“The processing of personal data should be designed to serve humanity.” …so reads part of the preamble to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter also referred to as the “Regulation”). However, it is not always possible to put this sentence into practice, and this was also the case in the matter discussed in this article.
The Office for Personal Data Protection of the Slovak Republic (hereinafter also referred to as the “Office”) has received a request from the Petitioner to initiate proceedings regarding a breach of the legal obligation arising from Article 15 of the aforementioned Regulation.
The data subject’s right of access to data is an established right enshrined not only in Article 15 of the Regulation but also in the Charter of Fundamental Rights of the European Union. The existence of the data subject’s right of access to personal data processed by others regarding them stems from the need to respect private life, and this right has also been confirmed on multiple occasions by the European Court of Human Rights.[1]
In the petition, the Petitioner requested that the Ministry of Finance of the Slovak Republic (hereinafter also referred to as the “Ministry”) provide information regarding the Ministry’s processing of personal data concerning him. He requested information on what data the Ministry processes, i.e., the provision of all information to which he is entitled under Article 15(1) and (2) of the Regulation.
Paragraphs 1 and 2 of Article 15 of the Regulation govern the data subject’s right to obtain from the controller confirmation as to whether personal data concerning him or her are being processed, and if so, the right to access such personal data, as well as information regarding the purpose of the processing, the categories of personal data concerned, the recipients or categories of recipients to whom the personal data have been or will be disclosed, the envisaged period for which the personal data will be stored, the rights of the data subject, the source of the information (if the data subject was not the source), the transfer of data to third countries and appropriate safeguards, and the existence of automated decision-making, including profiling.
The Ministry informed the Petitioner that, regarding the part of the submission concerning the processing of personal data in the Ministry’s information systems, the Ministry would send him a statement. However, the Ministry did not provide the Petitioner with any further information nor did it communicate with him on the matter.
The Office therefore initiated personal data protection proceedings based on the Petitioner’s submission, notifying both the Petitioner and the Ministry as the Controller. The Ministry commented on the proposal, stating that the Complainant’s request concerned multiple departments and that, at the time the response to the Complainant was being prepared, a communication error occurred between the relevant departments of the Ministry. According to the Ministry’s statements, part of the response was drafted by the first department, which subsequently forwarded that portion of the response to the second department. The latter was supposed to finalize the response and send it directly to the Petitioner. However, for reasons that have not been fully ascertained, the final response was never sent. The Petitioner was sent a response that did not include a complete reply regarding his request. It can be concluded that a situation arose in which the first department believed that the prepared first part of the response had been sent.
However, the petitioner responded to this reply from the Ministry by asserting that if the first department had indeed drafted a response, it would have sent it to the petitioner subsequently or after the Office initiated proceedings, which did not occur.
Based on the supporting documents and facts, the Office concluded that the Ministry had not provided any of the requested information in response to the Applicant’s written request, thereby violating the right of access to data under Article 15(1) and (2) of the Regulation. Based on these facts, the Office for Personal Data Protection of the Slovak Republic ordered the Ministry, pursuant to Article 58(2)(c) of the Regulation, to process this request within the time limit specified in Article 12(3) of the Regulation. The Office also, with the aim of strengthening the enforcement of the Regulation’s rules, imposed a fine of 700 euros on the Ministry, while considering as a mitigating circumstance that there was no reason to conclude the infringement was intentional.
According to the Office, such a failure to provide information on processing creates a risk for the data subjects, in this case the Applicant, of a reduction or loss of control over their personal data. In conclusion, it can be stated that the Ministry’s conduct and the Applicant’s loss of control over his personal data did not fulfill the sentence in the preamble of the Regulation cited at the beginning of this article.
Sources:
[1] Judgment of the European Court of Human Rights of July 7, 1989, in the case of Gaskin v. the United Kingdom, Application No. 10454/83
