IDPC (Malta) - CDP/54/2023: Difference between revisions

IDPC - CDP/54/2023
Authority:	IDPC (Malta)
Jurisdiction:	Malta
Relevant Law:	Article 4(1) GDPR Article 5(2) GDPR Article 6(1) GDPR Article 14(2)(f) GDPR Article 8 Data Protection Act
Type:	Other
Outcome:	n/a
Started:
Decided:
Published:	15.01.2024
Fine:	n/a
Parties:	n/a
National Case Number/Name:	CDP/54/2023
European Case Law Identifier:	n/a
Appeal:	Unknown
Original Language(s):	English
Original Source:	IDPC (in EN)
Initial Contributor:	nho23

The DPA reprimanded a controller for distributing personal data of 26 data subjects, which pertained to a publicly available civil complaint, via a Facebook video because it failed to provide a legal basis pursuant to Article 6(1) GDPR.

English Summary

Facts

On 1 April 2023 the controller posted a publicly accessible video about a complaint, filed at a Maltese court, on their Facebook page. The video contained information relating to 26 data subjects.

The Maltese DPA (IDPC) requested the controller to submit their comments on the publication of the video. The controller argued that they only published the video because the complaint filed in court was made public as well. The controller argued that the data subjects made the details public themselves, as the complaint being made public would make the personal information of the data subjects accessible for everyone. Further, the controller stated, the subject of the complaint was of civil and not criminal nature and would hence be accessible to everyone even if one is not a party to the action.

Holding

First, the IDPC assessed whether the data contained in the controller´s video was personal data. It concluded that it was personal data according to Article 4(1) GDPR because the video published by the controller shows the full names and identity card numbers of 26 data subjects. This information leads to the identification of the data subjects and thus constitutes personal data.

Second, the IDPC stated that the dissemination of personal data to the public is an act of processing according to Article 4(2) GDPR and thus requires a legal basis according to Article 6(1) GDPR and comply with Article 5 GDPR. The controller did not give information about what legal basis according to Article 6(1) GDPR it based the distribution of the video on. Therefore, the controller did not comply with the principle of accountability pursuant to Article 5(2) GDPR.

Third, the argument that the complaint was of a civil nature which allowed the controller to publish it was dismissed by the IDPC because there would still need to be a legal basis in order to process the personal data. The controller also should have informed the data subjects of the processing, particularly about the source of the personal data according to Article 14(2)(f) GDPR.

Fourth, the IDPC held that under Article 8 of the Maltese Data Protection Act, the processing of identity cards warrants heightened protection. In particular, the provision states that "national identity number or any other identifier of general application shall be used only under appropriate safeguards for the rights and freedoms of the data subject pursuant to the Regulation." The IDPC interpreted this to mean that identity card information could only be processed if absolutely necessary, which was not the case here.

Lastly, the IDPC addressed the controller´s argument that news outlets published information on the complaint, which did not contain personal data. The IDPC concluded that the fact that the media published such a news article in relation to the case does not give the controller a right to make the data subjects' personal data public.

The IDPC reprimanded the controller for violating Article 6(1) GDPR and ordered them to remove all personal data contained in the video.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

ease
Our Ref: CDP/54/2023
15" January 2024
The Managing Director
Sent by registered mail only.
FACTS OF THE CASE
|. On the 1* April 2023 Fr ti—<‘i‘ié«*éd “controller”) posted a video on its
Facebook page iit 5 1. 2 oe which contained information in relation to twentysix (26) data subjects. The video captioned as: (Sas es)
is made publicly available.
INVESTIGATION
2. Pursuant to article 58(1)(a) of the Regulation and the investigative procedure of this Office, the
Information and Data Protection Commissioner (the “Commissioner”) requested the controller
to provide its submissions in relation to the publication of this video on its Facebook page.
3. By means of a letter dated the 20 July 2023, the controller submitted the following salient
arguments in relation to this case:
a. that as explained in the video itself, the video was published publicly solely due to the
fact that the judicial protest filed in Court was made public, and’indeed, the controller
strongly believes that the judicial protest was either leaked to the media or the media
was tipped off;
alge Aelig a Seen oe) last accessed by this Office on the 15" January 2024.
Ainways House, Second Floor = & [+356] 2328 7100 Page 1 of 6
High Street, Sliema SLM 1549 =) idpcinfo@idpc.arg.mt
MALTA. = wwwidpc.org.mt
that whilst it is true that judicial protests are accessible to the general public, several
acts are filed daily in the Court Registry, and therefore, it is impossible that the media
is aware of all the acts filed daily in the Court Registry;
that additionally, news portals, such as the Times of Malta’, published articles with
details regarding the judicial protest on the very same day that the judicial protest was
filed tn Court on the 30" March 2023::
that as a matter of fact, the controller became aware of the judicial protest and its
contents from the media before it was actually notified by the Court officials on the 6"
April 2023+, and therefore, this led the controller to conclude that the details of the
judicial protest were made public by the data subjects themselves;
that the judicial protest can be obtained by anyone from the Court Registry and this
means that just like the content of the rest of the judicial letter, the identity card numbers
of all the data subjects can be easily attained by the public; and
that acts relating to an action which is of a civil nature, unlike those of a criminal nature,
are accessible by the general public, which means that one does not need to be a party
to the action to be able to have access to such acts and information contained within,
and, consequently, any information relayed by the controller in the video is not
confidential information, and the disclosure of such information cannot be interpreted
as a breach of the data protection principles.
LEGAL ANALYSIS AND DECISION
4. For the purpose of this legal analysis, the Commissioner sought to examine the personal data
contained in the video published by the controller on its Facebook page on ee)
ap. Article 4(1) of the Regulation defines ‘personal data’ as ‘any information relating to an
identified or identifiable natural person’. Based on the settled case-law of the Court of Justice
‘January 2 The link was last accessed by this Office
J24.
* The controller submitted an extract from the online system of the Court Registry, which demonstrates that the judicial protest was filed on the 30" March 2023. * The controller submitted an extract from the online system of the Court Registry, which shows that the controller was notified by the judicial protest on the 6" April 2023.
Ainways House, Second Floor
High Street, Sliema SLM 1549
MALTA.
\ (+356) 2328 7100 Page 2 of 6
& idpcinfo@idpc.org.mt
= wwwiidecorg.mt
id9 JL.
AACN ANE CATS OW LOMMINE ONE=
of the European Union’, the definition of ‘personal data’ should be interpreted as broadly as
possible. The video contains the names, sumames, and identity card numbers of twenty-six (26)
data subjects. The full names of the data subjects coupled with the identity card numbers are
identifiers which lead to the correct and certain identification of these individuals. In addition
to this, the controller singled out three (3) specific individuals and published information which
relates directly to them. Therefore, the information contained in the video constitutes ‘personal
data” within the meaning of article 4(1) of the Regulation.
The controller published the personal data pertaining to twenty-six (26) individuals on its social
media page which are made accessible to an indeterminate number of people. The
dissemination of personal data to the public is considered to be a processing operation in terms
of article 4(2) of the Regulation, which falls within the material scope of the Regulation. This
means that the processing operation conducted by the controller should have a legal basis in
terms of article 6(1) of the Regulation and comply with the principles of the processing as held
in article 5 of the Regulation.
The processing of personal data is deemed lawful if it comes within one of the six grounds as
mentioned in article 6(1) of the Regulation, which are as follows: (a) consent; (b) contract; (c)
compliance with a legal obligation; (d) vital interest; (e) performance of a task carried out in
the public interest or in the exercise of official authority vested in the controller: and (f)
legitimate interest. In the present case, pursuant to the principle of accountability as set forth in
article 5(2) of the Regulation, the controller should have been in a position to concretely
demonstrate that the public dissemination of the video is based on at least one of the lawful
bases held in article 6(1) of the Regulation. However, during the course of the investigation,
the controller did not even attempt to justify the processing activity by citing any of these legal
grounds. It even seemed to suggest that there is no legal requirement to comply with the
provisions of the Regulation as the information loses its confidentiality when it may be accessed
from publicly accessible sources.
In its submissions, the controller argued that acts of a civil nature are public, and as a result, the
processing of information which may be accessed from the Court Registry, does not constitute
an infringement of the provisions of the Regulation. The Commissioner clarifies that this
* C-434/16, Peter Nowak vs Data Protection Commissioner of the 20 December 2017 — “The use of the expression ‘any information’ in the definition of the concept of ‘personal data’, within Article 2(a} of Directive 93:46, reflects the aim of the EU legislature to assign a wide scope to that concept, which is not restricted to information that is sensitive or private, but potentially encompasses all kinds of information, not only abjective but also subjective, in the form of opinions and assessments. provided that it ‘relates’ to the data subject”.
Page 3 of 6
IODC.
reasoning is completely incorrect and should not serve as a justification or a blanket permission
to enable the controller to reuse and further process personal data for its own purposes without
having a valid lawful basis. In fact, the law provides that not only the controller should have a
legal ground to process the data, but the controller should also inform the data subjects about
the processing activity, particularly, the source from where the personal data originate, in order
to ensure fair and transparent processing pursuant to the requirement held in article 14(2)(f) of
the Regulation.
8. In addition, article 8 of the Data Protection Act (Cap. 586 of the Laws of Malta) provides
heightened protection to the processing of an identity card number, which is an identifier that
may be found in judicial acts. The proviso to article 8 states that “the national identity number
or any other identifier of general application shall be used only under appropriate safeguards
for the rights and freedoms of the data subject pursuant to the Regulation” [emphasis has
been added]. The word ‘only’ emphasises that the identity card number should be processed
where strictly necessary and subject to the appropriate data protection safeguards. In the present
case, it is abundantly clear that the controller chose to publicly disseminate the personal data of
many individuals in complete disregard of its obligations and the fundamental right to the
protection of personal data of these individuals.
9. Lastly, the controller attempted to justify its processing activity by referring to a news article®
which does not contain any personal data, but it reported on the matter in relation to the judicial
protest filed by the data subjects. Whereas it is not clear the relevance of this argument raised
by the controller, the fact that the media published a news article in relation to the case does
not give the controller an automatic right to make publicly available the personal data of those
individuals who filed the judicial protest.
On the basis of the foregoing considerations, the Commissioner is deciding tbat the controller
failed to demonstrate that its processing activity was based on at least one of the lawful bases held
in article 6(1) of the Regulation. This therefore constitutes an infringement of article 6(1) of the
Regulation. Consequently, by virtue of article 58(2)(b) of the Regulation, the controller is hereby
served with a reprimand.
In terms of article 58(2)(d) of the Regulation, the Commissioner is ordering the controller to
remove all the personal data contained in the video, namely, all the information relating to the
* Doc Al of the submissions provided by the controller.
Page 4 of 6
d Je
three (3) individuals who were singled out, and all the names, surnames and identity card
numbers contained in the judicial protest. If this is not possible due to any reason whatsoever, the
video shall be removed in its entirety. This order shall apply to all the platforms where the video
might have been published or shared by the controller.
The controller shall fully comply with this order without undue delay and by no later than twenty
(20) days from the date of receipt of this legally binding decision. The Commissioner shall be
informed of the action taken supported by evidence demonstrating compliance.
Non-compliance with this order in full shall lead to the imposition of an administrative fine
pursuant to article 83(6) of the Regulation.
Page 5 of 6
IOC.
Right of Appeal
The controller is hereby being informed that in terms of article 26(1) of the Data Protection Act (Cap.
586 of the Laws of Malta), any person to whom a legally binding decision of the Commissioner is
addressed, shall have the right to appeal to the Information and Data Protection Appeals Tribunal within
twenty (20) days from the service of the said decision as provided in article 23 thereof.
An appeal to the Tribunal shall be made in writing and addressed to “The Secretary, Information and
Data Protection Appeals Tribunal, 158, Merchants Street, Valletta.”
Page 6 of 6