DSB (Austria) - 2024-0.796.258
DSB - 2024-0.796.258 | |
---|---|
Authority: | DSB (Austria) |
Jurisdiction: | Austria |
Relevant Law: | Article 5 GDPR, Article 9 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 28.08.2024 |
Decided: | 12.12.2024 |
Published: | 24.01.2025 |
Fine: | 2,000 EUR |
Parties: | n/a |
National Case Number/Name: | 2024-0.796.258 |
European Case Law Identifier: | ECLI:AT:DSB:2024:2024.0.796.258 |
Appeal: | n/a |
Original Language(s): | German |
Original Source: | RIS (in DE) |
Initial Contributor: | ao |
The DPA fined a controller €2,000 for sending nude pictures he had taken of the data subject to his own phone and storing them on it until the data subject noticed and demanded their erasure.
English Summary
Facts
The controller and the data subject had agreed that the controller would take one nude picture of the data subject for the data subject’s personal use. The controller took this picture. However, the controller had secretly taken more nude pictures of the data subject on the data subject’s phone.
He then sent the pictures to his own phone without the data subject’s consent. The controller stored the pictures on his phone for one day.
The data subject noticed the next day and demanded that the controller delete the pictures. The controller responded that he could delete the pictures and that he had merely wanted to photoshop them for the data subject. The controller did delete the pictures. The data subject filed a complaint against the controller with the Austrian DPA (Datenschutzbehörde – DSB) on 28 August 2024. Throughout the investigation, the controller did not respond to any of the DSB's requests.
Holding
The DSB held that the taking of the pictures did not constitute unlawful processing as the data subject’s consent had been obtained.
However, for the transmission of the pictures to his own phone and the storage for one day, the controller was held to have violated Article 9(2) GDPR and Article 5(1)(a), (b) and (c) GDPR. The court found that the nude pictures related to the data subject's sex life and therefore constituted sensitive data under Article 9 GDPR. The court highlighted that it did not matter whether the controller knew he was violating the GDPR.
The court considered that the controller had deleted the pictures after he was requested to do so. The court based the fine on the median income of film crew, which was the controller’s profession. Therefore, the DSB set a fine of €2,000 for the unlawful processing.
Comment
The court did not elaborate on the household exemption under Article 2(2)(c) GDPR in this case.
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
GZ: 2024-0.796.258 of December 12, 2024 (case number: DSB-D550.1113)
[Editor's note: Names and companies, legal forms and product names, addresses (including URLs, IP and email addresses), file numbers (and the like), statistical information, etc., as well as their initials and abbreviations may be abbreviated and/or changed for pseudonymization reasons. Obvious spelling, grammatical and punctuation errors have been corrected.]
Criminal conviction
Accused: Michael D***, born on **.**.196*
As the controller within the meaning of Art. 4 Z 7 of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: "GDPR"), OJ No. L 119 of 04.05.2016 p. 1 as amended, you have realized the following facts and thereby committed the following administrative offense:
On July 15, 2024 in Vienna (hereinafter "crime scene"), you forwarded nude photos of Angelika V*** (hereinafter "affected party"), which you had previously taken with the affected party's mobile phone, from her mobile phone to your own mobile phone via the “I***” service without the consent of the person concerned. In addition, you stored the photographs on your mobile phone from July 15, 2024 to July 16, 2024 (“period of the offense”).
The photographs reflect intimate images as nude photos and are personal data about the sex life of the person concerned. The image data processing carried out - forwarding and storing the photographs - was unlawful because it cannot be based on the consent of the person concerned or on any of the other exceptions under Art. 9 (2) GDPR and contradicts the principles under Art. 5 (1) lit. a GDPR (“legality, processing in good faith, transparency”), Art. 5 (1) lit. b (“purpose limitation”) and Art. 5 (1) lit. c GDPR (“data minimization”).
Administrative offence according to: Art. 9 and Art. 5 para.
1 lit. a in conjunction with Art. 83 para. 1 and para. 5 lit. a GDPR OJ L 2016/119, p. 1, as amended
The following penalty is imposed for this administrative offence:
Fine of: € 2,000
If this is uncollectible, alternative prison sentence of: 120 hours
In accordance with: Art. 83 para. 5 lit. a GDPR in conjunction with Section 16 Administrative Penal Code 1991 – VStG
You must also pay in accordance with Section 64 of the Administrative Penal Code 1991 – VStG:
200 Euro as a contribution to the costs of the criminal proceedings, which is 10% of the penalty, but at least 10 Euro;
Euro as compensation for the cash expenses for
The total amount to be paid (fine/costs/cash expenses) is therefore 2,200 euros
Payment deadline:
If no appeal is lodged, this penalty decision is immediately enforceable. The total amount must in this case be paid into the account [Note processor: abbreviated here], made out to the data protection authority, within two weeks of the decision becoming final. The reference number and the date of completion should be stated as the purpose of payment. If no payment is made within this period, the total amount can be demanded. In this case, a flat-rate contribution to costs of five euros must be paid. If no payment is made, the outstanding amount will be enforced and, in the event of non-collectibility, the substitute prison sentence corresponding to this amount will be carried out.
Reason:
1. The following facts relevant to the decision are established on the basis of the evidence procedure carried out:
1.1. On the course of the proceedings and the lack of cooperation of the accused
On August 28, 2024, the data protection authority (hereinafter: "DSB") was informed by means of a report by Ms. Angelika V*** (hereinafter "affected party") that on July 15, 2024, the accused had secretly taken several nude photos - when taking a nude photo of the affected party - and had sent them to himself via the "I***" service.
The DSB subsequently initiated administrative penal proceedings with a settlement of October 1, 2024 (GZ: D550.1113; 2024-0.631.094) and called on the accused to justify himself in relation to the following administrative offense (formatting not adopted 1:1):
“On July 15, 2024 in Vienna (“crime scene”), as agreed, you took a nude photo of Angelika V*** (hereinafter “affected person”) with your mobile phone, taking into account the sole use of the affected person. However, without the consent of the affected person, you took several nude photos - in addition to the agreed photograph - and forwarded them to your mobile phone via the “I***” service, thereby unlawfully collecting and transmitting personal data of the affected person. In addition, you saved the photographs on your mobile phone from July 15, 2024 to August 28, 2024 (“period of the offense”) and thus continuously processed the personal data of the person concerned. As nude photos, the photographs reflect intimate images and are personal data about the sex life of the person concerned. The image data processing carried out - production, forwarding and storage of the photographs - was unlawful, as it cannot be based on the consent of the person concerned, nor on any of the other permissions under Art. 9 Para. 1 GDPR, and contradicts the principles under Art. 5 GDPR.”
In this letter, it was expressly pointed out that the criminal proceedings would be carried out without hearing the accused if the request for justification was not complied with. An appendix concerning the disclosure of income and assets as well as care obligations was attached to the request for justification. The appendix contains the following note (formatting not adopted 1:1):
"With the enclosed request for justification, administrative penal proceedings have been initiated against you as the accused.
According to Section 19 Paragraph 2, last sentence, Administrative Penal Code 1991 - VStG, the income and assets as well as any care obligations of the accused must be taken into account when determining fines. We therefore request that you fill out the questionnaire below and send it back to us. If you do not send the questionnaire to us or do not send it back on time (by the time specified in the enclosed request for justification), we are forced to determine any fine in the course of the administrative penal proceedings by assessing these circumstances.
Profession: ......
Monthly net income: ......
Assets: ......
Care responsibilities: ......"
The letter was sent together with the enclosure by RSa letter to the accused’s main residence at address “F***platz *5/*4, 1*** Vienna”. After an attempted delivery by postal officials, the letter was held for collection from October 11, 2024 at the “Collection branch: Post Office 1*** Vienna, Date of deposit: October 11, 2024”. The shipment was returned on October 29, 2024 as “not resolved”.
1.2. Regarding the production and storage of the photographs in question:
On July 15, 2024, the accused invited the victim to "cool off" with him in Vienna (hereinafter "crime scene") in a swimming pool on the roof of an apartment belonging to a mutual acquaintance. Since the victim did not have any swimwear with her, she undressed and went swimming in an undressed state.
The accused is a cameraman and the victim and the accused agreed that a nude photo of the victim would be taken using the victim's cell phone for her sole use. The accused took several photographs of the victim in an undressed state and transmitted them to his own cell phone via the "I***" service without the knowledge of the victim.
On July 16, 2024, the person concerned asked the accused to delete the photographs using the following message (formatting not adopted 1:1):
"Delete immediately, my sister is a police officer. I want the pictures to be deleted immediately. I did not give you permission to do so. If they are forwarded to third parties, I will file a complaint. […]"
The accused replied to the person concerned on the same day as follows (formatting not adopted 1:1):
"Actually, I wanted to photoshop them [sic] and send you the improved photos, but as you say, I know the right to one's own image and would never disregard it. I am a cameraman and deal with it every day."
The accused subsequently deleted the nude photos of the person concerned from his cell phone on July 16, 2024.
2. The findings are made on the basis of the following assessment of evidence:
2.1. The findings under 1.1. are undoubtedly based on the initial submission of August 28, 2024 and the administrative offense in question. The finding regarding the delivery process of the settlement of October 1, 2024 (GZ: D550.1113; 2024-0.631.094) is based on the harmless and easily legible return receipt.
2.2. The findings are essentially based on the information provided by the complainant, in particular on the screenshots of the message history between the person concerned and the accused. On July 16, 2024, the person concerned asked the accused whether he had sent himself the photographs, to which he replied: "Exactly, I'm not going to show them anyway." The chat history also shows the accused's appeal and that he deleted the photographs as a result of the request.
The accused has not commented on the accusation - despite being asked to justify himself on October 1, 2024 (GZ: D550.1113; 2024-0.631.094).
3. Legally, this means:
3.1. On the jurisdiction of the DSB and the scope of the GDPR
Article 83 (5) (a) GDPR stipulates that in the event of violations of the provisions of Articles 5, 6, 7 and 9 GDPR, fines of up to 20,000,000 euros or, in the case of a company, up to 4% of its total worldwide annual turnover of the previous financial year, whichever is higher, can be imposed. According to Section 22 (5) DSG, the responsibility for imposing fines on natural and legal persons for Austria as the national supervisory authority lies with the DSB.
According to Article 2 (1) GDPR, the regulation applies to the fully or partially automated processing of personal data as well as to the non-automated processing of personal data that is or is to be stored in a filing system. The image data captured by the mobile phone in this case undoubtedly represent personal data within the meaning of Art. 4 Z 1 GDPR (cf. ECJ 11.12.2014, C-212/13, para. 2).
It should also be noted that the photographs certainly reflect intimate images. The meanings of "intimate" include: "very close and familiar (in relation to the personal relationship between people); sexual; relating to the area of the genitals; cozy, comfortable, having a private character" (cf. the link https://www.duden.de/rechtschreibung/intim). The person concerned is in a naked state and the photographs were taken as part of the joint "cooling down". The sexual life includes all information related to sexual activities, preferences and practices, which includes, for example, intimate images (cf. Kastelitz/Hötzendorfer/Tschohl in Knyrim, DatKomm Art. 9 GDPR, Rz 29). The photograph in question therefore records data on the sexual life of the person concerned in the sense of Art. 9 Para. 1 GDPR (cf. also the decision of the DSB dated June 20, 2024, GZ: D124.0614/23; 2024-0.342.465).
By "producing", "transmitting" and "storing" the photographs by mobile phone, processing was carried out in the sense of Art. 4 Z 2 GDPR. In light of the facts assumed to be proven, the accused is to be qualified as the person responsible in accordance with Art. 4 Z 7 GDPR. As the controller, the accused is the addressee of the relevant obligations of the GDPR - such as compliance with the principles of data processing - in connection with the processing in question, which are discussed in more detail below.
3.2. On the legality of data processing
With regard to the legality of processing, it is pointed out at the outset that Art. 5 GDPR sets out the principles of processing personal data and stipulates in paragraph 1 lit. a that personal data must be processed lawfully, fairly and in a manner that is understandable to the data subject (“lawfulness, fairness and transparency”). The provision of Art. 5 para. 1 lit. b GDPR also stipulates that personal data must be collected for specified, clear and legitimate purposes and may not be further processed in a manner that is incompatible with these purposes (principle of “purpose limitation”). The provision according to Art. 5 Para. 1 lit. c GDPR also stipulates that the specific data processing must be appropriate and significant for the respective purpose and limited to the extent necessary for the purposes of the processing (principle of “data minimization”).
In principle, according to Art. 9 Para. 1 GDPR, there is a prohibition on processing special categories of personal data. The requirements for lawful data processing in connection with data on sex life are specified in Art. 9 Para. 2 GDPR as an exception to this prohibition on processing. Art. 9 Para. 2 GDPR contains a list of ten circumstances (“application cases”) in which the prohibition on processing in Art. 9 Para. 1 GDPR is not applicable. Recourse to Art. 6 Para. 1 GDPR is excluded, as this would circumvent the high hurdles of Art. 9 Para. 2 (cf.
in Knyrim, DatKomm Art. 9 GDPR Rz 30). In comparison to Article 6 (1), Article 9 (2) lacks in particular the admissibility provisions of “processing in the legitimate interest of the controller or of a third party” (Article 6 (1) (f)) and that of “processing for the performance of a contract” (Article 6 (1) (b); see, however, Article 9 (2) (h) “on the basis of a contract with a member of a healthcare profession”), which leads to a more restrictive admissibility regime (cf. in Knyrim, DatKomm Article 9 GDPR para. 30).
As already shown at the beginning, the following processing operations must be differentiated and each of them must then be checked individually for their legality:
1) Production of the photographs
2) Transmission of the photographs and
3) Storage of the photographs.
3.2.1. Regarding the production of the photographs
With regard to the production of the photographs, Art. 9 para. 2 lit. a GDPR applies. According to Art. 9 para. 2 lit. a GDPR, the prohibition on processing special categories of personal data does not apply if the person concerned has expressly consented to the processing of the personal data mentioned for one or more specified purposes. For example, with regard to the production of the photographs, the express consent of the person concerned was given, who specifically wanted the photographs of her naked body to be taken using her mobile phone. Accordingly, no violation can be seen in connection with this processing operation.
3.2.2. Regarding the transmission of the photographs
However, there was no express consent for the transmission of the photographs to the accused's mobile phone. Rather, this took place without the knowledge of the person concerned.
Although the accused did not invoke this - due to a lack of justification - he stated in the written "I***" message exchange with the person concerned that he had actually "photoshopped [sic]" the photographs and wanted to "send the improved photos" to the person concerned, and in this respect relied on the legitimate interest of a third party, specifically: the person concerned. However, as already mentioned at the beginning, Art. 9 Para. 2 GDPR does not contain the admissibility of legitimate interest. Furthermore, the data protection authority cannot identify any other exceptions to Art. 9 Para. 2 GDPR. The alleged act cannot therefore be justified by Art. 9 Para. 2 GDPR.
As a result, there is no factual basis justifying the processing, which also means that the existence of a legitimate purpose (Art. 5 Para. 1 lit. b GDPR) must be denied. Since the processing action carried out lacks a legitimate purpose, the processing of the personal data could not be appropriate and significant for the purpose and limited to the extent necessary for the purposes of the processing (Art. 5 Para. 1 lit. c GDPR). The objective elements are therefore met.
3.2.3. On the storage of the photographs
With regard to the storage, reference can be made to the statements made under point 3.2.2. and it also follows in connection with the storage that none of the exceptions in Art. 9 Para. 2 GDPR apply. This means that this action cannot be justified by Art. 9 Para. 2 GDPR.
As a result, there is no element justifying the processing in connection with the storage, which also means that the existence of a legitimate purpose (Art. 5 Para. 1 lit. b GDPR) must be denied. Since the processing action carried out lacks a legitimate purpose, the processing of the personal data could not be appropriate to the purpose and significant and limited to the extent necessary for the purposes of the processing (Article 5 (1) (c) GDPR).
The objective elements of the offence are therefore also met for this processing action.
3.4. On the subjective side of the offence
The ECJ has now explicitly stated that only violations of provisions of the GDPR that the controller commits culpably, i.e. intentionally or negligently, can lead to the imposition of a fine (cf. ECJ of December 5, 2023, C-807/21, para. 68).
With regard to the subjective side of the offence, it must be taken into account that the requirement of fault for the imposition of a fine under Article 83 GDPR is to be interpreted autonomously within the Union and is to be assessed in particular in the light of the case law of the ECJ. The ECJ also found on the question referred in relation to fault that the Union legislature had not granted the Member States any discretion in this regard for national regulations, since the substantive requirements are conclusively regulated in Article 83 (1) to (6) GDPR (see also ECJ of December 5, 2023, C-683/21, para. 64 ff). Section 5 of the Criminal Code therefore does not apply in relation to fault.
On the question of whether an infringement was committed intentionally or negligently and can therefore be punished with a fine, the ECJ made it clear in its judgment cited above that such fault already exists if the accused could not have been unaware of the illegality of his conduct, regardless of whether he was aware that he was violating the provisions of the GDPR (cf. ECJ C-807/21, para. 76).
The responsibility and liability of a controller extends to any processing of personal data carried out by or on his behalf. In this context, the controller must not only take appropriate and effective measures, but must also be able to demonstrate that its processing activities are in line with the GDPR and that the measures it has taken to ensure this compliance are also effective (cf. ECJ C-807/21, para. 38, with reference to Recital 74).
In the present case, the DSB does not assume that the accused acted intentionally. As the controller pursuant to Art. 4(7) GDPR, the accused consciously decided to send the photographs to himself and store them on his mobile phone, but apparently did not do enough research into the relevant administrative regulations beforehand. Simply accessing the DSB website would have been enough to find out, for example, that the processing of special categories of personal data is generally prohibited and that the exceptions to the processing prohibition are set out in Art. 9(2) GDPR. In addition, this can also be deduced from the clear wording of Art. 9 GDPR.
Finally, in this context, reference can also be made to the decision of the Federal Administrative Court of April 8, 2022, GZ: W214 2240128-1, according to which the complainant there must also have been aware "that there are relevant data protection regulations, all the more so since the GDPR was widely informed and discussed in public when it came into effect in 2018 and a large number of media articles on this topic appeared."
In any case, in the course of the investigation, there were no indications that the accused was not at fault for violating the administrative regulations applicable in this case. In particular, the accused did not make use of the possibility of justification in order to counter both the objective and subjective aspects of the offense. In the light of the case law of the ECJ, the accused could not have been in any doubt about the illegality of his conduct, regardless of whether he was aware that he was violating the provisions of the GDPR (cf. ECJ C-807/21, paras. 76 and 77; ECJ C-683/21, paras. 81 and 82 with further references). This also fulfills the subjective aspect of the offense.
4. The following must be noted with regard to sentencing:
According to Art. 83 (1) GDPR, the DSB must ensure that the imposition of fines for violations of the provisions of the GDPR subject to sanctions (Art.
83 (4), (5) and (6) GDPR) is effective, proportionate and dissuasive in each individual case. In more detail, Article 83 Paragraph 2 GDPR stipulates that when deciding on the imposition of a fine and its amount, certain criteria must be duly taken into account in each individual case.
The determination of the penalty within a statutory penalty range is a discretionary decision that must be made according to the criteria set by the legislature (cf. VwGH 05.09.2013, 2013/09/0106). The criteria to be taken into account by the DSB when determining the penalty are finally set out in Article 83 Para. 2 GDPR.
If a fine is imposed on a natural person, according to Section 16 Para. 1 VStG a substitute prison sentence must be imposed at the same time in the event that the fine cannot be collected. The substitute prison sentence may not exceed the maximum prison sentence threatened for the administrative offence and, if no prison sentence is threatened and nothing else is specified, two weeks.
Article 83 (3) GDPR stipulates, in deviation from the cumulation principle stipulated in Section 22 (2) VStG, that in cases of identical or interconnected processing operations that intentionally or negligently violate several provisions of the GDPR, the total amount of the fine does not exceed the amount for the most serious violation. Thus, within the scope of application of the GDPR - as applied in the present case - the absorption principle of Article 83 (3) GDPR applies.
The penalty in the specific case extends to an amount of EUR 20,000,000 in accordance with Article 83 (5) (a) GDPR.
The income and assets could not be determined due to the lack of cooperation of the accused. Therefore, an estimate had to be made by the authority in this context. According to the professional lexicon of the Public Employment Service (AMS), the starting salary of a camerawoman or cameraman is between EUR 2,090 and 2,760 (https://www.berufslexikon.at/pdf/pdf3624-Kameramann-frau/).
On this basis, in the present case, the accused's monthly gross income is assumed to be EUR 2,760.
In relation to the facts of the case, the following aggravating factors were taken into account when determining the sentence:
- Nature, duration and severity of the violation: The unlawful processing, specifically the transmission and storage, violated the fundamental rights of the person concerned (right to confidentiality according to Section 1 Paragraph 1 of the Data Protection Act as well as the respect for private and family life and the right to protection of personal data according to Articles 7 and 8 of the EU Charter of Fundamental Rights) (Article 83 Paragraph 2 Letter a of GDPR).
- Categories of personal data affected by the violation: The accused processed specific categories of personal data, specifically: data on the sex life of the person concerned (Article 83 Paragraph 2 Letter g of GDPR).
In relation to the facts of the case, the following mitigating factors were taken into account when determining the sentence:
- To date, the DSB has not had any relevant previous convictions against the accused for violations of the GDPR or the DSG (Article 83, Paragraph 2, Letter e of GDPR),
- The accused deleted the photograph at the request of the person concerned (Article 83, Paragraph 2, Letter c of GDPR).
The imposition of the sentence in this specific case is not only necessary in the special preventive sense in order to deter the accused from further criminal acts of the same kind (in particular, the accused did not inform the DSB that he would refrain from such processing in the future), but also necessary in the general preventive sense in order to sensitize those responsible with regard to the legally compliant processing of sensitive data.
The specific penalty imposed in the amount of EUR 2,000 therefore appears to be appropriate to the offense and guilt in view of the realized penalty value of the offense, measured against the available penalty range under Art.
83 Para. 5 GDPR (in this case up to EUR 20,000,000) and taking into account the relevant criteria for determining the penalty under Art. 83 Para. 2 GDPR, and is at the lowest end of the available penalty range due to the first violation. As a result, the specific penalty imposed is therefore effective, proportionate and deterrent in the sense of Art. 83 Para. 1 GDPR for the present case.