APD/GBA (Belgium) - 42/2020: Difference between revisions

From GDPRhub
No edit summary
m (Mh moved page APD/GBA - DOS-2019-01240 to APD/GBA - 42/2020 without leaving a redirect)

Revision as of 18:58, 11 November 2020

APD/GBA - 42/2020
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 2(1) GDPR
Article 4(7) GDPR
Article 6(1)(f) GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided: 30.06.2020
Published:
Fine: None
Parties: n/a
National Case Number/Name: 42/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: GBA (in FR)
Initial Contributor: n/a

Belgium DPA looked into the complaint of a person whose Facebook profile picture was shared by the defendant by email without his consent. The organization that shared the picture was looking to comply with the prior judgement of the Sports Court prohibiting the complainant from attending training sessions, championships or other competitions organized by one defendant. Belgium DPA decided that this kind of processing was allowed under the legal basis of legitimate interest of the controller.

English Summary

Facts

On 25 of February 2019 the complainant has submitted a complaint against Organization 2. The essence of the complaint was: screenshot of his Facebook profile picture was shared by Organization 2 without his consent. The complainant asserted that his profile picture was not publicly available. On 8 July 2019 DPA declared the complaint admissible. On 23 July 2019 the Disputes Chamber decided that the file was ready to be considered on the merits. On 4 September 2019 the Disputes Chamber received the response of both organizations involved in this processing (defendants). On 8 October 2019 the Disputes Chamber received the conclusion response of the complainant, limiting the subject of the complaint to the sharing of the picture via email. On 30 October 2019 Disputes Chamber accepted another comment from the defendants, stating that the complainant violated article 124 of the electronic communications law by deliberately accessing the email that was not addressed to him. On 27 May 2020 the parties were heard by the Disputes Chamber.

Dispute

The defendants were able to demonstrate that the Facebook profile picture of the complainant was publicly available and in no way protected. The organizations are also of the opinion that no personal data processing took place in this case because the complainant failed to demonstrate that his picture was structured according to the specific criteria. In case if the DPA finds that personal data processing took the place, the defendants invokes legitimate interest as a legal basis of processing and refers DPA to the judgement of the Sports Court prohibiting the complainant from attending training sessions, championships or other competition organized by Organization 1 for the period of one year.

On 8 October the complainant agreed that his profile pictures were publicly accessible. However, in his opinion legitimate interest was not applicable in this case because it was possible to find his picture by searching on Facebook directly. So the sharing of his picture via email was not necessary.

Holding

DPA held that: 1) Organization 2 was acting as a processor on behalf of Organization 1 when it shared complainant's pictures via email with third parties; 2) Personal data processing via automated means took place. The argument of the defendants that the complainant failed to demonstrate that his picture was structured according to the specific criteria was not relevant because the filing system criterion applies to manual processing only; 3) The fact that profile picture was publicly available doesn't mean that it can be used without legal basis; and 4) Legitimate interest was a valid legal basis in this case:

   Purpose test satisfied, purpose: enforcing the judgement of the Sports Court;
   Necessity test satisfied: picture of the complainant was necessary to identify him. In addition, the controller edited the picture of the complainant is such a way, that another person on that photo was no longer visible, complying with the principle of data minimization;
   Balancing test satisfied: DPA took into account the reasonable expectations of the complainant and found that because the complainant made his picture publicly available, it was within his reasonable expectations that third parties might access that picture and use it. Moreover, according to the Sports Court judgement, organization 1 (controller) was required to communicate the prohibition to all organizers of completions in Belgium. Although the judgement did not specifically instruct organization 1 to share pictures of the complaint, DPA considered this necessary for the purpose of identifying the complainant. 



Comment

It was not clear whether the legitimated interest assessment was provided by the defendant or executed by the DPA.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.


Page 1
1/11
Litigation room
Substance decision 35/2020 of 30 June 2020
File number: DOS-2019-01240
Subject: Reuse of profile picture available on Facebook
The Litigation Chamber of the Data Protection Authority, composed of Mr. Hielke Hijmans, chairman and Messrs Dirk Van Der Kelen and Jelle Stassijns, members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data and repealing Directive
95/46 / EC (General Data Protection Regulation), hereinafter GDPR;
Having regard to the Law of 3 December 2017 establishing the Data Protection Authority, hereinafter
WOG;
Having regard to the internal rules of procedure, as approved by the Chamber of
Representatives on December 20, 2018 and published in the Belgian Official Gazette on
January 15, 2019;
Having regard to the documents in the file;
Page 2
Substance decision 35/2020 - 2/11
has taken the following decision on:
- Mr. X; hereafter “the complainant”
- Y; hereinafter “first respondent”
and
Mr. Z; hereinafter “second defendant”
1. Facts and procedure
1. On 25 February 2019, the complainant lodged a complaint with the Data Protection Authority against
the defendants.
2. The subject of the complaint concerns the distribution by e-mail to third parties, namely W
as well as volunteers and employees of Y, from a screenshot of one on Facebook
available profile picture of the complainant without his consent. According to the
the complainant cannot be freely accessible, as he enjoys the highest level of protection through his
settings. Also, the photo would have been edited by the second defendant so only it
the complainant's face was made visible.
3. On 8 July 2019, the complaint will be declared admissible pursuant to Articles 58 and 60 WOG,
the complainant is informed of this on the grounds of Article 61 of the WOG and the complaint is filed
pursuant to Article 62, §1 WOG transferred to the Disputes Chamber.
4. On 23 July 2019, the Disputes Chamber will decide on the basis of Article 95, §1, 1 ° and Article 98 of the WOG
the file is ready for thorough examination.
5. On 24 July 2019, the parties concerned will be notified of by registered mail
the provisions as stated in Article 95, §2, as well as those in Article 98 WOG. Also
they shall be informed of the deadlines for them pursuant to Article 99 WOG
to submit defenses. The deadline for receipt of the reply
of the defendants was thereby recorded on 6 September 2019, this for the conclusion of
the complainant's reply on 7 October 2019.
6. On 6 August 2019, the defendants request a copy of the file (Article 95, §2, 3 ° WOG)
7. On 7 August 2019, a copy of the file will be sent to the defendants.
Page 3
Substance decision 35/2020 - 3/11
8. On 14 August 2019, the defendants indicate that they will submit defenses
(Article 98, 2 ° WOG), as well as to adjust the conclusion calendar.
9. On 23 August 2019, the parties will be notified by the Disputes Chamber of the
adjusted conclusion terms. The deadline for receipt of the Opinion of
The defendants' reply was recorded on 6 September 2019, this one for the
The complainant's reply of 7 October 2019 to the defendants on 7
November 2019.
10. On 4 September 2019, the Disputes Chamber will receive the conclusion of an answer from the
defendants. The defendants contend that the second defendant acted in his capacity of
employee who acted on behalf of and for the account of the first defendant. The defendants
then show that the photo has been determined by a bailiff
to which the complaint relates is publicly accessible to everyone and was therefore by no means
shielded. First, according to the defendants, no processing would take place because the
the complainant does not demonstrate that the photo was structured according to specific criteria. The defendants
refer in this regard to recital 15 GDPR. Insofar as there would be one
processing, the defendants invoke the legitimate interest as a legal basis (Article
6.1 f) GDPR) and for this purpose refers to the judgment of the Sports Court in which the complainant
ban was imposed on attending training courses, championships for 1 year
or any other competition of any kind, organized under the sports
authority of the first defendant.
11. In its conclusion, the defendants also consider the complainant's request to take action
his right to erasure, which was not responded to by the defendants
in accordance with the requirements of Article 12 GDPR. The defendants give the reason for this
that the complainant's request did not indicate that any response was requested. The
The Disputes Chamber can only determine in this respect that the absence of a response due to the
defendants at this request are not part of the complaint.
12. On 8 October 2019, the Disputes Chamber will receive the reply from the complainant. In there
informs the complainant that his complaint was initially directed against the second defendant
he may have been mistaken in the facts, as the first defendant formally states that the
second defendant acted on her instructions and by no means as a person in her own right
capacity. Furthermore, the complainant claims to have never contradicted that the photo is free
is accessible and can therefore be viewed and copied by everyone. The object of the
complaint is the distribution of the photo as an attachment to an e-mail. The complainant argues that there is
Page 4
Substance decision 35/2020 - 4/11
there is a data processing by stating that recital 15 GDPR is not in the
regulations are included. According to the complainant, the defendants cannot rely on it
legitimate interest as a legal basis for processing the photo as an attachment to an e-
mail, since the recipients of the email could have found the photo themselves by
to surf to the social network site Facebook.
13. On 30 October 2019, the Disputes Chamber receives the reply from the defendants.
In it they indicate that they want to make use of the possibility of becoming
heard (Article 98, 2 ° WOG). The defendants recall the elements of the Opinion of
reply and add that the complainant referred to Article 124 of the Law of 13 June 2005
concerning electronic communication , because he deliberately has knowledge
taken from an email message that was not addressed to him.
14. On 29 April 2020, parties will be informed that the hearing will take place
on May 20, 2020.
15. On 27 May 2020, the parties will be heard by the Disputes Chamber.
2. Legal basis
• Controller
Article 4. 7) GDPR
For the purposes of this Regulation:
[…]
7) "controller" means a natural or legal person, a public authority,
a service or other body that, alone or with others, the purpose and means
for the processing of personal data; when the goals of and means
may be set out in Union or Member State law for such processing
determine who the controller is or according to which criteria it is designated;
Page 5
Substance decision 35/2020 - 5/11
• Legitimacy of processing
Article 6.1. GDPR
1. Processing is lawful only if and to the extent that at least one of the following is provided
conditions are met:
[…]
(f) the processing is necessary for the defense of the legitimate interests of the
controller or of a third party, except where interests or fundamental rights and
the fundamental freedoms of the data subject requiring the protection of personal data,
outweigh those interests, especially when the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing by public authorities under the
performing their duties.
3. Justification
3.1. Controller
16. The complainant expressly addresses his complaint only to the second defendant and considers the first
respondent is not responsible for the use of the photo without his permission and for
sharing it with third parties, as respondent 1 would not have been aware.
17. The first defendant refutes this assertion and shows that the second defendant is in
capacity of employee, acted entirely in the name and on behalf of the former
defendant. As an employee of the second defendant, the second Respondent is ordered with the
administration of its disciplinary and judicial bodies and has thus been appointed as “Registrar of
the Sports Court ”.
18. The Disputes Chamber finds that the complainant became Y pursuant to a judgment of the Sports Court Y.
sentenced to “ a general ban on attending training, championships or
any other competition of any kind organized under the authority of sport
of the Y, this for a period of 1 year. This prohibition extends to any place where the
competition is taking place, including - but not limited to - the […] ” .
Page 6
Substance decision 35/2020 - 6/11
19. For the implementation of this prohibition of attendance imposed on the complainant, In
order of respondent 1 by respondent 2 an e-mail addressed to the sports commissioners
of a specific, upcoming event in the W, as well as in “carbon copy” (cc) to the organizing party
institution. Defendant 1 confirms that a photo of the complainant has been attached
in order to allow the recipients of the email to recognize it if the complainant is
would register despite the ban on attendance.
20. The entirety of these findings leads the Disputes Chamber to decide that the first
defendant the purpose and means of execution of the judgment of the Sports Court
has determined that the email with the photo attached was in her name and assignment
dispatched by the second defendant acting solely as an employee of the
first respondent and in that capacity is obliged to perform the duties assigned to him
to accomplish. Thus, the first defendant should be classified as
controller within the meaning of Article 4. 7) GDPR.
3.2. Processing
21. Insofar as the defendant argues that the reuse of the profile picture is freely available
would not constitute processing on Facebook within the meaning of Article 4. 2) GDPR because of the fact
that the complainant does not demonstrate that the photo was structured according to specific criteria, the
Disputes Chamber in that regard on that article 2.1) GDPR read in conjunction with recital 15
of the GDPR, although an exclusion from the scope of the GDPR provides for
files or a collection of files and their covers, which do not meet specific criteria
are structured, but this exception applies only to manual processing 1 . In
in the present case, however, it concerns the reuse of an online accessible photo taken by
is sent to specific third parties by means of an e-mail message.
22. The Disputes Chamber is of the opinion that there is indeed a processing within the meaning
of Article 4. 2) GDPR 2, since the photo is determined automatically in accordance with certain
1 Consideration 15 GDPR. In order to avoid a serious risk of circumvention, the protection of natural ones should be
persons should be technology neutral and should not depend on the technologies used. The protection of
natural persons should apply to both automated processing of personal data and manual processing
thereof if the personal data has been stored or is intended to be stored in a file. Files or one
collection of files and their folders, which are not structured according to specific criteria, should not be included in the
scope of this Directive.
2 Article 4.2) GDPR: For the purposes of this Regulation, the following definitions apply: 'processing' means an operation or a whole
of operations relating to personal data or a set of personal data, whether or not performed via
automated processes, such as collecting, recording, organizing, structuring, storing, updating or changing, retrieving,
consult, use, provide by forwarding, dissemination or otherwise make available,
aligning or combining, shielding, erasing or destroying data;
Page 7
Substance decision 35/2020 - 7/11
technologies was consulted for subsequent use and forwarded to
third parties.
3.3. Lawfulness of processing
23. Although the complainant claims that the photo that is the subject of the complaint is the highest
is protected through its institutions, the defendant shows by means of a finding
to a bailiff that the photo in question is publicly accessible on the
The complainant's Facebook page and profile picture can be reached without any hindrance
and copied. The complainant then states in its reply that “everyone
know that a profile photo is freely accessible ”, thus confirming that the photo is located
in the public area of ​​Facebook.
24. The Disputes Chamber states that both consulting and using a photo are one
processing is within the meaning of the GDPR and that this processing is only permitted on the basis of a
processing basis in Article 6.1 GDPR. The fact that the photo was made freely accessible
by the person concerned, in no way allows the free reuse of the photo by third parties
consult it.
25. The GDPR significantly limits the possibility of reusing
publicly accessible personal data. The Dispute Chamber emphasizes that it
the principle is that the fact that someone's profile photo is freely accessible to the public,
does not mean that others may use it freely. Its use is only possible
if there is a legal basis for this. The defendant appeals to that effect
legitimate interest (Article 6.1 f) GDPR).
26. In accordance with Article 6.1 f) GDPR and the case law of the Court of Justice of the European Union
Union (hereinafter “the Court”) must meet three cumulative conditions for one
controller can legally invoke this legitimacy ground, " te
know, first of all, the defense of a legitimate interest of the
processing of the controller or of the third party (ies) to whom the data is provided, in the
secondly, the need for the processing of the personal data for representation
of legitimate interest, and, thirdly, the condition that the fundamental
rights and freedoms of the person involved in data protection do not prevail "
(judgment in “Rigas” 3 ).
3 CJEU, 4 May 2017, C-13/16, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA
Rīgas satiksme, recital 28. See also CJEU, 11 December 2019, C-708/18, TK t / Asociaţia de Proprietari bloc M5A-ScaraA,
recital 40.
Page 8
Substance decision 35/2020 - 8/11
27. In order to be able to invoke the lawfulness of law in accordance with Article 6.1 f) GDPR
in other words, the “legitimate interest” should be submitted by the controller
show that:
- the interests which it pursues with the processing can be recognized as justified
(the “target test”);
the intended processing is necessary for the realization of these interests (the
“Necessity test”); and
the balancing of these interests against the interests, fundamental freedoms and
fundamental rights
from
stakeholders
weighs
in
it
benefit
from
the
controller (the “balancing test”).
28. As regards the first condition (the so-called “target test”), the Disputes Chamber of
consider that the purpose of the exercise of the judgment of the
Sports court can be classified for a legitimate interest. The importance
that the defendant as controller may pursue in accordance with recital
47 GDPR are considered to be justified in themselves. Consequently, the
first condition contained in Article 6.1 f) GDPR.
29. In order to fulfill the second condition, it must be demonstrated that the processing
is necessary for the achievement of the objectives pursued. This means more
provides that the question should be asked whether the same result can be achieved by other means
be achieved without processing personal data or without unnecessarily drastic action
processing for data subjects.
30. The complainant maintains that it was absolutely unnecessary to add the profile photo as an attachment
attach to the email notifying the Sports Court's judgment to the
sports commissioners, since the latter could have done the image themselves
by consulting the social network site Facebook. The Dispute Chamber draws up
on the basis of this, it is established that the complainant does not dispute that, on the grounds of the sports commissioners
there is a real need for a photo as an identifier in order to allow the sports commissioners and the
enable the organizer to maintain the prohibition of attendance imposed on the complainant.
The complainant does not object to this either. The complainant only disputes that it was unnecessary
add profile picture as an attachment to the e-mail sent to the sports commissioners and the
organizer was sent and after it was edited additionally.
Page 9
Substance decision 35/2020 - 9/11
31. The Disputes Chamber notes that the editing of the profile picture consisted of the others
person who was on the profile picture was no longer visible, so only the image of
the complainant could be seen in the photo. This gives the defendants the principle of minimum
data processing (Article 5.1. c) GDPR) as the image of the other
person was in no way required for the intended purpose of maintaining the
ban on attendance.
32. In addition, the Dispute Chamber finds that the complainant's photograph was necessary for his
identification, since the purpose is to maintain the ban on attendance
imposed on the complainant cannot reasonably be achieved in any other way 4 than
by processing a photo. The way in which the photo is made available, either
via attachment to the relevant e-mail, or by direct consultation of the Facebook
The complainant's page is irrelevant. Also on this point, the principle of minimum
data processing (Article 5.1. c) GDPR).
33. In order to check whether the third condition of Article 6.1 f) GDPR - the so-called
"Balancing test" between the interests of the controller on the one hand, and the controller
fundamental freedoms and fundamental rights of the data subject, on the other hand - can be met,
In accordance with recital 47 GDPR, reasonable ones should be taken into account
expectations of the data subject. More specifically, it is necessary to evaluate whether
“ Data subject at the time and in the context of the collection of the personal data
may reasonably expect processing to take place for that purpose ” 5 .
4 Recital 39 GDPR. Any processing of personal data must be done properly and lawfully. For natural
persons it should be transparent that they are collected, used, consulted or concerning them
otherwise processed and to what extent the personal data are processed or will be processed. In accordance with it
transparency principle, information and communication related to the processing of those personal data should be simple
be accessible and understandable, and clear and simple language should be used. That principle concerns in particular the
informing data subjects about the identity of the controller and the purposes of the processing,
as well as further information to ensure proper and transparent processing with regard to natural persons
in question and their right to receive confirmation and communication of their personal data being processed. Natural
individuals should be made aware of the risks, rules, safeguards and rights associated with the processing of
personal data, as well as how they can exercise their rights regarding this processing. Lake
determined, the specific purposes for which the personal data are processed must be explicit and justified
and be determined when the personal data is collected. The personal data must be adequate and relevant
serve and be limited to what is necessary for the purposes for which they are processed. This requires with
in particular, ensuring that the storage period of the personal data is kept to a strict minimum.
Personal data may only be processed if the purpose of the processing is not reasonably in any other way
can be accomplished. To ensure that personal data is not kept longer than necessary, it is necessary
set deadlines for the erasure of data or for periodic review.
All reasonable measures must be taken to ensure that incorrect personal data is rectified
or erased. Personal data must be processed in a manner that provides appropriate security and confidentiality
that data, including to prevent unauthorized access to or unauthorized use of
personal data and the equipment used for the processing. (own underline)
5 Recital 47 GDPR.
Page 10
Substance decision 35/2020 - 10/11
34. This is also emphasized by the Court in its judgment in “TK t / Asociaţia de Proprietari bloc
M5A-ScaraA ”of December 11, 2019 6 , in which it states:
“Also relevant to this consideration are the reasonable expectations of the data subject that they are or
her personal data will not be processed when, in the circumstances
in such a case, the data subject cannot reasonably continue to process the data
expect".
35. Because the complainant himself published the photo in such a way that it is freely accessible
for anyone, the Disputes Chamber considers that it is within the reasonable expectations of
the complainant complains that third parties access and share publicly shared information
use. The collection and use of the published personal data by
however, these third parties are only lawful insofar as the processing of those personal data is carried out
is based on a legal basis as provided in Article 6.1. GDPR. The Disputes Chamber will determine
that the defendants rightly invoke Article 6.1. f) GDPR 7, since the verdict of the
In addition to the ban on attendance imposed on the complainant, the sports court also stipulates that the
Registrar at the Secretariat of Defendant 1 is requested to inform this prohibition
bringing all organizers of competitions on Belgian territory. Although the verdict
does not impose a photo of the complainant on this notification of the ban on attendance
it is necessary, however, to check compliance with it
ban on attendance on the part of the complainant, that the organizers of competitions on Belgian
territory have any means whatsoever, such as the photograph of the complainant, to correct it if necessary -
in case of non-compliance with the prohibition.
6 CJEU, 11 December 2019, C-708/18, TK t / Asociaţia de Proprietari bloc M5A-ScaraA, recital 58.
7
Recital 47 GDPR. The legitimate interests of a controller, including that of a controller
controller to whom the personal data may be provided, or from a third party, may have a legal basis
for processing, provided that the interests or fundamental rights and freedoms of the data subject are not overridden
taking into account the reasonable expectations of the data subject based on his relationship with the
controller. Such a legitimate interest may exist, for example, when there is a
relevant and appropriate relationship between the data subject and the controller, in situations where the data subject
is a customer or is employed by the controller. In any case, a careful assessment is required to
determine whether there is a legitimate interest, as well as to determine whether a data subject is concerned at the time and in the context
may reasonably expect the collection of the personal data to be possible for that purpose to be processed.
In particular, the interests and fundamental rights of the data subject may override the interests of the data subject
controller when personal data are processed in circumstances where the data subjects
do not reasonably expect further processing. Since it is for the legislator to provide the legal basis for this
that legal basis should not apply to the processing of personal data by public authorities
processing by public authorities in the performance of their duties. The processing of personal data that
strictly necessary for the prevention of fraud is also a legitimate interest of the controller concerned.
The processing of personal data for direct marketing purposes can be considered as performed for the purpose of
a legitimate interest. (own underline)
Page 11
Substance decision 35/2020 - 11/11
36. The Disputes Chamber is of the opinion that the defendants rightly invoke Article 6.1 f)
GDPR and no elements are provided that indicate that the defendants would
have acted in violation of the requirements of the GDPR.
3.4. Publication of the decision
37. Having regard to the importance of transparency regarding the decision-making of the
Dispute Chamber, this decision will be published on the
Data protection authority. It is not necessary, however, for this to be the identification data
of the parties are published directly.
FOR THESE REASONS,
The Dispute Chamber of the Data Protection Authority, after deliberation, decides on the basis of
of Article 100, §1, 1 ° WOG, to dismiss the present complaint . Based on the information about which
the Disputes Chamber at this time, although it does not currently consider it possible to take further action
give to the complaint.
Pursuant to Article 108, §1 WOG, an appeal can be lodged against
a period of thirty days, from the notification, at the Marktenhof, with the
Data protection authority as defendant.
(get.) Hielke Hijmans
Chairman of the Disputes Chamber