentioned will be conditioned upon the withdrawal or waiver of any pending administrative action or appeal against the sanction.<br />
<br />
In the event that you choose to proceed with the voluntary payment of either of the amounts indicated above (56,000.00 euros or 42,000.00 euros), you must make it effective by depositing it into account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at the banking entity CAIXABANK, S.A., indicating in the payment reference the procedure number that appears in the heading of this document and the ground for reduction of the amount that is accepted.<br />
<br />
<br />
Likewise, you must send proof of payment to the General Subdirectorate of Inspection so that the procedure can continue in accordance with the amount paid.<br />
<br />
The procedure will have a maximum duration of nine months counting from the date of the initiation agreement or, where applicable, of the draft initiation agreement. After this period it will lapse and, consequently, the proceedings will be archived, in accordance with the provisions of article 64 of the LOPDGDD.<br />
<br />
Finally, it is noted that, in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act.<br />
<br />
<br />
935-110422<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
<br />
<br />
<br />
>><br />
<br />
SECOND: On September 7, 2022, the claimed party proceeded to pay the penalty in the amount of 56,000 euros, using one of the two reductions provided for in the Initiation Agreement transcribed above. Therefore, acknowledgement of responsibility has not been accredited.<br />
<br />
THIRD: The payment made entails the waiver of any pending administrative action or appeal against the sanction, in relation to the facts referred to in the Initiation Agreement.<br />
<br />
LEGAL GROUNDS<br />
<br />
I<br />
<br />
<br />
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants to each supervisory authority, and as established in articles 47 and 48.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.<br />
<br />
<br />
Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, of this organic law, of the regulatory provisions issued in its implementation and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures.”<br />
<br />
II<br />
<br />
Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), under the heading “Termination in sanctioning procedures”, provides the following:<br />
<br />
"1. Once a sanctioning procedure has been initiated, if the offender acknowledges their responsibility, the procedure may be resolved with the imposition of the appropriate sanction.<br />
<br />
2. When the sanction is solely pecuniary in nature, or when a pecuniary sanction and a non-pecuniary one could be imposed but the inadmissibility of the second has been justified, voluntary payment by the alleged offender at any time prior to the resolution will imply termination of the procedure, except in relation to the restoration of the altered situation or the determination of compensation for damage caused by the commission of the infringement.<br />
<br />
3. In both cases, when the sanction is solely pecuniary in nature, the body competent to resolve the procedure will apply reductions of at least 20% of the amount of the proposed penalty, these being cumulative with each other. The aforementioned reductions must be determined in the notification of initiation of the procedure, and their effectiveness will be conditioned on the withdrawal or waiver of any administrative action or appeal against the sanction.<br />
<br />
<br />
The reduction percentages provided for in this section may be increased by regulation.”<br />
<br />
According to what was stated,<br />
the Director of the Spanish Data Protection Agency RESOLVES:<br />
<br />
<br />
FIRST: DECLARE the termination of procedure EXP202104006, in accordance with the provisions of article 85 of the LPACAP.<br />
<br />
<br />
SECOND: NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U.<br />
<br />
In accordance with the provisions of article 50 of the LOPDGDD, this<br />
Resolution will be made public once it has been notified to the interested parties.<br />
<br />
<br />
Against this resolution, which puts an end to the administrative procedure as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law.<br />
<br />
<br />
937-240122<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
</pre></div>Mgrd