VSRS - VSRS Sodba IV Ips 2/2021
|VSRS - VSRS Sodba IV Ips 2/2021|
|Relevant Law:||Article 83 GDPR|
Article 1&2 of the Minor Offences Act (ZP-1)
Article 91 of the Personal Data Protection Act (ZVOP-1)
|National Case Number/Name:||VSRS Sodba IV Ips 2/2021|
|European Case Law Identifier:|
|Appeal from:||IP (Slovenia)|
|Original Source:||Supreme Court (in Slovenian)|
The Slovenian Supreme Court ruled that the Slovenian DPA can use the Minor Offenses Act (ZP-1) to impose fines under the Slovenian Personal Data Protection Act (ZVOP-1). The Court further stated that the Slovenian DPA cannot impose fines for GDPR violations since Slovenia has not passed a national act implementing the GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
The applicant is an official for the Supreme State Prosecutor's Office. From March and June 2017, the applicant disclosed the personal data of thirty-two data subjects without a legal basis in Slovenian law and without the consent of these data subjects. The Slovenian DPA (Information Commissioner or IP) defined the applicant's disclosures as a repeated violation of the first paragraph of Article 8 of the Slovenian Personal Data Protection Act (ZVOP-1). The IP further determined that the applicant had committed thirty-two offenses under Article 91 of the ZVOP-1. As a result, the Slovenian IP invoked domestic criminal regulating misdemeanor offenses (called the Minor Offenses Act or ZP-1) to impose on the applicant a fine of EUR 830 for each offense, as well as an additional EUR 2,380 sanction.
Slovenia remains the only EU country which has not passed a national act implementing the GDPR. The Slovenian legal system does not allow for the issuing of administrative fines by agencies such as a DPA, which means that even courts cannot initiate proceedings. This should not be a barrier to the implementation of the GDPR because Article 83(9) creates an exception for such countries that do not provide administrative fines, allowing them to impose fines through competent national courts. Slovenia negligently failed to invoke this exception at the time of adoption of the GDPR, and instead continues to rely on ZVOP-1 for data protection. In summary, in Slovenia there is no entity that can impose administrative fines as prescribed by the GDPR, but the DPA can at least impose at least misdemeanor fines under ZVOP-1.
ZVOP-1 gives the Slovenian DPA the power to directly issue misdemeanor fines through the procedural rules defined by the Minor Offenses Act (ZP-1). ZVOP-1 also sets maximum limits on the fines that the DPA can impose: €1 million for large companies, €300,000 for smaller companies, and €20,000 for individuals. These maximum fines are significantly lower than the maximum fines set by the GDPR.
Dispute[edit | edit source]
The applicant appealed the decision of the DPA to the Slovenian Higher Court, and then the Supreme State Prosecutor appealed the case to the Supreme Court. Usually, the Higher Court is the final court of appeal for Slovenian DPA decisions, but the Supreme Court will take on cases regarding the ZVOP-1 where wider legal norms are at issue.
Here, both the applicant and the State Prosecutor argued that the GDPR invalidates ZVOP-1, because the GDPR is European regulation that supersedes ZVOP-1, and because ZVOP-1 predates the GDPR. In consequence, since Slovenia has not implemented the GDPR through a national act, the applicant and the State Prosecutor claimed that neither the GDPR nor ZVOP-1 could be used to impose fines on the applicant for the alleged breaches of personal data protection. In other words, they claimed that in Slovenia there is no competent authority to impose fines for breaches of data protection.
Specifically, the prosecutors key arguments before the Supreme Court were that:
- There is no substantive criminal law for classifying the alleged acts as offenses because ZVOP-1 is invalid,
- The GDPR should regulate the sanctioning of personal data breaches,
- The Slovenian DPA lacked subject-matter jurisdiction to issue an opinion on the alleged acts, and
- The Constitution of the Republic of Slovenia was directly and indirectly violated because
- the provisions of the GDPR that allow administrative fines (Article 58 GDPR and Article 83 GDPR) were not transposed into Slovenian law, and
- the Slovenian DPA failed to take this face into account when imposing fines, meaning that it acted outside its authority.
These allegations, which have been debated at the Slovenian Higher Court for over a year, has severely undercut the efficiency of the Slovenian DPA. While the Slovenian DPA regularly imposed binding decisions and fines before the introduction of the GDPR, since the GDPR, its powers have been restricted and undermined by such interpretive stalemate.
Holding[edit | edit source]
The Slovenian Supreme Court explained that the GDPR does not invalidate ZVOP-1, because ZVOP-1 is sufficiently analogous to the GDPR to carry out the same functions. On these grounds, the Supreme Court ruled that the Slovenian DPA can impose misdemeanor fines prescribed by the Slovenian Personal Data Protection Act (ZVOP-1), provided that the fines relate to principles also found in the GDPR. The Slovenian DPA cannot, however, impose fines to enforce the GDPR itself. In summary, the Supreme Court decision to resolve the interpretive conflict n favor of the Slovenian DPA by suggesting that it would violate the principle of personal data protection to find that neither the GDPR nor ZVOP-1 can sanction breaches of personal data.
The Supreme Court refrained from exploring what should happen to ZVOP-1 in the future, leaving it open to future reform by a national act implementing the GDPR.
Comment[edit | edit source]
The court’s reasoning is somewhat outlandish. As a directly applicable EU regulation, the GDPR does not require implementation into national law, unless requested in certain situations by a so-called mandatory opening clause (such as Article 85 GDPR). Under Article 57(1)(a) GDPR, the Slovenian DPA is under the obligation to monitor and enforce the application of the GDPR; under Article 58(2)(i) GDPR it has the corrective power to impose an administrative fine pursuant to Article 83 GDPR. These provisions are directly applicable in Slovenia – just as in any other Member State. There is no sound legal argument, as to why the Slovenian DPA should not exercise its powers under the GDPR and – in case of GDPR violations – also impose fines.
(Comment by noyb).
Further Resources[edit | edit source]
You can read more about why the Slovenian DPA cannot impose administrative fines on this link.
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.
Registration number: VS00045444 Date of decision: 16.03.2021 Senate: Branko Masleša (president), Marjeta Švab Širok (report), Barbara Zobec Area: OFFENSES Institute: protection of personal data - principle of legality - milder regulation - principle of primacy of EU law Sail The GDPR rules set out in the request, which determine the lawfulness of data processing and sanctions for their breaches (Article 6 of the GDPR in conjunction with Article 83 of the GDPR), came into force only on 25 May 2018 with effect ex nunc , which means that it could be relevant in the present case only if it were more lenient for the perpetrator from the point of view of the second paragraph of Article 2 of ZP-1. However, the substantive provisions of the GDPR relied on by the applicant are not more lenient for the specific perpetrator compared to the provisions of ZVOP-1, on which the contested decision is based. The provisions of the GDPR not only allow Member States to prescribe and (also) impose other sanctions for breaches of data protection rules, but - importantly, in procedural terms they have not replaced the procedural rules of ZP-1 applicable to misdemeanor proceedings concerning acts they were defined as a misdemeanor at the time of their service and a sanction was prescribed for them by law (Article 1 of ZP-1). Theorem The request for protection of legality is rejected. Justification A. 1. The Information Commissioner (hereinafter: IP) by decision on misdemeanors no. 0603-35 / 2018/11 of 28 February 2020, AB found the perpetrator responsible for committing thirty-two offenses under the third paragraph of Article 91 of the Personal Data Protection Act (hereinafter: ZVOP-1) in connection with point 1 of the first paragraph of Article 91 Article ZVOP-1. He imposed a fine of EUR 830.00 for each offense and then imposed a single sanction on him, namely a fine in the amount of EUR 2,380.00. 2. The Supreme State Prosecutor Hinko Jenull filed a request for protection of legality against the said decision due to, as he alleges, violations of the first indent of Article 62 and the second indent of the first paragraph of Article 62a of the Misdemeanors Act (hereinafter: ZP-1) in the manner from points 1 and 4 of Article 156 of ZP-1 in connection with the third paragraph of Article 59 of ZP-1, and violations under the second indent of Article 62 and the first indent of the first paragraph of Article 62.a of ZP-1, all in connection with the third paragraph of Article 3.a, Article 8 and the fourth paragraph of Article 153 of the Constitution of the Republic of Slovenia. The alleged breaches are related to the entry into force of the General Data Protection Regulation (hereinafter: GDPR), 1 which entered into force on 25 May 2018 and on the basis of which the Republic of Slovenia should, as the applicant states, regulate sanctions for breaches of personal data processing regulations. data in the new system framework, or at least by adapting the existing one, but did not do so. The applicant's key allegations are that: (i) in the present case there was no substantive basis for classifying the alleged acts as misdemeanors, (ii) that the GDPR should be regarded as a more lenient rule in relation to the provisions of ZVOP-1 and ZP-1, (iii) that the (competent) competent body did not decide in the present case and (iv) that the Constitution of the Republic of Slovenia was directly and indirectly violated because the provisions of the GDPR were not transposed into Slovenian law and because the misdemeanor authority did not observe or apply them. The applicant proposes to the Supreme Court that due to the violations of the law and the Constitution of the Republic of Slovenia the request be granted and the challenged decision amended by stopping the procedure on misdemeanors on the basis of point 1 of the first paragraph of Article 136 ZP-1. 3. The Supreme Court handed over the request for protection of legality on the basis of Article 171 of ZP-1 in connection with the second paragraph of Article 423 of the Criminal Procedure Act (hereinafter ZKP) to the perpetrator who did not declare it. 4. The Misdemeanor Authority (IP) has lodged a letter stating that it is not itself a party to the proceedings in question, but nevertheless gives its view on the issues raised by the request. He proposes to the Supreme Court to reject the request and find that the law was not violated by the impugned decision. WOULD. 5. In the present case, the perpetrator was found guilty of committing several offenses by the contested IP decision of 28 February 2020, because in the period between March and June 2017 he performed the work of an official for access to public information at the Supreme State Prosecutor's Office. The Republic of Slovenia disclosed the personal data of thirty-two individuals without there being a legal basis in law or the personal consent of these individuals for such processing (ie disclosure) of their personal data. The misdemeanor authority defined the perpetrator's conduct as a repeated violation of the first paragraph of Article 8 of ZVOP-1, which stipulates that personal data may be processed only if the processing of personal data and personal data being processed is provided by law or if certain personal data are processed. personal consent of the individual. The sanction for a misdemeanor is prescribed by point 1 of the first paragraph in connection with the third paragraph of Article 91 of ZVOP-1, which stipulates that a fine of EUR 830 to 2,080 is imposed on a responsible person of a state body if he processes personal data without basis in law or in the personal consent of the individual (Article 8 of ZOVP-1). 6. The applicant bases its claim on four sets of arguments. Primarily, he claims that the violation of the first paragraph of Article 8 of ZVOP-1, which in the present case alleges the infringer, remained without reference to the specific provisions of the GDPR as a valid misdemeanor and sanction norm (regarding the content regulated by the first paragraph before its entry into force). Article 8 of ZVOP-1), which consequently means that from the point of view of the principle of legality there was no material legal basis for defining the alleged acts as misdemeanors, which according to the GDPR could only be defined as administrative violations, for which there is no appropriate grounds). According to the alleged position, the violation of the law is given because the impugned decision does not define the legal basis from which, in accordance with the principle of legality, it follows that these are misdemeanors under the GDPR and which provisions are violated, or because the impugned decision does not define misdemeanor a provision that could only be applied under the GDPR (or in conjunction with the GDPR). The second argument of the applicant is that the GDPR, as a later and explicitly and fully enforced alternative regulation, basically determines the administrative (and not misdemeanor) sanctioning of its provisions, which means that it is in relation to ZVOP-1 in relation to ZP-1, according to the principle legality (Article 2 of ZP-1), a milder regulation. The alleged violation of the law is given in this respect because a regulation (ZVOP-1) was applied to the offenses in question, which should not have been applied, as it has been replaced by another more lenient regulation (GDPR). The applicant's third argument focuses on the administrative fines imposed by Article 83 of the GDPR for breach of Article 6 § 1 (c). The applicant claims that the Slovenian national system does not provide for the imposition of administrative fines, and in such a case the ninth paragraph of Article 83 of the GDPR prescribes that the competent supervisory authority initiate proceedings to impose a fine, which is then imposed by the competent national courts. According to the request, the IP, as a supervisory body, if it already had a material basis for action (which, according to the applicant, did not exist), should initiate proceedings to impose a fine before the court, which means that it did not decide organ. Finally, the applicant claims that the Constitution of the Republic of Slovenia was violated (directly the provision of the third paragraph of Article 3.a and the fourth paragraph of Article 153 of the Constitution of the Republic of Slovenia, and indirectly the provision of Article 8 and the second paragraph of Article 153 of the Constitution of the Republic of Slovenia). Slovenian legal order and because the misdemeanor authority did not take them into account or use them in its decision-making. B-II. 7. The principle of legality is defined as one of the basic principles of misdemeanor law in Article 2 of ZP-1, which determines the limits of sanctioning misdemeanors. On this basis, the case law has repeatedly taken the position that when dealing with misdemeanors regarding legal signs and sanctions and other substantive institutes, the regulation in force at the time of the commission of the misdemeanor should be applied. If the substantive provisions of ZP-1 or a regulation determining the misdemeanor are changed one or more times after the commission of a misdemeanor, the law or regulation that is milder for the perpetrator shall apply (second paragraph of Article 2 of ZP-1). 8. The applicant's complaints must be assessed primarily through rules on the temporal validity of regulations. As can be seen from the contested decision, the time of commission of misdemeanors in the specific case is located in the period between March and June 2017, ie in the period of validity of the provisions of ZVOP-1. The General Regulation on Data Protection came into force on 25 May 2018 (second paragraph of Article 99 of the GDPR), and the contested decision was issued on 28 February 2020. 9. It follows from the presented timetable that the misdemeanor authority relied on the substantive provisions of ZVOP-1, which were in force at the time of the misdemeanor, which is in accordance with the first paragraph of Article 2 of ZP-1. The GDPR rules set out in the request, which determine the lawfulness of data processing and sanctions for their breaches (Article 6 of the GDPR in conjunction with Article 83 of the GDPR), came into force only on 25 May 2018 with effect ex nunc , which means that it could be relevant in the present case only if it were more lenient for the perpetrator from the point of view of the second paragraph of Article 2 of ZP-1. 10. The central question to be answered in the present case is therefore whether the rules of the GDPR, which determine the lawfulness of the processing of personal data (Article 6 of the GDPR) and the sanctions for infringements (in particular Article 83 of the GDPR), constitute a more lenient rule for the perpetrator. in comparison with the provisions of point 1 of the first paragraph in connection with the third paragraph of Article 91 of ZVOP-1 and the first paragraph of Article 8 of ZVOP-1, which determined the legal signs of the considered misdemeanors and sanctions for it. 11. Among the relevant provisions of the GDPR, 3 which the Supreme Court has taken into account in assessing the issue of a more lenient regulation, is the provision of the first paragraph of Article 6 of the GDPR, which regulates the basic conditions for the lawfulness of personal data processing. At the core of the said provision is the same matter as it is regulated (among other things) by the first paragraph of Article 8 of ZVOP-1, as this is the most basic definition of the legal basis for the processing of personal data. If an individual has no basis for the processing of personal data, which is alleged in the specific case of the perpetrator, from the point of view of the provisions of ZVOP-1 it is a matter of acting contrary to the first paragraph of Article 8 of ZVOP-1, and from the point of view of paragraph 6 of Article GDPR. 12. Under Article 6 (1) and (2) of the GDPR, Member States may not regulate the basis for the lawfulness of the processing of personal data in any other way than provided for in the Regulation, 4 but may maintain or adopt more detailed provisions (only) to adapt the application of the GDPR. refer to points (c) and (e) of the first paragraph of Article 6 of the GDPR.5 In the event of a breach of the first paragraph of Article 6 of the GDPR, the supervisory authority shall have the corrective powers referred to in the second paragraph of Article 58 of the GDPR. of this paragraph imposes an administrative fine under Article 83 of the GDPR. For violations of Article 6 of the GDPR, the fifth paragraph of Article 83 of the GDPR prescribes an administrative fine6 in the amount of up to EUR 20,000,000 or, in the case of a company, in the amount of up to 4% of total annual turnover in the previous financial year. 13. The applicant argues that the GDPR, as a subsequent rule for the perpetrator in the present case, is more lenient because it provides for administrative (rather than misdemeanor) sanctioning of its provisions. Such a position is simplistic and erroneous, as the legal definition of a sanction is not the only criterion in assessing whether the chosen sanction has a punitive nature and thus punitive effects. In assessing the nature of an individual sanction, additional account must be taken of the nature of the infringement and thus of the objective pursued by the sanction, and finally of the gravity of the sanction imposed on the infringer. paragraph of Article 83 of the GDPR), which shows that the prescribed sanctions can (at least partially) identify (also) retaliatory elements of sanctions. At the same time, it should be noted that the prescribed sanction for violation of the first paragraph of Article 6 of the GDPR amounts to significantly higher amounts of money than the fine prescribed by ZVOP-1 (in the range of EUR 830 to 2,080), which contradicts the conclusion that the provisions of the GDPR on administrative sanctions at the level of principle for a specific perpetrator are milder than the misdemeanor provisions of ZVOP-1 used by the misdemeanor authority in its decision-making. 14. The Supreme Court also finds, in the context of the entire text of the GDPR, that it leaves a certain degree of discretion to the Member States in regulating the sanctioning of infringements of its rules. Thus, point 149 of the introductory explanations, on which the request is also based, states that Member States should be able to lay down rules on criminal sanctions for infringements of this Regulation, as well as for infringements of national rules adopted pursuant to this Regulation. Regulation and within the limits of this Regulation. Point 150 of the recitals states that the imposition of an administrative fine or the issue of a warning does not affect the exercise of other powers of the supervisory authorities or other penalties in accordance with this Regulation. However, point 152 of the introductory explanations states that, where the Regulation does not provide for the harmonization of administrative penalties or, where appropriate, in other cases, such as serious infringements of this Regulation, Member States should apply a system that provides effective, proportionate and dissuasive penalties. whereas the nature of such penalties, whether criminal or administrative, should be determined by the law of the Member States. The entire GDPR system seeks to strengthen the enforcement of its rules, which is also intended to effectively, proportionately and dissuasively sanction violators. As Member States have a relatively wide scope in regulating national rules to sanction breaches of data protection rules under the GDPR, 8 the applicant's position, which seeks to convince that administrative fines under Article 83 of the GDPR are the only possible and for the perpetrator in compared to the provisions of ZVOP-1, the mildest sanction for the infringements in question proves to be unfounded. 15. The principle of supremacy, which the applicant relies on in its application, requires that, in the event of a conflict between a provision of a Member State's law and a provision of the acquis communautaire, the latter prevails. the provisions of the first paragraph of Article 8 of ZVOP-1 in connection with the misdemeanor sanction under point 1 of the first paragraph and the third paragraph of Article 91 of ZVOP-1, which determine illegal handling of personal data and prescribe a sanction for it, are not insurmountably contrary to GDPR rules, but remain within its limits. This means that the principle of the primacy of EU law in a specific misdemeanor case cannot be a relevant reason for the retroactive application of the substantive provisions of the GDPR. In addition, the applicant's argument, as offered by the request, would be untenable from the point of view of the effectiveness of EU law, as it would ultimately lead to a situation where acts which were defined as infringements under national law at the time of their service were prescribed sanction, could no longer be sanctioned after the entry into force of the GDPR, even though they were not discriminated against by the provisions of the GDPR.10 16. All the above dictates the conclusion that the substantive provisions of the GDPR relied on by the applicant are not more lenient for the specific perpetrator compared to the provisions of ZVOP-1 on which the impugned decision is based, therefore the violation of the principle of legality and Article 2 ZP-1 unfounded in the present proceedings. 17. In his submissions, the Supreme State Prosecutor also raises the question of whether the competent authority decided in a specific misdemeanor procedure. Referring to the ninth paragraph of Article 83 of the GDPR, he argues that the IP, as a supervisory body, should initiate proceedings before a court, which would then impose a sanction on the perpetrator. In this part, the Supreme Court finds that the applicant focuses (only) on the imposition of administrative fines under Article 83 (5) and (ninth) of the GDPR, while ignoring the procedural autonomy left to Member States in implementing common standards of protection. personal data. The provisions of the GDPR not only allow Member States to prescribe and (also) impose other sanctions for breaches of data protection rules, but - importantly, in procedural terms they have not replaced the procedural rules of ZP-1 applicable to misdemeanor proceedings concerning acts they were defined as a misdemeanor at the time of their service and a sanction was prescribed for them by law (Article 1 of ZP-1). 18. The Supreme Court finds that the IP decided as the competent misdemeanor body at the time of issuing the impugned decision and that, in accordance with the first paragraph of Article 2 of ZP-1, it lawfully applied the substantive regulation in force at the time of the misdemeanor. the subsequently enacted regulation for the perpetrator was not more lenient. All other questions raised by the request, including the dilemma of when and in what way the Slovenian legislator should implement European data protection regulations in the Slovenian legal order, are not within the jurisdiction of the Supreme Court in deciding on extraordinary legal remedies, so they cannot be answered. C. 19. Finding that the alleged violations of the law had not been committed, the Supreme Court rejected the request for protection of legality as unfounded. ------------------------------- 1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation). 2 Prim. Judgments of the Supreme Court IV Ips 43/2007 of 15 April 2008 and IV Ips 33/2018 of 18 September 2018. The same goes for K. Filipčič: Commentary on Article 2 of ZP-1, in: Misdemeanors Act commentary (ed. H. Jenull, P. Čas, N. Orel), GV Založba, Ljubljana 2018, p. 37. 3 Although the applicant does not problematize this, it should be noted that in the specific case the provisions of the GDPR are relevant, although the personal data of individuals were disclosed by the offender employed by the Supreme State Prosecutor's Office of the Republic of Slovenia. The specific rules laid down in Directive (EU) 2016/680 of 27 April 2016, which supplement the GDPR regime, apply only to the protection of individuals with regard to the processing of personal data processed by the competent authorities for the purposes of preventing, investigating, detecting or prosecuting criminal offenses. acts or the enforcement of criminal sanctions. If the data are processed by these authorities for other purposes, the GDPR rules apply (see point 11 of the introductory notes to Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data by the competent authorities). authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offenses or the enforcement of criminal sanctions, and on the free movement of such data and on the repeal of Council Framework Decision 2008/977 / JHA). 4 The Court of Justice has already held that Article 6 of the GDPR provides an exhaustive list of cases in which the processing of personal data may be considered lawful (Case C-61/19 of 11 November 2020, paragraph 34). In connection with the previously applicable Directive on the protection of individuals with regard to the processing of personal data, it has also been agreed that Member States may not add any new principles on the lawfulness of the processing of personal data or impose additional requirements C-582/14 of 19 October 2016, paragraph 57). 5 These are more detailed rules regarding the processing of personal data for the fulfillment of the legal obligation applicable to the controller, or regarding the processing of personal data necessary for the performance of a task in the public interest or in the exercise of public authority assigned to the controller. . 6 A more appropriate translation would be an administrative penalty or administrative sanction. Thus also K. Kraigher Mišič: Commentary on Article 83 of the GDPR, in: Commentary on the General Regulation on Data Protection (ed. N. Pirc Musar), Ur. l. RS, Ljubljana 2020, p. 967 7 Prim. Judgment of the Grand Chamber of the Court of Justice of the EU in case C-537/16 of 20 March 2018, item 28-35. 8 Prim. for example, the provision of Article 84 of the GDPR. 9 Thus V. Trstenjak, M. Brkan: EU Law - Constitutional, Procedural and Commercial Law of the EU, GV Založba, Ljubljana 2012, p. 206. Prim. also P. Craig, G. de Búrca: EU Law - Text, Cases and Materials (7th edition), Oxford University Press, Oxford 2020, p. 307-314. 10 It is for the national court, which falls within the scope of its jurisdiction to apply the provisions of the acquis communautaire, to ensure the full effect of those provisions (as in the case of the Court in Case 106/77 of 9 March 1978). in order to justify that the infringer can no longer be sanctioned after the entry into force of the Regulation, contrary to the requirements of Union law.