AKI (Estonia) - 2.1.-5/22/22012: Difference between revisions

From GDPRhub
Latest revision as of 12:21, 31 January 2023

AKI - 2.1.-5/22/22012
Authority: AKI (Estonia)
Jurisdiction: Estonia
Relevant Law: Article 6(1)(d) GDPR
§ 10 IKS (Personal Data Protection Act)
Type: Investigation
Outcome: Violation Found
Started: 01.11.2022
Decided: 06.12.2022
Published: 29.12.2022
Fine: n/a
Parties: M&M Inkasso OÜ
National Case Number/Name: 2.1.-5/22/22012
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Estonian
Original Source: AKI (in ET)
Initial Contributor: Norman Aasma

According to the Estonian DPA, the publication of debtors' personal data on social media by a debt collection company did not have a valid legal basis under Article 6(1) GDPR.

English Summary

Facts

M&M Inkasso OÜ (the controller) was a debt collection company, which published information about debtors (data subjects), including names and photographs, on its website and social media (Facebook, Instagram and TikTok) as a form of retaliation.

After receiving a tip from the public about the social media activities of the controller, the Estonian DPA started an ex officio investigation. During the proceedings, the controller explained that the publication was justified by "vital interests". Specifically, the posted content was supposed to prevent malicious exploitation of those who could get in contact with debtors. The controller also submitted that it had taken into consideration all other necessary legal considerations with a view to avoiding legal infringements and all information published on the company's website and social media was taken from the Internet and freely available.

Holding

In its decision, the DPA assessed whether the controller had a valid legal basis to publish debt default data of the data subjects on social media.

Firstly, the DPA referred to Recital 46 GDPR and Article 6(1)(d) GDPR, under which processing of personal data is lawful when it is necessary to protect the "vital interests of the data subject or of another natural person". However, the DPA noted that for the protection of vital interests of another natural person (who is not the data subject), this legal basis should only be used when no other, more suitable, legal basis exists. The DPA held that in the case of payment defaults, the creditor must first and foremost use the legal remedies listed in §101 of the Estonian Law of Obligations Act to obtain payment of the debt. According to the DPA, it was illegal to disclose individuals' payment default data solely as a means of retaliation. Therefore, the social media publications by the controller could not be considered as protecting the vital interest of creditors or other natural persons.

Second, the DPA assessed whether the controller had a legitimate interest under Article 6(1)(f) GDPR to post the debt default data on social media. This legal basis would have required an assessment by the controller of the balance between its legitimate interest in informing the public about the debts of the data subjects and the data subjects' right to data protection. However, the controller had not submitted such an assessment to the DPA, making this legal basis not applicable.

Third, the DPA noted that under §4 of the Estonian Personal Data Protection Act, personal data can be disclosed for journalistic purposes if three conditions are met: there is a public interest in the disclosure of personal data, the disclosure is in line with journalistic ethics rules, and the disclosure does not prejudice data subject rights. In the view of the DPA, the public interest criterion was not met, since the disclosure of personal data would have to contribute to the further development of a democratic society. The indebtedness of data subjects did not fall within the interest of the public. Since the criteria were cumulative, the DPA did not discuss the further elements.

The DPA concluded that the controller processed personal data without a legal basis. Pursuant to Article 58(2)(d) GDPR, the DPA ordered the controller to stop publishing posts containing personal data on its social media. If the controller did not comply with the order within the prescribed time limit, the DPA would impose a €1,000 fine as a penalty payment.


English Machine Translation of the Decision

The decision below is a machine translation of the Estonian original. Please refer to the Estonian original for more details.

PRIVACY PROTECTION AGAINST STATE TRANSPARENCY

                                                        INTERNAL USE
                                                        Note made: 06.12.2022e Inspection
                                                        The access restriction applies until the procedure is completed
                                                        until the decision comes into force
                                                        Basis: AvTS § 35 subsection 1 point 2



                               PRESCRIPTION WARNING

                       personal data protection case no. 2.1.-5/22/2012



Alissa Hmelnitskaja, lawyer of the Data Protection Inspectorate, issued the order


Time of making the prescription and place: 06.12.2022 in Tallinn

Addressee of the injunction – personal data processor: M&M Inkasso OÜ (12820582)
    address: Harju county, Keila city, Pae tn 8-54, 76610
    email address: madisaus@gmail.com

Copy Representatives: XXX, XXX, XXX

Personal data processor responsible person: Member of the Board



RESOLUTION:
§ 56 subsection 1, subsection 2 point 8, § 56 subsection 3 points 3 and
4, § 58 (1), § 10 and Article 58 (1) of the General Regulation on the Protection of Personal Data (GPR)
on the basis of point d and points f and g of paragraph 2, as well as taking into account Article 6 of IKÜM, does
inspection to fulfill the mandatory prescription:
    1. M&M Inkasso OÜ must terminate the company's TikTok, Instagram and Facebook
       disclosure of personal data of debtors in accounts, if there is no person for this purpose
       voluntary consent.


I set the deadline for the execution of the order as 20.12.2022. Report the fulfillment of the prescription
by this deadline at the latest to the e-mail address of the Data Protection Inspectorate at info@aki.ee.



DISPUTE REFERENCE:
This order can be challenged within 30 days by submitting either:
- a complaint to the Data Protection Inspectorate under the Administrative Procedure Act or
- a complaint to the administrative court according to the Code of Administrative Court Procedure (in this case it is no longer possible
to review the argument in the same matter).


Challenging an injunction does not suspend the obligation to fulfill it or the measures necessary for its fulfillment
implementation.


EXTORTION WARNING:
If the injunction has not been fulfilled by the set deadline, the Data Protection Inspectorate will determine
to the addressee of the injunction on the basis of § 60 of the Personal Data Protection Act:
                                  A fine of 1,000 euros.

1 https://www.facebook.com/profile.php?id=100054229521619; https://www.tiktok.com/@mminkasso.ee;
https://www.instagram.com/mminkasso/?igshid=YmMyMTA2M2Y%3D

Tatari tn 39 / 10134 Tallinn / 627 4135 / info@aki.ee / www.aki.ee / Registration code 70004235

A fine may be imposed repeatedly - until the injunction is fulfilled. If the recipient does not pay
extortion money, it is forwarded to the bailiff to start enforcement proceedings. In this case, they are added
bailiff's fee and other enforcement costs for the enforcement money.


VIOLATION PENALTY WARNING:
Protection of personal data against failure to comply with the injunction pursuant to Article 58 (2) of the General Regulation
misdemeanor proceedings may be initiated based on § 69 of the Personal Data Protection Act. For this act
a natural person may be fined up to 20,000,000 euros and a legal person
may be punished with a fine of up to 20,000,000 euros or up to 4 percent of his previous one
of the total worldwide annual turnover of the financial year, whichever is the amount
bigger. The out-of-court procedure for a misdemeanor is the Data Protection Inspectorate.

FACTUAL CIRCUMSTANCES: The Data Protection Authority (AKI) received a notification that M&M
Inkasso OÜ publishes debt data of private individuals on its website and on social media.

The inspection started the supervision procedure on the basis of IKS § 56 (3) point 8, within the framework of which there was
made on 01.11.2022 proposal for better fulfillment of personal data protection requirements no. 2.1.-
5/22/2012. According to the proposal, M&M Inkasso OÜ had to terminate the company's website and
disclosure of debtors' personal information on the company's TikTok account and to send about it
confirmation to the inspection no later than 17.11.2022. We also noted that if M&M Inkasso OÜ no
accept the proposal, then the company should have answered additional questions.

The inspection has received the following response from the contractual representative of the company on 10.11.2022:

"You have contacted M&M Inkasso OÜ with a written request for information on 01.11.21 with two questions.

In response to your questions, I confirm that the personal data published on the website of M&M Inkasso OÜ
the basis for publication is the protection of vital interests. I would like to further explain that the published personal data
help prevent malicious exploitation by bona fide individuals. Published personal data
prevent new contractual violations if the disclosed persons do not behave according to their contractual obligations
fulfilling obligations in good faith. I also explain that all published photographic material has been taken
from public space (social media). M&M Inkasso OÜ has considered when publishing the data
the possible infringement of the rights of the persons reflected in the photos and found that the published persons
the damage caused by the activity to other natural persons and its extent outweighs the debtors
the principle of privacy. M&M Inkasso OÜ has not published personal identification codes of individuals.
Only names are published and low quality posts from social media by the individuals themselves
photos. If the published photos are removed, the impact of the published information disappears and is great
the risk that the rights of bona fide persons operating in the same legal space will be acquired by malicious ones
to suffer once again by legal entities."


As of 06.12.2022, personal data of other persons is still published by M&M Inkasso OÜ
accounts on social media (TikTok, Facebook and Instagram). But the company's website
https://mminkasso.ee/ is no longer available as of this date.


GROUNDS FOR DATA PROTECTION INSPECTION:


    1. Legal basis for publishing personal data

In the answer of 10.11.2022, the data processor, i.e. M&M Inkasso OÜ, stated that M&M Inkasso
The basis for publishing personal data published on OÜ's website is the protection of vital interests.
considered legal even if it is necessary for the life of the data subject or other natural person
to protect interests. Personal data could be obtained on the basis of the vital interests of another natural person
in principle, only be processed if the processing cannot obviously be carried out on another legal basis
on the basis of As a result, the disclosure of debtors' data cannot take place IN ACCORDANCE with article 6 par
1 point d.


In addition to the above, IKS § 10(1) stipulates that personal data related to the breach of a debt relationship
disclosure to a third party and processing of the transmitted data by a third party is
permitted for the evaluation of the creditworthiness of the data subject or for other similar purposes and
only if all three conditions are met:
    1. the data processor has verified that there is a legal basis for the transfer of data;
    2. the data processor has checked the correctness of the data;
    3. the data transfer is recorded (keeping information about who and what was transferred).

However, it is not allowed to collect data for the aforementioned purpose and to a third party
transmit if it would excessively harm the rights or freedoms of the data subject and/or the contract
less than 30 days have passed since the violation (ICS § 10 (2) points 3 and 4).

In addition, we note that the inspection is of the opinion that the right to the debtor's default data
to publish does not mean to disclose them to an unlimited number of unidentified persons (on the Internet,
in a newspaper, on the bulletin board of an apartment building, on the company's website, etc.). IKS § 10 also stipulates an obligation
before disclosing the data, check the legal basis of the recipient of the data for obtaining the data.
This obligation cannot be fulfilled if disclosure is made to an unlimited circle. That's why it is
at least one of the prerequisites for publishing data on the basis of IKS § 10 has not been fulfilled.


In the case of payment defaults, it must be borne in mind that the creditor incurs a debt in the event of arrears
to achieve payment, use primarily those listed in § 101 of the Law of Obligations Act
legal remedies, one of which is to demand the fulfillment of an obligation. of persons
the publication of payment default data is not only a pressure measure to achieve payment of the debt
permissible.

The data processor has noted that "M&M Inkasso OÜ has considered photographs when publishing data
the possible infringement of the rights of the reported persons and found that the activities of the persons disclosed
the damage caused to other natural persons and its extent outweighs the private life of the debtors
principle of immunity". From this sentence it can be concluded that M&M Inkasso OÜ relies on
when publishing personal data, Article 6(1)(f) of IKÜM, i.e. legitimate interest. However
in doing so, we explain that even if the disputed data processing could only take place in IKÜM
on the basis of Article 6(1)(f), the data processor has not submitted a legitimate interest to the inspection
analysis.


In addition, we point out that in certain cases it may be possible to disclose the data of some people
justification for journalistic purposes. According to § 4 of the IKS, personal data may be transferred to the data subject
to process without consent for journalistic purposes, in particular to disclose in the media, if for this purpose
is in the public interest and is consistent with the principles of journalistic ethics. Personal data
disclosure must not excessively harm the rights of the data subject.


In order to disclose personal data on the basis of § 4 of the IKS, three conditions must be met:
    1. there is a public interest in the disclosure of personal data;
    2. the disclosure is in accordance with the rules of journalistic ethics;
    3. the disclosure of personal data must not excessively harm the rights of the data subject.

According to AKI, the criterion of public interest is not met in this case. Public interest
its existence can be confirmed if the topic raised and personal data disclosed contribute to the debate in a democratic society. However, the fact of indebtedness of each individual natural person does not
fall into the sphere of public interest, the publication of which contributes to the further development of a democratic society
would help.

Since one criterion for the application of IKS § 4, i.e. the existence of public interest, has not been met, no
analyze the fulfillment of the following criteria of the AKI, because in the absence of even one criterion § 4 of the IKS
on the basis of which personal data cannot be disclosed.

Taking into account the above, there are no other disclosures of personal debt data besides IKS § 10
legal grounds.

Based on the above, the inspection's assessment is that those managed by M&M Inkasso OÜ
The processing of personal debt data on Facebook, Instagram, and TikTok accounts is not
legitimate because by disclosing to an unlimited circle of unidentified persons on the Internet
it is not possible to fulfill the requirements of IKS § 10 with the data of natural persons (including the data processor must
verify that there is a legal basis for the transfer of data). Personal data has been processed without
without a legal basis, which is why M&M Inkasso OÜ must terminate those containing personal data
disclosure of posts on Facebook, Instagram, TikTok managed by him
on pages, accounts, posts and groups.


According to IKS § 58 paragraph 1 and IKÜ Article 58 paragraph 2 p. f and g, the inspection has the right
to issue an order to limit the processing of personal data. Considering that in a particular case
the debt data of natural persons is publicly disclosed illegally and that M&M
Inkasso OÜ did not agree to comply with the proposal of the Data Protection Inspectorate of 01.11.2022, finds
inspection, that making a mandatory injunction in this case is necessary in order to stop it
offense as soon as possible.



(signed digitally)
Alissa Khmelnitskaya
lawyer
on the authority of the Director General