IP – Violation Found (Slovenia, 2021)

Violation Found
Informacijski pooblaščenec8 April 2021Slovenia
final
Violation Found

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Slovenia's data protection authority decided that employees cannot get details about who accessed their personal data at work. This means workers can't find out which colleagues have seen their data, even if it was accessed unlawfully. The decision highlights limits on employee rights to know who handles their personal data.

What happened

A hospital asked if it could provide an employee with information about which colleagues accessed their personal data.

Who was affected

Employees wanting to know which of their colleagues accessed their personal data at work.

What the authority found

The authority ruled that employees cannot obtain information about specific individuals who have accessed their personal data under Article 15 GDPR.

Why this matters

This decision clarifies that employees have limited rights to know who within their organization accesses their personal data. Companies should be aware of these limits when handling internal data access requests.

GDPR Articles Cited

Art. 15 GDPR
Slovenia enforcementInformacijski pooblaščenec actionsAll IP actions
Full Legal Summary
Detailed

The DPA was asked by a hospital if it can provide an employee with data on which of its other employees are processing health data, as well as when and how they are processing such data. The DPA held that under its current practice, it is not possible under Article 15 GDPR to obtain information about specific individuals who have processed personal data within the controller. This applies irrespective of the fact: - that the person is employed by a controller, - which systems and collections the employee has accessed, and - whether the access was lawful or unlawful.

Outcome

Violation Found

The DPA found a violation but did not impose a fine.

Related Enforcement Actions (0)

No other enforcement actions found for IP in SI

This is the only recorded action for this entity in this jurisdiction.

Details

Decision Date

8 April 2021

Authority

Informacijski pooblaščenec

GDPRhub ID

gdprhub-3346

Sources

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. IP - Slovenia (2021). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: