AZOP (Croatia) - Decision 16-11-2021

From GDPRhub
Revision as of 13:56, 21 September 2022 by Kk (talk | contribs)
AZOP - Decision of 16 November 2021 - Real Estate Agency
LogoHR.png
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 4(1) GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided: 16.11.2021
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: Decision of 16 November 2021 - Real Estate Agency
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Croatian
Original Source: AZOP (in HR)
Initial Contributor: Presido Croatia

The Croatian DPA determined that a photograph of a person camouflaged in a jacket and wearing a protective mask did not consitute personal data according to Article 4(1) GDPR because it was impossible for the average person to identify the individual. As a result, the publication did not infringe the GDPR.

English Summary

Facts

The Croatia DPA received a complaint in which, in essence, the complainant pointed out that a real estate agency (the controller) published their photograph taken during a viewing of an apartment that was advertised for sale, without their consent and knowledge. The photo was available on a public website via an URL link.

At the request of the Croatian DPA, the controller stated that they deleted, in good faith, the disputed parts of the photo allegedly representing the complainant. At the same time, the controller argued that they did not believe that, in this case, it was about the complainant's personal data, since the person in the initial photograph was camouflaged in a jacket and a protective face mask. Moreover, the person voluntarily entered the frame during the photo shoot.

Holding

The Croatian DPA rejected the complaint as unfounded. It pointed out that it was not possible to determine the data subject's identity from the contested photo. In particular, the assessment of identity should be based on objective and reasonable factors so that the average person could determine in an unequivocal way (directly/indirectly) the identity of an individual.

The DPA concluded that the identity of the applicant was impossible to determine by objective factors available to the average person, who was not an acquaintance of the complainant, from just looking at the attached photo. The photo was not clear and the face was not visible (mostly covered by a surgical mask).

Therefore, the photograph in question could not be referred to as personal data in the sense of Article 4(1) GDPR, so there was no obligation of the controller to delete the photograph. It was only about publishing a photo of a property intended for sale and did not contain personal data.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.

Agency for the protection of personal data based on Article 57 paragraph 1 and 58 paragraph 1 of Regulation (EU)
2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals in relation to processing
personal data and on the free movement of such data and on repealing the Directive
95/46/EC (General Data Protection Regulation) SLEU L119 and Article 34 of the Law on the Implementation of the General
Regulation on data protection ("Official Gazette", number 42/18) and Article 41 paragraph 1 and Article 96 paragraph
1 of the Law on General Administrative Procedure ("Official Gazette" No. 47/09), and acting on the request
to determine the violation of the right to the protection of personal data xy, provides the following
SOLUTION
The request to determine the violation of the right to the protection of personal data xy is rejected as unfounded.
Form layout
The Agency for the Protection of Personal Data (hereinafter: the Agency) received a request for determination
violation of the right to protection of personal data xy (hereinafter: the applicant) in which
In essence, he points out that the real estate agency x (hereinafter referred to as: the agency for real estate
real estate) published her through classifieds websites without her consent and knowledge
photograph during a viewing of an apartment that was advertised for sale, contrary to the provisions
General Data Protection Regulation, which photo is available via URL link. In Attachment
of the request, the applicant submitted a copy of the complete correspondence she had from above
the said real estate agency.
The request is not founded.
Following on from the above, we point out that as of May 25, 2018, in all member states
of the European Union, as well as in the Republic of Croatia, in the area of personal data protection, binding i
directly applies Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on
the protection of individuals in connection with the processing of personal data and the free movement of such data, and o
2
repealing Directive 95/46/EC (General Data Protection Regulation) SL EU 119, and for which
application and enforcement in the territory of the Republic of Croatia is the responsibility of the Personal Protection Agency
data.
Before elaborating the normative part of the General Data Protection Regulation, it is necessary to refer to the introductory part
statement number 26 to the General Regulation on data protection, in which it is defined in more detail that the code
assessment of whether an individual's identity can be established should take into account all means, such as for example
selections, which the controller or any other person can apparently use for the purpose
of direct or indirect identification of an individual. In order to determine whether, according to all appearances,
it is likely that means are used to determine the identity of an individual, should be taken into account
all objective factors, such as costs and time required to establish identity,
taking into account both the technology available at the time of processing and technological developments.
Article 2, paragraph 1 of the General Data Protection Regulation prescribes how it applies to processing
personal data, which is fully automated and non-automated processing of personal data
data that are part of the storage system or are intended to be part of the storage system.
The aforementioned General Data Protection Regulation in Article 4, Paragraph 1, Point 1 stipulates that they are personal
data all data relating to an individual whose identity has been determined or can be determined, a
an individual whose identity can be determined is a person who can be identified directly or indirectly,
especially with the help of identifiers such as name, identification number, location data, network
identifier or with the help of one or more factors specific to physical, physiological, genetic,
mental, economic, cultural or social identity of that individual.
Pursuant to Article 5 of the General Data Protection Regulation, personal data must be lawful, fair and
processed transparently with respect to the respondent (principle of legality, fairness and transparency);
collected for special, explicit and legal purposes and may not be further processed in a way that is not in
in accordance with these purposes (principle of purpose limitation); appropriate, relevant and limited to what
is necessary in relation to the purposes for which they are processed (principle of reducing the amount of data); accurate and according to
up-to-date if necessary (accuracy principle); stored in a form that allows the identification of the respondent only
as long as necessary for the purposes for which personal data are processed (principle of limitations
storage); processed in a way that ensures adequate security of personal data,
including protection against unauthorized or unlawful processing and against accidental loss, destruction or
damage by applying appropriate technical or organizational measures (principle of integrity and
confidentiality).
Article 6, paragraph 1 of the General Regulation on Data Protection prescribes the processing of personal data
legal only if and to the extent that at least one of the following is met: the respondent has given
consent to the processing of your personal data for one or more specific purposes; processing is necessary for
execution of a contract to which the respondent is a party or to take actions at the request of the respondent
before the conclusion of the contract; processing is necessary to comply with the legal obligations of the controller; processing
is necessary to protect the key interests of the controller's legal obligations; processing is necessary for
3
performing a task of public interest or when performing the official authority of the data controller; processing
is necessary for the legitimate interests of the data controller or a third party.
In this administrative matter, the Agency is based on the submitted evidence, more precisely the correspondence between
of the applicant and the real estate agency determined that the applicant is
from February 26, 2021, was in communication with the real estate agency via
e-mail regarding the publication of the disputed photo, which is available via a URL link, and where
the applicant clearly indicated that she was against the publication of the said photo, for which she was not
gave her consent and how she requests its deletion. At the request of real estate agencies
stated on March 1, 2021 that they deleted the disputed parts of the photo in good faith,
and that they do not believe that in this case it is about the applicant's personal data, since
that it is a person (the applicant) who is camouflaged in a jacket and a protective mask and who
voluntarily entered the frame during the photo shoot.
The agency also determined, based on the submitted photo, that a smaller one can be found on it
an apartment in the area of the city of Zagreb, the sale of which is advertised via the URL link, with an area of 20 m2
on
which shows the wardrobe in the studio in question, the sleeping bed, the television, the table, the window. Except
mentioned in the initial photo that was published on February 26, 2021 is also located
a female person in a long brown jacket with a protective (surgical) mask on her face. Photography
is (in relation to the person in the photo) made from a profile without the constitution being seen in its entirety
person, his face or eyes.
In this direction, we point out that it is not possible to determine the identity with certainty from the attached photo
of the person (the applicant) who is in the contested photo, since the assessment
possible determination of identity should be based on objective/reasonable factors of that time
need to be invested so that the average person could determine in an unequivocal way (directly/indirectly).
the identity of the individual respondent. Considering that the identity of the applicant is impossible
determined by objective factors available to the average person who is not
an acquaintance of the applicant from just looking at the attached photo, which is not clear
a visible face that is mostly covered by wearing a surgical mask, in the situation in question
cannot be referred to as personal data in the sense of Article 4, Paragraph 1, Point 1 of the General Regulation on Protection
data, so there was no obligation of the real estate agency to delete it
a photo in which (according to the applicant) the applicant is, since
it is only about publishing a photo of a property that is intended for sale and that does not contain
personal data in the sense of Article 4, paragraph 1 of the General Data Protection Regulation.
Following the above, it was decided as in the Proclamation of the Decision.
LEGAL REMEDY
An appeal against this decision is not allowed, but an administrative dispute can be initiated before the Administrative Court
by the court in Split within 30 days from the date of delivery of the decision.