AKI (Estonia) - 2.1.-5/22/22012
|AKI - 2.1.-5/22/22012|
|Relevant Law:||Article 6(1)(d) GDPR|
§ 10 IKS (Personal Data Protection Act)
|Parties:||M&M Inkasso OÜ|
|National Case Number/Name:||2.1.-5/22/22012|
|European Case Law Identifier:||n/a|
|Original Source:||AKI (in ET)|
|Initial Contributor:||Norman Aasma|
According to the Estonian DPA, the publication of debtor's personal data on social media by a debt collection company did not have a valid legal basis under Article 6(1) GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
M&M Inkasso OÜ (the controller) was a debt collection company, which published information about debtors (data subjects), including names and photographs, on its website and social media (Facebook, Instagram and TikTok) as a form of retaliation.
After receiving a tip from the public about the social media activities of the controller, the Estonian DPA started an ex officio investigation. During the proceedings, the controller explained that the publication was justified by "vital interests". Specifically, the posted content was supposed to prevent malicious exploitation of those who could get in contact with debtors. The controller also submitted that it had taken into consideration all other necessary legal considerations with a view to avoiding legal infringements and all information published on the company's website and social media was taken from the Internet and freely available.
Holding[edit | edit source]
In its decision, the DPA assessed whether the controller had a valid legal basis to publish debt default data of the data subjects on social media.
Firstly, the DPA referred to Recital 46 GDPR and Article 6(1)(d) GDPR, under which processing of personal data is lawful when it is necessary to protect the "vital interests of the data subject or of another natural person". However, the DPA noted that for the protection of vital interests of another natural person (who is not the data subject), this legal basis should only be used when no other, more suitable, legal basis exists. The DPA held that in the case of payment defaults, the creditor must first and foremost use the legal remedies listed in §101 of the Estonian Law of Obligations Act to obtain payment of the debt. According to the DPA, it was illegal to disclose individuals' payment default data solely as a means of retaliation. Therefore, the social media publications by the controller could not be considered as protecting the vital interest of creditors or other natural persons.
Second, the DPA assessed whether the controller had a legitimate interest under Article 6(1)(f) GDPR to post the debt default data on social media. This legal basis would have required an assessment by the controller of the balance between its legitimate interest in informing the public about the debts of the data subjects and the data subjects' right to data protection. However, the controller had not submitted such an assessment to the DPA, making this legal basis not applicable.
Third, the DPA noted under §4 of the Estonian Personal Data Protection Act, personal data can be disclosed for journalistic purposes if three conditions are met: there is a public interest in the disclosure of personal data, the disclosure is in line with journalistic ethics rules, and the disclosure does not prejudice data subject rights. In view of the DPA, the public interest criterion was not met since the disclosure of personal data would have to contribute to the further development of a democratic society. The indebtness of data subjects did not fall within the interest of the public. Since the criteria were cumulative, the DPA did not discuss the further elements.
The DPA concluded that the controller processed personal data without a legal basis. Pursuant to Article 58(2)(d) GDPR, the DPA ordered the controller to stop publishing posts containing personal data on its social media. In case the controller does not comply with the order within the prescribed time limit, the DPA would impose a €1,000 fine as a penalty payment.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Estonian original. Please refer to the Estonian original for more details.
PRIVACY PROTECTION AGAINST STATE TRANSPARENCY INTERNAL USE Note made: 06.12.2022e Inspection The access restriction applies until the procedure is completed until the decision comes into force Basis: AvTS § 35 subsection 1 point 2 PRESCRIPTION WARNING personal data protection case no. 2.1.-5/22/2012 Alissa Hmelnitskaja, lawyer of the Data Protection Inspectorate, issued the order Time of making the prescription 06.12.2022 in Tallinn and place M&M Inkasso OÜ (12820582) Addressee of the injunction – address of the personal data processor: Harju county, Keila city, Pae tn 8-54, 76610 email address: email@example.com Copy Representatives: XXX, XXX XXX Personal data processor Member of the Board responsible person RESOLUTION: § 56 subsection 1, subsection 2 point 8, § 56 subsection 3 points 3 and 4, § 58 (1), § 10 and Article 58 (1) of the General Regulation on the Protection of Personal Data (GPR) on the basis of point d and points f and g of paragraph 2, as well as taking into account Article 6 of IKÜM, does inspection to fulfill the mandatory prescription: 1. M&M Inkasso OÜ must terminate the company's TikTok, Instagram and Facebook disclosure of personal data of debtors in accounts, if there is no person for this purpose voluntary consent. I set the deadline for the execution of the order as 20.12.2022. Report the fulfillment of the prescription by this deadline at the latest to the e-mail address of the Data Protection Inspectorate at firstname.lastname@example.org. DISPUTE REFERENCE: This order can be challenged within 30 days by submitting either: - a complaint to the Data Protection Inspectorate under the Administrative Procedure Act or - a complaint to the administrative court according to the Code of Administrative Court Procedure (in this case it is no longer possible to review the argument in the same matter). Challenging an injunction does not suspend the obligation to fulfill it or the measures necessary for its fulfillment implementation. EXTORTION WARNING: If the injunction has not been fulfilled by the set deadline, the Data Protection Inspectorate will determine 1https://www.facebook.com/profile.php?id=100054229521619; https://email@example.com; https://www.instagram.com/mminkasso/?igshid=YmMyMTA2M2Y%3D Tatari tn 39 / 10134 Tallinn / 627 4135 / firstname.lastname@example.org / www.aki.ee Registration code 70004235 to the addressee of the injunction on the basis of § 60 of the Personal Data Protection Act: A fine of 1,000 euros. A fine may be imposed repeatedly - until the injunction is fulfilled. If the recipient does not pay extortion money, it is forwarded to the bailiff to start enforcement proceedings. In this case, they are added bailiff's fee and other enforcement costs for the enforcement money. VIOLATION PENALTY WARNING: Protection of personal data against failure to comply with the injunction pursuant to Article 58 (2) of the General Regulation misdemeanor proceedings may be initiated based on § 69 of the Personal Data Protection Act. For this act a natural person may be fined up to 20,000,000 euros and a legal person may be punished with a fine of up to 20,000,000 euros or up to 4 percent of his previous one of the total worldwide annual turnover of the financial year, whichever is the amount bigger. The out-of-court procedure for a misdemeanor is the Data Protection Inspectorate. FACTUAL CIRCUMSTANCES: The Data Protection Authority (AKI) received a notification that M&M Inkasso OÜ publishes debt data of private individuals on its website and on social media. The inspection started the supervision procedure on the basis of IKS § 56 (3) point 8, within the framework of which there was made on 01.11.2022 proposal for better fulfillment of personal data protection requirements no. 2.1.- 5/22/2012. According to the proposal, M&M Inkasso OÜ had to terminate the company's website and disclosure of debtors' personal information on the company's TikTok account and to send about it confirmation to the inspection no later than 17.11.2022. We also noted that if M&M Inkasso OÜ no accept the proposal, then the company should have answered additional questions. The inspection has received the following response from the contractual representative of the company on 10.11.2022: "You have contacted M&M Inkasso OÜ with a written request for information on 01.11.21 with two questions. In response to your questions, I confirm that the personal data published on the website of M&M Inkasso OÜ the basis for publication is the protection of vital interests. I would like to further explain that the published personal data help prevent malicious exploitation by bona fide individuals. Published personal data prevent new contractual violations if the disclosed persons do not behave according to their contractual obligations fulfilling obligations in good faith. I also explain that all published photographic material has been taken from public space (social media). M&M Inkasso OÜ has considered when publishing the data the possible infringement of the rights of the persons reflected in the photos and found that the published persons the damage caused by the activity to other natural persons and its extent outweighs the debtors the principle of privacy. M&M Inkasso OÜ has not published personal identification codes of individuals. Only names are published and low quality posts from social media by the individuals themselves photos. If the published photos are removed, the impact of the published information disappears and is great the risk that the rights of bona fide persons operating in the same legal space will be acquired by malicious ones to suffer once again by legal entities." As of 06.12.2022, personal data of other persons is still published by M&M Inkasso OÜ accounts on social media (TikTok, Facebook and Instagram). But the company's website https://mminkasso.ee/ is no longer available as of this date. GROUNDS FOR DATA PROTECTION INSPECTION: 1. Legal basis for publishing personal data In the answer of 10.11.2022, the data processor, i.e. M&M Inkasso OÜ, stated that M&M Inkasso The basis for publishing personal data published on OÜ's website is the protection of vital interests. considered legal even if it is necessary for the life of the data subject or other natural person to protect interests. Personal data could be obtained on the basis of the vital interests of another natural person in principle, only be processed if the processing cannot obviously be carried out on another legal basis on the basis of As a result, the disclosure of debtors' data cannot take place IN ACCORDANCE with article 6 par 1 point d. In addition to the above, IKS § 10(1) stipulates that personal data related to the breach of a debt relationship disclosure to a third party and processing of the transmitted data by a third party is permitted for the evaluation of the creditworthiness of the data subject or for other similar purposes and only if all three conditions are met: 1. the data processor has verified that there is a legal basis for the transfer of data; 2. the data processor has checked the correctness of the data; 3. the data transfer is recorded (keeping information about who and what was transferred). However, it is not allowed to collect data for the aforementioned purpose and to a third party transmit if it would excessively harm the rights or freedoms of the data subject and/or the contract less than 30 days have passed since the violation (ICS § 10 (2) points 3 and 4). In addition, we note that the inspection is of the opinion that the right to the debtor's default data to publish does not mean to disclose them to an unlimited number of unidentified persons (on the Internet, in a newspaper, on the bulletin board of an apartment building, on the company's website, etc.). IKS § 10 also stipulates an obligation before disclosing the data, check the legal basis of the recipient of the data for obtaining the data. This obligation cannot be fulfilled if disclosure is made to an unlimited circle. That's why it is at least one of the prerequisites for publishing data on the basis of IKS § 10 has not been fulfilled. In the case of payment defaults, it must be borne in mind that the creditor incurs a debt in the event of arrears to achieve payment, use primarily those listed in § 101 of the Law of Obligations Act legal remedies, one of which is to demand the fulfillment of an obligation. of persons the publication of payment default data is not only a pressure measure to achieve payment of the debt permissible. The data processor has noted that "M&M Inkasso OÜ has considered photographs when publishing data the possible infringement of the rights of the reported persons and found that the activities of the persons disclosed the damage caused to other natural persons and its extent outweighs the private life of the debtors principle of immunity". From this sentence it can be concluded that M&M Inkasso OÜ relies on when publishing personal data, Article 6(1)(f) of IKÜM, i.e. legitimate interest. However in doing so, we explain that even if the disputed data processing could only take place in IKÜM on the basis of Article 6(1)(f), the data processor has not submitted a legitimate interest to the inspection analysis. In addition, we point out that in certain cases it may be possible to disclose the data of some people justification for journalistic purposes. According to § 4 of the IKS, personal data may be transferred to the data subject to process without consent for journalistic purposes, in particular to disclose in the media, if for this purpose is in the public interest and is consistent with the principles of journalistic ethics. Personal data disclosure must not excessively harm the rights of the data subject. In order to disclose personal data on the basis of § 4 of the IKS, three conditions must be met: 1. there is a public interest in the disclosure of personal data; 2. the disclosure is in accordance with the rules of journalistic ethics; 3. the disclosure of personal data must not excessively harm the rights of the data subject. According to AKI, the criterion of public interest is not met in this case. Public interest its existence can be confirmed if the topic raised and personal data disclosed contribute to the debate in a democratic society. However, the fact of indebtedness of each individual natural person does not fall into the sphere of public interest, the publication of which contributes to the further development of a democratic society would help. Since one criterion for the application of IKS § 4, i.e. the existence of public interest, has not been met, no analyze the fulfillment of the following criteria of the AKI, because in the absence of even one criterion § 4 of the IKS on the basis of which personal data cannot be disclosed. Taking into account the above, there are no other disclosures of personal debt data besides IKS § 10 legal grounds. Based on the above, the inspection's assessment is that those managed by M&M Inkasso OÜ The processing of personal debt data on Facebook, Instagram, and TikTok accounts is not legitimate because by disclosing to an unlimited circle of unidentified persons on the Internet it is not possible to fulfill the requirements of IKS § 10 with the data of natural persons (including the data processor must verify that there is a legal basis for the transfer of data). Personal data has been processed without without a legal basis, which is why M&M Inkasso OÜ must terminate those containing personal data disclosure of posts on Facebook, Instagram, TikTok managed by him on pages, accounts, posts and groups. According to IKS § 58 paragraph 1 and IKÜ Article 58 paragraph 2 p. f and g, the inspection has the right to issue an order to limit the processing of personal data. Considering that in a particular case the debt data of natural persons is publicly disclosed illegally and that M&M Inkasso OÜ did not agree to comply with the proposal of the Data Protection Inspectorate of 01.11.2022, finds inspection, that making a mandatory injunction in this case is necessary in order to stop it offense as soon as possible. (signed digitally) Alissa Khmelnitskaya lawyer on the authority of the Director General