"The processing of personal data should be designed to serve the interests of society as a whole." ... This is part of the preamble to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter also referred to as the "Regulation"). However, it is not always possible to put this sentence into practice, and this was also the case in the situation described in this article.
The Office for Personal Data Protection of the Slovak Republic (hereinafter referred to as the "Office") received a proposal from the Applicant to initiate proceedings concerning a breach of the legal obligation arising from Article 15 of the aforementioned Regulation.
The right of access to data by the data subject is an existing right enshrined not only in Article 15 of the Regulation but also in the Charter of Fundamental Rights of the European Union. The existence of the right of access by the data subject to personal data concerning him or her processed by others stems from the need to respect private life and has been confirmed on several occasions by the European Court of Human Rights.
In the proposal, the applicant requested the Ministry of Finance of the Slovak Republic (hereinafter also referred to as the "Ministry") to provide information on the processing of personal data concerning him by the Ministry. He requested information on what data the Ministry processes, i.e. all information to which he is entitled under Article 15(1) and (2) of the Regulation.
Paragraphs 1 and 2 of Article 15 of the Regulation regulate the right of the data subject to obtain confirmation from the controller as to whether personal data concerning him or her are being processed and, if so, he or she has the right to obtain access to the personal data and information about the purpose of the processing, the categories of personal data concerned, the recipients or categories of recipients to whom the personal data have been or will be disclosed, the expected period of storage of the personal data, the rights of the data subject, the source of the information (if the source was not the data subject themselves), the transfer of data to third countries and appropriate safeguards, and the existence of automated decision-making, including profiling.
The Ministry informed the Applicant that, with regard to the part of the submission concerning the processing of personal data in the Ministry's information systems, the Ministry would send a statement to the Applicant. However, the Ministry did not provide any further information to the Applicant or communicate with him on the matter.
The Office therefore initiated personal data protection proceedings on the basis of the Complainant's proposal and notified both the Complainant and the Ministry as the Controller. The Ministry responded to the proposal by stating that the Applicant's request concerned several agendas and that, at the time of preparing the response to the Applicant, there had been a communication error between the relevant departments of the Ministry. According to the Ministry, part of the response was drafted by the first department, which then sent this part of the response to the second department. The latter was supposed to finalize the response and send it directly to the Complainant. However, for reasons that are not clear, the final response was not sent. The applicant received a response that did not include a complete answer to his request. It can be concluded that a situation arose in which the first department believed that the first part of the response had been sent.
However, the applicant responded to the ministry's reply by stating that if the first department had prepared a reply, it would have sent it to the applicant subsequently or after the proceedings had been initiated by the Office, which did not happen.
Based on the documents and facts, the Office found that the Ministry had not provided any of the information requested by the applicant in writing, thereby violating the right of access to data under Article 15(1) and (2) of the Regulation. On the basis of these facts, the Office for Personal Data Protection of the Slovak Republic ordered the Ministry, pursuant to Article 58(2)(c) of the Regulation, to comply with this request within the time limit specified in Article 12(3) of the Regulation. In order to strengthen the enforcement of the rules of the Regulation, the Office also imposed a fine of EUR 700 on the Ministry, considering as a mitigating circumstance that there was no reason to conclude that the infringement was intentional.
According to the Office, the failure to provide information on the processing of personal data creates a risk for the data subjects, in this case the Applicant, of a reduction or loss of control over their personal data. In conclusion, it can be stated that the Ministry's conduct and the Applicant's loss of control over his personal data did not fulfill the sentence in the preamble to the Regulation at the beginning of this article.
Sources:
[1] Judgment of the European Court of Human Rights of 7 July 1989 in the case of Gaskin v. the United Kingdom, application no. 10454/83
