This question can be interesting in respect of the latest change in Hungarian health data processing: doctors performing health on the workplace tests are obliged to upload the entire files to the common health space where access is not as limited as it should be.
The concrete case adjudicated by the European Court of Justice concerns the processing of COVID vaccination data, also based on national law.
For processing based on a legal obligation to which the controller is subject, Member Statesmay maintan and introduce specific provisions determining more specific requirements and can also describe features of the processing, including measures to ensure fair and lawful processing. Processing of special categories of data (including health data) for reasons of substantial public interest (in any area) or of public interest in the area of public health requires that the élaw should provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject. This latter provision was under the microscope of the Court in this case.
Processing where the law is serving as a basis, may mean that the data subjects are already aware of the information to be obligatorily provided by the controller based on the GDPR and thus information to the data subject does not necessarily has to be provided separately. This was also put in question and the Court also responded.
Summary
The Court of Justice held that the controller has no obligation to provide information about the processing of personal data generated by the controller just like in the case of personal data acquired from a third person or external organisation if the conditions of Article 14(5)c are fulfilled. The national supervisory authority has the right to verify whether the measures in the law laying out the processing indeed covers the processing and whether it provides for appropriate protection measures for the legitimate interests of the data subject but not the actual implementation of these measures by the controller.
Facts
An immunity certificate confirming the vaccination of UC, a natural person, against COVID-19 was issued by the controller to the data subject. The data subject lodged 30/4/2021 a complaint that the controller had not drawn up and published any statement on the protection of personal data in relation to the issuing of immunity certificates and that there was no information concerning the purpose and legal basis of the processing of those data or the rights of data subjects and how those rights could be exercised. The Controller stated that it obtained the personal data that it processed from another body, in accordance with the provisions of Decree No 60/2021. On that basis, it asserted that, pursuant to Article 14(5)(c) of the GDPR, it was not required to provide information on the processing of those data. It nonetheless drew up the requested statement concerning the protection of personal data and published it on its website. The 15 November 2021, the national authority rejected the request and found that the controller had no obligation to provide information because the processing of personal data in question was covered by the exception laid down in Article 14(5)(c) of the GDPR. Decree No 60/2021 formed the legal basis for that processing and it expressly required the issuing authority to collect the data at issue. According to that authority, the publication of information on the processing of personal data by the controller, on its website, amounted to good practice and not to a legal obligation. The national authority also found that Articles 2, 3 and 5 to 7 of Decree No 60/2021 contained appropriate measures to protect the data subject’s legitimate interests. The data subject challenged the decision in court. The first instance court considered that the exception laid down in Article 14(5)(c) of the GDPR was not applicable because certain personal data produced in relation to the immunity certificates were not collected from another body by the controller, but were generated by that controller itself in the performance of its tasks. That was the case, according to that court, so far as concerns the serial number of the immunity certificate, the expiry date of the certificate issued to a person who has contracted the illness, the QR code on the card, the barcode and other alphanumerical codes on the letter of delivery of the certificate and the personal data generated under the controller’s file management processes. In that court’s view, only personal data obtained from another body could be covered by the exception laid down in Article 14(5)(c) of the GDPR. The national authority appealed to the Kuria which asks whether the exception laid down in Article 14(5)(c) of the GDPR can apply to all processing of personal data except processing which relates to personal data collected from the data subject. In the affirmative, that court asks whether, in the context of a complaint procedure under Article 77(1) of the GDPR, the supervisory authority is competent to verify, with a view to ruling on the applicability of that exception, whether the controller’s national law provides appropriate measures to protect the legitimate interests of the data subject. Last, in the affirmative, the referring court wishes to know whether that verification also covers the appropriateness of the measures which the controller is required to implement, under Article 32 of the GDPR, in order to guarantee the security of the processing of personal data.
The judgment
About the first question:
In order to determine whether that exception covers personal data generated by the controller itself – in the performance of its tasks – from data obtained from a person other than the data subject, it is necessary, in accordance with settled case-law, to consider not only the wording of the provision laying down that exception but also its context and the objectives pursued by the legislation of which it forms part. There is a discrepancy between the different language versions of that provision – information or data. by reference to the general scheme and purpose of the rules of which it forms part. Based on recitals 61 and 62 of the GDPR, the CoJ found that the law refers to personal data and that that provision must be understood as referring to obtaining or disclosure of personal data. The obligation to provide information to the data subject imposed by Article 14(1), (2) and (4) of that regulation is not justified when another provision of EU law or of Member State law imposes on the controller a sufficiently comprehensive and binding obligation to provide to the data subject information relating to obtaining or disclosure of personal data. The wording of Article 14(5)(c) of the GDPR does not limit the exception which it lays down merely to personal data obtained by the controller from a person other than the data subject, nor does it exclude data generated by the controller itself, in the performance of its tasks, from such data. All those data which that controller collects from a person other than the data subject and those which that controller generated itself, in the performance of its tasks are data obtained from a person other than the data subject. Therefore the CoJ concluded that the exception to the obligation to provide information to the data subject, laid down in Article 14(5)(c) of the GDPR, requires that, first, the obtaining or disclosure of personal data by the controller be expressly laid down by Union or Member State law to which that controller is subject and second, that that law must provide appropriate measures to protect the data subject’s legitimate interests.
About the second and third questions examined together:
In essence the questions are whether Article 14(5)(c) and Article 77(1) of the GDPR must be interpreted as meaning that, in a complaint procedure, the supervisory authority is competent to verify whether the Member State law to which the controller is subject provides appropriate measures to protect the data subject’s legitimate interests, for the purposes of the application of the exception laid down in Article 14(5)(c) and whether that verification also covers the appropriateness of the measures which the controller is required to implement, under Article 32 of that regulation, in order to guarantee the security of the processing of personal data. Article 77(1) of the GDPR, states that, without prejudice to any other administrative or judicial remedy, every data subject has the right to lodge a complaint with a supervisory authority, if the data subject considers that the processing of personal data relating to him or her infringes that regulation. Article 55(1) of that regulation provides that each supervisory authority is competent, on the territory of its own Member State, for the performance of the tasks assigned to it and the exercise of the powers conferred on it in accordance with that regulation. Finally, Article 57(1)(a) of the GDPR provides that each supervisory authority must monitor and enforce the application of that regulation on its territory. The GDPR does not include any provision such as to exclude certain aspects of the application of the exception laid down in Article 14(5)(c) of that regulation from the competence of those supervisory authorities. Thus, the supervisory authority before which such a complaint is brought may be required to verify whether Union law or national law provides that the controller must obtain or disclose personal data and also for appropriate measures to protect the data subject’s legitimate interests. This includes whether the relevant national or EU law defines with sufficient precision the various types of personal data to be obtained or disclosed, as well as the personal data that it is required to generate in the performance of its duties, and whether that law sets out the manner in which the data subject actually has access to the information referred to in Article 14(1), (2) and (4) of the GDPR. The scope of the expression ‘appropriate measures to protect the data subject’s legitimate interests’ is not defined in the GDPR. That said, the provisions of EU or Member State law which provide for such measures and to which the controller is subject must guarantee, as noted in paragraph 54 of the present judgment, a level of protection of the data subject with regard to the processing of his or her personal data which is at least equivalent to that provided for in Article 14(1) to (4) of that regulation. Thus, those provisions must be such as to put the data subject in a position to enable him or her to exercise control over his or her personal data and to exercise the rights conferred on him or her by the GDPR. It will therefore be for the supervisory authority to verify, inter alia, whether the relevant national or EU law defines with sufficient precision the various types of personal data to be obtained or disclosed, as well as the personal data that it is required to generate in the performance of its duties, and whether that law sets out the manner in which the data subject actually has access to the information referred to in Article 14(1), (2) and (4) of the GDPR. The verification, by a supervisory authority, of whether all the conditions for the application of the exception laid down in Article 14(5)(c) of the GDPR are satisfied does not, however, include an examination of the validity of the relevant provisions of national law. That authority takes a decision only on whether or not, in a given case, the controller is entitled to rely on the exception laid down in that provision in relation to the data subject. The appropriateness of the technical and organisational measures to ensure an adequate level of security for the processing of personal data applied by the controller are not to be evaluated, if the complaint refers to the lack of provision of information. Article 14(5)(c) of that regulation establishes an exception only to the obligation to provide information laid down in Article 14(1), (2) and (4) of that regulation, without providing for a derogation from the obligations contained in other provisions of that regulation, including Article 32 thereof, which must be complied with in all circumstances and irrespective of whether or not there is an obligation to provide information under Article 14 of that regulation, as the obligations in Article 32 differ in nature and scope from the obligation to provide information laid down in Article 14 of that regulation. In case of a complaint on the ground that the controller wrongly relied on the exception laid down in Article 14(5)(c) of that regulation, the subject matter of the verifications to be carried out by the supervisory authority is delimited by the scope of Article 14 of that regulation alone, since compliance with Article 32 thereof is not included in those verifications. Thus, the supervisory authority is competent to verify whether the Member State law to which the controller is subject provides appropriate measures to protect the data subject’s legitimate interests, for the purposes of the application of the exception laid down in Article 14(5)(c). That verification does not however cover the appropriateness of the measures which the controller is required to implement, under Article 32 of that regulation, in order to guarantee the security of processing of personal data.
Summary
The Court of Justice held that the controller has no obligation to provide information about the processing of personal data generated by the controller just like in the case of personal data acquired from a third person or external organisation if the conditions of Article 14(5)c are fulfilled. The national supervisory authority has the right to verify whether the measures in the law laying out the processing indeed covers the processing and whether it provides for appropriate protection measures for the legitimate interests of the data subject but not the actual implementation of these measures by the controller.
Facts
An immunity certificate confirming the vaccination of UC, a natural person, against COVID-19 was issued by the controller to the data subject. The data subject lodged 30/4/2021 a complaint that the controller had not drawn up and published any statement on the protection of personal data in relation to the issuing of immunity certificates and that there was no information concerning the purpose and legal basis of the processing of those data or the rights of data subjects and how those rights could be exercised. The Controller stated that it obtained the personal data that it processed from another body, in accordance with the provisions of Decree No 60/2021. On that basis, it asserted that, pursuant to Article 14(5)(c) of the GDPR, it was not required to provide information on the processing of those data. It nonetheless drew up the requested statement concerning the protection of personal data and published it on its website. The 15 November 2021, the national authority rejected the request and found that the controller had no obligation to provide information because the processing of personal data in question was covered by the exception laid down in Article 14(5)(c) of the GDPR. Decree No 60/2021 formed the legal basis for that processing and it expressly required the issuing authority to collect the data at issue. According to that authority, the publication of information on the processing of personal data by the controller, on its website, amounted to good practice and not to a legal obligation. The national authority also found that Articles 2, 3 and 5 to 7 of Decree No 60/2021 contained appropriate measures to protect the data subject’s legitimate interests. The data subject challenged the decision in court. The first instance court considered that the exception laid down in Article 14(5)(c) of the GDPR was not applicable because certain personal data produced in relation to the immunity certificates were not collected from another body by the controller, but were generated by that controller itself in the performance of its tasks. That was the case, according to that court, so far as concerns the serial number of the immunity certificate, the expiry date of the certificate issued to a person who has contracted the illness, the QR code on the card, the barcode and other alphanumerical codes on the letter of delivery of the certificate and the personal data generated under the controller’s file management processes. In that court’s view, only personal data obtained from another body could be covered by the exception laid down in Article 14(5)(c) of the GDPR. The national authority appealed to the Kuria which asks whether the exception laid down in Article 14(5)(c) of the GDPR can apply to all processing of personal data except processing which relates to personal data collected from the data subject. In the affirmative, that court asks whether, in the context of a complaint procedure under Article 77(1) of the GDPR, the supervisory authority is competent to verify, with a view to ruling on the applicability of that exception, whether the controller’s national law provides appropriate measures to protect the legitimate interests of the data subject. Last, in the affirmative, the referring court wishes to know whether that verification also covers the appropriateness of the measures which the controller is required to implement, under Article 32 of the GDPR, in order to guarantee the security of the processing of personal data.
The judgment
About the first question:
In order to determine whether that exception covers personal data generated by the controller itself – in the performance of its tasks – from data obtained from a person other than the data subject, it is necessary, in accordance with settled case-law, to consider not only the wording of the provision laying down that exception but also its context and the objectives pursued by the legislation of which it forms part. There is a discrepancy between the different language versions of that provision – information or data. by reference to the general scheme and purpose of the rules of which it forms part. Based on recitals 61 and 62 of the GDPR, the CoJ found that the law refers to personal data and that that provision must be understood as referring to obtaining or disclosure of personal data. The obligation to provide information to the data subject imposed by Article 14(1), (2) and (4) of that regulation is not justified when another provision of EU law or of Member State law imposes on the controller a sufficiently comprehensive and binding obligation to provide to the data subject information relating to obtaining or disclosure of personal data. The wording of Article 14(5)(c) of the GDPR does not limit the exception which it lays down merely to personal data obtained by the controller from a person other than the data subject, nor does it exclude data generated by the controller itself, in the performance of its tasks, from such data. All those data which that controller collects from a person other than the data subject and those which that controller generated itself, in the performance of its tasks are data obtained from a person other than the data subject. Therefore the CoJ concluded that the exception to the obligation to provide information to the data subject, laid down in Article 14(5)(c) of the GDPR, requires that, first, the obtaining or disclosure of personal data by the controller be expressly laid down by Union or Member State law to which that controller is subject and second, that that law must provide appropriate measures to protect the data subject’s legitimate interests.
About the second and third questions examined together:
In essence the questions are whether Article 14(5)(c) and Article 77(1) of the GDPR must be interpreted as meaning that, in a complaint procedure, the supervisory authority is competent to verify whether the Member State law to which the controller is subject provides appropriate measures to protect the data subject’s legitimate interests, for the purposes of the application of the exception laid down in Article 14(5)(c) and whether that verification also covers the appropriateness of the measures which the controller is required to implement, under Article 32 of that regulation, in order to guarantee the security of the processing of personal data. Article 77(1) of the GDPR, states that, without prejudice to any other administrative or judicial remedy, every data subject has the right to lodge a complaint with a supervisory authority, if the data subject considers that the processing of personal data relating to him or her infringes that regulation. Article 55(1) of that regulation provides that each supervisory authority is competent, on the territory of its own Member State, for the performance of the tasks assigned to it and the exercise of the powers conferred on it in accordance with that regulation. Finally, Article 57(1)(a) of the GDPR provides that each supervisory authority must monitor and enforce the application of that regulation on its territory. The GDPR does not include any provision such as to exclude certain aspects of the application of the exception laid down in Article 14(5)(c) of that regulation from the competence of those supervisory authorities. Thus, the supervisory authority before which such a complaint is brought may be required to verify whether Union law or national law provides that the controller must obtain or disclose personal data and also for appropriate measures to protect the data subject’s legitimate interests. This includes whether the relevant national or EU law defines with sufficient precision the various types of personal data to be obtained or disclosed, as well as the personal data that it is required to generate in the performance of its duties, and whether that law sets out the manner in which the data subject actually has access to the information referred to in Article 14(1), (2) and (4) of the GDPR. The scope of the expression ‘appropriate measures to protect the data subject’s legitimate interests’ is not defined in the GDPR. That said, the provisions of EU or Member State law which provide for such measures and to which the controller is subject must guarantee, as noted in paragraph 54 of the present judgment, a level of protection of the data subject with regard to the processing of his or her personal data which is at least equivalent to that provided for in Article 14(1) to (4) of that regulation. Thus, those provisions must be such as to put the data subject in a position to enable him or her to exercise control over his or her personal data and to exercise the rights conferred on him or her by the GDPR. It will therefore be for the supervisory authority to verify, inter alia, whether the relevant national or EU law defines with sufficient precision the various types of personal data to be obtained or disclosed, as well as the personal data that it is required to generate in the performance of its duties, and whether that law sets out the manner in which the data subject actually has access to the information referred to in Article 14(1), (2) and (4) of the GDPR. The verification, by a supervisory authority, of whether all the conditions for the application of the exception laid down in Article 14(5)(c) of the GDPR are satisfied does not, however, include an examination of the validity of the relevant provisions of national law. That authority takes a decision only on whether or not, in a given case, the controller is entitled to rely on the exception laid down in that provision in relation to the data subject. The appropriateness of the technical and organisational measures to ensure an adequate level of security for the processing of personal data applied by the controller are not to be evaluated, if the complaint refers to the lack of provision of information. Article 14(5)(c) of that regulation establishes an exception only to the obligation to provide information laid down in Article 14(1), (2) and (4) of that regulation, without providing for a derogation from the obligations contained in other provisions of that regulation, including Article 32 thereof, which must be complied with in all circumstances and irrespective of whether or not there is an obligation to provide information under Article 14 of that regulation, as the obligations in Article 32 differ in nature and scope from the obligation to provide information laid down in Article 14 of that regulation. In case of a complaint on the ground that the controller wrongly relied on the exception laid down in Article 14(5)(c) of that regulation, the subject matter of the verifications to be carried out by the supervisory authority is delimited by the scope of Article 14 of that regulation alone, since compliance with Article 32 thereof is not included in those verifications. Thus, the supervisory authority is competent to verify whether the Member State law to which the controller is subject provides appropriate measures to protect the data subject’s legitimate interests, for the purposes of the application of the exception laid down in Article 14(5)(c). That verification does not however cover the appropriateness of the measures which the controller is required to implement, under Article 32 of that regulation, in order to guarantee the security of processing of personal data.
Comments
Post a Comment