AKI (Estonia) - 2.1.-1/23/2891-5: Difference between revisions
Norman.aasma (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Estonia |DPA-BG-Color= |DPAlogo=LogoEE.png |DPA_Abbrevation=AKI |DPA_With_Country=AKI (Estonia) |Case_Number_Name=2.1.-1/23/2891-5 |ECLI= |Or...") |
No edit summary |
||
Line 76: | Line 76: | ||
The DPA held that on the basis of [[Article 4 GDPR#7|Article 4(7) GDPR]], the controller determines the purposes for which the personal data are processed (group name, rules) and means (choice of social media platform, public group), then it is the controller, who is responsible for ensuring that the disclosure of data in that group is lawful. The DPA highlighted that under [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]], processing of personal data is lawful only where the data subject has given his or her consent to the processing of his or her personal data for one or more of the following purposes listed under the provision. In the current case, the DPA held that the controller has not provided evidence that there is the consent of the data subject for the disclosure of personal data nor there is evidence provided that the consent of the data is in accordance with the conditions set out in Article 4(11) of the GDPR. | The DPA held that on the basis of [[Article 4 GDPR#7|Article 4(7) GDPR]], the controller determines the purposes for which the personal data are processed (group name, rules) and means (choice of social media platform, public group), then it is the controller, who is responsible for ensuring that the disclosure of data in that group is lawful. The DPA highlighted that under [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]], processing of personal data is lawful only where the data subject has given his or her consent to the processing of his or her personal data for one or more of the following purposes listed under the provision. In the current case, the DPA held that the controller has not provided evidence that there is the consent of the data subject for the disclosure of personal data nor there is evidence provided that the consent of the data is in accordance with the conditions set out in Article 4(11) of the GDPR. | ||
requirements. | requirements. | ||
The DPA also reminded that according to Article 6(1)(f), processing of personal data on the basis of a legitimate interest, the data processor must ensure that the purposes for which the personal data are processed override the rights and freedoms of the data subject. However, in the current scenario, the processing of personal data for the sole purpose of the public alert is not legitimate on the basis of legitimate interest. Furthermore, the controller has not provided the DPA with a legitimate interest analysis in the processing of personal data. | The DPA also reminded that according to Article 6(1)(f), processing of personal data on the basis of a legitimate interest, the data processor must ensure that the purposes for which the personal data are processed override the rights and freedoms of the data subject. However, in the current scenario, the processing of personal data for the sole purpose of the public alert is not legitimate on the basis of legitimate interest. Furthermore, the controller has not provided the DPA with a legitimate interest analysis in the processing of personal data. | ||
At the same time, the DPA noted that in addition to legal basis of [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]], it is possible to publish the personal data of debtors on the basis of Personal Data Protection Act Article 10 according to which, in the event of a breach of an obligation. | At the same time, the DPA noted that in addition to legal basis of [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]], it is possible to publish the personal data of debtors on the basis of Personal Data Protection Act Article 10 according to which, in the event of a breach of an obligation. | ||
the disclosure to a third party of personal data relating to the breach of the obligation and the processing of the data transmitted. | the disclosure to a third party of personal data relating to the breach of the obligation and the processing of the data transmitted. | ||
by a third party is lawful for the purposes of assessing the creditworthiness of the data subject or for any other similar purpose, but only if three conditions are met: | by a third party is lawful for the purposes of assessing the creditworthiness of the data subject or for any other similar purpose, but only if three conditions are met: | ||
1) the data controller has verified that there is a legal basis for the transfer; | 1) the data controller has verified that there is a legal basis for the transfer; | ||
2) the data controller has verified the accuracy of the data; | 2) the data controller has verified the accuracy of the data; | ||
3) the data transfer has been recorded (keeping a record of to whom and what the data was transferred). | 3) the data transfer has been recorded (keeping a record of to whom and what the data was transferred). | ||
The DPA held that the controller had not checked the legal basis for transferring of personal data. As the debt data was published in the public domain, the controller was not able to control who can actually see the data, and therefore whether the recipient of the data has the necessary legal basis. Thus, it was not possible to rely on Article 10 of the Personal Data Protection Act for processing. The publishing of such dept data could not be done also for the purpose of public interest as the public interest criterion was not met and that would have required compliance with the code of journalistic ethics, which was not complied with in the case. | The DPA held that the controller had not checked the legal basis for transferring of personal data. As the debt data was published in the public domain, the controller was not able to control who can actually see the data, and therefore whether the recipient of the data has the necessary legal basis. Thus, it was not possible to rely on Article 10 of the Personal Data Protection Act for processing. The publishing of such dept data could not be done also for the purpose of public interest as the public interest criterion was not met and that would have required compliance with the code of journalistic ethics, which was not complied with in the case. | ||
The DPA held that the controller is therefore required to cease the disclosure of other people's posts containing personal data in the Facebook group 'XXX'. | The DPA held that the controller is therefore required to cease the disclosure of other people's posts containing personal data in the Facebook group 'XXX'. | ||
Revision as of 09:36, 18 April 2023
AKI - 2.1.-1/23/2891-5 | |
---|---|
Authority: | AKI (Estonia) |
Jurisdiction: | Estonia |
Relevant Law: | Article 6(1)(a) GDPR Article 6(1)(f) GDPR § 10 IKS § 4 IKS |
Type: | Other |
Outcome: | n/a |
Started: | 26.01.2023 |
Decided: | 10.03.2023 |
Published: | 12.04.2023 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 2.1.-1/23/2891-5 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Estonian |
Original Source: | Andmekaitse Inspektsioon (in ET) |
Initial Contributor: | Norman Aasma |
Estonian Data Protection Authority held that disclosure of personal data of debtors in a public Facebook group without legal basis is unlawful
English Summary
Facts
The Estonian DPA received a complaint in regard to the disclosure of private debt data in the Facebook group "XXX" (here controller). After receiving the complaint, the DPA launched its investigation into the matter. The investigation concerns a Facebook group, where the group members are making posts which include the personal data of other people. The aim of some of the posts has been to warn other people to avoid transacting with individuals, whose personal information is being disclosed in the posts. At the same time, certain posts are made with the purpose to influence the debtor and put pressure on the debtor to pay the debt. Due to the fact that the controller made the Facebook group public, personal data that is published there has been available to everyone without any restrictions. In February 2023, the DPA made a proposal to the controller to stop the publication of postings containing personal data on a Facebook group "XXX" that the controller manages. The controller had a talk with the DPA, but the proposal has not been complied with by the controller.
Holding
The DPA held that on the basis of Article 4(7) GDPR, the controller determines the purposes for which the personal data are processed (group name, rules) and means (choice of social media platform, public group), then it is the controller, who is responsible for ensuring that the disclosure of data in that group is lawful. The DPA highlighted that under Article 6(1)(a) GDPR, processing of personal data is lawful only where the data subject has given his or her consent to the processing of his or her personal data for one or more of the following purposes listed under the provision. In the current case, the DPA held that the controller has not provided evidence that there is the consent of the data subject for the disclosure of personal data nor there is evidence provided that the consent of the data is in accordance with the conditions set out in Article 4(11) of the GDPR. requirements.
The DPA also reminded that according to Article 6(1)(f), processing of personal data on the basis of a legitimate interest, the data processor must ensure that the purposes for which the personal data are processed override the rights and freedoms of the data subject. However, in the current scenario, the processing of personal data for the sole purpose of the public alert is not legitimate on the basis of legitimate interest. Furthermore, the controller has not provided the DPA with a legitimate interest analysis in the processing of personal data.
At the same time, the DPA noted that in addition to legal basis of Article 6(1)(f) GDPR, it is possible to publish the personal data of debtors on the basis of Personal Data Protection Act Article 10 according to which, in the event of a breach of an obligation. the disclosure to a third party of personal data relating to the breach of the obligation and the processing of the data transmitted. by a third party is lawful for the purposes of assessing the creditworthiness of the data subject or for any other similar purpose, but only if three conditions are met:
1) the data controller has verified that there is a legal basis for the transfer;
2) the data controller has verified the accuracy of the data;
3) the data transfer has been recorded (keeping a record of to whom and what the data was transferred).
The DPA held that the controller had not checked the legal basis for transferring of personal data. As the debt data was published in the public domain, the controller was not able to control who can actually see the data, and therefore whether the recipient of the data has the necessary legal basis. Thus, it was not possible to rely on Article 10 of the Personal Data Protection Act for processing. The publishing of such dept data could not be done also for the purpose of public interest as the public interest criterion was not met and that would have required compliance with the code of journalistic ethics, which was not complied with in the case.
The DPA held that the controller is therefore required to cease the disclosure of other people's posts containing personal data in the Facebook group 'XXX'.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Estonian original. Please refer to the Estonian original for more details.
PRIVACY PROTECTION AGAINST STATE TRANSPARENCY PRESCRIPTION WARNING personal data protection case no. 2.1.-1/23/2891-5 Alissa Hmelnitskaja, lawyer of the Data Protection Inspectorate, issued the order Time of prescription and place 10.03.2023 in Tallinn Addressee of the prescription - XXX e-mail address of the personal data processor: XXX RESOLUTION: § 56 subsection 1, subsection 2 point 8, § 58 subsection 1, § 10 of the Personal Data Protection Act (IKS) and Article 58 paragraph 1 point d and paragraph 2 of the General Regulation on Personal Data Protection (GPR). on the basis of clauses f and g, as well as taking into account Article 6 of the IKÜM, Data Protection does Inspection to fulfill the mandatory prescription: 1. Terminate the Facebook group "XXX" managed by XXX, without IKÜM Article 6 Disclosure of other people's personal data without consent in accordance with subsection 1 point a. I set 24.03.2023 as the deadline for fulfilling the injunction. Report the fulfillment of the prescription by this deadline at the latest to the e-mail address of the Data Protection Inspectorate at info@aki.ee. DISPUTE REFERENCE: This order can be challenged within 30 days by submitting either: - a complaint to the Data Protection Inspectorate under the Administrative Procedure Act or - a complaint to the administrative court according to the Code of Administrative Court Procedure (in this case it is no longer possible to review the argument in the same matter). Challenging an injunction does not suspend the obligation to fulfill it or the measures necessary for its fulfillment implementation. EXTORTION WARNING: If the injunction has not been fulfilled by the set deadline, the Data Protection Inspectorate will determine to the addressee of the injunction on the basis of § 60 of the Personal Data Protection Act: A fine of 1,500 euros. A fine may be imposed repeatedly - until the injunction is fulfilled. If the recipient does not pay extortion money, it is forwarded to the bailiff to start enforcement proceedings. In this case, they are added bailiff's fee and other enforcement costs for the enforcement money. VIOLATION PENALTY WARNING: Protection of personal data against failure to comply with the injunction pursuant to Article 58 (2) of the General Regulation misdemeanor proceedings may be initiated based on § 69 of the Personal Data Protection Act. For this act a natural person may be fined up to 20,000,000 euros and a legal person Tatari tn 39 / 10134 Tallinn / 627 4135 / info@aki.ee / www.aki.ee Registration code 70004235 may be punished with a fine of up to 20,000,000 euros or up to 4 percent of his previous of the total worldwide annual turnover of the financial year, whichever is the amount bigger. The out-of-court procedure for a misdemeanor is the Data Protection Inspectorate. FACTUAL CIRCUMSTANCES: In the proceedings of the Data Protection Inspectorate (AKI) there is a person's complaint regarding the debt data of private individuals with disclosure in the Facebook group "XXX". Therefore, AKI initiated the supervision procedure. As part of the supervision procedure, on 26.01.2023 AKI made XXX (hereinafter also the data processor or controller) proposal in personal data protection case no. 2.1.-1/23/2891-2, the content of which was the following: "stop disclosing posts containing personal data in your managed in the Facebook group "XXX". The deadline for responding to the proposal was 10.02.2023. In the proposal drew the attention of the AKI, among others, to the possibility of making an injunction and imposing a fine and to the right to file a case before issuing an administrative act in accordance with § 40 (1) of the Administrative Procedure Act about your opinion and objections. The data processor has received AKI's proposal and on 09.02.2023 expressed a desire to chat with the official. The conversation took place on 15.02.2023 by telephone, during which the official gave further clarifications on the proposal. As of 10.03.2023, the data processor is not AKI completed the proposal. GROUNDS FOR DATA PROTECTION INSPECTION: Pursuant to article 4 point 1 of ICYM, personal data is any information identified or about an identifiable natural person (data subject). An identifiable natural person is a person who can to identify directly or indirectly, in particular on the basis of an identification feature such as a name, personal code, location information; but also one or more physical, physiological of this natural person based on the feature. Therefore, personal data also includes a person's name, image and other information that enables identification. In this case, it is a public Facebook group in which other people's actions are made posts containing personal data. In the case of certain posts, it is a matter of warnings, perhaps the purpose of the post is to warn other people to avoid entering into transactions with persons, whose personal data is disclosed. At the same time, posts are also made in this group which the purpose is to influence the debtor and pressure the debtor to pay off the debt. Examples: 1) The post was made on 19.02.2023 at 13:02. On the computer network: XXX 2) The post was made on 19.02.2023 at 13:00. On the computer network: XXX 3) The post was made on 19.02.2023 at 13:06. On the computer network: XXX 4) The post was made on 19.02.2023 at 13:01. On the computer network: XXX 5) The post was made on 19.02.2023 at 13:06. On the computer network: XXX 6) Cont According to article 4 point 2 of the IKÜM, the processing of personal data is personal data or theirs an automated or non-automated operation or set of operations performed with sets, incl distributing them or otherwise making them available to the public. Article 4 point 7 of IKÜM states that the responsible processor is a natural or legal person, a public sector institution, agency or other body that, alone or together with others, determines purposes and means of personal data processing. Facebook has determined that the group the administrator (or data processor) has access to the Facebook group with full control. This means that the data processor can change the name of the group or its privacy settings, can delete posts and comments written about it. It follows that the contested As a Facebook group administrator, the data processor has the opportunity to change the name of the given group and delete posts made in the group and comments made about it. In addition, the data processor, as an administrator, has assigned the name of this group to "XXX" and is made this group public, which has clearly directed the discussion in the group (created a group for the purpose of allowing users to post on specific topics) and due to the fact that the data processor made the group public, personal data will be disclosed there unlimited for everyone. Taking into account the above, AKI considers that the data processor is in accordance with Article 4, Clause 7 of the IKÜM controller, as it determines the purposes of personal data processing (group name, rules) and tools (choice of social media platform, public group). Data processor as a group the administrator is responsible for ensuring that the disclosure of data is legal. The principles of personal data processing are set out in Article 5 of the IKÜM, which must be followed by the person in charge processor to follow, including the principle of legality. The processing of personal data is legal, if it corresponds to one of the legal grounds set out in Article 6 of the IKÜM (consent, performance of the contract, legal obligation, protection of vital interests, to fulfill a task in the public interest or for the exercise of public authority, legitimate interest). 1. IKYM article 6 paragraph 1 point a IKÜM Article 6(1)(a) states that the processing of personal data is legal only if if the data subject has given consent to process his personal data in one or more ways for a specific purpose. In article 4, clause 11 of the UNCLOS, consent is defined as "voluntary, specific, informed and an unequivocal statement of intent to which the data subject either in the form of a statement or express consent by expressing his consent to the processing of his personal data": a) The word "voluntary" means truly free choice and control for the data subject. In general, IKÜM stipulates that if the data subject does not have a real option if he feels compelled to consent or if he has to not consent failure to bear negative consequences, the consent is invalid. If consent is part of non-negotiable terms, shall not be deemed to have been voluntarily given. So no the consent shall be considered as consent given voluntarily if the data subject cannot be deprived of it refuse or withdraw consent without adverse consequences. b) "Specific" means that the consent of the data subject must be given "on one or for several specific purposes". According to IKÜM article 5 paragraph 1 point b precedes accurate, clear and lawful processing always planned for obtaining valid consent determining the goal. Necessity of specific consent together with Article 5 paragraph 1 by delimiting the purpose according to point b, prevent the purposes of data processing gradual expansion or obfuscation after the data subject has provided your consent to data collection. c) IKÜM strengthens the requirement that consent must be informed. On the basis of Article 5 of the Convention One of the basic principles is transparency, which is closely related to legality and justice with the principle. Providing information to data subjects before obtaining their consent is important to enable data subjects to make an informed decision, to understand what they agree, and for example exercise their right to withdraw consent. 1 Facebook Help Center: https://www.facebook.com/help/901690736606156; https://www.facebook.com/help/289207354498410?helpref=faq_content 2Similarly, in decision C-210/16, the European Court has concluded that the administrator of the Facebook page is responsible processor within the meaning of Article 2 point d of Directive 95/46. d) It is clearly stated in IKÜM that a statement from the data subject is required for consent or a clear action expressing consent, which means that it must always be given by taking active steps or providing confirmation. It should be obvious that the data subject has consented to the specific processing. Silence of the data subject or inaction and merely continuing to use the service cannot be considered an active choice to do. In addition, the controller must keep in mind that the obligation to prove consent lies precisely on him. As a result of the above, the controller cannot rely on IKÜ Article 6(1)(a) because has not provided AKI with proof that personal data is disclosed to the data subject with consent and that the consent is valid in accordance with the provisions of article 4, clause 11 of the IKÜM requirements. 2. IKYM article 6 paragraph 1 p f IKÜM article 6 paragraph 1 point f, i.e. personal data processing on the basis of legitimate interest the data processor must be convinced that the purpose of personal data processing is more compelling than the rights and freedoms of the data subject and articles 21 (right to object) and 17 of the IKÜM (right to deletion of data) the processing of personal data must be terminated if the data processor is unable to prove that the processing is for a compelling legitimate reason that weighs the interests, rights and freedoms of the data subject. Processing of personal data on the basis of legitimate interest must be preceded by the data processor the analysis carried out in terms of the legitimate interest and importance of the data processor and third parties, analysis and subsequent weighing of the rights and interests of the data subject and their weighting between the interests of the data processor and the data subject. 3 AKI is of the opinion that the processing of personal data for the mere purpose of public warning is not legitimate on the basis of legitimate interest. In addition, the data controller is not entitled to the AKI interest analysis. 3. IKS § 10 In addition to the legal bases mentioned in Article 6 of the IKÜM, it is possible for debtors to disclose data, rely on IKS § 10, which stipulates that with a breach of a debt relationship disclosure of related personal data to a third party and processing of transmitted data a third party is allowed to assess the creditworthiness of the data subject or otherwise for the same purpose and only if all three conditions are met: 1) the data processor has verified that there is a legal basis for data transmission; 2) the data processor has checked the correctness of the data; 3) the data transmission is registered (keeping information about who and what was transmitted). In this case, according to AKI, the presumption that the data controller would have checked has not been met legal basis for the transfer of personal data. However, the controller has disclosed debt data in unlimited public view, which means that the data controller cannot to check who can see the data and therefore also check whether the recipient of the data has legal basis. In addition, according to IKS § 10 (2) point 3, the processing of a person's debt data (including on Facebook) 3 AKI Guide to Legitimate Interest, page 6. Available on the computer network: https://www.aki.ee/sites/default/files/dokumendid/oigudustu_huvi_juhend_aki_26.05.2020.pdfallowed if it would excessively harm the rights and freedoms of the data subject. So it comes the data processor must assess whether the right of the data is based on the circumstances of each specific case to the processing outweighs the interference caused to the privacy of the person or not. AKI is of the opinion that in this case the disclosure of personal data of different people is large-scale, as it is carried out via the Internet (including Facebook). Internet data disclosure increases people's vulnerability, as the given environment is sometimes uncontrollable and it is not possible to identify who has received information related to personal data and what is doing with it forward with the information. Therefore, on the basis of § 10 of the IKS, the requirements for disclosure of personal data are not met. 4. IKS § 4 In certain cases, there may be a journalistic justification for disclosing some people's data for the purpose. According to IKS § 4, personal data may be processed without the data subject's consent for journalistic purposes, in particular to disclose in the media, if there is a public interest and that is in line with the principles of journalistic ethics. Disclosure of personal data may not be excessive harm the rights of the data subject. In order to disclose personal data on the basis of § 4 of the IKS, three conditions must be met: 1. there is a public interest in the disclosure of personal data; 2. the disclosure is in accordance with the rules of journalistic ethics; 3. the disclosure of personal data must not excessively harm the rights of the data subject. According to AKI, the criterion of public interest is not met in this case. Public interest the existence can be confirmed if the topic raised and personal data disclosed contribute to debate in a democratic society. The latter could be the case, for example, if a published opinion piece, for example, about why loans are taken lightly in Facebook groups in Estonia are taken and, on the contrary, loans are given, but the disclosure of personal data of individual debtors such does not have the driving force of the discussion. Also, the data processor has not proven to AKI that the code of journalistic ethics has been met requirements, because the data subject is not heard before publishing the debt data (p. of the Code). 4.2) and he is not given the opportunity to submit an objection (p. 5 of the Code). AKI is of the opinion that data processing is accompanied by an obvious inviolability of the privacy of data subjects interference, which, in addition to the lack of a legal basis, is also excessive considering the composition of the data. For example, it is not legal to disclose photos of the debtor or other people, held with the person(s). complete extracts of conversations, etc. Since the criteria for the application of IKS § 4 have not been met, personal data cannot be obtained on the basis of IKS § 4 to disclose. AKI notes that in the case of payment defaults, it must be borne in mind that in the event of arrears, there will be in order to achieve payment of the debt, the creditor can primarily use § 101 of the Law of Obligations Act listed legal remedies, one of which is to demand the performance of an obligation. of persons the publication of payment default data is not only a pressure measure to achieve payment of the debt permissible. Taking the above into account, AKI is of the opinion that in this case other people There is no disclosure of personal data referred to in Article 6, paragraph 1 of the IKÜM legal grounds and the data processor has not proven to AKI that the data the legal basis for disclosure comes from IKS § 10. Personal data has been processed without any legal basis, therefore the controller must stop the processing of other people's disclosure of posts containing personal data in the Facebook group "XXX". According to IKS § 58 paragraph 1 and IKÜ Article 58 paragraph 2 points f and g, the inspection has the right to issue an order to limit the processing of personal data. Considering that in a particular case the personal data of natural persons is disclosed illegally and that the responsible processor is not fulfilled the AKI's proposal of 26.01.2023, the AKI considers that making a mandatory injunction given in the matter, it is necessary to end the offense as soon as possible. (signed digitally) Alissa Khmelnitskaya lawyer on the authority of the Director General