AKI (Estonia) - 2.1.-1/23/2891-5
AKI - 2.1.-1/23/2891-5 | |
---|---|
Authority: | AKI (Estonia) |
Jurisdiction: | Estonia |
Relevant Law: | Article 6(1)(a) GDPR Article 6(1)(f) GDPR § 10 IKS § 4 IKS |
Type: | Other |
Outcome: | n/a |
Started: | 26.01.2023 |
Decided: | 10.03.2023 |
Published: | 12.04.2023 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 2.1.-1/23/2891-5 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Estonian |
Original Source: | Andmekaitse Inspektsioon (in ET) |
Initial Contributor: | Norman Aasma |
Estonian DPA held that the disclosure of personal data of debtors in a public Facebook group was unlawful and orderes the controller to stop the processing.
English Summary
Facts
The data controller opened a Facebook group aimed at sharing information about debtors in order to warn people not to carry out commercial transactions with them and to pressure them to settle their debts.
This Facebook group was public and the personal data published therein were available to everyone without any restrictions. Upon learning that their data had been published in the group, a data subject filed a complaint with the Estonian DPA.
The DPA launched an investigation and made a proposal that the controller ceased the activity. Although the controller spoke on the phone with the responsible authority, they failed to comply with the proposal.
Holding
The DPA pointed out that Article 4(7) GDPR defines the controller as the one who determines the purposes and means of the data processing operations. In the case at hand, it held that the controller was the group administrator as they determined the group purposes (name and rules) and means (choice of social media platform, public group). Therefore, the administrator was considered responsible for ensuring that the disclosure of data in the group was lawful.
The DPA also highlighted that personal data processing needs to be grounded on one of the legal basis of Article 6 GDPR. In view of this, the DPA proceeded to analyze whether there was a legal basis for the treatment.
Firstly, it noted that the controller did not provide any evidence data subjects have consented to the processing of their data. Thus, there was no possibility of relying on article 6(1)(a).
Secondly, it recalled that, according to Article 6(1)(f), processing of personal data on the basis of a legitimate interest is only possible when these interests do not override the rights and freedoms of the data subjects. In the case at hand, it held that the processing of personal data for the sole purpose of warning the public about debtor is not legitimate. Furthermore, the controller failed to provide the DPA with a legitimate interest assessment.
Thirdly, it stated that there was no public interest in the publication of of such dept data and, even if there was, it would still be necessary to comply with the Code of Journalistic Ethics, which was not done in this case.
Finally, regarding the provision contained in article 10 of Personal Data Protection Act, according to which the disclosure of a debtor's personal data is permitted after they breached their contractual obligation, the DPA clarified that the following: requirements must be met:
1) the data controller has verified that there is a legal basis for the disclosure;
2) the data controller has verified the accuracy of the data;
3) the data disclosure has been recorded (keeping a record of what data was disclosed to whom).
However, the DPA considered that the controller did not check whether there was a legal basis for disclosing the data . As the debt data was published in the public domain, it was not possible to control who had access to these data, nor whether there was a legal basis for granting this access. Thus, it was not possible to rely on Article 10 of the Personal Data Protection Act .
For these reasons, the DPA held that the processing was illegal and ordered the controller to stop it.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Estonian original. Please refer to the Estonian original for more details.
PRIVACY PROTECTION AGAINST STATE TRANSPARENCY PRESCRIPTION WARNING personal data protection case no. 2.1.-1/23/2891-5 Alissa Hmelnitskaja, lawyer of the Data Protection Inspectorate, issued the order Time of prescription and place 10.03.2023 in Tallinn Addressee of the prescription - XXX e-mail address of the personal data processor: XXX RESOLUTION: § 56 subsection 1, subsection 2 point 8, § 58 subsection 1, § 10 of the Personal Data Protection Act (IKS) and Article 58 paragraph 1 point d and paragraph 2 of the General Regulation on Personal Data Protection (GPR). on the basis of clauses f and g, as well as taking into account Article 6 of the IKÜM, Data Protection does Inspection to fulfill the mandatory prescription: 1. Terminate the Facebook group "XXX" managed by XXX, without IKÜM Article 6 Disclosure of other people's personal data without consent in accordance with subsection 1 point a. I set 24.03.2023 as the deadline for fulfilling the injunction. Report the fulfillment of the prescription by this deadline at the latest to the e-mail address of the Data Protection Inspectorate at info@aki.ee. DISPUTE REFERENCE: This order can be challenged within 30 days by submitting either: - a complaint to the Data Protection Inspectorate under the Administrative Procedure Act or - a complaint to the administrative court according to the Code of Administrative Court Procedure (in this case it is no longer possible to review the argument in the same matter). Challenging an injunction does not suspend the obligation to fulfill it or the measures necessary for its fulfillment implementation. EXTORTION WARNING: If the injunction has not been fulfilled by the set deadline, the Data Protection Inspectorate will determine to the addressee of the injunction on the basis of § 60 of the Personal Data Protection Act: A fine of 1,500 euros. A fine may be imposed repeatedly - until the injunction is fulfilled. If the recipient does not pay extortion money, it is forwarded to the bailiff to start enforcement proceedings. In this case, they are added bailiff's fee and other enforcement costs for the enforcement money. VIOLATION PENALTY WARNING: Protection of personal data against failure to comply with the injunction pursuant to Article 58 (2) of the General Regulation misdemeanor proceedings may be initiated based on § 69 of the Personal Data Protection Act. For this act a natural person may be fined up to 20,000,000 euros and a legal person Tatari tn 39 / 10134 Tallinn / 627 4135 / info@aki.ee / www.aki.ee Registration code 70004235 may be punished with a fine of up to 20,000,000 euros or up to 4 percent of his previous of the total worldwide annual turnover of the financial year, whichever is the amount bigger. The out-of-court procedure for a misdemeanor is the Data Protection Inspectorate. FACTUAL CIRCUMSTANCES: In the proceedings of the Data Protection Inspectorate (AKI) there is a person's complaint regarding the debt data of private individuals with disclosure in the Facebook group "XXX". Therefore, AKI initiated the supervision procedure. As part of the supervision procedure, on 26.01.2023 AKI made XXX (hereinafter also the data processor or controller) proposal in personal data protection case no. 2.1.-1/23/2891-2, the content of which was the following: "stop disclosing posts containing personal data in your managed in the Facebook group "XXX". The deadline for responding to the proposal was 10.02.2023. In the proposal drew the attention of the AKI, among others, to the possibility of making an injunction and imposing a fine and to the right to file a case before issuing an administrative act in accordance with § 40 (1) of the Administrative Procedure Act about your opinion and objections. The data processor has received AKI's proposal and on 09.02.2023 expressed a desire to chat with the official. The conversation took place on 15.02.2023 by telephone, during which the official gave further clarifications on the proposal. As of 10.03.2023, the data processor is not AKI completed the proposal. GROUNDS FOR DATA PROTECTION INSPECTION: Pursuant to article 4 point 1 of ICYM, personal data is any information identified or about an identifiable natural person (data subject). An identifiable natural person is a person who can to identify directly or indirectly, in particular on the basis of an identification feature such as a name, personal code, location information; but also one or more physical, physiological of this natural person based on the feature. Therefore, personal data also includes a person's name, image and other information that enables identification. In this case, it is a public Facebook group in which other people's actions are made posts containing personal data. In the case of certain posts, it is a matter of warnings, perhaps the purpose of the post is to warn other people to avoid entering into transactions with persons, whose personal data is disclosed. At the same time, posts are also made in this group which the purpose is to influence the debtor and pressure the debtor to pay off the debt. Examples: 1) The post was made on 19.02.2023 at 13:02. On the computer network: XXX 2) The post was made on 19.02.2023 at 13:00. On the computer network: XXX 3) The post was made on 19.02.2023 at 13:06. On the computer network: XXX 4) The post was made on 19.02.2023 at 13:01. On the computer network: XXX 5) The post was made on 19.02.2023 at 13:06. On the computer network: XXX 6) Cont According to article 4 point 2 of the IKÜM, the processing of personal data is personal data or theirs an automated or non-automated operation or set of operations performed with sets, incl distributing them or otherwise making them available to the public. Article 4 point 7 of IKÜM states that the responsible processor is a natural or legal person, a public sector institution, agency or other body that, alone or together with others, determines purposes and means of personal data processing. Facebook has determined that the group the administrator (or data processor) has access to the Facebook group with full control. This means that the data processor can change the name of the group or its privacy settings, can delete posts and comments written about it. It follows that the contested As a Facebook group administrator, the data processor has the opportunity to change the name of the given group and delete posts made in the group and comments made about it. In addition, the data processor, as an administrator, has assigned the name of this group to "XXX" and is made this group public, which has clearly directed the discussion in the group (created a group for the purpose of allowing users to post on specific topics) and due to the fact that the data processor made the group public, personal data will be disclosed there unlimited for everyone. Taking into account the above, AKI considers that the data processor is in accordance with Article 4, Clause 7 of the IKÜM controller, as it determines the purposes of personal data processing (group name, rules) and tools (choice of social media platform, public group). Data processor as a group the administrator is responsible for ensuring that the disclosure of data is legal. The principles of personal data processing are set out in Article 5 of the IKÜM, which must be followed by the person in charge processor to follow, including the principle of legality. The processing of personal data is legal, if it corresponds to one of the legal grounds set out in Article 6 of the IKÜM (consent, performance of the contract, legal obligation, protection of vital interests, to fulfill a task in the public interest or for the exercise of public authority, legitimate interest). 1. IKYM article 6 paragraph 1 point a IKÜM Article 6(1)(a) states that the processing of personal data is legal only if if the data subject has given consent to process his personal data in one or more ways for a specific purpose. In article 4, clause 11 of the UNCLOS, consent is defined as "voluntary, specific, informed and an unequivocal statement of intent to which the data subject either in the form of a statement or express consent by expressing his consent to the processing of his personal data": a) The word "voluntary" means truly free choice and control for the data subject. In general, IKÜM stipulates that if the data subject does not have a real option if he feels compelled to consent or if he has to not consent failure to bear negative consequences, the consent is invalid. If consent is part of non-negotiable terms, shall not be deemed to have been voluntarily given. So no the consent shall be considered as consent given voluntarily if the data subject cannot be deprived of it refuse or withdraw consent without adverse consequences. b) "Specific" means that the consent of the data subject must be given "on one or for several specific purposes". According to IKÜM article 5 paragraph 1 point b precedes accurate, clear and lawful processing always planned for obtaining valid consent determining the goal. Necessity of specific consent together with Article 5 paragraph 1 by delimiting the purpose according to point b, prevent the purposes of data processing gradual expansion or obfuscation after the data subject has provided your consent to data collection. c) IKÜM strengthens the requirement that consent must be informed. On the basis of Article 5 of the Convention One of the basic principles is transparency, which is closely related to legality and justice with the principle. Providing information to data subjects before obtaining their consent is important to enable data subjects to make an informed decision, to understand what they agree, and for example exercise their right to withdraw consent. 1 Facebook Help Center: https://www.facebook.com/help/901690736606156; https://www.facebook.com/help/289207354498410?helpref=faq_content 2Similarly, in decision C-210/16, the European Court has concluded that the administrator of the Facebook page is responsible processor within the meaning of Article 2 point d of Directive 95/46. d) It is clearly stated in IKÜM that a statement from the data subject is required for consent or a clear action expressing consent, which means that it must always be given by taking active steps or providing confirmation. It should be obvious that the data subject has consented to the specific processing. Silence of the data subject or inaction and merely continuing to use the service cannot be considered an active choice to do. In addition, the controller must keep in mind that the obligation to prove consent lies precisely on him. As a result of the above, the controller cannot rely on IKÜ Article 6(1)(a) because has not provided AKI with proof that personal data is disclosed to the data subject with consent and that the consent is valid in accordance with the provisions of article 4, clause 11 of the IKÜM requirements. 2. IKYM article 6 paragraph 1 p f IKÜM article 6 paragraph 1 point f, i.e. personal data processing on the basis of legitimate interest the data processor must be convinced that the purpose of personal data processing is more compelling than the rights and freedoms of the data subject and articles 21 (right to object) and 17 of the IKÜM (right to deletion of data) the processing of personal data must be terminated if the data processor is unable to prove that the processing is for a compelling legitimate reason that weighs the interests, rights and freedoms of the data subject. Processing of personal data on the basis of legitimate interest must be preceded by the data processor the analysis carried out in terms of the legitimate interest and importance of the data processor and third parties, analysis and subsequent weighing of the rights and interests of the data subject and their weighting between the interests of the data processor and the data subject. 3 AKI is of the opinion that the processing of personal data for the mere purpose of public warning is not legitimate on the basis of legitimate interest. In addition, the data controller is not entitled to the AKI interest analysis. 3. IKS § 10 In addition to the legal bases mentioned in Article 6 of the IKÜM, it is possible for debtors to disclose data, rely on IKS § 10, which stipulates that with a breach of a debt relationship disclosure of related personal data to a third party and processing of transmitted data a third party is allowed to assess the creditworthiness of the data subject or otherwise for the same purpose and only if all three conditions are met: 1) the data processor has verified that there is a legal basis for data transmission; 2) the data processor has checked the correctness of the data; 3) the data transmission is registered (keeping information about who and what was transmitted). In this case, according to AKI, the presumption that the data controller would have checked has not been met legal basis for the transfer of personal data. However, the controller has disclosed debt data in unlimited public view, which means that the data controller cannot to check who can see the data and therefore also check whether the recipient of the data has legal basis. In addition, according to IKS § 10 (2) point 3, the processing of a person's debt data (including on Facebook) 3 AKI Guide to Legitimate Interest, page 6. Available on the computer network: https://www.aki.ee/sites/default/files/dokumendid/oigudustu_huvi_juhend_aki_26.05.2020.pdfallowed if it would excessively harm the rights and freedoms of the data subject. So it comes the data processor must assess whether the right of the data is based on the circumstances of each specific case to the processing outweighs the interference caused to the privacy of the person or not. AKI is of the opinion that in this case the disclosure of personal data of different people is large-scale, as it is carried out via the Internet (including Facebook). Internet data disclosure increases people's vulnerability, as the given environment is sometimes uncontrollable and it is not possible to identify who has received information related to personal data and what is doing with it forward with the information. Therefore, on the basis of § 10 of the IKS, the requirements for disclosure of personal data are not met. 4. IKS § 4 In certain cases, there may be a journalistic justification for disclosing some people's data for the purpose. According to IKS § 4, personal data may be processed without the data subject's consent for journalistic purposes, in particular to disclose in the media, if there is a public interest and that is in line with the principles of journalistic ethics. Disclosure of personal data may not be excessive harm the rights of the data subject. In order to disclose personal data on the basis of § 4 of the IKS, three conditions must be met: 1. there is a public interest in the disclosure of personal data; 2. the disclosure is in accordance with the rules of journalistic ethics; 3. the disclosure of personal data must not excessively harm the rights of the data subject. According to AKI, the criterion of public interest is not met in this case. Public interest the existence can be confirmed if the topic raised and personal data disclosed contribute to debate in a democratic society. The latter could be the case, for example, if a published opinion piece, for example, about why loans are taken lightly in Facebook groups in Estonia are taken and, on the contrary, loans are given, but the disclosure of personal data of individual debtors such does not have the driving force of the discussion. Also, the data processor has not proven to AKI that the code of journalistic ethics has been met requirements, because the data subject is not heard before publishing the debt data (p. of the Code). 4.2) and he is not given the opportunity to submit an objection (p. 5 of the Code). AKI is of the opinion that data processing is accompanied by an obvious inviolability of the privacy of data subjects interference, which, in addition to the lack of a legal basis, is also excessive considering the composition of the data. For example, it is not legal to disclose photos of the debtor or other people, held with the person(s). complete extracts of conversations, etc. Since the criteria for the application of IKS § 4 have not been met, personal data cannot be obtained on the basis of IKS § 4 to disclose. AKI notes that in the case of payment defaults, it must be borne in mind that in the event of arrears, there will be in order to achieve payment of the debt, the creditor can primarily use § 101 of the Law of Obligations Act listed legal remedies, one of which is to demand the performance of an obligation. of persons the publication of payment default data is not only a pressure measure to achieve payment of the debt permissible. Taking the above into account, AKI is of the opinion that in this case other people There is no disclosure of personal data referred to in Article 6, paragraph 1 of the IKÜM legal grounds and the data processor has not proven to AKI that the data the legal basis for disclosure comes from IKS § 10. Personal data has been processed without any legal basis, therefore the controller must stop the processing of other people's disclosure of posts containing personal data in the Facebook group "XXX". According to IKS § 58 paragraph 1 and IKÜ Article 58 paragraph 2 points f and g, the inspection has the right to issue an order to limit the processing of personal data. Considering that in a particular case the personal data of natural persons is disclosed illegally and that the responsible processor is not fulfilled the AKI's proposal of 26.01.2023, the AKI considers that making a mandatory injunction given in the matter, it is necessary to end the offense as soon as possible. (signed digitally) Alissa Khmelnitskaya lawyer on the authority of the Director General