UODO (Poland) - DS.523.4480.2024: Difference between revisions

From GDPRhub
Line 96: Line 96:


<pre>
<pre>
PRESIDENTOF THE OFFICE OFPROTECTIONPERSONAL DATA  
PRESIDENT OF THE OFFICE FOR PERSONAL DATA PROTECTION
Miroslaw Wroblewski
Mirosław Wróblewski
Warsaw, August 5, 2024.
 
Warsaw, 5 August 2024
 
DS.523.4480.2024
DS.523.4480.2024
PROVISION
 
Pursuant to Article 123 of the Act of June 14, 1960, Code of Administrative Procedure (Journal of Laws of 2024, item 572), in conjunction with Article 70 (1) and (2) ofthe Act of May 10, 2018 on Personal Data Protection (Journal of Laws of 2019, item1781), in conjunction with Article 66 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016. on the protection of natural persons with regard to the processing of personal data and on the free flow of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the EU L 119of 4.05.2016, p. 1, Official Journal of the EU L 127 of 23.05.2018, p. 2, and Official Journal of the EU L 74 of 4.03.2021, p. 35), in Proceedings from the complaint of Mr. J.C., residing in W., about irregularities in the processing of his personal data by M., consisting in providing his personal data, including false information about him, in advertisements displayed on social networks: F., available at the Internet address [...] and I., available at the Internet address [...], without legalbasis, the President of the Office for Personal Data Protection decides
DECISION
oblige M. to restrict the processing of the personal data of Mr. J.C., residing in W., by prohibiting it from being made available to other entities in advertisements displayed on social networks: F., available at the Internet address [...] and l., available at the Internet address [...], on the territory of the Republic of Poland for a period of three months from the date of delivery of this order to M.Justification The Office for Personal Data Protection received a complaint from Mr. J.C. zam. inW., hereinafter referred to as the Complainant, about irregularities in the processing of his personal data by M., hereinafter referred to as the Company, consisting in providing his personal data, including false information about him, in advertisements displayed on social networks: F., available at the Internet address [...] and I., available at the Internet address[...], without legal basis.In the wording of the aforementioned complaint, the Complainant claimed, in particular,that the Company violated his personal data by publishing - without his consent and without any other basis2The legal processing of personal data - his image and name in advertisements prepared in the form of deepfake, consisting in the provision of unlawfully modified footage of the Complainant's image without the required assessment of the reliability of the source of the materials and without applying an appropriate procedure for verifying the veracity of the acquired personal data (footage), which exposed the Complainant to the loss of confidence in his business and good name. This is because the advertisements juxtapose true and current personal data of the Complainant and data on his business activities with false information that the Complainant is the founder, supports and controls the advertisedinvestment platforms.At the same time, the Complainant indicated that he had taken action against the Company by sending [...] July 2024 a notice to remove advertisements and sponsored materials and to stop displaying ads that use the Complainant's image.
 
As evidence of the violation of data protection regulations, the Complainant submitted a printout of the advertisement displayed on the profile "I. ", available at:https://[...], a printout of the advertisement displayed on the profile of "T.", available at:https://[...], printout of the advertisement displayed on the profile of "R." available at:https://[...], printout of the advertisement displayed on the "N." profile, available at:https://[...], printout of the advertisements displayed on the "B." profile; available at:https://[...]; https://[...]; https://[...], printout of ads displayed on "S." profile, available at:https://[...], https://[...], printout of ads displayed on the profile of "L.", available at:https://[...]; https://[...]; https://[...], printout of ads displayed on the profile of "K. ", available at: https://[...]; https://[...]; https://[...]: https://[...]; https://[...], printout of ads displayed on theprofile of "P." available at: https://[...]; https://[...].
Pursuant to Article 123 of the Code of Administrative Procedure of 14 June 1960 (Journal of Laws of 2024, item 572) in conjunction with Article 70(1) and (2) of the Personal Data Protection Act of 10 May 2018 (Journal of Laws of 2019, item 1781) in conjunction with Article 66(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the EU L 119 of 4 May 2016, p. 1, Official Journal of the EU L 127 of 23 May 2018, p. 2 and Official Journal of the EU L 74 of 4 March 2021, p. 35), in the proceedings of the complaint by Mr. J.C. residing in W., regarding irregularities in the process of processing his personal data by M., which involves sharing his personal data, including false information about him, in advertisements displayed on social media platforms F., accessible at [ ... ] and I., accessible at [ ... ], without a legal basis, the President of the Office for Personal Data Protection hereby orders M. to limit the processing of personal data of Mr. J.C. residing in W., by prohibiting their sharing with other entities in advertisements displayed on social media platforms F., accessible at [ ... ] and I., accessible at [ ... ], within the territory of the Republic of Poland for a period of three months from the date of delivery of this decision to M.
Pointing to the above, the Complainant requested, among other things, that the Company be ordered to completely restrict processing, including a ban on processing the Complainant's personal data in the form of broadcasting deepfake advertising materials with the Complainant's image and name, and to impose an administrative fine on the Company under Art. 83 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the EU L 119of 4.05.2016, p. 1, Official Journal of the EU L 127 of 23.05.2018, p. 2, and Official Journal of the EU L 74 of4.03.2021, p. 35), hereinafter referred to as RODO, adequate to the circumstances and scale of the breach of data protection regulations.According to the findings of the President of the Office for Personal Data Protection,despite the Complainant's aforementioned request to the Company dated [...] July 2024, the Complainant's personal data continues to be provided by the Company in the manner questioned in the complaint. This is because the data continues to appear in advertisements available at: https://[...], https://[...], https://[...], https://[...], https://[...], https://[...].The Complainant's disputed processing of his personal data by the Company is in the nature of "cross-border processing" within the meaning of Article 4(23)(a) of the RODO,according to which cross-border processing means the processing of personal data that takes place in the Union in the course of the activities of organizational units in the3more than one member state of a controller or processor in the Union with organizational units in more than one member state.As the Company's registered office is in Ireland, the competent authority to act in the case as the lead supervisory authority, with respect to this cross-border processing of the Complainant's data, pursuant to Article 56(1) of the RODO, is the Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland.However, according to Article 66(1) of the RODO, in exceptional circumstances, if the supervisory authority concerned considers that there is an urgent need to take action to protect the rights and freedoms of data subjects, it may, by way of derogation from the consistency mechanism referred to in Articles 63, 64 and 65, or from the procedure referred to in Article 60, immediately adopt provisional measures intended to produce legal effects on the territory of its Member State for a specified period, not exceeding three months. The supervisory authority shall immediately inform the other supervisory authorities concerned, the European Data Protection Board and the Commission of these measures and the reasons for their adoption.In turn, according to the wording of Article 70 (1) of the Act of May 10, 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), if in the course of the proceedings it becomes probable that the processing of personal data violates the provisions on the protection of personal data, and further processing of personal data may cause serious consequences that are difficult to eliminate, the President of the Office, in order to prevent such consequences, may, by means of a decision, oblige the entity alleged to have violated the provisions on the protection of personal data to restrict the processing of personal data, indicating the permissible scope of such processing.Pursuant to Article 70 (2) of the Personal Data Protection Act, in the order referred to in paragraph (1), the President of the Office shall specify the duration of the restriction of the processing of personal data no longer than until the date of issuing a decision concluding the case.As is clear from the above provisions, the basis for the adoption of provisional measures by the supervisory authority concerned in the territory of its member state under Article 66(1) of the RODO is the urgent need to take action to protect the rights and freedoms of data subjects. Provisional measures under national law are provided for by the above-cited Article 70(1) of the Law on Personal Data Protection in the form of the issuance of an order requiring the entity alleged to have violated data protection laws to restrict the processing of personal data, while the prerequisite for their application is the probability of a violation of data protection laws and the risk of causing serious consequences that are difficult to remedy.In the opinion of the President of the Office for Personal Data Protection, in the present case the above prerequisites for the issuance of the aforementioned order were met.The urgency of the interim measures must be assessed against the need to protect the rights and freedoms of data subjects. The negative effects on data subjects and their fundamental rights and freedoms are very significant in the present case.4In fact, in the questioned advertisements displayed by the Company on the F.social network, personal data of the Complainant in the scope of his name, surname and image are made available, as well as false information about him, from which it appears that he proposes to the recipients of the advertisements investments that guarantee the multiplication of their wealth and a certain fast high profit and financial independence,which can come true by watching the advertisements to the end and following the guidelines given in them.There is no doubt that the aforementioned information about the Complainant constitutes his personal data within the meaning of Article 4(1) of the RODO, according to which personal data means any information about an identified or identifiable natural person ("data subject"), and an identifiable natural person is one who can be identified directly or indirectly, in particular on the basis of an identifier such as a name.Indeed, in the questioned advertisements displayed by the Company in ads on the social network F., the Complainant is a person identified by name. In addition, the ads point to the Complainant's achievements and business activities, which further enable him to be identified.Moreover, the Complainant is a well-known person, he is a Polish entrepreneur,manager, investor, philanthropist, founder and president of I., under which he organized a network of self-service parcel machines in Poland. In addition, the Complainant founded R.in 2022, which aims to financially and mentor young talent. He has received a number of awards and honors, such as the Manager of the Year award in 2009 for his merits in crushing the P. monopoly, and the 2022. B. in the "N." category. (an award received jointly with his wife Mrs. B.K. for his commitment to philanthropy), as well as honors in 2022. - K.(see https://[...]).The cited content of the advertisements is false, harms the opinion of others about the Complainant, undermines confidence in him as a person, a businessman,or the above-mentioned effects on this individual. It should be noted that the Complainant, in particular by virtue of the aforementioned business and charitable activities, is a public figure, widely known and recognizable. Therefore, the cited advertisements evoke a negative opinion of the Complainant's person, or undermine the trust in him necessary for his business and charitable activities. It can be assumed that the referenced content of the advertisements would not have appeared if the Complainant had not been a public, publicly known person, since information about just such a person enjoys widespread interest, and because of such characteristics of this person, this individual became the target of the attack.The advertisements juxtapose the Complainant's true and current personal information and details of his business with false information that the Complainant is the founder, supports and controls the advertised investment platforms. Using false personal information obtained illegally, false information is spread that these platforms are new business models of the Complainant, created by his employees, family or in cooperation with other well-known entrepreneurs, and that they are fully secure tools. Significantly, theads claim that the Complainant5is such a well-known, professional and highly trusted public figure that it cannot be as cam, as he vouches for the legitimacy of the new investment platform. Thus, the advertisements strongly a f f e c t the psyche of the users of the indicated social networks,also creating the false impression that the video is aimed directly at them, assuring that if the video is displayed to the user, he has been selected for the project and his device has the technical capabilities to participate in investments. Using the Complainant's image and personal data, the advertisers are trying to lead the users of the portals to make an impulsive decision, emphasizing that once the entry is closed, the invitation to invest will no longer be available, which is patently untrue.Thus, the dissemination of the Complainant's personal information is aimed at taking advantage of the Complainant's trust and social standing to reach the groups that are most susceptible to this type of online fraud, such as, in particular, young people inexperienced in life, the elderly, the clumsy, or, for example, those without sufficient economic knowledge.The above content presented by the Company, due to its untruthfulness and the potential danger of leading an unlimited number of people to unfavorable financial investments and disposition of property with exposure to financial losses,also fully justifies the urgent need for the President of the Office for Personal Data Protection to take immediate action in the interest of protecting the fundamental rights and freedoms of data subjects.Moreover, this content, despite the fact that it dignifies "S." and "S." as defined by the Company, have not been removed by the Company, while according to its preferred standards it should do so. Indeed, as the Company declares in the aforementioned standards, quote: "(...) In accordance with our principles, advertisements may not promote products, services, programs or offers using deceptive or misleading practices, including practices that are intended to defraud people of money or personal information (...)", as well as quote: "(...) Advertisements may not coordinate, organize, promote or permit specific criminal or harmful activities that target people, businesses, property or animals(...)", or quote:"(...) Advertisers promoting financial products and services must demonstrate that they are authorized by the relevant regulatory authorities, if required. Any such authorization may be subject to verification by the M. Advertisers must also comply with disclosure requirements specified by law (...)," and cited:"(...) We enforce our policies using automated and, in some cases, manual verification. In addition to verifying individual advertisements, we also monitor and investigate advertiser behavior and may impose restrictions on advertiser accounts if they violate our Ad Placement Standards, Community Standards or other M. (...) policies and regulations,"(see https://[...]).In addition, the Company pledged, quote: "(...) We want to ensure that the content displayed on F. We believe that authenticity creates a better environment for sharing content (...)," and also quote: "(...) We are committed to ensuring that security on the F. (...)"(see [...]).Despite the indicated declarations of the Company, false information about the Complainant continues to be displayed on F., hence the undoubtedly urgent reaction of the authority6of the data protection supervisor in the present case is fully justified and necessary.In addition, in the present case, it has been fully probable that through the contested processing of the Complainant's personal data by the Company, involving the inclusion of the Complainant's data, including false information about the Complainant's person in the advertisements presented by the Company on the aforementioned portals,there is a violation of data protection laws by the Company.Indeed, the Company is a joint controller of the Complainant's personal data processed in the aforementioned manner, within the meaning of Article 26 of the RODO,according to which, if two or more controllers jointly determine the purposes and means of processing, they are joint controllers who, through joint arrangements, transparently determine the respective scopes of their responsibility for fulfilling their obligations under this Regulation.According to the regulations presented by the Company on the portal F. community, the Company and you are joint data controllers in accordance with Article 26of the RODO to the extent of Joint Data Processing as defined by the Terms and Conditions of the relevant product. The scope of joint data processing includes the collection of personal data as defined by the Terms and Conditions of the relevant product and their transfer to the Company (cf. https://[...]).Moreover, as the aforementioned regulation states, quote: "(...) The advertiser creates ads to be displayed on F. and I. and on other sites and mobile apps, and then uploads them using our ad management tools. F. then displays the ads. We take into account the advertiser's goal, the expected audience and the advertisement when selecting t h e appropriate ads to display. We do not provide advertisers with information about your identity and we do not sell them your data (...)" (cf. https://[...]). Furthermore,according to the Company's claims in the aforementioned website, cited:"(...) Protecting people's privacy is a key dia of designing our advertising system. When we display ads on M. Products, we display relevant and useful ads to you without sharing information about you with advertisers. We do not sell your personal information or share information that directly identifies you (such as your name, email address or other contact information) with advertisers without your explicit consent. We allow advertisers to provide us with information such as their business purpose and the type of audience they want to display ads to (for example, people aged 18-35 who live near the advertiser's store in P.).We then display their ads to people we think might find them relevant (cf. https://[...]).In case of doubts about the Company's co-administration with the advertiser of possible personal data contained in the content of advertisements presented by the Company, it is reasonable to refer here to the judgment of the Court of Justice of June 5,2018 in Case C-210/16, i.e. the proceedings Unabhängiges Landeszentrum fürDatenschutz Schleswig-Holstein v. Wirtschaftsakademie Schleswig-Holstein GmbH, withthe participation of: Facebook Ireland Ltd, Vertreter des Bundesinteresses beimBundesverwaltungsgericht, in which the Court held that a Facebook fanpage operator co-manages personal data7together with the Company, stating in particular quote: "(...) the controller of a fanpageoperated on Facebook, (...) participates, by taking steps to establish parameters depending in particular on its target users, as well as on the objectives for the management or promotion of its activities, in the determination of the purposes andmeans of processing of the personal data of visitors to its fan page. Therefore, in the present case, it should be considered that this fan page controller is jointly liable at the Union level with Facebook Ireland for the processing of data within the meaning of Article2(d) of Directive 95/46 (...)."Therefore, it is incumbent on the Company, as co-controllers of the Complainant's personal data, to process the Complainant's personal data in compliance with the legitimizing prerequisites listed in Article 6(1) of the RODO, and furthermore in compliance with the principles of data processing under Article 5(1) of the RODO, such as, in particular, the principles of lawfulness, fairness and transparency (Article 5(1)(a) of the RODO), as well as the principle of accuracy (Article 5(1)(d) of the RODO). In addition, the Company, pursuant to Article 5(2) of the RODO, must be able to demonstrate compliance with the provisions of the RODO in the processing of the Complainant's personal data.Thus, the Company's publicizing of the Complainant's personal data, includingfalse information about him, in advertising content presented by the Company, in a manner that allows an unlimited circle of other persons/entities to become acquainted withit, may therefore result in the Company's violation of Art. 5(1) of the RODO and Article6(1) of the RODO, as demonstrated above by indicating the manner in which the Company shared the Complainant's data, as well as the nature of that sharing, further contradicting the Company's regulations on the use of its services contained in the Fsocial network.The Company's publicizing of the aforementioned personal data of the Complainant, including the described false information about him, in the aforementioned advertising content violates Article 1 of the Charter of Fundamental Rights of the European Union, which states that human dignity is inviolable. It must be respected and protected.Thus, in the case it has been made probable that the processing of the Complainant's personal data by the Company may violate the provisions on the protection of personal data, as a result of which the first of the prerequisites for the application of the provisional measure in the case under Article 70 (1) of the Law on the Protection of Personal Data, has been met.In the case, there is also a second prerequisite for issuing the above-mentioned order in the form of a probable threat to cause serious and difficult-to-remove consequences.This is because, due to the Company's dissemination of false information about forms of investment allegedly being the Complainant's new business models, the content made public by the Company in the aforementioned advertisements on the social network F. and I., may cause severe financial consequences for other people, users of the aforementioned portals, through unfavorable disposition of their funds.In doing so, it should be noted that the manner in which the alleged investment tools were promoted, especially when taking into account the dissemination of the Complainant's personal data and his alleged assurances of achieving a high return on8investment (e.g., the promise of [...] euros per day, [...] thousand zlotys per week), raises9suspicion that financial fraud may be carried out through this platform, to the detriment of those to whom the content in question was directed through the aforementioned portals.In view of the above, the case may give rise to an irremediable effect in the form of further processing of false information about the Complainant by other entities and further spreading of disinformation about the Complainant in the Polish society resulting in loss of trust in him as an entrepreneur and philanthropist, as well as in the form of severe financial consequences in other people, users of the above-mentioned portals, susceptible to the displayed content, who may be both young people inexperienced in life, elderly people, clumsy people or, for example, those without sufficient economic knowledge.Therefore, prohibiting the Company in this procedure from providing the aforementioned personal data of the Complainant contained in advertisements displayed on the social network F. and I. in the territory of the Republic of Poland for a period of three months from the date of delivery of this order to the Company is fully justified and necessary.The subsequent decision of the lead authority in the case will not remove the negative effects of unauthorized processing of personal data by others, especially with regard to the effects on the rights of individuals, as indicated above.This fully justifies the application of the protection mechanism of Article 70(1) of the Data Protection Law in conjunction with Article 66(1) of the RODO.In this state of facts and law, the President of the Office for Personal Data Protection has ruled as in the operative part.
 
President of the Office Personal Data Protection Miroslaw Wroblewski
RATIONALE
This order is final. Pursuant to Article 70 (3) of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), a party has the right to lodge a complaint against this order with the Provincial Administrative Court in Warsaw,within 30 days from the date of delivery of this order, through the President of the Office for Personal Data Protection (address: Office for Personal Data Protection, 2 Stawki Street, 00-193 Warsaw). The entry fee for the complaint is PLN 200. The party has the right to apply for the right to assistance, including exemption from court costs.
 
</pre>
The Office for Personal Data Protection received a complaint from Mr. J.C., hereinafter referred to as the Complainant, regarding irregularities in the process of processing his personal data by M., hereinafter referred to as the Company, involving sharing his personal data, including false information about him, in advertisements displayed on social media platforms F., accessible at [ ... ] and I., accessible at [ ... ], without a legal basis.
 
In the content of the aforementioned complaint, the Complainant specifically raised that the Company violated his personal data by publishing - without his consent and without any other legal basis for processing personal data - his image and name in advertisements prepared in the form of deepfake, involving the unlawful sharing of a modified recording of the Complainant's image without carrying out the required evaluation of the credibility of the source of the materials and without applying the appropriate procedure for verifying the authenticity of the obtained personal data (recordings), which exposed the Complainant to a loss of trust in his business activities and good name.
 
In these advertisements, true and current personal data of the Complainant and data concerning his business activities are combined with false information that the Complainant is the founder, supports, and controls the advertised investment platforms.
 
Additionally, the Complainant indicated that he had taken action against the Company by sending a notice on [ ... ] July 2024 to remove the advertisements and sponsored materials and to cease displaying advertisements that utilize the Complainant's image.
 
As evidence of the occurred violation of personal data protection regulations, the Complainant submitted a printout of an advertisement displayed on the profile "I.", accessible at: https://[ ... ], a printout of an advertisement displayed on the profile "T.", accessible at: https://[ ... ], a printout of an advertisement displayed on the profile "R." accessible at: https://[ ... ], a printout of an advertisement displayed on the profile "N.", accessible at https://[ ... ], and printouts of advertisements displayed on the profiles "B."; accessible at: https://[ ... ]; https://[ ... ]; https://[ ... ], printouts of advertisements displayed on the profile "S.", accessible at: https://[ ... ], https://[ ... ], and printouts of advertisements displayed on the profile "L.", accessible at: https://[ ... ]; https://[ ... ]; https://[ ... ], printouts of advertisements displayed on the profile "K.", accessible at: https://[ ... ]; https://[ ... ]; https://[ ... ]: https://[ ... ]; https://[ ... ], and a printout of advertisements displayed on the profile "P." accessible at: https://[ ... ]; https://[ ... ].
 
Pointing out the above, the Complainant requested, among other things, that the Company be ordered to completely limit the processing, including a ban on processing the Complainant's personal data in the form of deepfake material advertisements with his image and name, and imposing an administrative financial penalty on the Company under Article 83 of Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the EU L 119 of 4 May 2016, p. 1, Official Journal of the EU L 127 of 23 May 2018, p. 2 and Official Journal of the EU L 74 of 4 March 2021, p. 35), hereinafter referred to as GDPR, appropriate to the circumstances and scale of the violation of personal data protection regulations.
 
As determined by the President of the Office for Personal Data Protection, despite the notice sent by the Complainant to the Company on [ ... ] July 2024, the Complainant's personal data are still being shared by the Company in the manner questioned in the complaint. These data are still featured in advertisements accessible at: https://[ ... ], https://[ ... ], https://[ ... ], https://[ ... ], https://[ ... ], https://[ ... ].
 
The questioned processing of the Complainant's personal data by the Company constitutes "cross-border processing" within the meaning of Article 4 point 23(a) GDPR, according to which cross-border processing means processing personal data that takes place in the Union within the activities of organizational units in more than one Member State of the controller or processor in the Union having organizational units in more than one Member State.
 
Given that the Company's headquarters are located in Ireland, the competent body to take actions in the case as the leading supervisory authority, with respect to this cross-border processing, is the Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland.
 
However, in accordance with Article 66(1) GDPR, in exceptional circumstances, if the supervisory authority concerned considers that there is an urgent need to act in order to protect the rights and freedoms of the data subjects, it may, by way of derogation from the consistency mechanism referred to in Articles 63, 64, and 65, or from the procedure referred to in Article 60, immediately adopt provisional measures intended to produce legal effects in the territory of its Member State for a specified period not exceeding three months. The supervisory authority shall immediately inform the other supervisory authorities concerned, the European Data Protection Board, and the Commission about those measures and the reasons for adopting them.
 
Further, in accordance with the wording of Article 70(1) of the Act of 10 May 2018 on Personal Data Protection (Journal of Laws of 2019, item 1781), if in the course of proceedings it is substantiated that the processing of personal data violates the provisions on personal data protection, and further processing may cause serious and difficult to remedy effects, the President of the Office, in order to prevent these effects, may, by way of a decision, require the entity accused of violating the provisions on personal data protection to limit the processing of personal data, indicating the permissible scope of such processing. In accordance with Article 70(2) of the Act on Personal Data Protection, in the decision referred to in paragraph 1, the President of the Office shall determine the term for the restriction of the processing of personal data not longer than until the day of issuing the decision concluding the proceedings in the case.
 
As follows from the above provisions, the basis for the supervisory authority concerned to adopt provisional measures in the territory of its Member State under Article 66(1) GDPR is the urgent need to take action to protect the rights and freedoms of the data subjects. Provisional measures on the basis of national law are provided for in the aforementioned Article 70(1) of the Act on Personal Data Protection in the form of issuing a decision requiring the entity accused of violating the provisions on personal data protection to limit the processing of personal data, while the premise for their application is the substantiation of the violation of the provisions on personal data and the threat of causing serious and difficult to remove effects.
 
In the opinion of the President of the Office for Personal Data Protection in the present case, the above premises for issuing the aforementioned decision have been met.
 
The urgent nature of the provisional measures should be assessed in relation to the need to protect the rights and freedoms of the data subjects. The negative effects on the persons concerned and their fundamental rights and freedoms are very significant in this case.
 
In the questioned advertisements displayed by the Company on the social media platform F., the personal data of the Complainant in terms of his name, surname, and image, as well as false information about him, are shared, which suggest that he offers to the advertisement recipients investments guaranteeing the multiplication of their wealth and a sure quick high return and financial independence, which can be achieved by watching the advertisements to the end and acting in accordance with the guidelines
 
provided therein.
 
There is no doubt that the aforementioned information about the Complainant constitutes his personal data within the meaning of Article 4 point 1 GDPR, according to which personal data means any information concerning an identified or identifiable natural person ("data subject"), while an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name and surname.
 
In the questioned advertisements displayed by the Company in advertisements on the social media platform F., the Complainant is indeed identified by name and surname. Moreover, the advertisements indicate the Complainant's achievements and business activities, which further enable his identification.
 
Furthermore, the Complainant is a well-known person, a Polish entrepreneur, manager, investor, philanthropist, founder, and president of I., within which he organized a network of self-service parcel lockers in Poland. In addition, in 2022, the Complainant founded R., aimed at financially and mentorship supporting talented young individuals. He has received numerous awards and honors, such as, among others, in 2009, the Manager of the Year award for merits in breaking the monopoly of P., or in 2022, B. in the category "N." (award received together with his wife Mrs. B.K. for engagement in philanthropic activities), as well as decorations in 2022 - K. (see https://[ ... ]).
 
The content cited in the advertisements is false, affects the opinion of other people about the Complainant, undermines trust in him as a person, entrepreneur, and the aforementioned effects thus cause with respect to this natural person.
 
It should be noted that the Complainant, especially due to the aforementioned business and charitable activities, is a public figure, widely known and recognizable. The cited advertisements therefore generate a negative opinion about the Complainant, or undermine the trust in him necessary for his business and charitable activities. It can be assumed that the cited content in the advertisements would not have appeared if the Complainant were not a public figure, publicly known, as information about such a person enjoys widespread interest and because of such characteristics of this person, this natural person has become the target of an attack.
 
In the advertisements, true and current personal data of the Complainant and data concerning his business activities are combined with false information that the Complainant is the founder, supports, and controls the advertised investment platforms. By using false personal data, obtained unlawfully, false information is disseminated that these platforms are new business models of the Complainant, created by his employees, family, or in cooperation with other well-known entrepreneurs, and that they are fully safe tools. Significantly, the advertisements contain information that the Complainant is so well-known, professional, and enjoys great public trust that it cannot be a fraud, because he guarantees the legality of the new investment platform. In this way, the advertisements strongly affect the psyche of users of the indicated social media platforms, also creating the false impression that the recording is directed directly to them, assuring that if the recording is displayed to the user, he has been selected for the project and his device has the technical capabilities to participate in the investments. By using the image and personal data of the Complainant, the advertisers try to induce users of the portals to make impulsive decisions, emphasizing that after closing the post, it will no longer be possible to accept the invitation to invest, which is an obvious falsehood.
 
The dissemination of the Complainant's personal data is therefore aimed at using his trust and social position to reach the most vulnerable groups to such online frauds, such as in particular young people inexperienced in life, older people, helpless individuals, or those, for instance, lacking sufficient economic knowledge.
 
The above content presented by the Company, due to its falsehood and potential danger of leading an unlimited number of people to disadvantageous financial investments and management of assets with financial losses, also fully justifies the urgent need to take immediate actions by the President of the Office for Personal Data Protection in the interest of protecting the fundamental rights and freedoms of the data subjects.
 
Moreover, despite these contents affecting "S." and "S." defined by the Company, they have not been removed by it, while according to the preferred standards it should have done so. As the Company declares in the aforementioned standards, quote: "( ... ) According to our principles, advertisements cannot promote products, services, programs, or offers using deceptive or misleading practices, including practices intended to extort money or personal data from individuals( ... )", as well as quote: "( ... ) Advertisements cannot coordinate, organize, promote or allow specific criminal or harmful activities that are aimed at people, businesses, property or animals( ... )", or quote: "( ... )Advertisers promoting financial products and services must demonstrate that they have authorization from the relevant regulatory authorities if required. Any such authorization may be subject to verification by M. Advertisers must also meet the legal requirements for disclosing information( ... )", and also quote: "( ... )We enforce our rules using automated and, in some cases, manual verification. In addition to verifying individual advertisements, we also monitor and investigate the behavior of the advertiser and may impose restrictions on his accounts if they violate our Advertising Posting Standards, Community Standards or other company rules and regulations( ... )", (see https://[ ... ]).
 
Furthermore, the Company committed itself, quote: "( ... ) We want to ensure that the content displayed on F. We believe that authenticity creates better conditions for sharing content( ... )", and also quote: "( ... ) We have committed to ensuring safety on F. ( ... )"(see [ ... ]).
 
Despite the aforementioned declarations of the Company, false information concerning the Complainant is still displayed on F., hence undoubtedly the urgent reaction of the supervisory authority for personal data protection in this case is fully justified and necessary.
 
Furthermore, in this case, it has been fully substantiated that through the questioned processing of the Complainant's personal data by the Company, involving the placement of his data, including false information concerning his person in the advertisements presented by the Company on the aforementioned platforms, there is a violation of the data protection regulations by the Company.
 
The Company is indeed a joint controller of the Complainant's personal data processed in the aforementioned manner, within the meaning of Article 26 GDPR, according to which if at least two controllers jointly determine the purposes and means of processing, they are joint controllers, who in a transparent manner by mutual arrangements define the appropriate scopes of their responsibility concerning the fulfillment of the obligations arising from this regulation.
 
As follows from the regulations presented by the Company on the social media platform F., the Company and the user are joint controllers of data according to Article 26 GDPR in the scope of joint data processing defined in the Terms and Conditions of a given product. The scope of Joint data processing includes the collection of personal data specified by the Terms and Conditions of a given product and their transfer to the Company (see https://[ ... ]).
 
Moreover, as follows from the aforementioned regulations, quote: "( ... ) The advertiser creates advertisements for display on F. and I. as well as on other websites and mobile applications, and then sends them via our advertising management tools. Then F. displays the advertisement. When selecting appropriate advertisements to display, we take into account the advertiser's goal, the expected target group, and the advertisement. We do not provide advertisers with information about your identity and do not sell them your data( ... )" (see https://[ ... ]). Furthermore, according to the Company's claims contained in the aforementioned service, quote: "( ... )Protecting individuals' privacy is a key element in designing our advertising system. When displaying advertisements in M. Products, we display relevant and useful advertisements to the user without sharing information about the user with advertisers. We do not sell user's personal data or provide advertisers with information that enables direct identification of the user (such as name, email address or other contact data) without the user's explicit consent. We allow advertisers to provide us with such information as their business goal and the type of audience they want to display ads to (for example, individuals aged 18-35 who live near the advertiser's store in P.). We then display their advertisement to those who we believe may find it significant (see https://[ ... ]).
 
In case of doubts as to the joint administration by the Company along with the advertiser of any personal data contained in the content presented by the Company in the advertisements, it is reasonable to refer here to the judgment of the Court of Justice of 5 June 2018 in case C-210/16, i.e., the proceedings of Unabhangiges Landeszentrum fur Datenschutz Schleswig-Holstein against Wirtschaftsakademie Schleswig-Holstein GmbH, with the participation of: Facebook Ireland Ltd, Representative of the Federal Interest at the Federal Administrative Court, in which the Court ruled that the entity operating a fanpage on Facebook jointly administers personal data together with the Company, stating in particular, quote: "( ... ) the administrator of a fanpage operated on Facebook,( ... ), participates by taking actions consisting of determining parameters dependent in particular on his target users, as well as from the objectives in terms of managing or promoting his business, in determining the purposes and means of processing personal data of persons visiting his fanpage. Therefore, in this case, it should be recognized that this fanpage administrator bears at the Union level joint responsibility with Facebook Ireland for processing data within the meaning of Article 2(d) Directive 95/46( ... )".
 
Therefore, on the Company, as a joint controller of the Complainant's personal data, rests the obligation to process his personal data in compliance with the legal bases mentioned in Article 6(1) GDPR, and also in compliance with the principles of data processing arising from Article 5(1) GDPR, such as in particular the principles of legality, fairness and transparency (Article 5(1)(a) GDPR), and also the principle of accuracy
 
(Article 5(1)(d) GDPR). Furthermore, the Company, in accordance with Article 5(2) GDPR, must be able to demonstrate compliance with the GDPR regulations in the process of processing the Complainant's personal data.
 
The public disclosure by the Company of the Complainant's personal data, including false information about him, in the advertising content presented by the Company, in a manner enabling access to them by an unlimited circle of other persons/entities, may therefore result in the Company violating Articles 5(1) GDPR and 6(1) GDPR, as demonstrated above by indicating the manner of sharing the Complainant's data by the Company, as well as the nature of this sharing, additionally being in contradiction with the Company's regulations regarding the use of its services contained on the social media platform F.
 
The public disclosure by the Company of the aforementioned personal data of the Complainant, including the described false information about him, in the aforementioned advertising content violates Article 1 of the Charter of Fundamental Rights of the European Union, which provides that human dignity is inviolable. It must be respected and protected.
 
Thus, in the case, it has been substantiated that the processing of the Complainant's personal data by the Company may violate the data protection regulations, as a result of which the first of the premises for applying the provisional measure under Article 70(1) of the Act on Personal Data Protection has been met.
 
In the case, there is also the second premise for issuing the aforementioned decision in the form of substantiating the threat of causing serious and difficult to remove effects.
 
Given that the Company is disseminating false information about forms of investing allegedly being new business models of the Complainant, the content publicized by the Company in the aforementioned advertisements on the social media platforms F. and I., may cause severe financial consequences for other persons, users of the aforementioned platforms, by disadvantageous disposition of their monetary funds.
 
It should be noted that the way of promoting alleged investment tools, especially when taking into account the dissemination of the Complainant's personal data and his alleged assurances of achieving high profit from investments (e.g., a promise of [ ... ] euros per day, [ ... ] thousand zlotys weekly), raises the suspicion that through this platform, financial frauds may occur to the detriment of persons to whom the discussed content was directed via the aforementioned platforms.
 
Consequently, in the case, an irremovable effect may occur in the form of further processing of false information concerning the Complainant by other entities and further spreading of misinformation about the Complainant in Polish society resulting in loss of trust in him as an entrepreneur and philanthropist, as well as in the form of severe financial consequences for other persons, users of the aforementioned platforms, susceptible to the displayed content, which may include both young inexperienced individuals, older people, helpless individuals, or those, for instance, lacking sufficient economic knowledge.
 
Therefore, prohibiting the Company in the present procedure from sharing the aforementioned personal data of the Complainant, contained in advertisements displayed on the social media platforms F. and I. within the territory of the Republic of Poland for a period of three months from the day of delivery of this decision to the Company, is fully justified and necessary.
 
A later decision of the leading authority in the case will not remove the negative consequences of unauthorized processing of personal data by other entities, especially with respect to the consequences for the rights of persons, as indicated above.
 
This fully justifies the application of the protection mechanism under Article 70(1) of the Act on Personal Data Protection in conjunction with Article 66(1) GDPR.
 
In this factual and legal state, the President of the Office for Personal Data Protection resolved, as in the ruling.
 
President of the Office for Personal Data Protection
Mirosław Wróblewski
 
This decision is final. Pursuant to Article 70(3) of the Act of 10 May 2018 on Personal Data Protection (Journal of Laws of 2019, item 1781), the party has the right to file a complaint with the Provincial Administrative Court in Warsaw within 30 days from the day of delivery of this decision, through the President of the Office for Personal Data Protection (address: Office for Personal Data Protection, ul. Stawki 2, 00-193 Warsaw). The fee for the complaint is 200 zlotys. The party has the right to seek legal aid, including exemption from court fees.</pre>

Revision as of 13:17, 27 August 2024

UODO - DS.523.4480.2024
LogoPL.png
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 5(1) GDPR
Article 6(1) GDPR
Article 66(1) GDPR
Article 70 para 1 of of Data protection act (Ustawa o ochronie danych osobowych)
Type: Complaint
Outcome: Other Outcome
Started:
Decided: 05.08.2024
Published:
Fine: n/a
Parties: Meta Platforms Ireland
National Case Number/Name: DS.523.4480.2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Polish
Original Source: UODO (Poland) (in PL)
Initial Contributor: wp

A DPA issued a decision under Article 66 GDPR, prohibiting Meta from sharing advertisements containing data subject’s data, including the fake-ads, on Facebook and Instagram within Poland for three months.

English Summary

Facts

Data subject’s data was used to create a deep-fake ads, published on Facebook and Instagram. According to the data subject, there were ads, where his name, surname and image was published, combined with a fake information about him, for example deep-fake video with data subject image soliciting an investment platform. The fake-ads aimed at creating a false impression that the investment platform was supported by the data subject and, hence, secure and worth investing in. The ads were accessible to many users of Facebook and Instagram. The data subject contacted the data controller Meta Ireland, acting as a data controller of data processed on Facebook and Instagram, and requested restriction of data processing and prohibition of publication of her data via fake ads. The controller didn’t answer the request. In parallel, the data subject filed a complaint with the Polish DPA (UODO).

Holding

The DPA explained that the Irish DPA (DPC) was competent to examine the complaint and start the proceedings. Nevertheless, the DPA found the contested processing activities fell within the scope of urgency procedure under Article 66(1) GDPR.

According to the DPA, Meta Ireland together with the ads creator acted as a joint controllers within Article 26 GDPR.

The DPA emphasised the Meta Ireland, acting as a data controller of data processed on Facebook and Instagram, processed the data related fake-news ads. One of the aggravating factors was the fact that Meta didn’t follow their privacy polices in practice (regarding ads creators due diligence). The position of data controller obliged Meta process the data subject’s data, including the data contained in ads, in compliance with data principles stemming from Article 5(1) GDPR, in particular, the principles of lawfulness, fairness and transparency (Article 5(1)(a) GDPR), as well as the principle of accuracy (Article 5(1)(d) GDPR), under a proper legal basis of Article 6(1) GDPR. Additionally, the affected data subject was a famous person and the published ads contained serious fake information about him and his professional activity. Because of that, not only data subject’s privacy and reputation were threatened, but also credibility of data subject’s business activity was influenced.

As a result, the DPA considered it was probable that Meta violated Article 5(1) GDPR and Article 6(1) GDPR. Therefore, the DPA issued a decision under Article 66(1) GDPR and Article 70(1) of Data protection act (Ustawa o ochronie danych osobowych) to secure rights and freedoms of data subject by restricting the processing activities. The DPA prohibited the controller to share the data subject’s data via advertisements presented on Facebook and Instagram within Poland for three months.

Comment

The Polish DPA issued another decision under Article 66(1) GDPR and Article 70(1) of Data protection act against Meta. The cases are correlated regarding the subject matter and the relationship between data subjects (a husband and a wife)- see: UODO (Poland) - DS.523.4486.2024.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

PRESIDENT OF THE OFFICE FOR PERSONAL DATA PROTECTION
Mirosław Wróblewski

Warsaw, 5 August 2024

DS.523.4480.2024

DECISION

Pursuant to Article 123 of the Code of Administrative Procedure of 14 June 1960 (Journal of Laws of 2024, item 572) in conjunction with Article 70(1) and (2) of the Personal Data Protection Act of 10 May 2018 (Journal of Laws of 2019, item 1781) in conjunction with Article 66(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the EU L 119 of 4 May 2016, p. 1, Official Journal of the EU L 127 of 23 May 2018, p. 2 and Official Journal of the EU L 74 of 4 March 2021, p. 35), in the proceedings of the complaint by Mr. J.C. residing in W., regarding irregularities in the process of processing his personal data by M., which involves sharing his personal data, including false information about him, in advertisements displayed on social media platforms F., accessible at [ ... ] and I., accessible at [ ... ], without a legal basis, the President of the Office for Personal Data Protection hereby orders M. to limit the processing of personal data of Mr. J.C. residing in W., by prohibiting their sharing with other entities in advertisements displayed on social media platforms F., accessible at [ ... ] and I., accessible at [ ... ], within the territory of the Republic of Poland for a period of three months from the date of delivery of this decision to M.

RATIONALE

The Office for Personal Data Protection received a complaint from Mr. J.C., hereinafter referred to as the Complainant, regarding irregularities in the process of processing his personal data by M., hereinafter referred to as the Company, involving sharing his personal data, including false information about him, in advertisements displayed on social media platforms F., accessible at [ ... ] and I., accessible at [ ... ], without a legal basis.

In the content of the aforementioned complaint, the Complainant specifically raised that the Company violated his personal data by publishing - without his consent and without any other legal basis for processing personal data - his image and name in advertisements prepared in the form of deepfake, involving the unlawful sharing of a modified recording of the Complainant's image without carrying out the required evaluation of the credibility of the source of the materials and without applying the appropriate procedure for verifying the authenticity of the obtained personal data (recordings), which exposed the Complainant to a loss of trust in his business activities and good name.

In these advertisements, true and current personal data of the Complainant and data concerning his business activities are combined with false information that the Complainant is the founder, supports, and controls the advertised investment platforms.

Additionally, the Complainant indicated that he had taken action against the Company by sending a notice on [ ... ] July 2024 to remove the advertisements and sponsored materials and to cease displaying advertisements that utilize the Complainant's image.

As evidence of the occurred violation of personal data protection regulations, the Complainant submitted a printout of an advertisement displayed on the profile "I.", accessible at: https://[ ... ], a printout of an advertisement displayed on the profile "T.", accessible at: https://[ ... ], a printout of an advertisement displayed on the profile "R." accessible at: https://[ ... ], a printout of an advertisement displayed on the profile "N.", accessible at https://[ ... ], and printouts of advertisements displayed on the profiles "B."; accessible at: https://[ ... ]; https://[ ... ]; https://[ ... ], printouts of advertisements displayed on the profile "S.", accessible at: https://[ ... ], https://[ ... ], and printouts of advertisements displayed on the profile "L.", accessible at: https://[ ... ]; https://[ ... ]; https://[ ... ], printouts of advertisements displayed on the profile "K.", accessible at: https://[ ... ]; https://[ ... ]; https://[ ... ]: https://[ ... ]; https://[ ... ], and a printout of advertisements displayed on the profile "P." accessible at: https://[ ... ]; https://[ ... ].

Pointing out the above, the Complainant requested, among other things, that the Company be ordered to completely limit the processing, including a ban on processing the Complainant's personal data in the form of deepfake material advertisements with his image and name, and imposing an administrative financial penalty on the Company under Article 83 of Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the EU L 119 of 4 May 2016, p. 1, Official Journal of the EU L 127 of 23 May 2018, p. 2 and Official Journal of the EU L 74 of 4 March 2021, p. 35), hereinafter referred to as GDPR, appropriate to the circumstances and scale of the violation of personal data protection regulations.

As determined by the President of the Office for Personal Data Protection, despite the notice sent by the Complainant to the Company on [ ... ] July 2024, the Complainant's personal data are still being shared by the Company in the manner questioned in the complaint. These data are still featured in advertisements accessible at: https://[ ... ], https://[ ... ], https://[ ... ], https://[ ... ], https://[ ... ], https://[ ... ].

The questioned processing of the Complainant's personal data by the Company constitutes "cross-border processing" within the meaning of Article 4 point 23(a) GDPR, according to which cross-border processing means processing personal data that takes place in the Union within the activities of organizational units in more than one Member State of the controller or processor in the Union having organizational units in more than one Member State.

Given that the Company's headquarters are located in Ireland, the competent body to take actions in the case as the leading supervisory authority, with respect to this cross-border processing, is the Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland.

However, in accordance with Article 66(1) GDPR, in exceptional circumstances, if the supervisory authority concerned considers that there is an urgent need to act in order to protect the rights and freedoms of the data subjects, it may, by way of derogation from the consistency mechanism referred to in Articles 63, 64, and 65, or from the procedure referred to in Article 60, immediately adopt provisional measures intended to produce legal effects in the territory of its Member State for a specified period not exceeding three months. The supervisory authority shall immediately inform the other supervisory authorities concerned, the European Data Protection Board, and the Commission about those measures and the reasons for adopting them.

Further, in accordance with the wording of Article 70(1) of the Act of 10 May 2018 on Personal Data Protection (Journal of Laws of 2019, item 1781), if in the course of proceedings it is substantiated that the processing of personal data violates the provisions on personal data protection, and further processing may cause serious and difficult to remedy effects, the President of the Office, in order to prevent these effects, may, by way of a decision, require the entity accused of violating the provisions on personal data protection to limit the processing of personal data, indicating the permissible scope of such processing. In accordance with Article 70(2) of the Act on Personal Data Protection, in the decision referred to in paragraph 1, the President of the Office shall determine the term for the restriction of the processing of personal data not longer than until the day of issuing the decision concluding the proceedings in the case.

As follows from the above provisions, the basis for the supervisory authority concerned to adopt provisional measures in the territory of its Member State under Article 66(1) GDPR is the urgent need to take action to protect the rights and freedoms of the data subjects. Provisional measures on the basis of national law are provided for in the aforementioned Article 70(1) of the Act on Personal Data Protection in the form of issuing a decision requiring the entity accused of violating the provisions on personal data protection to limit the processing of personal data, while the premise for their application is the substantiation of the violation of the provisions on personal data and the threat of causing serious and difficult to remove effects.

In the opinion of the President of the Office for Personal Data Protection in the present case, the above premises for issuing the aforementioned decision have been met.

The urgent nature of the provisional measures should be assessed in relation to the need to protect the rights and freedoms of the data subjects. The negative effects on the persons concerned and their fundamental rights and freedoms are very significant in this case.

In the questioned advertisements displayed by the Company on the social media platform F., the personal data of the Complainant in terms of his name, surname, and image, as well as false information about him, are shared, which suggest that he offers to the advertisement recipients investments guaranteeing the multiplication of their wealth and a sure quick high return and financial independence, which can be achieved by watching the advertisements to the end and acting in accordance with the guidelines

 provided therein.

There is no doubt that the aforementioned information about the Complainant constitutes his personal data within the meaning of Article 4 point 1 GDPR, according to which personal data means any information concerning an identified or identifiable natural person ("data subject"), while an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name and surname.

In the questioned advertisements displayed by the Company in advertisements on the social media platform F., the Complainant is indeed identified by name and surname. Moreover, the advertisements indicate the Complainant's achievements and business activities, which further enable his identification.

Furthermore, the Complainant is a well-known person, a Polish entrepreneur, manager, investor, philanthropist, founder, and president of I., within which he organized a network of self-service parcel lockers in Poland. In addition, in 2022, the Complainant founded R., aimed at financially and mentorship supporting talented young individuals. He has received numerous awards and honors, such as, among others, in 2009, the Manager of the Year award for merits in breaking the monopoly of P., or in 2022, B. in the category "N." (award received together with his wife Mrs. B.K. for engagement in philanthropic activities), as well as decorations in 2022 - K. (see https://[ ... ]).

The content cited in the advertisements is false, affects the opinion of other people about the Complainant, undermines trust in him as a person, entrepreneur, and the aforementioned effects thus cause with respect to this natural person.

It should be noted that the Complainant, especially due to the aforementioned business and charitable activities, is a public figure, widely known and recognizable. The cited advertisements therefore generate a negative opinion about the Complainant, or undermine the trust in him necessary for his business and charitable activities. It can be assumed that the cited content in the advertisements would not have appeared if the Complainant were not a public figure, publicly known, as information about such a person enjoys widespread interest and because of such characteristics of this person, this natural person has become the target of an attack.

In the advertisements, true and current personal data of the Complainant and data concerning his business activities are combined with false information that the Complainant is the founder, supports, and controls the advertised investment platforms. By using false personal data, obtained unlawfully, false information is disseminated that these platforms are new business models of the Complainant, created by his employees, family, or in cooperation with other well-known entrepreneurs, and that they are fully safe tools. Significantly, the advertisements contain information that the Complainant is so well-known, professional, and enjoys great public trust that it cannot be a fraud, because he guarantees the legality of the new investment platform. In this way, the advertisements strongly affect the psyche of users of the indicated social media platforms, also creating the false impression that the recording is directed directly to them, assuring that if the recording is displayed to the user, he has been selected for the project and his device has the technical capabilities to participate in the investments. By using the image and personal data of the Complainant, the advertisers try to induce users of the portals to make impulsive decisions, emphasizing that after closing the post, it will no longer be possible to accept the invitation to invest, which is an obvious falsehood.

The dissemination of the Complainant's personal data is therefore aimed at using his trust and social position to reach the most vulnerable groups to such online frauds, such as in particular young people inexperienced in life, older people, helpless individuals, or those, for instance, lacking sufficient economic knowledge.

The above content presented by the Company, due to its falsehood and potential danger of leading an unlimited number of people to disadvantageous financial investments and management of assets with financial losses, also fully justifies the urgent need to take immediate actions by the President of the Office for Personal Data Protection in the interest of protecting the fundamental rights and freedoms of the data subjects.

Moreover, despite these contents affecting "S." and "S." defined by the Company, they have not been removed by it, while according to the preferred standards it should have done so. As the Company declares in the aforementioned standards, quote: "( ... ) According to our principles, advertisements cannot promote products, services, programs, or offers using deceptive or misleading practices, including practices intended to extort money or personal data from individuals( ... )", as well as quote: "( ... ) Advertisements cannot coordinate, organize, promote or allow specific criminal or harmful activities that are aimed at people, businesses, property or animals( ... )", or quote: "( ... )Advertisers promoting financial products and services must demonstrate that they have authorization from the relevant regulatory authorities if required. Any such authorization may be subject to verification by M. Advertisers must also meet the legal requirements for disclosing information( ... )", and also quote: "( ... )We enforce our rules using automated and, in some cases, manual verification. In addition to verifying individual advertisements, we also monitor and investigate the behavior of the advertiser and may impose restrictions on his accounts if they violate our Advertising Posting Standards, Community Standards or other company rules and regulations( ... )", (see https://[ ... ]).

Furthermore, the Company committed itself, quote: "( ... ) We want to ensure that the content displayed on F. We believe that authenticity creates better conditions for sharing content( ... )", and also quote: "( ... ) We have committed to ensuring safety on F. ( ... )"(see [ ... ]).

Despite the aforementioned declarations of the Company, false information concerning the Complainant is still displayed on F., hence undoubtedly the urgent reaction of the supervisory authority for personal data protection in this case is fully justified and necessary.

Furthermore, in this case, it has been fully substantiated that through the questioned processing of the Complainant's personal data by the Company, involving the placement of his data, including false information concerning his person in the advertisements presented by the Company on the aforementioned platforms, there is a violation of the data protection regulations by the Company.

The Company is indeed a joint controller of the Complainant's personal data processed in the aforementioned manner, within the meaning of Article 26 GDPR, according to which if at least two controllers jointly determine the purposes and means of processing, they are joint controllers, who in a transparent manner by mutual arrangements define the appropriate scopes of their responsibility concerning the fulfillment of the obligations arising from this regulation.

As follows from the regulations presented by the Company on the social media platform F., the Company and the user are joint controllers of data according to Article 26 GDPR in the scope of joint data processing defined in the Terms and Conditions of a given product. The scope of Joint data processing includes the collection of personal data specified by the Terms and Conditions of a given product and their transfer to the Company (see https://[ ... ]).

Moreover, as follows from the aforementioned regulations, quote: "( ... ) The advertiser creates advertisements for display on F. and I. as well as on other websites and mobile applications, and then sends them via our advertising management tools. Then F. displays the advertisement. When selecting appropriate advertisements to display, we take into account the advertiser's goal, the expected target group, and the advertisement. We do not provide advertisers with information about your identity and do not sell them your data( ... )" (see https://[ ... ]). Furthermore, according to the Company's claims contained in the aforementioned service, quote: "( ... )Protecting individuals' privacy is a key element in designing our advertising system. When displaying advertisements in M. Products, we display relevant and useful advertisements to the user without sharing information about the user with advertisers. We do not sell user's personal data or provide advertisers with information that enables direct identification of the user (such as name, email address or other contact data) without the user's explicit consent. We allow advertisers to provide us with such information as their business goal and the type of audience they want to display ads to (for example, individuals aged 18-35 who live near the advertiser's store in P.). We then display their advertisement to those who we believe may find it significant (see https://[ ... ]).

In case of doubts as to the joint administration by the Company along with the advertiser of any personal data contained in the content presented by the Company in the advertisements, it is reasonable to refer here to the judgment of the Court of Justice of 5 June 2018 in case C-210/16, i.e., the proceedings of Unabhangiges Landeszentrum fur Datenschutz Schleswig-Holstein against Wirtschaftsakademie Schleswig-Holstein GmbH, with the participation of: Facebook Ireland Ltd, Representative of the Federal Interest at the Federal Administrative Court, in which the Court ruled that the entity operating a fanpage on Facebook jointly administers personal data together with the Company, stating in particular, quote: "( ... ) the administrator of a fanpage operated on Facebook,( ... ), participates by taking actions consisting of determining parameters dependent in particular on his target users, as well as from the objectives in terms of managing or promoting his business, in determining the purposes and means of processing personal data of persons visiting his fanpage. Therefore, in this case, it should be recognized that this fanpage administrator bears at the Union level joint responsibility with Facebook Ireland for processing data within the meaning of Article 2(d) Directive 95/46( ... )".

Therefore, on the Company, as a joint controller of the Complainant's personal data, rests the obligation to process his personal data in compliance with the legal bases mentioned in Article 6(1) GDPR, and also in compliance with the principles of data processing arising from Article 5(1) GDPR, such as in particular the principles of legality, fairness and transparency (Article 5(1)(a) GDPR), and also the principle of accuracy

 (Article 5(1)(d) GDPR). Furthermore, the Company, in accordance with Article 5(2) GDPR, must be able to demonstrate compliance with the GDPR regulations in the process of processing the Complainant's personal data.

The public disclosure by the Company of the Complainant's personal data, including false information about him, in the advertising content presented by the Company, in a manner enabling access to them by an unlimited circle of other persons/entities, may therefore result in the Company violating Articles 5(1) GDPR and 6(1) GDPR, as demonstrated above by indicating the manner of sharing the Complainant's data by the Company, as well as the nature of this sharing, additionally being in contradiction with the Company's regulations regarding the use of its services contained on the social media platform F.

The public disclosure by the Company of the aforementioned personal data of the Complainant, including the described false information about him, in the aforementioned advertising content violates Article 1 of the Charter of Fundamental Rights of the European Union, which provides that human dignity is inviolable. It must be respected and protected.

Thus, in the case, it has been substantiated that the processing of the Complainant's personal data by the Company may violate the data protection regulations, as a result of which the first of the premises for applying the provisional measure under Article 70(1) of the Act on Personal Data Protection has been met.

In the case, there is also the second premise for issuing the aforementioned decision in the form of substantiating the threat of causing serious and difficult to remove effects.

Given that the Company is disseminating false information about forms of investing allegedly being new business models of the Complainant, the content publicized by the Company in the aforementioned advertisements on the social media platforms F. and I., may cause severe financial consequences for other persons, users of the aforementioned platforms, by disadvantageous disposition of their monetary funds.

It should be noted that the way of promoting alleged investment tools, especially when taking into account the dissemination of the Complainant's personal data and his alleged assurances of achieving high profit from investments (e.g., a promise of [ ... ] euros per day, [ ... ] thousand zlotys weekly), raises the suspicion that through this platform, financial frauds may occur to the detriment of persons to whom the discussed content was directed via the aforementioned platforms.

Consequently, in the case, an irremovable effect may occur in the form of further processing of false information concerning the Complainant by other entities and further spreading of misinformation about the Complainant in Polish society resulting in loss of trust in him as an entrepreneur and philanthropist, as well as in the form of severe financial consequences for other persons, users of the aforementioned platforms, susceptible to the displayed content, which may include both young inexperienced individuals, older people, helpless individuals, or those, for instance, lacking sufficient economic knowledge.

Therefore, prohibiting the Company in the present procedure from sharing the aforementioned personal data of the Complainant, contained in advertisements displayed on the social media platforms F. and I. within the territory of the Republic of Poland for a period of three months from the day of delivery of this decision to the Company, is fully justified and necessary.

A later decision of the leading authority in the case will not remove the negative consequences of unauthorized processing of personal data by other entities, especially with respect to the consequences for the rights of persons, as indicated above.

This fully justifies the application of the protection mechanism under Article 70(1) of the Act on Personal Data Protection in conjunction with Article 66(1) GDPR.

In this factual and legal state, the President of the Office for Personal Data Protection resolved, as in the ruling.

President of the Office for Personal Data Protection
Mirosław Wróblewski

This decision is final. Pursuant to Article 70(3) of the Act of 10 May 2018 on Personal Data Protection (Journal of Laws of 2019, item 1781), the party has the right to file a complaint with the Provincial Administrative Court in Warsaw within 30 days from the day of delivery of this decision, through the President of the Office for Personal Data Protection (address: Office for Personal Data Protection, ul. Stawki 2, 00-193 Warsaw). The fee for the complaint is 200 zlotys. The party has the right to seek legal aid, including exemption from court fees.