IDPC (Malta) - CDP/54/2023: Difference between revisions
(Thank you very much for this summary -- this is excellently written and very well-organised. I appreciate your work on this : )) |
mNo edit summary |
||
Line 72: | Line 72: | ||
=== Facts === | === Facts === | ||
On 1 April 2023 the controller posted a publicly accessible video about a | On 1 April 2023 the controller posted a publicly accessible video about a complaint, filed at a Maltese court, on their Facebook page. The video contained information relating to 26 data subjects. | ||
The Maltese DPA (IDPC) requested the controller to submit their comments on the publication of the video. The controller argued that they only published the video because the | The Maltese DPA (IDPC) requested the controller to submit their comments on the publication of the video. The controller argued that they only published the video because the complaint filed in court was made public as well. The controller argued that the data subjects made the details public themselves, as the complaint being made public would make the personal information of the data subjects accessible for everyone. Further, the controller stated, the subject of the complaint was of civil and not criminal nature and would hence be accessible to everyone even if one is not a party to the action. | ||
=== Holding === | === Holding === | ||
First, the IDPC assessed whether the data contained in the | First, the IDPC assessed whether the data contained in the controller´s video was personal data. It concluded that it was personal data according to [[Article 4 GDPR#1|Article 4(1) GDPR]] because the video published by the controller shows the full names and identity card numbers of 26 data subjects. This information leads to the identification of the data subjects and thus constitutes personal data. | ||
Second, the IDPC stated that | Second, the IDPC stated that the dissemination of personal data to the public is an act of processing according to [[Article 4 GDPR#2|Article 4(2) GDPR]] and thus requires a legal basis according to [[Article 6 GDPR#1|Article 6(1) GDPR]] and comply with [[Article 5 GDPR|Article 5 GDPR]]. The controller did not give information about what legal basis according to [[Article 6 GDPR#1|Article 6(1) GDPR]] it based the distribution of the video on. Therefore, the controller did not comply with the principle of accountability pursuant to [[Article 5 GDPR#2|Article 5(2) GDPR]]. | ||
Third, the argument that the | Third, the argument that the complaint was of a civil nature which allowed the controller to publish it was dismissed by the IDPC because there would still need to be a legal basis in order to process the personal data. The controller also should have informed the data subjects of the processing, particularly about the source of the personal data according to [[Article 14 GDPR#2f|Article 14(2)(f) GDPR]]. | ||
Fourth, the IDPC held that under [https://idpc.org.mt/wp-content/uploads/2020/07/CAP-586.pdf Article 8 of the Maltese Data Protection Act], the processing of identity cards warrants heightened protection. In particular, the provision states that "national identity number or any other identifier of general application shall be used only under appropriate safeguards for the rights and freedoms of the data subject pursuant to the Regulation." The IDPC interpreted this to mean that identity card information could only be processed if absolutely necessary, which was not the case here. | Fourth, the IDPC held that under [https://idpc.org.mt/wp-content/uploads/2020/07/CAP-586.pdf Article 8 of the Maltese Data Protection Act], the processing of identity cards warrants heightened protection. In particular, the provision states that "national identity number or any other identifier of general application shall be used only under appropriate safeguards for the rights and freedoms of the data subject pursuant to the Regulation." The IDPC interpreted this to mean that identity card information could only be processed if absolutely necessary, which was not the case here. | ||
Lastly, | Lastly, the IDPC addressed the controller´s argument that news outlets published information on the complaint, which did not contain personal data. The IDPC concluded that the fact that the media published such a news article in relation to the case does not give the controller a right to make the data subjects' personal data public. | ||
The IDPC reprimanded the controller and ordered them to remove all personal data contained in the video. | The IDPC reprimanded the controller for violating Article 6(1) GDPR and ordered them to remove all personal data contained in the video. | ||
== Comment == | == Comment == |
Revision as of 13:34, 7 May 2024
IDPC - CDP/54/2023 | |
---|---|
Authority: | IDPC (Malta) |
Jurisdiction: | Malta |
Relevant Law: | Article 4(1) GDPR Article 5(2) GDPR Article 6(1) GDPR Article 14(2)(f) GDPR Article 8 Data Protection Act |
Type: | Other |
Outcome: | n/a |
Started: | |
Decided: | |
Published: | 15.01.2024 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | CDP/54/2023 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | English |
Original Source: | IDPC (in EN) |
Initial Contributor: | nho23 |
The DPA reprimanded a controller for distributing personal data of 26 data subjects via a Facebook video because they failed to provide a legal basis according to Article 6(1) GDPR.
English Summary
Facts
On 1 April 2023 the controller posted a publicly accessible video about a complaint, filed at a Maltese court, on their Facebook page. The video contained information relating to 26 data subjects.
The Maltese DPA (IDPC) requested the controller to submit their comments on the publication of the video. The controller argued that they only published the video because the complaint filed in court was made public as well. The controller argued that the data subjects made the details public themselves, as the complaint being made public would make the personal information of the data subjects accessible for everyone. Further, the controller stated, the subject of the complaint was of civil and not criminal nature and would hence be accessible to everyone even if one is not a party to the action.
Holding
First, the IDPC assessed whether the data contained in the controller´s video was personal data. It concluded that it was personal data according to Article 4(1) GDPR because the video published by the controller shows the full names and identity card numbers of 26 data subjects. This information leads to the identification of the data subjects and thus constitutes personal data.
Second, the IDPC stated that the dissemination of personal data to the public is an act of processing according to Article 4(2) GDPR and thus requires a legal basis according to Article 6(1) GDPR and comply with Article 5 GDPR. The controller did not give information about what legal basis according to Article 6(1) GDPR it based the distribution of the video on. Therefore, the controller did not comply with the principle of accountability pursuant to Article 5(2) GDPR.
Third, the argument that the complaint was of a civil nature which allowed the controller to publish it was dismissed by the IDPC because there would still need to be a legal basis in order to process the personal data. The controller also should have informed the data subjects of the processing, particularly about the source of the personal data according to Article 14(2)(f) GDPR.
Fourth, the IDPC held that under Article 8 of the Maltese Data Protection Act, the processing of identity cards warrants heightened protection. In particular, the provision states that "national identity number or any other identifier of general application shall be used only under appropriate safeguards for the rights and freedoms of the data subject pursuant to the Regulation." The IDPC interpreted this to mean that identity card information could only be processed if absolutely necessary, which was not the case here.
Lastly, the IDPC addressed the controller´s argument that news outlets published information on the complaint, which did not contain personal data. The IDPC concluded that the fact that the media published such a news article in relation to the case does not give the controller a right to make the data subjects' personal data public.
The IDPC reprimanded the controller for violating Article 6(1) GDPR and ordered them to remove all personal data contained in the video.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
ease Our Ref: CDP/54/2023 15" January 2024 The Managing Director Sent by registered mail only. FACTS OF THE CASE |. On the 1* April 2023 Fr ti—<‘i‘ié«*éd “controller”) posted a video on its Facebook page iit 5 1. 2 oe which contained information in relation to twentysix (26) data subjects. The video captioned as: (Sas es) is made publicly available. INVESTIGATION 2. Pursuant to article 58(1)(a) of the Regulation and the investigative procedure of this Office, the Information and Data Protection Commissioner (the “Commissioner”) requested the controller to provide its submissions in relation to the publication of this video on its Facebook page. 3. By means of a letter dated the 20 July 2023, the controller submitted the following salient arguments in relation to this case: a. that as explained in the video itself, the video was published publicly solely due to the fact that the judicial protest filed in Court was made public, and’indeed, the controller strongly believes that the judicial protest was either leaked to the media or the media was tipped off; alge Aelig a Seen oe) last accessed by this Office on the 15" January 2024. Ainways House, Second Floor = & [+356] 2328 7100 Page 1 of 6 High Street, Sliema SLM 1549 =) idpcinfo@idpc.arg.mt MALTA. = wwwidpc.org.mt that whilst it is true that judicial protests are accessible to the general public, several acts are filed daily in the Court Registry, and therefore, it is impossible that the media is aware of all the acts filed daily in the Court Registry; that additionally, news portals, such as the Times of Malta’, published articles with details regarding the judicial protest on the very same day that the judicial protest was filed tn Court on the 30" March 2023:: that as a matter of fact, the controller became aware of the judicial protest and its contents from the media before it was actually notified by the Court officials on the 6" April 2023+, and therefore, this led the controller to conclude that the details of the judicial protest were made public by the data subjects themselves; that the judicial protest can be obtained by anyone from the Court Registry and this means that just like the content of the rest of the judicial letter, the identity card numbers of all the data subjects can be easily attained by the public; and that acts relating to an action which is of a civil nature, unlike those of a criminal nature, are accessible by the general public, which means that one does not need to be a party to the action to be able to have access to such acts and information contained within, and, consequently, any information relayed by the controller in the video is not confidential information, and the disclosure of such information cannot be interpreted as a breach of the data protection principles. LEGAL ANALYSIS AND DECISION 4. For the purpose of this legal analysis, the Commissioner sought to examine the personal data contained in the video published by the controller on its Facebook page on ee) ap. Article 4(1) of the Regulation defines ‘personal data’ as ‘any information relating to an identified or identifiable natural person’. Based on the settled case-law of the Court of Justice ‘January 2 The link was last accessed by this Office J24. * The controller submitted an extract from the online system of the Court Registry, which demonstrates that the judicial protest was filed on the 30" March 2023. * The controller submitted an extract from the online system of the Court Registry, which shows that the controller was notified by the judicial protest on the 6" April 2023. Ainways House, Second Floor High Street, Sliema SLM 1549 MALTA. \ (+356) 2328 7100 Page 2 of 6 & idpcinfo@idpc.org.mt = wwwiidecorg.mt id9 JL. AACN ANE CATS OW LOMMINE ONE= of the European Union’, the definition of ‘personal data’ should be interpreted as broadly as possible. The video contains the names, sumames, and identity card numbers of twenty-six (26) data subjects. The full names of the data subjects coupled with the identity card numbers are identifiers which lead to the correct and certain identification of these individuals. In addition to this, the controller singled out three (3) specific individuals and published information which relates directly to them. Therefore, the information contained in the video constitutes ‘personal data” within the meaning of article 4(1) of the Regulation. The controller published the personal data pertaining to twenty-six (26) individuals on its social media page which are made accessible to an indeterminate number of people. The dissemination of personal data to the public is considered to be a processing operation in terms of article 4(2) of the Regulation, which falls within the material scope of the Regulation. This means that the processing operation conducted by the controller should have a legal basis in terms of article 6(1) of the Regulation and comply with the principles of the processing as held in article 5 of the Regulation. The processing of personal data is deemed lawful if it comes within one of the six grounds as mentioned in article 6(1) of the Regulation, which are as follows: (a) consent; (b) contract; (c) compliance with a legal obligation; (d) vital interest; (e) performance of a task carried out in the public interest or in the exercise of official authority vested in the controller: and (f) legitimate interest. In the present case, pursuant to the principle of accountability as set forth in article 5(2) of the Regulation, the controller should have been in a position to concretely demonstrate that the public dissemination of the video is based on at least one of the lawful bases held in article 6(1) of the Regulation. However, during the course of the investigation, the controller did not even attempt to justify the processing activity by citing any of these legal grounds. It even seemed to suggest that there is no legal requirement to comply with the provisions of the Regulation as the information loses its confidentiality when it may be accessed from publicly accessible sources. In its submissions, the controller argued that acts of a civil nature are public, and as a result, the processing of information which may be accessed from the Court Registry, does not constitute an infringement of the provisions of the Regulation. The Commissioner clarifies that this * C-434/16, Peter Nowak vs Data Protection Commissioner of the 20 December 2017 — “The use of the expression ‘any information’ in the definition of the concept of ‘personal data’, within Article 2(a} of Directive 93:46, reflects the aim of the EU legislature to assign a wide scope to that concept, which is not restricted to information that is sensitive or private, but potentially encompasses all kinds of information, not only abjective but also subjective, in the form of opinions and assessments. provided that it ‘relates’ to the data subject”. Page 3 of 6 IODC. reasoning is completely incorrect and should not serve as a justification or a blanket permission to enable the controller to reuse and further process personal data for its own purposes without having a valid lawful basis. In fact, the law provides that not only the controller should have a legal ground to process the data, but the controller should also inform the data subjects about the processing activity, particularly, the source from where the personal data originate, in order to ensure fair and transparent processing pursuant to the requirement held in article 14(2)(f) of the Regulation. 8. In addition, article 8 of the Data Protection Act (Cap. 586 of the Laws of Malta) provides heightened protection to the processing of an identity card number, which is an identifier that may be found in judicial acts. The proviso to article 8 states that “the national identity number or any other identifier of general application shall be used only under appropriate safeguards for the rights and freedoms of the data subject pursuant to the Regulation” [emphasis has been added]. The word ‘only’ emphasises that the identity card number should be processed where strictly necessary and subject to the appropriate data protection safeguards. In the present case, it is abundantly clear that the controller chose to publicly disseminate the personal data of many individuals in complete disregard of its obligations and the fundamental right to the protection of personal data of these individuals. 9. Lastly, the controller attempted to justify its processing activity by referring to a news article® which does not contain any personal data, but it reported on the matter in relation to the judicial protest filed by the data subjects. Whereas it is not clear the relevance of this argument raised by the controller, the fact that the media published a news article in relation to the case does not give the controller an automatic right to make publicly available the personal data of those individuals who filed the judicial protest. On the basis of the foregoing considerations, the Commissioner is deciding tbat the controller failed to demonstrate that its processing activity was based on at least one of the lawful bases held in article 6(1) of the Regulation. This therefore constitutes an infringement of article 6(1) of the Regulation. Consequently, by virtue of article 58(2)(b) of the Regulation, the controller is hereby served with a reprimand. In terms of article 58(2)(d) of the Regulation, the Commissioner is ordering the controller to remove all the personal data contained in the video, namely, all the information relating to the * Doc Al of the submissions provided by the controller. Page 4 of 6 d Je three (3) individuals who were singled out, and all the names, surnames and identity card numbers contained in the judicial protest. If this is not possible due to any reason whatsoever, the video shall be removed in its entirety. This order shall apply to all the platforms where the video might have been published or shared by the controller. The controller shall fully comply with this order without undue delay and by no later than twenty (20) days from the date of receipt of this legally binding decision. The Commissioner shall be informed of the action taken supported by evidence demonstrating compliance. Non-compliance with this order in full shall lead to the imposition of an administrative fine pursuant to article 83(6) of the Regulation. Page 5 of 6 IOC. Right of Appeal The controller is hereby being informed that in terms of article 26(1) of the Data Protection Act (Cap. 586 of the Laws of Malta), any person to whom a legally binding decision of the Commissioner is addressed, shall have the right to appeal to the Information and Data Protection Appeals Tribunal within twenty (20) days from the service of the said decision as provided in article 23 thereof. An appeal to the Tribunal shall be made in writing and addressed to “The Secretary, Information and Data Protection Appeals Tribunal, 158, Merchants Street, Valletta.” Page 6 of 6