Personal data protection in public institutions – effective approach
EU Twinning Project
Expert: Dr Jens Ambrock
Project Activity: Training course “Personal data protection and freedom of information”
Date: 7.-9. 11. 2018
This project is funded by the European Union
Main Principles of European Data Protection Law
• Checklist of Art. 5 GDPR:
  ✓ Lawfulness
  ✓ Fairness
  ✓ Transparency
  ✓ Purpose limitation
  ✓ Accuracy
  ✓ Data minimisation
  ✓ Storage limitation
  ✓ Integrity and confidentiality
  ✓ Accountability
Principle of Lawfulness
• Processing of personal data is only allowed on the basis of a legal ground (= law) or consent
Structure of Legal Grounds
• Area-specific (national) law, e. g. tax law / food law / academic law / wastewater law etc.
• Area-specific clauses of the GDPR, e. g. Art. 22 GDPR (profiling), Art. 9 (2) GDPR (special categories) etc.
• General clauses of the GDPR: Art. 6 (1) b)-f) GDPR; changed purpose, Art. 6 (4) GDPR
• Consent
Example of Area-specific Law
§ 15 Hamburg Waste Disposal Act
(1) The competent public authority is entitled to collect and process personal data (…) for the purposes of its accomplishment of tasks. The collection and processing may in particular be carried out for purposes of
1. supervision of the waste disposal,
2. organisation of the waste disposal according to § 6,
3. (…)
4. consultation on waste disposal according to § 3.
General Clauses for Data Processing
• Fulfil a contract: Art. 6 (1) b) GDPR
• “processing is necessary for the performance of a contract to which the data subject is party”
• Example: Employment contract
• Example: Public administration buying goods
• “Necessary”
  • More than just helpful
  • Purpose of the contract
General Clauses for Data Processing
• Public interest: Art. 6 (1) e) GDPR
• “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”
• Always comply with the public authority's duties / functions statute / legal basis of the public body
General Clauses for Data Processing
• Legal obligation: Art. 6 (1) c) GDPR
• Obligation to process data / permission to process data
  • e. g. tax law
  • e. g. investigative authorities (public prosecution authority)
  • e. g. auditing authority / comptroller's office
  • e. g. Freedom of Information Act
Consent
• Only if no legal basis is applicable
• Statement or clear affirmative action
• Only valid if freely given
  • Free choice to refuse the consent
  • No voluntariness in cases of subordination: employer v employee, state v citizen
• The state (usually) does not ask for consent
Principle of Purpose Limitation
• The purpose of the processing is to be defined before the collection.
• Collection without purpose is forbidden.
• Limit to the data which is necessary to serve the purpose.
• Problem of changed purposes
  • Example: Journalist asks for the salaries of administrative employees. Old purpose: payment of salaries. New purpose: public information/discussion.
  • Example: Journalist asks for data collected by the police. Old purpose: danger prevention. New purpose: public information/discussion.
Freedom of Information Act(s)
• Most EU member states provide FOI acts
• Administrative data is to be provided upon request
• No specification of reasons required
• Requests e. g. from press/media, NGOs or interested citizens
• Derogations
  • Personal data(!)
  • Business secrets
  • Public interests, e. g. ongoing procedures, e. g. security (police tactics)
Freedom of Information: Example
• Open call for tender
• Design drafts from six architects
• Requests for files concerning
  • criteria for the choice of the winning draft
  • building permission
• Public money spent on the project
• Architect's name = personal data?
• Business secrets?
Information Requests from Press and Media
• Role of the press as a „public watchdog“
• Also: online blogs (with editorial approach)
• Special right of access
• Limited to information of public interest
• Again: derogation for public interests
• Including access to personal data if proportionate
Interest of the public:
  • Official business
  • Controversial topic
  • Importance for the democratic discussion
Interest of the individual:
  • Private/family life
  • No public interest
  • Personal disadvantages
Practical Handling
• When receiving an FOI request:
  • Does the file include personal data?
  • Can the personal data be blackened?
  • Example: „The citizen sdfsdfs has received social benefits.“
• After blackening the names:
  • Is the data still personal because of the combination of data?
  • Example: „The Moldovan teacher sdfsdfs drives a Toyota, has four children and an uncle in Italy.“
Practical Handling
• Aggregation of information
• Build groups of persons and generate averages.
• „How large are the salaries of the governmental employees?“
  • „Employee x earns y Leu per month.“
  • „Bus drivers earn from x to z Leu per month; teachers earn from x to z …“
  • „Bus drivers earn x Leu per month on average; teachers earn y Leu on average.“
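The three steps of the two "Practical Handling" slides (blacken the names, check whether the remaining combination of attributes still singles one person out, then release only group ranges and averages) as an added Python example; this is illustrative code written for this page, not material from the training course. The records, roles and Leu figures are constructed, and the minimum group size of three below which no figure is released is an assumption.

```python
"""Constructed example: blacken names, check combinations, aggregate.

All records below are invented sample data; the minimum group size for
releasing a range or average is an assumption, not a figure from the slides.
"""
from collections import Counter, defaultdict
from statistics import mean

# Constructed sample file: name, role, nationality and monthly salary in Leu.
RECORDS = [
    {"name": "A. Popescu", "role": "teacher", "nationality": "Moldovan", "salary": 6200},
    {"name": "B. Rusu", "role": "teacher", "nationality": "Moldovan", "salary": 5800},
    {"name": "C. Ionescu", "role": "teacher", "nationality": "Moldovan", "salary": 6000},
    {"name": "D. Ceban", "role": "bus driver", "nationality": "Moldovan", "salary": 4100},
    {"name": "E. Lupu", "role": "bus driver", "nationality": "Moldovan", "salary": 4500},
    {"name": "F. Munteanu", "role": "bus driver", "nationality": "Moldovan", "salary": 4300},
    {"name": "G. Bianchi", "role": "teacher", "nationality": "Italian", "salary": 6100},
]

MIN_GROUP = 3  # assumption: groups below this size are not released at all


def blacken_names(records):
    """Step 1: drop the direct identifier (the name) from every record."""
    return [{k: v for k, v in r.items() if k != "name"} for r in records]


def singled_out(records, keys):
    """Step 2: after blackening, does a combination of the remaining
    attributes still point to exactly one person? Returns those combinations."""
    counts = Counter(tuple(r[k] for k in keys) for r in records)
    return [dict(zip(keys, combo)) for combo, n in counts.items() if n == 1]


def aggregate(records, group_key="role", value_key="salary", min_group=MIN_GROUP):
    """Step 3: build groups and release only ranges and averages, and only
    for groups large enough that no individual value can be read back."""
    groups = defaultdict(list)
    for r in records:
        groups[r[group_key]].append(r[value_key])
    released = {}
    for group, values in sorted(groups.items()):
        if len(values) < min_group:
            released[group] = "suppressed: group too small"
        else:
            released[group] = {"n": len(values), "min": min(values),
                               "max": max(values), "avg": round(mean(values))}
    return released
```

Running `singled_out(blacken_names(RECORDS), ["role", "nationality"])` flags the single Italian teacher, who remains identifiable even without a name, while `aggregate` releases only the two group ranges and averages.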
Thank you for your attention!
Dr Jens Ambrock
Office of the Hamburg Commissioner for Data Protection and Freedom of Information
Ludwig-Erhard-Straße 22, 20459 Hamburg, Germany
jens.ambrock@datenschutz.hamburg.de