AKI (Estonia) - 2.1.-1/23/2891-5: Difference between revisions

From GDPRhub
No edit summary
(I changed the order of the facts to report them chronologically. Which came first, then the fact that a claim was made. So, what was claimed by the data subject and what was answered by the controller.)


Estonian Data Protection Authority held that disclosure of personal data of debtors in a public Facebook group without legal basis is unlawful
Estonian DPA held that the disclosure of personal data of debtors in a public Facebook group was unlawful and ordered the controller to stop the processing.


== English Summary ==


=== Facts ===
The Estonian DPA received a complaint concerning the disclosure of private debt data in the Facebook group "XXX" (here: the controller). After receiving the complaint, the DPA launched an investigation into the matter. The investigation concerned a Facebook group in which group members made posts containing the personal data of other people. Some of these posts were intended to warn others against transacting with the individuals whose personal information was disclosed; other posts were made to influence the debtor and pressure them into paying the debt. Because the controller made the Facebook group public, the personal data published there was available to everyone without any restrictions.
The data controller opened a Facebook group aimed at sharing information about debtors in order to warn people not to carry out commercial transactions with them and to pressure them to settle their debts.  
In February 2023, the DPA proposed to the controller that it stop publishing posts containing personal data in the Facebook group "XXX" that the controller manages. The controller spoke with the DPA, but did not comply with the proposal.
 
This Facebook group was public and the personal data published therein were available to everyone without any restrictions. Upon learning that their data had been published in the group, a data subject filed a complaint with the Estonian DPA.
 
The DPA launched an investigation and proposed that the controller cease the activity. Although the controller spoke on the phone with the responsible authority, they failed to comply with the proposal.


=== Holding ===
The DPA held that, since under [[Article 4 GDPR#7|Article 4(7) GDPR]] the controller determines the purposes of the processing (group name, rules) and its means (choice of social media platform, public group), it is the controller who is responsible for ensuring that the disclosure of data in that group is lawful. The DPA highlighted that under [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]], processing of personal data is lawful only where the data subject has given consent to the processing of his or her personal data for one or more specific purposes. In the present case, the DPA held that the controller had provided no evidence that the data subject had consented to the disclosure of the personal data, nor that any such consent met the requirements set out in Article 4(11) GDPR.
The DPA pointed out that [[Article 4 GDPR#7|Article 4(7) GDPR]] defines the controller as the one who determines the purposes and means of the data processing operations. In the case at hand, it held that the controller was the group administrator, as they determined the group's purposes (name and rules) and means (choice of social media platform, public group). Therefore, the administrator was considered responsible for ensuring that the disclosure of data in the group was lawful.
 
The DPA also highlighted that personal data processing needs to be grounded on one of the legal bases of Article 6 GDPR. In view of this, the DPA proceeded to analyse whether there was a legal basis for the processing.
 
Firstly, it noted that the controller did not provide any evidence that the data subjects had consented to the processing of their data. Thus, there was no possibility of relying on Article 6(1)(a) GDPR.
 
Secondly, it recalled that, according to Article 6(1)(f) GDPR, processing of personal data on the basis of a legitimate interest is only possible when these interests do not override the rights and freedoms of the data subjects. In the case at hand, it held that the processing of personal data for the sole purpose of warning the public about a debtor is not legitimate. Furthermore, the controller failed to provide the DPA with a legitimate interest assessment.


The DPA also recalled that under Article 6(1)(f) GDPR, when processing personal data on the basis of a legitimate interest, the data processor must ensure that the purposes of the processing override the rights and freedoms of the data subject. In the present scenario, however, processing personal data for the sole purpose of a public warning is not legitimate on the basis of legitimate interest. Furthermore, the controller has not provided the DPA with a legitimate interest analysis of the processing.
Thirdly, it stated that there was no public interest in the publication of such debt data and, even if there had been, it would still have been necessary to comply with the Code of Journalistic Ethics, which was not done in this case.


At the same time, the DPA noted that in addition to the legal basis of [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]], it is possible to publish the personal data of debtors on the basis of Article 10 of the Personal Data Protection Act, according to which, in the event of a breach of an obligation, the disclosure to a third party of personal data relating to the breach of the obligation, and the processing of the transmitted data by the third party, is lawful for the purposes of assessing the creditworthiness of the data subject or for any other similar purpose, but only if three conditions are met:
Finally, regarding the provision contained in Article 10 of the Personal Data Protection Act, according to which the disclosure of a debtor's personal data is permitted after they have breached their contractual obligation, the DPA clarified that the following requirements must be met:


1) the data controller has verified that there is a legal basis for the transfer;
1) the data controller has verified that there is a legal basis for the disclosure;


2) the data controller has verified the accuracy of the data;


3) the data transfer has been recorded (keeping a record of to whom and what the data was transferred).
3) the data disclosure has been recorded (keeping a record of what data was disclosed to whom).


The DPA held that the controller had not checked the legal basis for the transfer of personal data. As the debt data was published in the public domain, the controller could not control who actually sees the data, and therefore could not verify whether the recipient of the data has the necessary legal basis. Thus, it was not possible to rely on Article 10 of the Personal Data Protection Act for the processing. Nor could such debt data be published in the public interest, as the public interest criterion was not met and publication would have required compliance with the code of journalistic ethics, which was not complied with in this case.
However, the DPA considered that the controller did not check whether there was a legal basis for disclosing the data. As the debt data was published in the public domain, it was not possible to control who had access to the data, nor whether there was a legal basis for granting this access. Thus, it was not possible to rely on Article 10 of the Personal Data Protection Act.


The DPA therefore held that the controller is required to stop disclosing posts containing other people's personal data in the Facebook group "XXX".
For these reasons, the DPA held that the processing was illegal and ordered the controller to stop it.


== Comment ==

Revision as of 15:31, 18 April 2023

AKI - 2.1.-1/23/2891-5
Authority: AKI (Estonia)
Jurisdiction: Estonia
Relevant Law: Article 6(1)(a) GDPR
Article 6(1)(f) GDPR
§ 10 IKS
§ 4 IKS
Type: Other
Outcome: n/a
Started: 26.01.2023
Decided: 10.03.2023
Published: 12.04.2023
Fine: n/a
Parties: n/a
National Case Number/Name: 2.1.-1/23/2891-5
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Estonian
Original Source: Andmekaitse Inspektsioon (in ET)
Initial Contributor: Norman Aasma

Estonian DPA held that the disclosure of personal data of debtors in a public Facebook group was unlawful and ordered the controller to stop the processing.

English Summary

Facts

The data controller opened a Facebook group aimed at sharing information about debtors in order to warn people not to carry out commercial transactions with them and to pressure them to settle their debts.

This Facebook group was public and the personal data published therein were available to everyone without any restrictions. Upon learning that their data had been published in the group, a data subject filed a complaint with the Estonian DPA.

The DPA launched an investigation and proposed that the controller cease the activity. Although the controller spoke on the phone with the responsible authority, they failed to comply with the proposal.

Holding

The DPA pointed out that Article 4(7) GDPR defines the controller as the one who determines the purposes and means of the data processing operations. In the case at hand, it held that the controller was the group administrator, as they determined the group's purposes (name and rules) and means (choice of social media platform, public group). Therefore, the administrator was considered responsible for ensuring that the disclosure of data in the group was lawful.

The DPA also highlighted that personal data processing needs to be grounded on one of the legal bases of Article 6 GDPR. In view of this, the DPA proceeded to analyse whether there was a legal basis for the processing.

Firstly, it noted that the controller did not provide any evidence that the data subjects had consented to the processing of their data. Thus, there was no possibility of relying on Article 6(1)(a) GDPR.

Secondly, it recalled that, according to Article 6(1)(f) GDPR, processing of personal data on the basis of a legitimate interest is only possible when these interests do not override the rights and freedoms of the data subjects. In the case at hand, it held that the processing of personal data for the sole purpose of warning the public about a debtor is not legitimate. Furthermore, the controller failed to provide the DPA with a legitimate interest assessment.

Thirdly, it stated that there was no public interest in the publication of such debt data and, even if there had been, it would still have been necessary to comply with the Code of Journalistic Ethics, which was not done in this case.

Finally, regarding the provision contained in Article 10 of the Personal Data Protection Act, according to which the disclosure of a debtor's personal data is permitted after they have breached their contractual obligation, the DPA clarified that the following requirements must be met:

1) the data controller has verified that there is a legal basis for the disclosure;

2) the data controller has verified the accuracy of the data;

3) the data disclosure has been recorded (keeping a record of what data was disclosed to whom).

However, the DPA considered that the controller did not check whether there was a legal basis for disclosing the data. As the debt data was published in the public domain, it was not possible to control who had access to the data, nor whether there was a legal basis for granting this access. Thus, it was not possible to rely on Article 10 of the Personal Data Protection Act.

For these reasons, the DPA held that the processing was illegal and ordered the controller to stop it.

Comment


Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Estonian original. Please refer to the Estonian original for more details.

PRIVACY PROTECTION AGAINST STATE TRANSPARENCY








                              ORDER AND WARNING
                      personal data protection case no. 2.1.-1/23/2891-5




Alissa Hmelnitskaja, lawyer of the Data Protection Inspectorate, issued the order

Time and place of the order: 10.03.2023, Tallinn

Addressee of the order: XXX
E-mail address of the personal data processor: XXX


RESOLUTION:
On the basis of § 56(1) and (2)(8), § 58(1) and § 10 of the Personal Data Protection Act (IKS) and Article 58(1)(d) and (2)(f) and (g) of the General Data Protection Regulation (IKÜM), and taking into account Article 6 of the IKÜM, the Data Protection Inspectorate issues the following mandatory order:
    1. Stop, in the Facebook group "XXX" managed by XXX, the disclosure of other people's personal data without consent that meets Article 6(1)(a) of the IKÜM.

I set 24.03.2023 as the deadline for complying with the order. Report compliance with the order by that deadline at the latest to the Data Protection Inspectorate's e-mail address info@aki.ee.


NOTICE OF THE RIGHT TO CHALLENGE:
This order can be challenged within 30 days by submitting either:
- a challenge to the Data Protection Inspectorate under the Administrative Procedure Act, or
- an action to the administrative court under the Code of Administrative Court Procedure (in which case the challenge can no longer be reviewed in the same matter).

Challenging the order does not suspend the obligation to comply with it, nor the application of the measures necessary for its enforcement.

PENALTY PAYMENT WARNING:
If the order has not been complied with by the set deadline, the Data Protection Inspectorate will impose on the addressee of the order, on the basis of § 60 of the Personal Data Protection Act:
                                  a penalty payment of 1,500 euros.

A penalty payment may be imposed repeatedly, until the order has been complied with. If the addressee does not pay the penalty payment, it is forwarded to a bailiff to begin enforcement proceedings, in which case the bailiff's fee and other enforcement costs are added to the penalty payment.

MISDEMEANOUR PENALTY WARNING:
For failure to comply with an order issued under Article 58(2) of the General Data Protection Regulation, misdemeanour proceedings may be initiated on the basis of § 69 of the Personal Data Protection Act. For this act, a natural person may be fined up to 20,000,000 euros, and a legal person may be fined up to 20,000,000 euros or up to 4 percent of its total worldwide annual turnover of the preceding financial year, whichever amount is higher. The extra-judicial body conducting misdemeanour proceedings is the Data Protection Inspectorate.

Tatari tn 39 / 10134 Tallinn / 627 4135 / info@aki.ee / www.aki.ee / Registration code 70004235

FACTUAL CIRCUMSTANCES:
The Data Protection Inspectorate (AKI) received a complaint from a person regarding the disclosure of private individuals' debt data in the Facebook group "XXX". AKI therefore initiated supervision proceedings.

As part of the supervision proceedings, on 26.01.2023 AKI made a proposal to XXX (hereinafter also the data processor or controller) in personal data protection case no. 2.1.-1/23/2891-2, with the following content: "stop disclosing posts containing personal data in the Facebook group "XXX" that you manage". The deadline for responding to the proposal was 10.02.2023. In the proposal, AKI drew attention, among other things, to the possibility of issuing an order and imposing a penalty payment, and to the right, under § 40(1) of the Administrative Procedure Act, to submit an opinion and objections before an administrative act is issued.

The data processor received AKI's proposal and on 09.02.2023 expressed a wish to talk with the official. The conversation took place by telephone on 15.02.2023, during which the official gave further clarifications on the proposal. As of 10.03.2023, the data processor has not complied with AKI's proposal.



GROUNDS OF THE DATA PROTECTION INSPECTORATE:
Pursuant to Article 4(1) of the IKÜM, personal data is any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, personal identification code or location data, or to one or more factors specific to the physical or physiological identity of that natural person. Personal data therefore also includes a person's name, image and other information that enables identification.

In this case, the matter concerns a public Facebook group in which posts containing other people's personal data are made. Some of the posts are warnings: the purpose of the post is to warn other people to avoid entering into transactions with the persons whose personal data is disclosed. At the same time, posts are also made in this group whose purpose is to influence the debtor and pressure the debtor to pay off the debt. Examples:
    1) Post made on 19.02.2023 at 13:02. Available online: XXX
    2) Post made on 19.02.2023 at 13:00. Available online: XXX
    3) Post made on 19.02.2023 at 13:06. Available online: XXX
    4) Post made on 19.02.2023 at 13:01. Available online: XXX
    5) Post made on 19.02.2023 at 13:06. Available online: XXX
    6) Cont


According to Article 4(2) of the IKÜM, processing of personal data means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, including dissemination or otherwise making the data available to the public.

Article 4(7) of the IKÜM provides that the controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Facebook has determined that the group administrator (here the data processor) has full control of the Facebook group. This means that the data processor can change the group's name and privacy settings and can delete posts and comments made in it. It follows that, as administrator of the contested Facebook group, the data processor is able to change the group's name and to delete posts made in the group and comments made on them.


In addition, the data processor, as administrator, has given this group the name "XXX" and has made the group public, which has clearly directed the discussion in the group (the group was created to allow users to post on specific topics), and because the data processor made the group public, personal data disclosed there is available to everyone without restriction.


Taking the above into account, AKI considers that the data processor is a controller within the meaning of Article 4(7) of the IKÜM, as it determines the purposes of the processing of personal data (group name, rules) and its means (choice of social media platform, public group). The data processor, as group administrator, is responsible for ensuring that the disclosure of data is lawful.


The principles of personal data processing are set out in Article 5 of the IKÜM, which the controller must follow, including the principle of lawfulness. The processing of personal data is lawful if it corresponds to one of the legal bases set out in Article 6 of the IKÜM (consent, performance of a contract, legal obligation, protection of vital interests, performance of a task in the public interest or exercise of official authority, legitimate interest).

    1. IKÜM Article 6(1)(a)

Article 6(1)(a) of the IKÜM states that the processing of personal data is lawful only if the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

Article 4(11) of the IKÜM defines consent as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her":

    a) "Freely given" means a genuine free choice and control for the data subject. As a general rule, the IKÜM provides that if the data subject has no genuine choice, feels compelled to consent, or would suffer negative consequences for not consenting, the consent is invalid. If consent is part of non-negotiable terms, it is not deemed to have been given freely. Accordingly, consent is not considered freely given if the data subject cannot refuse or withdraw consent without adverse consequences.
    b) "Specific" means that the data subject's consent must be given "for one or more specific purposes". Under Article 5(1)(b) of the IKÜM, obtaining valid consent is always preceded by determining a specific, explicit and legitimate purpose for the intended processing. The requirement of specific consent, together with the purpose limitation of Article 5(1)(b), prevents the purposes of data processing from gradually expanding or becoming blurred after the data subject has given consent to the collection of data.
    c) The IKÜM reinforces the requirement that consent must be informed. Under Article 5 of the IKÜM, one of the basic principles is transparency, which is closely linked to the principles of lawfulness and fairness. Providing information to data subjects before obtaining their consent is essential to enable them to make an informed decision, to understand what they are agreeing to and, for example, to exercise their right to withdraw consent.

    d) The IKÜM clearly states that consent requires a statement by the data subject or a clear affirmative action, which means that it must always be given by taking an active step or providing a confirmation. It must be evident that the data subject has consented to the specific processing. Silence, inaction or merely continuing to use a service cannot be regarded as an active choice.

1 Facebook Help Center: https://www.facebook.com/help/901690736606156;
https://www.facebook.com/help/289207354498410?helpref=faq_content
2 Similarly, in Case C-210/16, the Court of Justice of the European Union concluded that the administrator of a Facebook page is a controller within the meaning of Article 2(d) of Directive 95/46.

In addition, the controller must bear in mind that the burden of proving consent lies on the controller itself.


As a result of the above, the controller cannot rely on Article 6(1)(a) of the IKÜM, because it has not provided AKI with proof that the personal data are disclosed with the data subject's consent and that the consent is valid in accordance with the requirements of Article 4(11) of the IKÜM.


    2. IKÜM Article 6(1)(f)

Under Article 6(1)(f) of the IKÜM, i.e. processing of personal data on the basis of legitimate interest, the data processor must be satisfied that the purpose of the processing outweighs the rights and freedoms of the data subject, and under Articles 21 (right to object) and 17 (right to erasure) of the IKÜM the processing must be terminated if the data processor cannot demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject.


Processing of personal data on the basis of legitimate interest must be preceded by an analysis carried out by the data processor of the legitimate interest of the data processor and of third parties and its importance, an analysis of the rights and interests of the data subject, and a subsequent weighing of the interests of the data processor against those of the data subject. 3


AKI is of the opinion that the processing of personal data for the sole purpose of a public warning is not legitimate on the basis of legitimate interest. In addition, the controller has not submitted a legitimate interest analysis to AKI.

    3. IKS § 10

In addition to the legal bases mentioned in Article 6 of the IKÜM, disclosure of debtors' data may rely on § 10 of the IKS, which provides that the disclosure to a third party of personal data relating to a breach of an obligation, and the processing of the transmitted data by the third party, is permitted for the purpose of assessing the creditworthiness of the data subject or for another similar purpose, and only if all three conditions are met:
    1) the data processor has verified that there is a legal basis for the data transmission;
    2) the data processor has checked the correctness of the data;
    3) the data transmission has been registered (keeping a record of what was transmitted and to whom).


In this case, according to AKI, the condition that the controller has verified the legal basis for the transfer of personal data has not been met. The controller has instead disclosed the debt data in unrestricted public view, which means that the controller cannot check who can see the data and therefore cannot check whether the recipient of the data has a legal basis either.


In addition, under § 10(2)(3) of the IKS, the processing of a person's debt data (including on Facebook) is not permitted if it would excessively harm the rights and freedoms of the data subject. The data processor must therefore assess, on the basis of the circumstances of each specific case, whether the right to process the data outweighs the interference with the person's privacy.

3 AKI Guide to Legitimate Interest, page 6. Available online:
https://www.aki.ee/sites/default/files/dokumendid/oigudustu_huvi_juhend_aki_26.05.2020.pdf

AKI is of the opinion that in this case the disclosure of different people's personal data is large-scale, as it is carried out via the Internet (including Facebook). Disclosure of data on the Internet increases people's vulnerability, as that environment is at times uncontrollable and it is not possible to identify who has received information concerning the personal data and what they do with the information onward.

Therefore, the requirements of § 10 of the IKS for the disclosure of personal data are not met.

    4. IKS § 4

In certain cases, disclosure of some people's data may be justified for journalistic purposes. Under § 4 of the IKS, personal data may be processed without the data subject's consent for journalistic purposes, in particular for disclosure in the media, if there is a public interest and the processing is in accordance with the principles of journalistic ethics. The disclosure of personal data may not excessively harm the rights of the data subject.


In order to disclose personal data on the basis of § 4 of the IKS, three conditions must be met:
    1. there is a public interest in the disclosure of personal data;
    2. the disclosure is in accordance with the rules of journalistic ethics;
    3. the disclosure of personal data must not excessively harm the rights of the data subject.

According to AKI, the criterion of public interest is not met in this case. The existence of a public interest can be affirmed if the topic raised and the personal data disclosed contribute to debate in a democratic society. That could be the case, for example, for a published opinion piece about why loans are taken, and conversely given, so lightly in Facebook groups in Estonia; the disclosure of individual debtors' personal data, however, has no such force in driving the discussion.

Nor has the data processor proven to AKI that the requirements of the Code of Journalistic Ethics have been met, because the data subject is not heard before the debt data is published (point 4.2 of the Code) and is not given the opportunity to submit an objection (point 5 of the Code).

AKI is of the opinion that the data processing entails an obvious interference with the inviolability of the data subjects' private life, which, in addition to the lack of a legal basis, is also excessive considering the composition of the data. For example, it is not lawful to disclose photos of the debtor or other people, or complete extracts of conversations held with the person(s), etc.


Since the criteria for applying § 4 of the IKS have not been met, personal data cannot be disclosed on the basis of § 4 of the IKS.

AKI notes that in the case of payment default, it must be borne in mind that, in order to obtain payment of the debt, the creditor may primarily use the legal remedies listed in § 101 of the Law of Obligations Act, one of which is to demand performance of the obligation. Publishing persons' payment default data merely as a means of pressure to obtain payment of the debt is not permissible.

Taking the above into account, AKI is of the opinion that in this case the disclosure of other people's personal data has none of the legal bases referred to in Article 6(1) of the IKÜM, and the data processor has not proven to AKI that a legal basis for disclosing the data arises from § 10 of the IKS. Personal data has been processed without any legal basis; therefore the controller must stop disclosing posts containing other people's personal data in the Facebook group "XXX".

Under § 58(1) of the IKS and Article 58(2)(f) and (g) of the IKÜM, the Inspectorate has the right to issue an order restricting the processing of personal data. Considering that in this particular case the personal data of natural persons is disclosed unlawfully and that the controller has not complied with AKI's proposal of 26.01.2023, AKI considers that issuing a mandatory order in this matter is necessary to end the infringement as soon as possible.



(signed digitally)
Alissa Khmelnitskaya

lawyer
on the authority of the Director General