An Austrian bank was fined EUR 9,500 because its Data Protection Officer misinterpreted a customer's request for access to their personal data as a request for erasure of personal data. We must admit that it is not clear to us how such a case is possible, but it happened.

The bank, as the controller, defended itself by saying that this was the Data Protection Officer's mistake and that it would engage another employee or seek help from external professionals who provide Data Protection Officer services.

Naturally, the bank wanted to avoid liability by blaming the Data Protection Officer, whom the bank itself had appointed. However, the bank did not succeed.

 

The German bank's case is here:

https://gdprhub.eu/index.php?title=DSB_(Austria)_-_2023-0.789.858&mtc=today

 

However, the supervisory authority relied on earlier positions of the European Court, in particular the judgment in C‑807/21:

https://curia.europa.eu/juris/document/document.jsf?text=&docid=272981&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=4523475

which establishes that a legal person is liable for infringements committed by its representatives, who may be any person acting in the course of business on behalf of the controller.

 

We quote from the CJEU judgment in C‑807/21:

„57. A legal person who can be classified as a data controller or processor must bear the consequences, in terms of penalties, of infringements of the GDPR committed not only by its representatives, directors or managers, but also by natural persons (employees, in the broad sense) acting in the course of the legal person’s business and under the supervision of its representatives, directors or managers.

58. The fact of the matter is that those natural persons shape and define the intent of the legal person, giving concrete expression to it by means of individual and specific acts. Individual acts which, as an expression in concreto of that intent, are ultimately attributable to the legal person itself.

59. In short, these are natural persons who, without themselves being representatives of a legal person, act under the authority of persons who, as representatives of the legal person, have failed to exercise supervision or control over them. Finally, imputability ultimately leads to the legal person itself, since an infringement committed by an employee acting under the authority of its managing bodies is a failure in the control and supervision system, for which those managing bodies are directly responsible.“

 
