VSL - VSL00035084

From GDPRhub
Revision as of 14:38, 13 August 2020 by AN (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
VSL - VSL00035084
Courts logo1.png
Court: VSL (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 6(1)(c) GDPR
Article 6(2) GDPR
Decided: 18.06.2020
Published: 30.07.2020
Parties:
National Case Number/Name: VSL00035084
European Case Law Identifier: ECLI:SI:VSLJ:2020:PRP.345.2019
Appeal from:
Appeal to:
Original Language(s): Slovenian
Original Source: Sodna Praksa (in Slovenian)
Initial Contributor: n/a

The High Court of Ljubljana (VSL) dismissed an appeal challenging a lower court's decision and held that Article 6(1)(c) was not applicable to a case where a representative of a company forwarded personal data to that company on the basis of an incorrectly applied Slovenian law.

English Summary

Facts

A representative of a company obtained the personal data, including the names, surnames and addresses, of 51 owners of motor vehicles registered in Slovenia, and forwarded the obtained data to the company. He forwarded this information on the basis of Article 10 of the Slovenian Law on Advocacy (ZOdv). The authority found that the forwarding of the data was in breach of this law, because the representative did not acquire the data for reasons permitted in the ZOdv, i.e. for performing an act of the legal profession for an individual case where the data was required.


The decision of the authority was appealed to the Ljubljana District Court. As the court of first instance, it considered that Article 6(1)(c) GDPR (processing on the basis of complying with a legal obligation) did not apply to this case. The Slovenian DPA (Informacijski pooblaščenec) disagreed with the court's assessment.

Dispute

Does Article 6(1)(c) apply here?

Holding

The VSL agreed with the finding of the court of first instance and dismissed the appeal as unfounded.

In its reasoning, the VSL noted that while Article 6(2) GDPR permits Member States to maintain or introduce more detailed provisions in order to adapt the application of GDPR rules for processing done under Article 6(1)(c), this does not permit Member States to regulate Article 6(1)(c) in such a way "indefinitely".

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.

VSL Judgment PRp 345/2019
ECLI: SI: VSLJ: 2020: PRP.345.2019
Registration number: VSL00035084
Date of decision: 18.06.2020
Senate, single judge: Živa Bukovac (president), Boštjan Kovič (report), Anton Panjan
Area: OFFENSES - PROTECTION OF PERSONAL DATA
Institute: existence of a misdemeanor - principle of legality - milder regulation - request for judicial protection - appeal of a misdemeanor authority - processing of personal data - transmission of personal data to a lawyer - duty to provide data
Sail

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC, which is to be applied directly, c) the first paragraph of Article 6 replaces Article 8 of ZVOP-1.

The provision of the first paragraph of Article 10 of the ZOdv regulates when the obligation to provide personal data to a lawyer applies and when it is legal for a lawyer to obtain personal data; if the controller and the processor act in accordance with that provision, then such conduct shall be in accordance with the lawfulness of the processing referred to in point (c) of the first paragraph of Article 6 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC; contrary conduct means a violation of this provision, which in the circumstances of a specific case must be applied directly and for the violation of which the decree in point a) of the fifth paragraph of Article 83 prescribes administrative and not punitive sanctioning.
Theorem

The appeal is dismissed as unfounded and the judgment of the court of first instance is upheld.
Justification

1. By the impugned judgment, the District Court in Ljubljana granted the request for judicial protection of the advocate of the responsible person of the legal entity and amended the decision on misdemeanor so that the misdemeanor proceedings against the responsible person of the legal entity for 51 misdemeanors under Article 91 (2) personal data (ZVOP-1) in connection with point 1 of the first paragraph of Article 91 of ZVOP-1, as described in point 1 of the decision on misdemeanors, on the basis of point 1 of the first paragraph of Article 136 of the Misdemeanors Act (ZP-1) stopped (point I of the operative part), granted the request for judicial protection of the legal entity's defense counsel and changed the decision on the misdemeanor so that the misdemeanor proceedings against the legal entity, due to 51 misdemeanors under point 1 of the first paragraph of Article 91 ZVOP-1, as are described in item 2 of the decision on a misdemeanor, on the basis of point 1 of the first paragraph of Article 136 of ZP-1 stopped (point II of the disposition). It also ruled on the costs of the misdemeanor proceedings, which it imposed on the budget (point III of the operative part).

2. The misdemeanor authority appeals against the judgment for violating the substantive provisions of the law regarding the question of whether the act for which the proceedings were initiated is a misdemeanor, which is the ground of appeal under point 2 of Article 154 in connection with point 1 of Article 156 ZP -1. He claims that the High Court should uphold the appeal and set aside or amend the judgment under appeal.

3. The lawyer of the legal and responsible person opposes the appeal and proposes its rejection and confirmation of the judgment of the court of first instance.

4. The appeal is unfounded.

5. The misdemeanor body found the legal and responsible person responsible for the services of 51 misdemeanors under point 1 of the first paragraph of Article 91 of ZVOP-1, which he allegedly committed by being the responsible person of the legal person who was authorized as a legal person. to perform the work of a lawyer, in the period between April 2016 and 18 January 2017, on the basis of Article 10 of the Law on Advocacy (ZOdv) as a representative of A. plc, obtained personal data, ie names, surnames, addresses of residence, EMŠO and weight of motor vehicles , on 51 owners of motor vehicles registered in the Republic of Slovenia, and forwarded the obtained data to the company A. plc to send reminders for the payment of receivables to these owners or users of motor vehicles, thus obtaining personal data of owners or users of vehicles contrary to Article 10 of the ZOdv, as he did not acquire them for the practice of the legal profession in individual cases, but acquired them only for the purpose of forwarding them to A. plc, as to him and the legal person by an individual other creditor or company A. plc, apart from obtaining personal data, was not ordered to perform any act of the legal profession in an individual case for which he would need the obtained personal data.

6. The Court of First Instance considered as a key fact that after the commission of the offenses on 25 May 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and on the repeal of Directive 95/46 / EC (hereinafter the General Regulation), which by the provision of point c) of the first paragraph of Article 6 replaced Article 8 of ZVOP-1, which is no longer applicable and whose violation is not several misdemeanors under point 1 of the first paragraph of Article 91 of ZVOP-1, as the General Decree for violation of point c) of the first paragraph of Article 6 provides for the imposition of an administrative fine and does not define such an act as a misdemeanor. 2 of ZP-1 used the General Regulation as a regulation that is more lenient for the perpetrator because it excludes a misdemeanor.

7. The Information Commissioner does not agree with the court's assessment and considers that the General Regulation did not replace the provision of Article 8 of ZVOP-1, which is still applicable and whose violation constitutes an offense under point 1 of the first paragraph of Article 91 of ZVOP-1. stipulates that a fine of EUR 4,170 to 12,510 shall be imposed on a legal person, sole proprietor or sole proprietor if he processes personal data without having a basis in law or with the personal consent of the individual. In the complaint, the Information Commissioner refers to the non-binding opinion of the Ministry of Justice in the First System Explanatory Notes at the beginning of the development of the application of the new European legislation on personal data protection (General Data Protection Regulation - GDPR and related Directive) of 28.5.2018. assessment that most of the provisions of ZVOP-1 on the processing of personal data cease to apply, except for the provisions of articles which are not regulated by the General Data Protection Regulation or which the Republic of Slovenia may still regulate otherwise, among which the Ministry also includes Article 8 of ZVOP-1. 1, which stipulates in the first paragraph that personal data may be processed only if the processing of personal data and personal data being processed is stipulated by law or if the personal consent of the individual is given for the processing of certain personal data, and in the second paragraph stipulates that the purpose of the processing of personal data must be determined by law, and in the case of processing on the basis of the personal consent of the individual, the the subject is previously informed in writing or in another appropriate manner of the purpose of the processing of personal data.

8. A general regulation is a legally binding act and must be fully applied in all EU countries. National authorities must ensure its proper use. Article 6 of the General Regulation regulates the lawfulness of processing and stipulates in point c) of the first paragraph that processing is lawful only insofar as the condition that the processing is necessary to fulfill the legal obligation applicable to the controller is met. The general regulation in Article 6 (2) does provide that Member States may maintain or introduce more detailed provisions in order to adapt the application of the rules of this Regulation concerning the processing of personal data to ensure compliance (inter alia) with point (c) of the first paragraph. to further specify the specific processing requirements and other measures to ensure lawful and fair processing. However, this does not mean that a Member State may otherwise regulate the lawfulness of the processing referred to in Article 6 (1) (c) of the General Regulation indefinitely, as it is required to maintain or introduce more detailed provisions to adapt the application of the rules of this Regulation. In view of the above, it is not possible to follow the position that Article 8 of ZVOP-1 has been retained in force in each case, but this depends on the circumstances of the specific case. In the specific case, the legal and responsible person is accused of violating the provision of Article 8 of ZVOP-1 because the responsible person obtained personal data of vehicle owners or users in contravention of Article 10 of ZOdv. In the first paragraph, it determines when the controller is considered to be required to fulfill a legal obligation, as it stipulates that state bodies, bodies of self-governing local communities and holders of public authority are obliged to give free of charge to a lawyer without the consent of the data subject. the information he needs in the practice of the legal profession in an individual case. That provision therefore governs when the obligation to provide personal data to a lawyer applies and when it is lawful for a lawyer to obtain personal data and if the controller and processor act in accordance with that provision, then such conduct is in accordance with the lawfulness of processing in point c) of the first paragraph 6. Article 2 of the General Regulation, and acting contrary to it means a violation of this provision, which in the circumstances of a specific case must be applied directly and for the violation of which the General Regulation in point a) of the fifth paragraph of Article 83 prescribes administrative and not punitive sanctions. The imposition of administrative fines, as prescribed by the General Regulation, has not been transposed into the national legal order of the Republic of Slovenia, as ZP-1 as well as the misdemeanor regulation do not regulate the manner of imposing administrative fines in misdemeanor proceedings. that it should take into account the fact that the General Regulation prescribes a significantly higher administrative fine than the prescribed fine in ZVOP-1 and that for this reason the court of first instance incorrectly applied the provision of the second paragraph of Article 2 of ZP-1.

9. For the foregoing reasons, the Court of Appeal agrees with the Court of First Instance's finding that the General Regulation, to be applied directly, does not constitute a violation of Article 6 § 1 (c) as a misdemeanor. from the point of view of misdemeanor law, which is part of criminal law, is more lenient for the perpetrator and the court is justified in applying the principle of legality from the second paragraph of Article 2 of ZP-1 on the basis of point 1 of the first paragraph of Article 136. Therefore, on the basis of the third paragraph of Article 163 of ZP-1, the High Court rejected the appeal as unfounded and upheld the judgment of the court of first instance.


Relationship:

ZVOP-1 Articles 8, 91, 91/1, 91 / 1-1, 91/2. ZP-1 Article 2, 2/2, 136, 136/1, 136 / 1-1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC Art. 6, 6/1, 6/1-c , 6/2. ZOdv Article 10, 10/1

Date of last change:
    07/30/2020