Effective Approach to Personal Data Protection in Public Institutions

Personal data protection in public institutions effective approach EU Twinning Project Expert: Dr Jens Ambrock Project Activity: Training course Personal data protection and freedom of information Date: 7.-9.11.2018 This project is funded by the European Union This project is funded by the European Union

Main Principles of European Data Protection Law Checklist of Art. 5 GDPR: Lawfulness Fairness Transparency Purpose limitation Accuracy Data minimisation Storage limitation Integrity and confidentiality Accountability

Main Principles of European Data Protection Law Checklist of Art. 5 GDPR: Lawfulness Fairness Transparency Purpose limitation Accuracy Data minimisation Storage limitation Integrity and confidentiality Accountability

Principle of Lawfulness Processing of personal data only allowed on the basis of or consent legal ground (= law)

Structure of Legal Grounds Area specific (national) law e.g. tax law / food law / academic law / wastewater law etc. Area specific clauses of the GDPR e.g. Art. 22 GDPR (Profiling), e.g. Art. 9 (2) GDPR (special categories) etc. General clauses of the GDPR Art. 6 (1) b)-f) GDPR Changed purpose, Art 6 (4) GDPR Consent

Example of Area-specific Law 15 Hamburg Waste Disposal Act (1)The competent public authority is entitled to collect and process personal data ( ) for the puposes of its accomplishment of tasks. The collection and processing may in particular be carried out for purposes of 1. supervision of the waste disposal, 2. organisation of the waste disposal according to 6, 3. ( ) 4. consultation on waste disposal according to 3.

Structure of Legal Grounds Area specific (national) law e.g. tax law / food law / academic law / wastewater law etc. Area specific clauses of the GDPR e.g. Art. 22 GDPR (Profiling), e.g. Art. 9 (2) GDPR (special categories) etc. General clauses of the GDPR Art. 6 (1) b)-f) GDPR Changed purpose, Art 6 (4) GDPR Consent

General Clauses for Data Processing Fulfil a contract Art. 6 (1) b) GDPR processing is necessary for the performance of a contract to which the data subject is party Example: Employment contract Example: Public administration buying goods Necessary More than just helpful Purpose of the contract

General Clauses for Data Processing Public interest Art. 6 (1) e) GDPR processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller Always comply with the public authorities duties / functions statute / legal basis of the public body

General Clauses for Data Processing Legal obligation Art. 6 (1) c) GDPR Obligation to process data Permission to process data e.g. tax law e.g. investivative authorities public prosecution authority e.g. auditing authority / comptroller s office e.g. Freedom of Information Act

Consent Only if no legal basis is applicable statement or by a clear affirmative action Only valid if freely given Free choice to refuse the consent No voluntariness in cases of subordination Employer v employee State v citisen The state (usually) does not ask for consent

Principle of Purpose Limitation The purpose of the processing is to be defined before the collection. Collection without puropse is forbidden. Limit on the data which is necessary to serve the purpose. Problem of changed purposes Example: Journalist asks for the salaries of administrative employees. Old purpose: Payment of Salaries New purpose: Public information/discussion Example: Journalist asks for data collected by the police. Old purpose: Danger prevention New purpose: Public information/discussion

Freedom of Information Act(s) Most EU-memberstates provide FOI-acts Administrative data is to provide upon request No specification of reasons Requests e.g. from press/media, NGOs or interested citizens Derogations Personal data(!) Business secrets Public interests e.g. ongoing procedures e.g. security (police tactics)

Freedom of Information: Example open call for tender design drafts from six architects requests for files concerning criteria for the choice of the winning draft building permission Public money spent on the project architect s name = personal data? business secrets?

Information Requests from Press and Media Role of the press as a public watchdog Also: Online-blogs (with editorial approach) Special right of access Limited to information of public interest Again: Derogation for public interests Including access to personal data if proportionate Interest of the individual - Private/Family life - No public interest - Personal disadvantages Interest of the public - Official business - Controversal topic - Importance for the democratic discussion

Practical Handling When receaving a FOI-request: Does the file include personal data? Can the personal data be blackend? Example: The citizen sdfsdfsdfsdfs has received social benefits. After blackening the names: Is the data still personal because of the combination of data? Example: The Moldowan teacher sdfsdfsdfsdfs drives a Toyota has four children and an uncle in Italy.

Practical Handling Aggregation of information Build groups of persons and generate averages. Employee x earns y Leu per month. Bus drivers earn from x to z Leu per month; teachers earn from x to z How large are the salaries of the governmental employees? Bus drivers earn x Leu per month on average; teachers earn y Leu on average.

Thank you for your attention! Dr Jens Ambrock Office of the Hamburg Commissioner for Data Protection and Freedom of Information Ludwig-Erhard-Stra e 22, 20459 Hamburg, Germany jens.ambrock@datenschutz.hamburg.de EU Twinning Project Expert: Dr Jens Ambrock Project Activity: Training course Personal data protection and freedom of information Date: 7.-9.11.2018 This project is funded by the European Union This project is funded by the European Union