22.07.2024
5424-1/2024/73
Right of access to one's own personal data, Personal data retention period, Administrative procedures
The Information Commissioner (IC) has received your inquiry concerning the applicable laws and regulations for data storage in relation to the request for information and its responses, following a data subject's exercise of the right of access under Article 15 GDPR.
***
The IC initially emphasizes that we cannot provide a concrete and definitive answer on the data storage duration within the context of a non-binding opinion. The IC can only conduct a specific assessment of individual data processing cases during an inspection or other administrative procedure.
We would firstly like to emphasize that in Slovenia, the matter of data storage is primarily governed by the data storage principles outlined in Article 5 of the GDPR, Article 21 of ZVOP-2 on securing the personal data subject to the procedure, sector-specific legislation relevant for the personal data and documents in question, the Act on the Protection of Documentary and Archival Material and Archives (ZVDAGA), and the Decree on Administrative Operations regarding the preservation of documentary material. Since the IC's competencies are limited only to Slovenia, we are unable to assess the national requirements of other Member States.
In this regard, it should be noted that the duration of data storage for a data subject's request and the controller’s decision always depends on the applicable (also national) legal framework, taking into account the concrete situation in question. In Slovenia, any legal or natural entity performing administrative tasks based on public authorisation, as is the case when controllers are deciding on the rights of individuals based on data subjects' rights, must comply with the Decree on Administrative Operations[1] (Article 1).
This decree mandates that all entities to which it applies must adhere to rules on the preservation of documentary material. According to Article 77 of this decree, certain documents must be preserved as permanent material. These documents must be retained by the authority (the public or private entity deciding on the data subject’s right – the controller) permanently or until the expiry of the permanent retention period unless they qualify as archival material. Specifically, point 6 of the second paragraph of Article 77 mandates that such authorities permanently preserve decisions on administrative matters, except for cases with a shorter retention period (for more on this please refer to our opinion No. 07120-1/2023/232 dated 20. 4. 2023). Since decisions on data subject’s rights under Article 15 GDPR are regarded as administrative matters, they require permanent storage.
In addition to national regulations, controllers must also adhere to the principles of data minimization and storage limitation as outlined in Article 5 GDPR. While Article 17 of the GDPR emphasizes the obligation to erase personal data without undue delay, it also provides in paragraph 3 exceptions under specific circumstances that justify retaining data for longer periods. These exceptions include:
1. Exercising the right of freedom of expression and information;
2. Compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
3. Reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
4. Archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) to the extent that the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing;
5. The establishment, exercise, or defense of legal claims.
Additionally, Article 21 ZVOP-2 stipulates specific protections for personal data subject to a request under Articles 15 to 22 GDPR. From the receipt of such request, the controller or processor shall not delete, dispose of or modify the requested personal data subject to the procedure, the processing logs and other related information, irrespective of the expiry of the statutory or internally established retention periods, until the matter has been finally decided, and after the final decision has been taken, in accordance with the final decision in the matter. After the final decision, the data must be handled in accordance with that decision. The IC may order the production of a copy of the personal data or the processing operations in a manner that does not impede the business or functions of the controller or processor. Where the personal data concerned are classified data, the IC shall protect the personal data subject to the procedure.
Furthermore, if the personal data and/or documents are considered to be part of the processing for archiving purposes in the public interest or for national statistical purposes, Articles 71 and 72 of ZVOP-2 need to be taken into consideration as well.
We hope our response has been helpful.
Kind regards,
dr. Jelena Virant Burnik, Information Commissioner of the Republic of Slovenia
Grega Rudolf, Assistant Legal Advisor of the IC
---
[1] Uredba o upravnem poslovanju (Decree on Administrative Operations; Official Gazette of the Republic of Slovenia, Nos. 9/18, 14/20, 167/20, 172/21, 68/22, 89/22, 135/22, 77/23 and 24/24). An unofficial translation can be accessed here: https://pisrs.si/Prevodi/EN-2018-01-0353.doc