Can a pre-school facility, as a personal data controller, transmit information on the psychophysical condition of two underage children, their behaviour towards teachers and other children, absence etc. to a Centre for Social Work as a data recipient?
The Commissioner, as the authority in charge of supervising the implementation and enforcement of the Law on Personal Data Protection, is not entitled to instruct data controllers on how to act in specific cases. All we can do under the law is to give you a general answer and point out issues that merit special attention; however, you are a data controller under the law and the decisions regarding specific cases are yours and yours only to make.
Any processing of personal data requires a proper legal basis. A legal basis for personal data processing can be lawful authorisation or consent of the person whose data are being processed (Article 8, item 1 of the Law on Personal Data Protection – Official Gazette of RS, Nos. 97/2008 and 104/2009, 68/2012 – Decision of the Constitutional Court and 107/2012 – hereinafter referred to as the "LPDP").
A centre for social work is a data recipient in relation to you as a data controller. The provision of Article 3, item 7 of LPDP provides that data user means any natural person, legal entity or public authority authorized by virtue of the law or on the basis of a person's consent to use data. This effectively means that, in order for you as the data controller to be able to give a centre for social work as a data recipient any information regarding a child, you need to have a valid legal basis for your actions. Such legal basis may be either a legislative provision which explicitly orders you (or allows you) to provide such information to the centre for social work or the consent of the data subject (with regard to minors, such consent is given by the child's legal representatives – parents or guardians).
According to Article 10а, paragraph 1 of the Basic Elements of Education System (Official Gazette of RS, Nos. 72/2009 and 52/2011), a recipient of data contained in the single education information system can be a public or other authority or organization, as well as a legal entity or a natural person, if it is authorized by the law or other regulations to request and receive data, if such data are necessary for carrying out of tasks within its sphere of competence or if they are used for the purpose of a research and if it ensures personal data protection.
It should be noted that, when a data recipient asks a data controller for information on a person, the recipient should specify the purpose and the legal basis for such request.
Thus, once the data controller has determined whether the data recipient is authorised to seek and receive data and whether the latter needs such information for performing specific duties within its sphere of competence, the data controller shall decide whether to make the information available to the data recipient, taking into full consideration all obligations provided for by the LPDP, including in particular the principles of personal data protection (Article 8 of LPDP), as well as the regulations providing for its sphere of competence and the sphere of competence of the data user (in this specific case the Law on Basic Elements of Education System – Official Gazette of RS, Nos. 72/2009 and 52/2011, the Law on Preschool Education – official Gazette of RS, No. 18/2010, the Law on Social Welfare – Official Gazette of RS, No. 24/2011, the Family Law – Official Gazette of RS, Nos. 18/2005 and 72/2011 – other law and other regulations providing for operations of social work centres)".
(From the Commissioner's Opinion No. 011-00-00150/2013-05 of 15 May 2013)