DVI (Latvia) - 02/02/2024: Difference between revisions

From GDPRhub
mNo edit summary
mNo edit summary
 
(11 intermediate revisions by 2 users not shown)
Line 74: Line 74:


=== Facts ===
=== Facts ===
On 20 May 2023, the DPA carried out an on-site investigation into operation of company AQAPHOTO (‘controller’) carried out the at the Līvu Akvaparks, a water amusement park. The controller’s primary activity was offering photography services to visitors (‘data subjects’) at the amusement park. For the purpose to capture and provide photographic memories, the controller hired photographers which took photos of the visitors and were recognizable by wearing yellow T-shirts saying “AQUA FOTO TEAM”. The visitors can select their photos on the monitors located at the AQUAPHOTO booth. The controller used facial recognition technology software to identify the individuals that requested their photos.  
On 20 May 2023, the DPA carried out an on-site investigation into the operations of a company called AQAPHOTO (‘controller’), carried out the at the Līvu Akvaparks, a water amusement park. The controller’s primary activity was offering photography services to visitors (‘data subjects’) at the amusement park. For the purpose to capture and provide photographic memories, the controller hired photographers which took photos of the visitors and were recognizable by wearing yellow T-shirts saying “AQUA FOTO TEAM”. The visitors could then select their photos on the monitors located at the AQUAPHOTO booth. In addition, the controller used facial recognition technology software to identify the individuals that requested their photos and offer the pictures to them.  


The controller informed about its data processing operations in 5 different forms available to the visitors. However, their privacy policy was inconsistent across these different places.
The controller informed about its data processing operations in 4 different forms available to the visitors. However, their privacy policy was inconsistent across these different places.  


# On the amusement’s park website, the privacy policy stated that visitors would be photographed by walking up to the photographers and then obtain their photos at the AQAPHOTO stand.
# On the <u>amusement’s park website</u>, the <u>privacy policy</u> stated that visitors would be photographed by walking up to the photographers and then obtain their photos at the AQUAPHOTO stand.
# The section “Visitor rules” published on their website further specified that visitors with minors under their guardianship may be photographed in the amusement park. If the visitors did not wish to be photographed they had to take a distinguishing sign from the employees of the AWAPHOTO stand.
# The section concerning <u>“Visitor rules”</u> published on their website further specified that visitors with minors under their guardianship may be photographed in the amusement park. If the visitors did not wish to be photographed they had to take a distinguishing sign from the employees of the AQUAPHOTO stand.
# On the contrary, the “Terms and Conditions of Photo Services and Personal Data Processing” posted at the company’s stand said that distinguishing sign could be obtained from the amusement park’s cash desk or the photographers hired by AQAPHOTO.
# On the contrary, the “<u>Terms and Conditions of Photo Services and Personal Data Processing”</u> posted at the company’s stand said that distinguishing sign could be obtained from the amusement park’s cash desk or the photographers hired by AQUAPHOTO.
# By a visual information poster at the amusement park’s cash desk with a text saying:  
# By a visual <u>information poster at the amusement park’s cash desk</u> with a text saying:  
#* 'Don't be afraid of the AQUAPHOTO photographer. You do not want to be photographed in red. Green wristbands make many beautiful photographs’
#* '''Don't be afraid of the AQUAPHOTO photographer. You do not want to be photographed in red. Green wristbands make many beautiful photographs''’;
#* The posted also provided that the data subjects would not receive photographs of other visitors of the amusement park.
#* The posted also provided that the data subjects would not receive photographs of other visitors of the amusement park.


The DPA officers were informed by the controller that the collection of visitors’ personal and biometric data was based on two different consents:


# '''Consent during the visit''' – the data subjects were offered two colored wristbands before entering amusement park: green for consent to pictures and red for rejecting this processing. consented to having their photos taken during their visit to the amusement park. In this case, no biometric data processing is involved.
The DPA officers were later informed by the controller that the collection of visitors’ personal and biometric data was based on two different consents:
 
# '''Consent during the visit''' – the data subjects were offered two colored wristbands before entering amusement park: green for consent to pictures and red for rejecting this processing. In this case, no biometric data processing is involved.
# '''Consent after the visit''' – after visiting the amusement park, data subjects consented to biometric data processing, allowing the system to use facial images to recognize and select their relevant photos
# '''Consent after the visit''' – after visiting the amusement park, data subjects consented to biometric data processing, allowing the system to use facial images to recognize and select their relevant photos


In addition to these inconsistencies, the DPA’s inspection revealed that the data processing practice did not meet the data protection standard the company declared.
Firstly, the employees of the amusement park did not inform the inspection officers about the possible processing of personal data by means of photography.


Secondly, they did not offer the officers the option to choose between the red or green wristband to express their preference regarding this type of data processing. At the ticket office, the inspection officers also noticed a sign saying: “Don’t be afraid of the AQUAPHOTO photographer” and another one in Latvian, English and Russian: “You don’t want to be photographed in the red wristband, instead, green wristband makes for many beautiful photos.” However, the officers also noted that the visitors did not actually wore a green wristband. The adults wore a grey one and children wore red wristbands. Additionally, the photographs were also taken at various attractions sites, such as “Unique Tornado”, “Jacuzzi” or other attractions with pools where the wristbands were not visible.


Thirdly, the officers asked if visiting the stand before entering the amusement park was required. The cashier clarified it was not obligatory; they would be photographed during their visit and could select the photos afterward at the stand.
In addition to these inconsistencies, the DPA’s inspection revealed that the data processing practice did not meet the data protection standard the company declared.


Fourthly, none of the visitors of the park was asked for their consent before the photographs were taken.  
# the employees of the amusement park did not inform the inspection officers about the possible processing of personal data by means of photography;
# they did not offer the officers the option to choose between the red or green wristband to express their preference regarding this type of data processing. At the ticket office, the inspection officers also noticed a sign saying: “''Don’t be afraid of the AQUAPHOTO photographe''r” and another one in Latvian, English and Russian: “''You do not want to be photographed in red. Green wristbands make many beautiful photographs''’.” However, the officers also noted that the visitors did not actually wore a green wristband. The adults wore a grey one and children wore red wristbands. Additionally, the photographs were also taken at various attractions sites, such as “Unique Tornado”, “Jacuzzi” or other attractions with pools where the wristbands were not visible;
# the officers asked if visiting the stand before entering the amusement park was required. The cashier clarified it was not obligatory; they would be photographed during their visit and could select the photos afterward at the stand;
# none of the visitors of the park was asked for their consent before the photographs were taken;
# despite the fact that one of the inspection officers informed the company’s employees that they visited the park alone, they were offered to buy a photo that included both them.


Fifthly, despite the fact that one of the inspection officers informed the company’s employees that they visited the park alone, they were offered to buy a photo that included both them. 


The officers concluded that contrary to the information provided by the amusement park and the company, the data subjects are in fact not verbally informed about the processing of their data by the means of photography carried out on the premises of the park.


The controller claimed that the DPA should consider that the consent was collected by implication. According to the [https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf EDPB Opinion 05/2020] consent, whether explicit or not, must be given by a statement or an explicit affirmative action and must express consent to the processing of personal data. This is complemented by recital 32 GDPR which states that consent should be given by an explicit affirmative act including oral communication.  
The officers concluded that contrary to the information provided by the amusement park and the company, the data subjects are in fact not verbally informed about the processing of their data by the means of photography carried out on the premises of the park.


Lastly, the controller raised arguments against the DPA’s inspection at the amusement park and claimed that according to [https://likumi.lv/ta/en/en/id/300099-personal-data-processing-law Article 15 Lithuanian Data Protection Law], any inspection must take place in cooperation with the controller.
The controller claimed that the DPA should consider that the consent was collected implicitly. According to the [https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf EDPB Opinion 05/2020] consent, whether explicit or not, must be given by a statement or an explicit affirmative action and must express consent to the processing of personal data. This is complemented by recital 32 GDPR which states that consent should be given by an explicit affirmative act including oral communication. Lastly, the controller raised arguments against the DPA’s inspection at the amusement park and claimed that according to [https://likumi.lv/ta/en/en/id/300099-personal-data-processing-law Article 15 Lithuanian Data Protection Law], any inspection must take place in cooperation with the controller. Therefore, the evidence collected should be deemed invalid.  


=== Holding ===
=== Holding ===
To begin with, the DPA discussed the transparency requirements and how they were met by the controller. In regard to the various forms of privacy policies published by the controller, it was explained that making them visible and easily accessible only partly complies with the principle of transparency. Privacy policy should be also concise, comprehensible and in clear and plain language to meet all the elements if this principle. That is to say, the fact that the data subject has access to information on the processing of personal data does not in itself mean that the principle of transparency has been respected. In addition, the information on the poster was not explained properly for visitors to know what ‘green wristbands’ mean, how to obtain them or what kind of consent control measures are put in place. This information is also not provided orally and is otherwise misleading from other available source concerning consent collection. In this regard, the DPA found a violation of Articles 5(1)(a), (2) and 12(1) GDPR.
To begin with, the DPA discussed the transparency requirements and how they were met by the controller. In regard to the various forms of privacy policies published by the controller, it was explained that making them visible and easily accessible only partly complies with the principle of transparency. Privacy policy should be also concise, comprehensible and in clear and plain language to meet all the elements if this principle. That is to say, the fact that the data subject has access to information on the processing of personal data does not in itself mean that the principle of transparency has been respected. In addition, the information on the poster was not explained properly for visitors to know what ‘green wristbands’ mean, how to obtain them or what kind of consent control measures are put in place. This information is also not provided orally and is otherwise misleading from other available source concerning consent collection. In this regard, the DPA found a violation of [[Article 5 GDPR#1a|Articles 5(1)(a)]], [[Article 5 GDPR#2|(2)]] and [[Article 12 GDPR#1|12(1)]] GDPR.


The DPA stated that in relation to the collection of consent, the GDPR does not provide for a clear form of consent but lays down requirements for obtaining a valid consent. In this case, controller took photographs on the premises of the amusement park and processed ordinary personal data for which unambiguous consent is required. The key is to obtain an active consent, i.e. a positive action or indication of the person’s willingness to a specific processing operation – taking photos. Therefore, controller’s photographers shall not take photographs on the basis of silence or otherwise arbitrary photography by visitors of the amusement park. Taking photos based on implied consent is possible only if there is an active action on the part of the visitor such as:  
The DPA stated that, in relation to the collection of consent, the GDPR does not provide for a clear form of consent but lays down requirements for obtaining a valid consent. In this case, the controller took photographs on the premises of the amusement park and processed ordinary personal data for which unambiguous consent is required. The key is to obtain an active consent, i.e. a positive action or indication of the person’s willingness to a specific processing operation – taking photos. Therefore, controller’s photographers shall not take photographs on the basis of silence or otherwise arbitrary photography by visitors of the amusement park. Taking photos based on implied consent is possible only if there is an active action on the part of the visitor such as:  


# inviting the photographer to take the photo,
# inviting the photographer to take the photo;
# visibly posing for the camera,  • the visitor smiling and looking at the photographer,
# visibly posing for the camera;
# the visitor smiling and looking at the photographer;
# consent given in advance, during the visit or other obvious actions from which it can be inferred that the visitor wishes to be photographed
# consent given in advance, during the visit or other obvious actions from which it can be inferred that the visitor wishes to be photographed


Line 120: Line 121:


# visitor does not take active steps to approach the photographer to take the photograph
# visitor does not take active steps to approach the photographer to take the photograph
# the photographer pays attention to the visitor of the water park, the visitor does not pay attention to the photographer and does not take active steps to take the photograph
# the photographer pays attention to the visitor of the water park but the visitor does not pay attention to the photographer and does not take active steps to take the photograph
# the visitor indicates by gestures that they do not wish to be photographed
# the visitor indicates by gestures that they do not wish to be photographed


It was concluded that according to the evidence of this case, the manner of obtaining consent by the controller is not compliant with the above-mentioned requirements because:
It was concluded that according to the evidence of this case, the manner of obtaining consent by the controller is not compliant with the above-mentioned requirements because:
Line 128: Line 128:
# the controller could not demonstrate the valid consent as many photos were not based on a clear affirmative action (visitors were not aware of photographers taking pictures at certain attractions)
# the controller could not demonstrate the valid consent as many photos were not based on a clear affirmative action (visitors were not aware of photographers taking pictures at certain attractions)
# consent mechanism was not specified and explicitly explained to the visitors and several options were available to collect it. In fact, implied actions likely gave the photographers false impression of an expression of informed will of data subjects to take the photos.
# consent mechanism was not specified and explicitly explained to the visitors and several options were available to collect it. In fact, implied actions likely gave the photographers false impression of an expression of informed will of data subjects to take the photos.




Therefore, the controller did not provide the data subjects with the right to consent or object to the processing and therefore violated [[Article 5 GDPR#1a|Article 5(1)(a)]], [[Article 6 GDPR|6]] and [[Article 7 GDPR|7 GDPR]].  
Therefore, the controller did not provide the data subjects with the right to consent or object to the processing and therefore violated [[Article 5 GDPR#1a|Article 5(1)(a)]], [[Article 6 GDPR|6]] and [[Article 7 GDPR|7 GDPR]].  


With regards to the processing of biometric data, the DPA concluded that this processing is carried out on the basis of explicit consent of a data subject according to [[Article 9 GDPR#2a|Article 9(2)(a) GDPR]]. Additionally, in the absence of consent, the processing of personal data is based on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] as manual selection of images by visual identification of the customer (data subject) is required for the purpose of concluding a transaction for the purchase of photographs. Therefore, the DPA found no infringement of processing of biometric data.  
With regards to the processing of biometric data, the DPA concluded that this processing is carried out on the basis of explicit consent of a data subject according to [[Article 9 GDPR#2a|Article 9(2)(a) GDPR]]. Additionally, in the absence of consent, the data subjects can conduct a manual selection of images by visual identification which will not involve processing of biometric data. This type of processing is based on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] for the purpose of concluding a transaction for the purchase of photographs. Therefore, the DPA found no infringement of processing of biometric data.  


Regarding the controller’s argument on the validity of the inspection at the amusement park, the DPA considered that this interpretation of the legal provisions is unjustified. [https://likumi.lv/ta/en/en/id/300099-personal-data-processing-law Article 15 of the Lithuanian Data Protection Law] refers to cases when the inspection is carried out by the DPA using the administrative power granted to it by the regulatory enactments. In the present case, the DPA officers obtained the information not by exercising public authority but by carrying out these acts as any natural person would since they were visiting public places. As a result, the requirements of [https://likumi.lv/ta/en/en/id/300099-personal-data-processing-law Article 15 of the Lithuanian Data Protection Law] do not apply and the evidence of this case is admissible.   
Regarding the controller’s argument on the validity of the inspection at the amusement park, the DPA considered that this interpretation of the legal provisions is unjustified. [https://likumi.lv/ta/en/en/id/300099-personal-data-processing-law Article 15 of the Lithuanian Data Protection Law] refers to cases when the inspection is carried out by the DPA using the administrative power granted to it by the regulatory enactments. In the present case, the DPA officers obtained the information not by exercising public authority but by carrying out these acts as any natural person would since they were visiting public places. As a result, the requirements of [https://likumi.lv/ta/en/en/id/300099-personal-data-processing-law Article 15 of the Lithuanian Data Protection Law] do not apply and the evidence of this case is admissible.   


As a result, the DPA fined the controller €1000 for violations of [[Article 5 GDPR#1a|Articles 5(1)(a)]], [[Article 5 GDPR#2|(2)]], [[Article 6 GDPR|6]], [[Article 7 GDPR|7]] and [[Article 12 GDPR#1|12(1) GDPR]].
As a result, the DPA fined the controller €1,000 for violations of [[Article 5 GDPR#1a|Articles 5(1)(a)]], [[Article 5 GDPR#2|(2)]], [[Article 6 GDPR|6]], [[Article 7 GDPR|7]] and [[Article 12 GDPR#1|12(1) GDPR]].


== Comment ==
== Comment ==

Latest revision as of 11:31, 19 June 2024

DVI - 02/02/2024
LogoLV.png
Authority: DVI (Latvia)
Jurisdiction: Latvia
Relevant Law: Article 5(1)(a) GDPR
Article 6 GDPR
Article 7 GDPR
Article 12 GDPR
Article 12(1) GDPR
Type: Investigation
Outcome: Violation Found
Started: 29.06.2022
Decided: 02.02.2024
Published:
Fine: 1,000 EUR
Parties: AQAPHOTO
National Case Number/Name: 02/02/2024
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Latvian
Original Source: DVI (in LV)
Initial Contributor: im

The DPA fined a company offering photography services at an amusement park €1000. The company took visitors' photos based on an implied consent which in reality could not be considered an affirmative action.

English Summary

Facts

On 20 May 2023, the DPA carried out an on-site investigation into the operations of a company called AQAPHOTO (‘controller’), carried out the at the Līvu Akvaparks, a water amusement park. The controller’s primary activity was offering photography services to visitors (‘data subjects’) at the amusement park. For the purpose to capture and provide photographic memories, the controller hired photographers which took photos of the visitors and were recognizable by wearing yellow T-shirts saying “AQUA FOTO TEAM”. The visitors could then select their photos on the monitors located at the AQUAPHOTO booth. In addition, the controller used facial recognition technology software to identify the individuals that requested their photos and offer the pictures to them.

The controller informed about its data processing operations in 4 different forms available to the visitors. However, their privacy policy was inconsistent across these different places.

  1. On the amusement’s park website, the privacy policy stated that visitors would be photographed by walking up to the photographers and then obtain their photos at the AQUAPHOTO stand.
  2. The section concerning “Visitor rules” published on their website further specified that visitors with minors under their guardianship may be photographed in the amusement park. If the visitors did not wish to be photographed they had to take a distinguishing sign from the employees of the AQUAPHOTO stand.
  3. On the contrary, the “Terms and Conditions of Photo Services and Personal Data Processing” posted at the company’s stand said that distinguishing sign could be obtained from the amusement park’s cash desk or the photographers hired by AQUAPHOTO.
  4. By a visual information poster at the amusement park’s cash desk with a text saying:
    • 'Don't be afraid of the AQUAPHOTO photographer. You do not want to be photographed in red. Green wristbands make many beautiful photographs’;
    • The posted also provided that the data subjects would not receive photographs of other visitors of the amusement park.


The DPA officers were later informed by the controller that the collection of visitors’ personal and biometric data was based on two different consents:

  1. Consent during the visit – the data subjects were offered two colored wristbands before entering amusement park: green for consent to pictures and red for rejecting this processing. In this case, no biometric data processing is involved.
  2. Consent after the visit – after visiting the amusement park, data subjects consented to biometric data processing, allowing the system to use facial images to recognize and select their relevant photos


In addition to these inconsistencies, the DPA’s inspection revealed that the data processing practice did not meet the data protection standard the company declared.

  1. the employees of the amusement park did not inform the inspection officers about the possible processing of personal data by means of photography;
  2. they did not offer the officers the option to choose between the red or green wristband to express their preference regarding this type of data processing. At the ticket office, the inspection officers also noticed a sign saying: “Don’t be afraid of the AQUAPHOTO photographer” and another one in Latvian, English and Russian: “You do not want to be photographed in red. Green wristbands make many beautiful photographs’.” However, the officers also noted that the visitors did not actually wore a green wristband. The adults wore a grey one and children wore red wristbands. Additionally, the photographs were also taken at various attractions sites, such as “Unique Tornado”, “Jacuzzi” or other attractions with pools where the wristbands were not visible;
  3. the officers asked if visiting the stand before entering the amusement park was required. The cashier clarified it was not obligatory; they would be photographed during their visit and could select the photos afterward at the stand;
  4. none of the visitors of the park was asked for their consent before the photographs were taken;
  5. despite the fact that one of the inspection officers informed the company’s employees that they visited the park alone, they were offered to buy a photo that included both them.


The officers concluded that contrary to the information provided by the amusement park and the company, the data subjects are in fact not verbally informed about the processing of their data by the means of photography carried out on the premises of the park.

The controller claimed that the DPA should consider that the consent was collected implicitly. According to the EDPB Opinion 05/2020 consent, whether explicit or not, must be given by a statement or an explicit affirmative action and must express consent to the processing of personal data. This is complemented by recital 32 GDPR which states that consent should be given by an explicit affirmative act including oral communication. Lastly, the controller raised arguments against the DPA’s inspection at the amusement park and claimed that according to Article 15 Lithuanian Data Protection Law, any inspection must take place in cooperation with the controller. Therefore, the evidence collected should be deemed invalid.

Holding

To begin with, the DPA discussed the transparency requirements and how they were met by the controller. In regard to the various forms of privacy policies published by the controller, it was explained that making them visible and easily accessible only partly complies with the principle of transparency. Privacy policy should be also concise, comprehensible and in clear and plain language to meet all the elements if this principle. That is to say, the fact that the data subject has access to information on the processing of personal data does not in itself mean that the principle of transparency has been respected. In addition, the information on the poster was not explained properly for visitors to know what ‘green wristbands’ mean, how to obtain them or what kind of consent control measures are put in place. This information is also not provided orally and is otherwise misleading from other available source concerning consent collection. In this regard, the DPA found a violation of Articles 5(1)(a), (2) and 12(1) GDPR.

The DPA stated that, in relation to the collection of consent, the GDPR does not provide for a clear form of consent but lays down requirements for obtaining a valid consent. In this case, the controller took photographs on the premises of the amusement park and processed ordinary personal data for which unambiguous consent is required. The key is to obtain an active consent, i.e. a positive action or indication of the person’s willingness to a specific processing operation – taking photos. Therefore, controller’s photographers shall not take photographs on the basis of silence or otherwise arbitrary photography by visitors of the amusement park. Taking photos based on implied consent is possible only if there is an active action on the part of the visitor such as:

  1. inviting the photographer to take the photo;
  2. visibly posing for the camera;
  3. the visitor smiling and looking at the photographer;
  4. consent given in advance, during the visit or other obvious actions from which it can be inferred that the visitor wishes to be photographed


Moreover, the DPA listed possible situations which could be misunderstood as consent:

  1. visitor does not take active steps to approach the photographer to take the photograph
  2. the photographer pays attention to the visitor of the water park but the visitor does not pay attention to the photographer and does not take active steps to take the photograph
  3. the visitor indicates by gestures that they do not wish to be photographed

It was concluded that according to the evidence of this case, the manner of obtaining consent by the controller is not compliant with the above-mentioned requirements because:

  1. the controller could not demonstrate the valid consent as many photos were not based on a clear affirmative action (visitors were not aware of photographers taking pictures at certain attractions)
  2. consent mechanism was not specified and explicitly explained to the visitors and several options were available to collect it. In fact, implied actions likely gave the photographers false impression of an expression of informed will of data subjects to take the photos.


Therefore, the controller did not provide the data subjects with the right to consent or object to the processing and therefore violated Article 5(1)(a), 6 and 7 GDPR.

With regards to the processing of biometric data, the DPA concluded that this processing is carried out on the basis of explicit consent of a data subject according to Article 9(2)(a) GDPR. Additionally, in the absence of consent, the data subjects can conduct a manual selection of images by visual identification which will not involve processing of biometric data. This type of processing is based on Article 6(1)(b) GDPR for the purpose of concluding a transaction for the purchase of photographs. Therefore, the DPA found no infringement of processing of biometric data.

Regarding the controller’s argument on the validity of the inspection at the amusement park, the DPA considered that this interpretation of the legal provisions is unjustified. Article 15 of the Lithuanian Data Protection Law refers to cases when the inspection is carried out by the DPA using the administrative power granted to it by the regulatory enactments. In the present case, the DPA officers obtained the information not by exercising public authority but by carrying out these acts as any natural person would since they were visiting public places. As a result, the requirements of Article 15 of the Lithuanian Data Protection Law do not apply and the evidence of this case is admissible.

As a result, the DPA fined the controller €1,000 for violations of Articles 5(1)(a), (2), 6, 7 and 12(1) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Latvian original. Please refer to the Latvian original for more details.

Elijas iela 17, Riga, LV-1050, tel. 67223131, e-mail pasts@dvi.gov.lv, www.dvi.gov.lv





                                          Limited Liability Company "AQUAPHOTO"

                                                                        to the authorized person [...]

                                                                                      In case no. [..]



                                             The decision

Riga, 02.02.2024.                                                        No. [..]


On the appealed decision in the case of an administrative violation

       [1.] Data State Inspections (hereinafter – Inspection) [..] (hereinafter – Official) of 2023

On December 15, decision no. [..] "On the imposition of a penalty" (hereinafter - the Decision) administrative
in violation case no. [..] (hereinafter - the Case), recognizing the limited liability company 1
"AQUAPHOTO" (hereinafter - AQUAPHOTO) is guilty of the General Data Protection Regulation
(hereinafter – Data Regulation) Article 83.5. of the administrative offense provided for in sub-paragraphs a) and b).
making, applying an administrative fine of EUR 1000.00 (one thousand euros,
00 cents). The decision was announced on December 15, 2023, by sending it to the authorized representative of AQUAPHOTO

to the person [..] to the e-mail address. In accordance with the second part of Article 9 of the Notification Law
a document sent by electronic mail shall be considered notified on the second working day after it
sending. Therefore, the Decision is considered to have been announced on December 19, 2023.

       [2.] The decision found the following circumstances:

       [2.1.] The case materials contain the Officer's report of August 4, 2023 no. [..] about
test file no. partial termination and initiation of the administrative violation process" (hereinafter -
Report) with attachments. The report states that:
       [2.1.1.]AQUAPHOTO operates limited liability company "Akvaparks", registrations
number 40003508890 (hereinafter - Akvaparks) in the premises and provided by Akvaparks in the water amusement park "Livu"
Akvaparks" (hereinafter - Livu Aquaparks) photo services for visitors, thereby making Livu

Processing of personal data (photos) of water park visitors – natural persons (data subjects).
(acquisition, storage, transfer) in the form of photography.
       On June 29, 2022, the Inspectorate launched a personal data processing inspection ([..]) to verify
Akvaparks and AQUAPHOTOLivė Aquapark visitors - natural persons (data


1Regulation No. 2016/679 of the European Parliament and of the Council (April 27, 2016) on the protection of natural persons in relation to
processing of personal data and free circulation of such data and repealing Directive 95/46/EC 2

subject) processing of personal and biometric data, incl. using the one offered by NtechLab
facial recognition technology program, providing photography services, matching Data
regulation and the requirements of the Personal Data Processing Law (hereinafter - the Data Law).
       On April 6, 2023, Inspection officials performed an in-person inspection of AQUAPHOTO data

at the processing site, i.e. AQUAPHOTO at the customer service point, which is located in the premises of Livu Aquapark
Viestura Street 24, Jurmala. AQUAPHOTO was not found within the scope of the mentioned inspection case
illegal processing of biometric data, therefore the inspection in this part was completed and with the Inspection
August 7, 2023 letter no. [..] AQUAPHOTO was informed that the verification of biometric data
processing in inspection case no. [..] has been completed without finding the Data Regulations and Data at AQUAPHOTO's disposal
violations of the law.

       [2.1.2.] At the same time, inspection file no. Within [..] the Inspectorate obtained information which
testified that:
       [2.1.2.1.] AQUAPHOTO is carried out by a visitor of Livu Aquapark - a natural person (data subject)
processing of personal data (photos) in the form of photography based on two types of consent: 1)
consent of the data subject to take photos during the visit to Livu Aquapark (in this case, no
processed biometric data); 2) the data subject's consent, which is already provided after Livu Aquapark
for the processing of visit, biometric data (in addition to taking a face image) in order to AQUAPHOTO

would recognize and select relevant photos of the data subject in the billboard system;
       [2.1.2.2.] before entering Livu Aquapark, data subjects are offered to choose one of
for two-color bracelets. Consent to take photos is confirmed by a green wristband, a ban
to take pictures – a red bracelet;
       [2.1.2.3.] informing data subjects about the planned processing of personal data in the form of photography
and the actual handing out of wristbands is done by Aquapark cashiers. You can also get bracelets at
AQUAPHOTO for photographers in Livu Aquapark;

       [2.1.2.4.] additional information on the processing of personal data in the form of photography is available: 1)
On the website of the Aquapark (hereinafter - the Website) in the "Current" section, in which the article "Catch a beautiful
a moment!” with the text of the following content: "To make the time spent in the aquapark memorable, use SIA
"Aquaphoto" professional photographer services. So that the great moments spent in the water park remain
in memories SIA "Aquaphoto" offers the services of professional photographers. Photographers will take great
and professional photos, which will be a beautiful addition to the family album for Livu Aquapark

the perfectly spent vacation would be immortalized and unforgettable. You will recognize the photographer by the yellow shirt
with the inscription AQUA FOTO TEAM! Feel free to go over and say you want a photo for memory. Where are these photos
after that can get? When leaving the recreation area, approach AQUAFOTO in the lobby of Livu Aquapark
choose the pictures you like best on the stand and monitor and they will be yours! [..] Memorize! If you
if you want more beautiful pictures, get a green wristband from the staff of AQUA FOTO, which is located in the water park
in the lobby at the entrance! If you don't want photos and you don't want a red bracelet to be taken in your picture![..]”; 2)
1.9 of the "Visitor Terms" section of the website. in subsection: "The visitor is informed that

Visitor and his or her minor children or minors under guardianship Aqua Park
photographs may be taken in the territory. The visitor has the right to get acquainted with his personal data in connection with
photo by manager - SIA "Aquaphoto", reg. No. 40103215468, Dižozolu iela 25-6, Riga, LV-1058,
contact information – phone: +371 29846414, e-mail: aquaphoto@inbox.lv. If the Visitor
does not want to be photographed, he takes a badge from the employees of SIA "Aquaphoto""; 3) at
In the regulations placed on the AQUAPHOTO stand "Photo services and processing of personal data
rules" stating that "Consent to photography is confirmed by a green wristband,

prohibition – a red wristband, which is issued at the Akvaparks cash desk or can be obtained from
in the photographer's attraction area”; 4) with a visual information poster at the Aqua Park cash desks;
       [2.1.2.5.] data subjects are not provided with photos showing other Livu Aquaparks
visitors.                                                   3

        [2.2.] Taking into account the conflicting information related to the receipt of data subjects' consent and
informing about taking photographs, the Inspection, on its own initiative, carried out on May 20, 2023
face-to-face inspection (hereinafter - May 20, 2023 inspection) of the AQUAPHOTO service
at the place of delivery in Livu Aquapark, in order to verify the conformity of the information at the disposal of the Inspectorate

actual conditions.
        [2.3.] The report of the Inspection officials [..] of June 1, 2023 is in the appendix of the report
No. [..] and [..] of June 2, 2023, report no. [..] for what was done on May 20, 2023 in Livua Aquapark
Check. As part of the mentioned inspection, it was found that:
        [2.3.1.] at the time of purchase of non-tickets, employees of Liva Akvaparkakase did not inform the non-purchasers
Inspection officials about the possible processing of personal data in the form of photography did not provide either

information and did not offer the option to choose one of the wristbands (green or red);
        [2.3.2.] to the question of the Inspection official [..] about the possibilities of receiving photos, Livu
The cashier of the water park pointed with her hand to the AQUAPHOTO stand, indicating that it was with them.
To the inspection official's clarifying question, or before visiting Livu Aquapark
should approach the AQUAPHOTO stand, the Aquapark cashier explained that it is not
mandatory, because during the visit to Livu Aquapark, the official will be photographed, after which he will be able to approach
AQUAPHOTO stand and choose the relevant photos;

        [2.3.3.[ Two photographers took photos during the visit to Livu Aquapark
in yellow vests. Visitors to Livu Aquapark, including the two officials, before the photo
admissions, consent was not asked;
        [2.3.4.] photos were also taken at moments when visitors to Livu Aquapark participated in various activities
in attractions, such as the "Unique Tornado" or located in jacuzzis and swimming pools, where the price was visible;
        [2.3.5.] none of the visitors to Livu Aquapark had a green bracelet on their arm.
Adults wore gray-blue wristbands, while children wore red wristbands;

        [2.3.6.] a small informational poster with the following text is placed near the Livu Aqua Park ticket offices:
"Don't be afraid of the AQUAPHOTO photographer", which states the following in three languages (Latvian, English and Russian).
information: "You don't want to be immortalized in red concert gloves. Concert bracelet in green color a lot
beautiful photos”;
        [2.3.7.] despite the fact that the Inspection official [..] informed AQUAPHOTO
employees, that she visited the water park alone, was offered to the Inspection official

opportunity to purchase and the officer also purchased a photo of both her and the other
Inspection officer.
        [2.3.8.] Taking into account the above, the inspection of May 20, 2023 concluded that, contrary to the Aqua Park and
For the information provided by AQUAPHOTO, data subjects are not actually informed verbally about Liv
They are not offered the opportunity to receive data processing in the water park premises in the form of photography
a green or red colored wristband to indicate their choice of how to take the photo
also, contrary to the information provided by AQUAPHOTO, the Inspection official had the opportunity to purchase

a photo showing not only her, but also other visitors to Livu Aquapark (in the specific case
– the other Inspection official).
        Also, in the inspection of May 20, 2023, it was concluded that the cash register located at the Livu Aquapark
the informational poster and the photo services placed at the AQUAPHOTO service stand
personal data processing rules, do not provide the visitors of Livua Aquapark a true, easy
accessible, transparent and understandable information about the processing of data in the form of photography, successively denying
they have the opportunity to express unequivocal consent or refusal before visiting Livu Aquapark

for taking photos.
        [2.4.] Evaluating the information obtained in the inspection of May 20, 2023 in the context of the inspection
case no. [...] materials, the Report concludes that AQUAPHOTO's commercial activities -
within the framework of the provision of photography services, performed by Livua Aquaparks visitor-natural person 4

(data subject's) personal data - photo processing - acquisition, storage, transfer, in violation
basic principles of processing, including conditions for consent, in compliance with Article 5, 1 of the Data Regulation.
point (a), Article 6, paragraph 1 and Article 7, and the rights of data subjects under the Data
paragraph 1 of Article 12 of the regulation - i.e. without providing data subjects with real rights from the outset and

agree or object to the processing of your data at any time, thus not providing adequate personal data
the legal basis for the processing of personal data, and not providing the data during the acquisition of personal data
fulfillment of the obligation of clear, understandable and accurate information regarding data processing,
which indicates a real possibility that the administrative violation for which the administrative offense is intended has occurred
responsibility in Article 83(5)(a) and (b) of the Data Regulation.
       [2.5.] The case materials contain the Official's decision of August 4, 2023 no. [..] about

the initiation of the administrative violation process and the extension of the deadline for consideration of the case (hereinafter -
decision of 4 August 2023). On August 7, 2023, the decision of August 4, 2023 with a cover letter
notified to AQUAPHOTO by registered mail to its registered address.
       [2.6.] In the case materials, there is the letter of the Inspection dated August 8, 2023 no. [..] "About
submission of explanations and request for information", as well as in connection with the mentioned letter
Explanations of the authorized representative of AQUAPHOTO [..] (hereinafter - the Representative) dated October 6, 2023
(hereinafter – Explanations).

       [2.7.] The case materials contain AQUAPHOTO Representative's November 28, 2023
submission "opinion on the legality of the proposed administrative violation case, information
request and request to postpone the examination of the administrative violation case" (hereinafter - Submission)
and Inspection letter of December 4, 2023 no. [..] "On giving an answer".
       [2.8.] During the consideration of the case, the representative of AQUAPHOTO repeated what was already presented
explanations, additionally certifying that the consent of the data subjects to the processing of personal data (photo
for reception) is obtained both by bracelets and by conclusive actions. Data subjects are informed

with an informative poster at the Aquapark cash desks and the AQUAPHOTO stand, with the information provided on the Website,
as well as through Livu Akvapark's cashiers, who provide information and factual information
handing out wristbands. Likewise, the AQUAPHOTO representative stated that he could not submit additional
explanations, because he has not received the response of the Inspection to the arguments expressed in the Submission.
       In the opinion of the representative, the Check is logically incomprehensible and was carried out without complying with the Data Law 15 and
Article 16 requirements. The representative stated that the case should be closed because the evidence was not conducted against the law

were not obtained by legal means and the only evidence provided by AQUAPHOTO can be recognized in the Case
explanations, as well as the information provided by AQUAPHOTO during the April 6, 2023 face-to-face inspection.
       Regarding the Official's request to explain how AQUAPHOTO's cooperation with
Livu Aquapark employees in informing data subjects and issuing wristbands, AQUAPHOTO
The representative informed that cooperation is taking place, but exactly how it is happening, in which document this form of cooperation,
including employee liability is covered, etc., the representative could not explain.
      [2.9.] In the decision, the Official concluded that:

      [2.9.1.] The circumstances found in the case clearly prove that AQUAPHOTO's Explanations
and the information given in the oral explanations about obtaining the consent of the data subjects when issuing
a wristband of the corresponding color is not implemented in practice. Namely, according to what was found in the Inspection, the data
wristbands and Livu Aquapark cash registers are not issued to subjects before visiting Livu Aquapark
employees do not inform data subjects about the processing of personal data in the form of photography. Sequentially from the data
the subjects do not receive consent in accordance with the requirements of the Data Regulation. This is confirmed even more
the fact that none of the visitors to Livu Aquapark had green paint on their hands during the inspection

a bracelet. Taking into account the above, the Official concludes that AQUAPHOTO both in person on April 6, 2023
during the inspection, as well as later when providing explanations in the Case, has given false information to the Inspection
information about the actual circumstances in the order of issuing bracelets and informing data subjects.                                                  5

      Although AQUAPHOTO explained that the Aquapark cashier can make a mistake in the ratio
to the execution of informing and handing out bracelets, and there is no reason to draw a conclusion from one case,
that the visitors are not informed, the Official concluded that two Inspections participated in the Inspection
officials and according to the information provided in the reports, in both cases the officials did not

verbal information about the planned processing of personal data in the form of photography was provided, and was not
offered the opportunity to express consent or denial by receiving a wristband of the corresponding color. That way
The official concluded that by not issuing bracelets to the visitors of Livua Aquapark, AQUAPHOTO
does not provide data subjects with the right to initially and at any time agree or object to their personal data
for data processing, consecutively AQUAPHOTO cannot demonstrably demonstrate that the data subject has given his consent
for the processing of personal data and that a valid consent and the requirements of the Data Regulation have been received from the data subject

appropriate consent. In addition, during the entire investigation, including the case review, the Inspection after
for several requests, cooperation documents between AQUAPHOTO and Aquapark were not submitted,
which thus calls into question the existing cooperation between the parties regarding the duty of Aquapark employees
to issue wristbands and inform data subjects, as well as indicating that such cooperation is not prohibited
in the company's internal regulations and the employees are not informed about it.
       [2.9.2.] Regarding obtaining consent by conclusive actions, Officer
pointed out that the Data Regulation does not provide for such a form of consent. In addition, if the processing is based on consent,

the manager must be able to demonstrably prove that the data subject has unequivocally consented to his personal data
for processing which, in the opinion of the Official, cannot be implemented with conclusive actions. Namely, in conclusion
actions can give the photographer a false impression of a photo of conscious statements of will
for admission, as a result of which the data subject's personal data would be processed without the requirements of the Data Regulation
receiving appropriate consent.
       Taking into account the above, the Official concluded that in the specific case with conclusive actions
consent received cannot be recognized as complying with the requirements of the Data Regulation, including the conditions of Article 7

the consent of the data subject and cannot be used as a legal basis for the person carried out by AQUAPHOTO
for data processing. Even more so if AQUAPHOTO has implemented a special data subject's consent
procedure, by handing them a wristband of the relevant color, then it can be assumed that the visitors of Livu Aqua Park
there is either a green or red bracelet on the arm and consent to the performance of other, additional actions
for receiving, is not required.
       [2.9.3.] In view of the above, the Official concludes that AQUAPHOTO carried out and continues to carry out Liv

Processing of personal data of water park visitors – natural persons (data subjects) (obtaining photos,
storage), based on a legal basis that does not meet the requirements of the Data Regulation for valid consent
acquisition. Namely, AQUAPHOTO carried out and continues to carry out the mentioned personal data processing in violation
basic principles of processing, including conditions for consent, in accordance with Article 5, 1 of the Data Regulation.
(a), Article 6(1) and Article 7.
       In compliance with the above, AQUAPHOTO has committed an administrative violation for Data
in Article 83, paragraph 5, letter a) of the regulation.

      [2.9.4.] Regarding the processing (transfer) of personal data carried out by AQUAPHOTO, the Official
concluded that the processing of said personal data is carried out on the basis of Article 9, Paragraph 2 of the Data Regulation
Subparagraph a) – the explicit consent of the data subject, which, in the opinion of the Official, is appropriate
the legal basis for performing biometric data identification of the data subject. Failure to provide consent
in this case, the processing of personal data is based on Article 6, paragraph 1, subparagraph b) of the Data Regulation (ie
manual selection of images by visual identification of the customer) to conclude a transaction for the purchase of photos.
AQUAPHOTO's presentation, printing or sending of selected photos to the e-mail specified by the customer

postal address and the sales person at the AQUAPHOTO stand, the legal basis is the Data Regulation
Article 6, paragraph 1, subparagraph b) - conclusion of the transaction. Regarding the above, Officer
no violations were found.                                                  6

      [2.9.5.] Regarding informing data subjects, AQUAOHOTO explained that data
information about the processing of natural persons' data available to subjects is easily available both on the Website and
at the cash desks of Līvu Aquapark and at the AQUAPHOTO stand, thus AQUAPHOTO has complied with the Data
information and transparency requirements set out in the regulation. The official stated that according to Data

the transparency of regulations is inextricably linked to the principle of honesty as well as the principle of accountability.
It follows from Article 5, Clause 2 of the Data Regulation that the controller must always be able to demonstrably demonstrate that persons
the data is processed in a transparent manner with respect to the data subject. Accountabilities in connection with it
the principle requires transparency of processing operations so that data controllers can demonstrate their
compliance of obligations with the Data Regulation. The elements of the principle of transparency are not only that information about
processing of personal data must be visible and easily accessible, but it must also be concise and understandable

and using clear and simple language. Namely, the fact that the data subject has access to information about
processing of personal data does not in itself mean that the principle of transparency has been observed and so
elements.
      The official concluded that the informational poster placed at the Aquapark cash desks contained the following
information: "Don't be afraid of an AQUAPHOTO photographer. You don't want to have a concert bracelet in red
immortalized. Concert bracelet in green color, many beautiful photos". Although the small poster contains
information in three different languages (Latvian, Russian and English), it is not provided in a way understandable to the data subjects,

in clear and simple language. Namely, the data subject is not informed about what "concert processes" are
is their meaning, applicability and order of receipt, as well as other issues related to
The consent control measure implemented by AQUAPHOTO. In addition, according to the Inspection
established, such information is not provided to data subjects verbally before Livu Aquapark
ticket purchases. Also, the Officer concluded that the information provided to the data subjects about the bracelet
the pick-up point is misleading, that is, in the Aquapark Website, subsection 1.9 of the Visitor Regulations
it is indicated that [..] if the Visitor does not want to be photographed, he should contact the employees of SIA "Aquaphoto".

take the mark of distinction. On the other hand, in the regulations placed at the AQUAPHOTO stand "Photo
service and personal data processing rules" states that "Consent to take photos
is confirmed by a green wristband, the ban on photography is confirmed by a red wristband, which is issued
At the cash desk of the water park or you can get it from the photographer in the amusement area".
      Taking into account the above, AQUAPHOTO has provided the data subjects with information about the person's actions
data processing, but has not taken appropriate measures to fully implement the rights of data subjects

in accordance with the requirements of Article 12, paragraph 1 of the Data Regulation - i.e. has not provided data subjects with clear,
fulfillment of the duty of clear and accurate information regarding data processing. That way
AQUAPHOTO has processed personal data without complying with Article 5, paragraph 1 a) of the Data Regulation
the requirements specified in sub-section, paragraph 2 and paragraph 1 of Article 12, without ensuring transparency and
compliance with the principle of accountability in the processing of personal data of natural persons (customers). Sequentially
AQUAPHOTO has committed an administrative violation provided for in Article 835 of the Data Regulation. point
in subparagraph b).

      [2.9.6.] With regard to the opinion expressed by AQUAPHOTO in the Submission and Case review, that
The inspection official did not follow the procedural rules while performing the inspection in Livu Aquapark
with regard to conducting the inspection, so the facts and other information specified in the Report cannot be used as
evidence in accordance with the second and third parts of Article 93 of the AAL, the Officer states the following.
      The reasoning expressed by AQUAPHOTO is basically based on the consideration that Article 15 of the Data Law
determines the procedure for conducting checks, including providing for the obligation before the place of data processing
visits, inform the manager about the purpose, time and place of the planned visit, ask the manager to provide

the presence of the authorized representative, as well as to inform the manager about his rights. AQUAPHOTO also states that
in accordance with Article 16 of the Data Law, the progress of the examination must be recorded in the protocol of the procedural activity, which
May 20, 2023 was not drawn up. Based on the above, AQUAPHOTO made a conclusion,
that any verification should take place in cooperation with the data controller.                                                  7

      The official considers such an interpretation of legal norms to be unfounded. In Article 15 of the Data Law
the included norms on conducting the inspection and informing the supervisor apply to cases when

the inspection is carried out by using the administrative power granted to it in the regulatory acts
(coercive mechanisms), and the manager's obligation to obey the orders of the Inspectorate. The mentioned norm
refers to trespassing on private property as well as access to non-public systems and documents
access. At the same time, the first part of Article 15 of the Data Law contains the right of the Inspectorate to obtain
information using all legal methods. Undoubtedly, it can also be considered as such a method

visiting public places and performing such activities, which can be performed by any natural person.
In the specific case, the Inspectorate obtained the information without using public authority, but by conducting and
capturing actions that any natural person could perform. Therefore, in Article 15 of the Data Law
the mentioned requirements do not apply to this type of information acquisition, consequently the official had no obligation
to inform the manager about his rights, as well as to draw up a procedural protocol according to the Data
to that specified in Article 16 of the law.

      If AQUAPHOTO's statement was considered justified, it would prevent the Inspection from performing at all
any actions without cooperation with the manager, such as viewing websites, would be publicly posted
the locations of the video cameras to find out their angles and to perform any other actions. In all
in the mentioned cases, the Inspection official obtains information without using state power, but
recording his observations in a report, as was the case here. In view of the above, the news that

officials obtained as part of the Inspection, may be used as evidence in the Case.
      [2.9.7.] Regarding the fact that the Inspection official performed the Inspection in the presence of another
to a woman who may not be an employee of the Inspection and to whom information about the Inspections has been disclosed
execution, the Inspection indicates that the Inspection was carried out by two Inspection officials, which is confirmed
The reports of the two officials attached to the report. Hence, the information on conducting the Test
has not been disclosed to third parties.

      [2.9.8.] Regarding the opinion expressed by AQUAPHOTO, it is objectively not clear in what way
The inspection was able to complete the inspection against AQUAPHOTO, announcing that no violations were found, but
later to send a decision on the initiation of an administrative violation case, the official stated that
The inspection case was initiated regarding the biometric data processing carried out in Livu Aquapark, in connection with the established
the use of the technical tool and the transfer of personal data outside the European Union. Test cases

within the scope of the Inspection did not find any Data Regulations in the biometric data processing performed by AQUAPHOTO
violations, sequentially the examination case in the part on the processing of biometric data was terminated.
      On the other hand, in order to make sure that the additional information obtained within the scope of the examination file corresponds
to the actual circumstances (Livu Aqua Park employees inform data subjects about personal data processing
in the form of photography and issue green and red color wristbands), The inspection case was continued,

by performing an in-person inspection. The information obtained during the inspection showed that it was administrative
committing a violation, therefore, in the Report, a proposal was made to complete the Inspection case for
biometric data processing and start the process of administrative violation.
      [2.9.9.] During the consideration of the case, the representative of AQUAPHOTO stated that the case is not objectively understandable,
moreover, AQUAPHOTO cannot submit additional explanations, as it has not received a response to the Submission.
      The official states that in response to the Submission, the Inspection in the letter of December 4, 2023 3

informed AQUAPHOTO that the circumstances presented in the Submission and the requests expressed do not affect it
and does not interfere with the consideration of the Case on its merits, therefore, the date of the Case consideration will not be postponed
and the information requested in the Submission will be provided in accordance with the Freedom of Information Act
established procedures and deadlines.
      In view of the above, the Official concluded that the Case did not exist during consideration and also before that

circumstances that would make it difficult for AQUAPHOTO to provide additional explanations in the Case. In addition

2 Inspection official[..]2023. for the report of 1 June[..and [..[..]
3Inspection's letter of December 4, 2023 no. [..] 8

AQUAPHOTO had at its disposal all Case materials and information about the nature of the violation.
Also, the Official concluded that AQUAPHOTO is guilty of Article 83, Clause 5 a) and
in the commission of an administrative violation provided for in subsection b) is proven by the Report and so
attachments and other case materials.

       [2.9.10.] The official, taking into account the reasoning mentioned in the Decision, concluded that the Data Regulation
in the sense of Article 83, Clause 5 of the Data Regulation, violations are considered material
violations, as well as the circumstances found in the Case and the conclusions made by the Official,
The official, using the determination of the amount of the administrative fine developed by the Inspectorate
mechanism for companies and individuals, recognizes the violation committed by AQUAPHOTO as average
severe, determining the sanction provided for in Article 83, paragraph 5, sub-paragraphs a) and b) of the Data Regulation

administrative fine EUR 765.36 (seven hundred sixty-five euros and thirty-six cents)
amount. At the same time, the Officer taking into account the fact that the personal data processed by AQUAPHOTO (Livu
Photos of Aquapark visitors) are used for commercial purposes, namely AQUAPHOTO gains
economic benefit from the personal data processing (sale of photos). Also taking into account that
that the violation was committed intentionally and not due to negligence, the Officer adjusted the fine by applying
a fine of EUR 1000.00 (one thousand euros) as appropriate to deter AQUAPHOTO from
for further violations of personal data processing.

       [2.10.] AQUAPHOTO January 2, 2024 was registered in the inspection on January 3, 2024
complaint about the Decision (hereinafter – Complaint) .
       The inspection finds that the complaint was submitted under the Administrative Responsibility Law (hereinafter - AAL)
within the term specified in the first part of Article 168 and its examination is permissible.

        [3.] According to AAL172. the first part of the article, the higher official examines complaints in writing
in the process within one month from the date of receipt of the complaint. Administrative offense cases

the circumstances are clarified by a higher official based on the evidence in the relevant case.
At the same time, Article 47 of the AAL stipulates that a higher official in the sense of this law is a person who
is authorized to commit an administrative offense in accordance with the competence defined in the regulatory enactments
control of the legality and reasonableness of the decision taken in the case.
        Taking into account the above, the Director of the Inspection, as a higher official, examines the Case again
essence in connection with the circumstances indicated in the Complaint.


        On obtaining consent through conclusive actions
       [4.] The complaint states that, in the opinion of AQUAPHOTO, the consideration given by the Inspectorate that Datu
the regulation does not provide for obtaining consent with conclusive actions is completely unjustified and contradictory
with the positions of the European Data Protection Board based on the following arguments:
       [4.1.] The Data Regulation stipulates that the data subject's consent must be unambiguous if the relevant data
is ordinary personal data that is not sensitive (Article 6 of the Data Regulation states that consent is required and

Article 4 defines that consent must be unequivocal), but unambiguous if the relevant data is sensitive
personal data (i.e. refers to any of the sensitive data listed in Article 9, paragraph 1 of the Data Regulation
categories). Consent, whether implied or not, must be given by notice or express
affirmative action and must express consent to the processing of personal data in accordance with Article 4 of the Data Regulation
Clause 11. This is complemented by Recital 32 of the Data Regulation, which states that consent "should be given with a clear
affirmative action ... such as by written notice, including by electronic means, or
verbal statement". The manner in which consent must be given by data subjects remains "unambiguous"

regarding the processing of all types of personal data, specifying that this requires "clear affirmative
activity" and that consent must be "unambiguous" for sensitive data."
       The director of the inspection, regarding the mentioned argument, states that Article 4 of the Data Regulation
Clause 11 states that the data subject's consent is any freely given, specific, informed and 9

unequivocal reference to the wishes of the data subject, with which he is notified or clearly affirmative
gives consent to the processing of his/her personal data in the form of action. At the same time, in recital 32 of the Data Regulation
it is explained that consent should be given by an express affirmative act, which means freely given,
a specific, deliberate and unambiguous indication of the data subject's consent to the personal data related to him

for processing, for example by written, including electronic, or oral notification. This could include
marking a field with a tick on an Internet website, an information society service
the choice of technical settings or other statements or actions that in this case clearly indicate that the data
the subject agrees to the proposed processing of his personal data. Silence, previously marked fields or
abstention from action should not therefore be considered as consent.
       Taking into account the above, it can be concluded that the mentioned regulation of the Data Regulation does not define clear data

the subject's form of giving consent, but determines the requirements for receiving valid consent.
At the same time, it can be concluded that AQUAPHOTO reasonably stated that according to the consent of the data subject
the said legal justification must be unambiguously provided in the specific case.
       [4.2.] AQUAPHOTO points out that the Data Regulation clearly states that even unambiguous consent
must be given by affirmative action, but this does not mean that consent is not possible by implication
for actions. Moreover, it is affirmative action and unequivocal consent that is sufficient to
would meet the consent requirements for both ordinary personal data and sensitive personal data

processing.
       In the specific situation, AQUAPHOTO, when taking photographs in the premises of Livu Akvaparks,
processes ordinary personal data that requires unequivocal consent to be received
by means of another statement or action which, in this context, clearly indicates that the data subject consents
for the proposed processing of his personal data. The main point is that all consent must be an active activity,
t. i.e., a positive action or indication indicating a person's willingness to consent to a specific processing operation
– for taking photos.

         AQUAPHOTO photographers, when taking photos, do not perform the relevant actions on the basis
to inactivity, silence or otherwise arbitrary photography of theme park visitors.
Photography with implied consent is only done if active action is received from
on the part of the visitor, such as inviting a photographer to take a photo, obvious posing
in front of the camera, the visitor smiling and looking at the photographer, before the visit
express consent, as well as other obvious actions from which it can be inferred that there is

visitor's willingness to take photos. Accordingly, in all these cases there are clear actions that
the person consciously and actively chose to consent to the taking of photographs that would comply with the Data Regulation
to that specified for another statement or action that clearly indicates in this context that the data subject agrees
for the proposed processing of his personal data. In addition, there are clearly defined when taking pictures
actions so that the photographer does not misunderstand the consent given when the person does not want to be photographed
photography, first of all, it is in cases where the visitor does not take an active action to address the photographer
for taking a photo, secondly, with the photographer paying attention to the water park visitor,

the visitor does not pay attention to the photographer and does not take active actions to take photos,
thirdly, the visitor indicates by gestures that he does not want to be photographed.
       Regarding this argument, the Director of the Inspection states that the requirements are valid consents
in addition to the Data Regulation, are explained in the Guidelines of the European Data Protection Board
No. 05/2020 on consent in accordance with Regulation 2016/679 (Adopted on May 4, 2020) (hereinafter -
Guidelines). Regarding the fact that the consent must have an unambiguous indication of the data subject
wishes Clause 75 of the Guidelines explains that the Data Regulation clearly states that consent must

requires a statement or clear affirmative action by the data subject, which means that it always
to be provided in an active form or by means of a declaration. On the other hand, point 75 of the Guidelines explains that
an explicit affirmative action means that the data subject has knowingly consented to a particular processing.
Consent can also be obtained through written or (recorded) oral confirmation, including 10

electronic means. In addition to the above, paragraph 84 explains that Managers should develop
consent mechanisms in a way that is understandable to data subjects. Managers should avoid
ambiguity and must ensure that the acts by which consent is given can be distinguished from others
for actions.

       The director of the inspection finds that the evidence in the case is at the Livu Akvaparks cash desks
posted information, information posted at the AQUAPHOTO stand, information available on the website
and 1.9 of the Aquapark visitor rules. subsection indicates that visitors to Livu Aquaparks
consent to photography is confirmed by a bracelet of the corresponding color. How consent is obtained, e.g.
gesturing to oneself and then posing, smiling, is not specified in the mentioned materials.
At the same time, it can be concluded that the materials of the Case do not confirm that AQUAPHOTO was developed by Liva as well

A clear consent mechanism has been publicly announced to the visitors of the water park in cases where
the data subject's consent is obtained by conclusive actions before the processing is carried out. Thereby,
The director of the inspection is critical of the fact that such a mechanism has been created and is being implemented in real life.
       It should also be noted that in accordance with Article 7, Clause 1 of the Data Regulation, AQUAPHOTO as the controller
it is necessary to be able to demonstrably demonstrate that the data subject has consented to the processing of his personal data, if the processing
based on consent. If photography is done based on conclusive actions, which is not rare
can be so misunderstood or ambiguous, for example, a person looks at a person behind

photographer, or a person goes down the tube and looks at their family member, it does not mean that the photographer
clear affirmative action is provided. Considering that photographers do not only photograph persons who
pose themselves, but take photos when the person is swimming in the pool, in the jacuzzi or taking part in any of
for attractions, i.e. performs processing in real life situations where a person may not notice the photographer at all,
obtaining consent through conclusive actions is not possible in these situations. It is doubtful that
a person can consciously and with an active action give consent to photography, if in the specific situations
she may also be unaware that she is being photographed. Just because a person sees a photographer doesn't mean they do

active action and action to give your consent. Namely, the concluded actions can be created for the photographer
a false impression of the expression of a conscious will to take photos, as a result of which the data subject
processing of personal data would be carried out without obtaining consent in accordance with the requirements of the Data Regulation.
Therefore, the Director of the Inspection recognizes as justified the conclusion contained in the Decision, that in the specific
in the event that consent received through conclusive actions is not recognized as a requirement of the Data Regulation,
including the conditions of Article 7, appropriate consent of the data subject and cannot be used as legal

basis for personal data processing by AQUAPHOTO. Even more so if AQUAPHOTO has introduced
a special procedure for obtaining the data subject's consent by issuing them a wristband of the relevant color, then
it is assumed that the visitors of Livu Aquapark have either a green or a red bracelet on their arm
and performing other, additional actions for obtaining consent is not necessary. The fact that it is
various forms of consent have been introduced - both bracelets and conclusive actions, one might rather point out
to the fact that one developed mechanism does not work in practice and other ways to ensure are sought
legal basis for data processing.


       On the admissibility of the examination of May 20, 2023 as evidence
       [5.] The complaint states that AQUAPHOTO believes that the Inspection can implement any actions,
which are aimed at checking the compliance of processing only based on the provisions of Chapter IV of the Data Law
procedures for the implementation of inspections.
       [5.1.] At the discretion of AQUAPHOTO, the Inspection can carry out an on-site inspection only based on
The requirements of the second to fourth parts of Article 15 of the Data Law, as well as Article 16 of the Data Law.

       AQUAPHOTO indicates that regarding the inspection carried out by the Inspection officials,
AQUAPHOTO: a) has not received information about the planned visit of the Inspection officials,
contrary to the way it was carried out in the previous inspection - on April 6, 2023; b) in the test
no representative of AQUAPHOTO participated, because for this inspection Inspection AQUAPHOTO 11

did not inform; c) as part of the inspection, AQUAPHOTO has not been warned of its rights; d) after
the protocol of the procedural activity of the inspection on May 20, 2023 has not been drawn up.
         Regarding the mentioned argument, the Director of the Inspection finds that from the case materials and
from the information mentioned in sub-sections [2.2] and [2.3] of this decision, it follows that two Inspections

officials, taking into account the fact that the inspection file contained contradictory information about Liva in the Aquapark
implemented personal data processing in the form of photography, on May 20, 2023 in Livu Aquapark as
female visitors did the inspection. From the point of view of the Director of Inspection, a face-to-face inspection based on Data
the procedures for the implementation of the inspections specified in Chapter IV of the law, can be implemented in those cases, if
it is necessary to use the powers of public authority to enter or obtain premises not accessible to the public
publicly unavailable documents or data from management information systems. On the other hand, in cases

when it is necessary to check the controller's processing of data from the data subject and ordinary consumers
point of view, without using a privileged position, Inspection officials can carry out the following inspections,
not complying with the procedures for the implementation of inspections specified in Chapter IV of the Data Law. In this case Inspections
officials visited a public area open to any paying person
for the specified service, thereby also verifying how the data processing is practically implemented. Such
actions could be performed by any person to find out how the manager implements the processing of personal data and for that
no special regulatory regulation is required.

         [5.2.] AQUAPHOTO draws attention to the fact that the annotation of the Data Law states: "In doing
tests, they can be of different nature. Planned inspections, unplanned inspections and entry into premises,
without notifying the manager (entry and forcible search)." In addition, the annotation states: “Planned
checks are carried out by the controller or other legal entities (possible controller or processor)
in the presence of an authorized responsible person or, if one is appointed, in the presence of a data protection specialist.
The inspection agrees in advance with the time of the visit of the legal or natural person and those present
persons. During the inspection, the legal or natural person can also invite legal, financial or IT

consultant or lawyer. Cases should be distinguished when the Inspection establishes a fact (for example
location of the video camera) or wants to get an explanation from the relevant legal or
Natural persons. If the Inspection needs to establish a fact, it should be done by an authorized representative
presence, on the other hand, if it is necessary to obtain information, documents and explanations from the legal department
persons, it must be done in the presence of an authorized representative or a data protection specialist. By doing
unplanned inspection or forced entry into the premises, the Inspection does not warn of its arrival, but it has

a judge's permission must be obtained." Accordingly, according to the annotation of the Data Law, the Inspectorate has the right to perform
unscheduled inspection only with the permission of the judge. The Data Act does not specify procedures or exceptions
this requirement, in addition, this requirement applies to all unplanned inspections performed by the Inspectorate.
In addition, according to the annotation of the draft law, the concepts of "unplanned inspection" and "forced
entering the premises", therefore, in the case of an unplanned inspection, are not covered by the Inspection Decision
the mentioned cases that the teenager's permission is required only in cases where public authority is exercised
implementation, but also for unplanned inspections as such.

      Regarding the mentioned argument, the Director of the Inspection states that AQUAPHOTO is unfounded
refers to the information contained in the annotation of the draft law "Personal Data Processing Law".
to the tests. The aforementioned draft law was clarified in the Saeima by deleting from it the regulation on
Inspection officials, based on the judge's decision, have the right to be in the presence of the police without
prior warning to enter the property, possession or use of the controller or processor
in uninhabitable premises, apartments, buildings and other immovable objects, opening them and those in them
storage facilities, to perform a forced search of these facilities and the storage facilities in them and in the mentioned facilities

and belongings and documents in storage facilities (including in the electronic information system - computers,
on diskettes and other information media - viewing of messages (data) stored. Argument referred to
AQUAPHOTO, refers to the drafting of the law, which was not adopted, so it cannot be considered
as justified and in accordance with the current regulatory framework. Namely, currently Data Law 12

does not regulate the issue of various types of tests and obtaining the judge's permission for certain ones at all
types of testing. In addition, the regulation described in the annotation referred to entry by the manager
in real estate, which is not a publicly accessible space, and where other private persons have access
limited. On the other hand, Livu Aquapark is a place where any resident can enter and be without

restrictions. Similarly, in the digital environment, Livu Aquapark has a website that can be visited
any internet user, including an Inspection official. The inspection does not require the manager's permission
and there is no need to inform the administrator that the Inspection Officer will visit the administrator's website.
      [5.3.] In AQUAPHOTO's opinion, it does not matter that the premises of Livu Aquaparks are publicly available, because,
even if these premises are available to Livu Aquaparks visitors for the purposes of their commercial activities,
they are not public spaces, as would be the case with a public park, street or other public space, with

it, the Inspection would also need to comply with the procedures established by the Data Law.
      Regarding this argument, the Director of the Inspection states that the second part of Article 110 of the AAL stipulates,
that areas or premises not accessible to the public (that is, places where you cannot enter or stay without
consent of the owner, possessor or holder) and inspection of the belongings in them can be done with the owner
consent of the (owner, keeper) or the decision of the judge of the district (city) court, adopted on the basis of
to the official's application and the attached materials. Hence, AAL is explained
the question of what is considered a non-public space that requires viewing

judge's decision. In the view of the inspection, the premises of Livu Aquaparks, which are available to visitors,
does not correspond to the given explanation and a judge's decision is not necessary for the inspection of such premises.
      [5.4.] AQUAPHOTO believes that in the specific situation, the Inspection, using fraud,
without coordinating actions with the court and using their powers as Inspection officials, undertook
for natural persons and arrived at AQUAPHOTO's business premises, where he conducted a covert operation
investigation and asked questions of AQUAPHOTO employees using a deception which is in nature
shall be considered a check in accordance with the provisions of the Data Law. An ordinary water park

the visitor receiving AQUAPHOTO services would not mislead about the persons with whom
visited the amusement park, as well as in other ways would not engage in misleading activities, as performed by the Inspections
officials.
      In the opinion of the Director of the Inspection, AQUAPHOTO's argument that the Inspections
officials have fraudulently carried out the specific inspection using their authority. Said statement
does not contain information on exactly how the officials used their powers. In addition, officials who

carried out this inspection, did not initiate administrative infringement proceedings against AQUAPHOTO.
      Regarding the fact that officials deliberately misled AQUAPHOTO employees about
to the persons with whom he visited the Livu Aquaparks premises, it is indicated that none of the documents in the Case
adult visitors to Livu Aquaparks are not obliged to inform AQUAPHOTO about
for persons with whom Livu Aquaparks premises are visited. The official AQUAPHOTO employee had
provided the information that she was alone, therefore based on the mentioned information and above
The information provided by AQUAPHOTO representatives, recorded in the procedural actions of April 6, 2023

protocol no. [..] 7. in point 7: "The photos taken in Jakadana show other water
theme park visitors, including with a red wristband, then such photos are immediately deleted and
does not go to the photo processing server for selection", a photo with multiple people at all
could not be sold to an official.
      Taking into account the arguments contained in paragraph [5] of this decision, as well as in paragraph [2.9.6] of this decision
Based on the arguments given by the official, the Director of the Inspection concludes that the Inspection official
The test performed on May 20, 2023 may be used as evidence in the Case.


      Evaluating the circumstances of the Case, the evidence provided by AQUAPHOTO, the Decision and the Complaint,
The director of the inspection concludes that the inspection officer has justified AQUAPHOTO in the decision
Article 835 of the Data Regulation. 13 of the administrative offense provided for in sub-paragraphs a) and b).

making, applying an administrative fine of AQUAPHOTO EUR 1000.00 (one thousand euros,
00 cents).

      Taking into account the above and in accordance with Article 132, Article 168 of the Law on Administrative Responsibility

first part, Article 172 and Article 173, first part, paragraph 1, Director of Inspection

                                                decided

      leave the decision of December 15, 2023 no. [..] "On the application of punishment" would not change, but
to reject the complaint of limited liability company "AQUAPHOTO".


      The fine shall be paid in full no later than one month from the date of entry into force of this decision
      the day of entry into any banking institution or after the deadline for voluntary execution of the fine
      end of this decision in accordance with Articles 262 and 269 of the Law on Administrative Responsibility
      will be immediately handed over to a sworn bailiff for enforcement.

      Details for paying a fine:

      Beneficiary: State Treasury
      Registration No.: 90000050138
      Account no.: LV69TREL1060191019200
      Beneficiary BIC code: TRELLV22
      Notes: Indicate the number of this decision.

      The fine applied in the process of the administrative violation will be reimbursed

procedural costs and damages to natural resources can be paid on the portal www.latvija.lv,
using the e-service Administrative fines check and payment.

      Please note that, in accordance with Article 568 of the Civil Procedure Law, voluntary execution of the decision
after the enforcement document is submitted for enforcement, I will not be released from the obligation to compensate
execution costs to the bailiff.

      At the same time, we inform you that the limited liability company "AQUAPHOTO", respecting
The Inspectorate has the right to request the first, second and third part of Article 266 of the Law on Administrative Responsibility
postpone the execution of the fine for a period of up to one month or divide the fine into parts, if any
objective circumstances due to which the full amount of the fine is not possible within the term of voluntary execution
execute the sentence decision.
      According to Article 184 of the Law on Administrative Responsibility. the first part of the article and the first and third articles of Article 186
part of these decisions can be appealed by limited liability company "AQUAPHOTO" within 10 working days

from the day when the decision in the case of an administrative offense was announced in the district (city) court following a complaint
address of residence declared by the applicant when submitting a complaint to the Data State Inspectorate (Elijas Street 17,
Riga, LV-1050), curator's working day after the end of the deadline for submitting a complaint, complaints and matters
materials are sent to the district (city) court after jurisdiction.

Director
                                                                                        J. Macuka

[..]