AZOP (Croatia) - Decision 12-12-2023
From GDPRhub
| AZOP - Decision 12-12-2023 | |
|---|---|
 | |
| Authority: | AZOP (Croatia) |
| Jurisdiction: | Croatia |
| Relevant Law: | Article 5 GDPR Article 6 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 12.12.2023 |
| Published: | 15.04.2024 |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | Decision 12-12-2023 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Croatian |
| Original Source: | AZOP (in hr) (in HR) |
| Initial Contributor: | leeve |
The DPA warned the City Tourist Board that while publishing photos of public events on public squares is lawful, publishing a specific photo of the applicant's minor daughter lacked legal basis and purpose under Articles 5 and 6 GDPR.
English Summary
Facts
The DPA has received a complaint for a determination of a violation of the protection of personal data of minor X (the data subject). The complaint was submitted by the mother of the data subject (the applicant), in which it essentially states that the City Tourist Board (the controller) organized a sports day in the square of the City and that the event itself was photographed, although there was no information regarding GDPR, photography, etc. After the event ended, a report about the event was published in various media outlets (for example, on the Facebook and Instagram pages of City), accompanied by photographs, and some of the photographs in question included the applicant's minor daughter.
The applicant points out that the image was used for promotional purposes, as an advertisement, without her permission (and without the permission of the applicant's husband), and that the applicant saw the image in question on the Facebook and Instagram pages and the website of the City.
The applicant reacted to the above and contacted the data controller as the organizer of the event,
after which they removed the photos from the Facebook profile and website of the City. However, the
photo in question was not removed from City's Instagram page.
The controller later stated that it does not manage the Instagram profile and therefore does not influence its content. However, the DPA inspected the City’s Instagram profile and determined that the photograph was no longer present, indicating that it was subsequently deleted.
Upon receiving such a complaint, the AZOP launched a formal investigation into the processing activities of the controller.
Holding
The DPA found multiple breaches of GDPR.
The DPA held that the controller had a lawful basis under the GDPR to publish photographs from a public event in a public square but violated Articles 5 and 6 of GDPR by publishing a separate photo of the applicant's minor daughter without a lawful basis or purpose.
The DPA further held that taking a photograph of an individual who was a visitor to an event, where the individual stands out in a way that their identity can be clearly established, and using such a photograph for promotional purposes requires consent under Article 6 of the GDPR. Legitimate interest is not a lawful basis in such cases.
While the controller’s removal of the photograph from various platforms was taken into account as a mitigating factor, the gross violation of the minor’s right to data protection led to a formal warning being issued under the GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.
(567-UP/I-041-02/23-07/6-1B1)
REPUBLIC OF CROATIA
AGENCY FOR PROTECTION
OF PERSONAL DATA
CLASS:
REGISTRATION NUMBER:
Zagreb, 12.12.2023.
The Personal Data Protection Agency, OIB: 28454963989, pursuant to Article 57, paragraphs 1 and 58,
paragraph 1 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) OJEU 119, 119.12.2016, p. 1., Article 34 of the Act implementing the General Data Protection Regulation (Official Gazette, No. 42/18) and Articles 41 and 96 of the Act on General Administrative Procedure (Official Gazette, No. 47/09 and 110/21), and
regarding the request for a determination of a violation of the right to protection of personal data of minor X,
represented by her mother and legal representative X, hereby issues the following
R J SOLUTION
1. The request for establishing a violation of the right to protection of personal data of minor X,
represented by her mother and legal representative X, is founded.
2. It is established that the collection and further processing of personal data of minor X,
by the controller of the Tourist Board of the City of X, without the existence of a legitimate purpose and
legal basis, resulted in the unlawful processing of personal data contrary to Articles 5 and 6
of the General Data Protection Regulation.
3. The Tourist Board of the City of X, as the controller, is issued an official warning for
processing of personal data of minor X, contrary to Article 5, paragraph 1, item a) and Article
6, paragraph 1 of the General Data Protection Regulation.
R e a n t i o n
The Personal Data Protection Agency (hereinafter referred to as: the Agency) has received a request for
establishing a violation of the protection of personal data of minor X. X, which request was submitted by the mother of X
(hereinafter referred to as the applicant), and in which she essentially states that the Tourist Board
1X (hereinafter referred to as the controller) organized a sports day in the square of the City of X in May 2022
and that the event itself was photographed although there was no information regarding GDPR, photography, etc.
After the event ended, a report on the event was published in various media (for example, on the Facebook page of the City
X), accompanied by photographs, and some of the photographs in question
included the applicant's minor daughter.
The applicant further points out that at the beginning of May this year, the controller
published an announcement that X would be held and a photograph was used to announce the event, in which
exclusively the applicant's daughter was in the foreground, without her face being blurred.
The applicant points out that the image was used for promotional purposes, as an advertisement, without her permission (and without the permission of the applicant's husband), and that the applicant saw the image in question on the Facebook and Instagram pages and on the website of the City of X.
The applicant reacted to the above and contacted the controller as the event organizer, after which they removed the photos from the Facebook profile and website of the City of X. However, the image in question was not removed from the Instagram page of the City of X, and is still there.
The following was attached to the request: a copy of the privacy notice of the controller relating to the X event held on … May 2023, emails sent by the applicant to the controller together with their responses, a post from the Facebook profile, a post from the Instagram profile of the City of X, and a post from the website of X for X.
The request is justified.
Considering the allegations from the received request, the Agency, in accordance with its legal authority, requested the controller to provide a statement on the allegations from the received request, namely to state the legal basis for publishing the photograph of minor X. In addition, information was requested on whether the controller informed visitors to the sports event in May 2022 about the privacy rules, i.e. that the event in question may be filmed and that photographs of the event may be used by the controller, and whether the same was done for the sports event that took place in May 2023. Furthermore, the controller was requested to confirm whether he had received the applicant's request and how it was acted upon, with the need to submit a copy of the communication with the applicant, and in particular to provide information on why the photograph in question was not removed from the Instagram page of City X. The agency received the requested statement from the controller, in which they essentially state that on the day of the event, the public was undoubtedly informed by means of a written privacy notice in a large format that the event would be filmed and photographed, and that the notice was posted at the entrance to the training ground on a notice board near the event. As for the Instagram profile mentioned in the applicant's request, the controller stated that he does not manage that profile and therefore cannot influence its content. The controller further states in his statement that this year as part of X, and as part of the
project X which was held on … May 2023, the public was informed via a written notice on
2privacy that the event would be recorded and photographed, which was placed in several
visible locations.
Attached to the statement was the following: Request for a statement from the Personal Data Protection Agency, Personal Data Breach Report submitted in writing (by e-mail) to the Personal Data Protection Agency on 5 May 2023, and accompanying documents related to
the aforementioned case, as well as a statement on the letter (complaint) of the applicant, in accordance with which
the controller acted.
In addition to the above, we would like to point out that since 25 May 2018, in all Member States of the
European Union, including the Republic of Croatia, the General Data Protection Regulation has been directly and bindingly applied in the field of personal data protection.
Article 4(1) of the General Data Protection Regulation states that personal data are any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. According to Article 4(2) of the General Data Protection Regulation, processing means any operation or
set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording,
organization, structuring, storage, adaptation or alteration, retrieval, consultation,
use, disclosure by transmission, dissemination or otherwise making available,
alignment or combination, restriction, erasure or destruction.
Furthermore, according to Article 4(7) of the General Data Protection Regulation, the controller of personal data
is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Article 5 of the General Data Protection Regulation lays down the principles for the processing of personal data.
Personal data must be: (a) processed lawfully, fairly and transparently in relation to the data subject ("lawfulness, fairness and transparency"); (b) collected in special, express and
legitimate purposes and may not be further processed in a way that is inconsistent with these purposes; further
processing for the purposes of archiving in the public interest, for the purposes of scientific or historical research or
for statistical purposes, in accordance with Article 89, paragraph 1, it is not considered incompatible with the original
purposes ("limitation of purpose"); (c) appropriate, relevant and limited to what is necessary in
in relation to the purposes for which they are processed ("reducing the amount of data"); (d) accurate and as appropriate
up-to-date; every reasonable measure must be taken to ensure that personal data that are not
accurate, taking into account the purposes for which they are processed, deleted or corrected without delay ("accuracy");
(e) stored in a form that allows the identification of the data subject only for as long as it is
necessary for the purposes for which personal data is processed; personal data may be stored for longer
periods if the personal data will be processed solely for archiving purposes in the public interest, for
scientific or historical research purposes or for statistical purposes in accordance with Article 89
paragraph 1, which is subject to the implementation of appropriate technical and organisational measures prescribed by
the General Data Protection Regulation to protect the rights and freedoms of the data subjects ("storage limitation"); (f) processed in a manner that ensures appropriate security of the personal data,
including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage by applying appropriate technical or organisational measures ("integrity and
confidentiality").
Article 6(1) of the General Data Protection Regulation lists in detail the possible legal bases/conditions for the lawful processing of personal data. Thus, the aforementioned article stipulates that the processing of personal data is lawful only if and to the extent that at least one of the following is met: a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes, b) the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the data subject's request prior to entering into a contract, c) the processing is necessary for compliance with a legal obligation to which the controller is subject, d) the processing is necessary to protect the vital interests of the data subject or another natural person, e) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of the controller's official authority, f) the processing is necessary for the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular if the data subject is a child.
In this administrative matter, the parties' statements/statements on the circumstances of the specific case were taken into account and the documentation attached to the case file was reviewed.
In the specific case, it was determined that it was a public event that took place in a public
place (public square) and it is considered that the photography of the event in question is in the public interest.
It was also determined that the public was informed about the filming and photography of the event itself
through a written privacy notice in large format, which notice was placed at
the entrance to the training ground on a notice board near the event. Therefore, it is considered that in the specific case, there was a legitimate interest of the controller as a lawful legal basis for
processing the personal data of the participants in the event in question, all in accordance with Article 6, paragraph
1, point (f) of the General Data Protection Regulation.
However, for taking a photograph of an individual who was a visitor to an event and who stands out from the crowd in a way that his or her identity can be unambiguously established, and using such a photograph for promotional purposes to announce event “X”, legitimate interest is not a legitimate legal basis. In this case, the legitimate legal basis would be consent, pursuant to Article 6(1)(a) of the General Data Protection Regulation.
Article 4(1)(11) of the General Data Protection Regulation explains that “consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
4In the specific case, it was established that the applicant did not give consent to the recording and photographing of her minor daughter X, or to the public publication of the photograph in question containing a representation of her, and in this sense there is no legal basis under Article 6(1)(a) of the General Data Protection Regulation.
In connection with the above, in this administrative matter it was established that in the specific case
the conditions for fair and lawful processing of the personal data of the applicant's minor daughter were not met, taking into account Article 5(1)(a) of the General Data Protection Regulation, considering that the controller did not adequately establish the legal basis and lawful
purpose for the public publication of the personal data of the applicant's minor daughter.
Article 17(1) of the GDPR stipulates that the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and that the controller shall have the obligation to erase personal data without undue delay where one of the following conditions is met: (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) the data subject withdraws the consent on which the processing is based in accordance with Article 6(1)(a) or Article 9(2)(a) and there is no other legal ground for the processing; (c) the data subject objects to the processing in accordance with Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing in accordance with Article 21(2); (d) the personal data have been unlawfully processed; (e) the personal data must be erased for compliance with a legal obligation under Union or Member State law to which the controller is subject; (f) the personal data were collected in connection with the offering of information society services referred to in Article 8(1).
Where the controller has made the personal data publicly available and is obliged to erase those personal data in accordance with paragraph 1, the controller shall, taking into account available technology and the cost of implementation, take reasonable steps, including technical measures, to inform the controllers processing the personal data that the data subject has requested from those controllers the erasure of any links to them or a copy or reconstruction of those personal data (Article 17(2) of the General Data Protection Regulation). Paragraphs 1 and 2 of that Article shall not apply to the extent that the processing is necessary, inter alia, for the exercise of the right to freedom of expression and information (paragraph 3).
The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves a disproportionate effort. The controller shall inform the data subject of those recipients if the data subject so requests (Article 19 of the General Data Protection Regulation). In early May 2023, the applicant saw a poster with a photograph of her daughter, and the photograph in question, on the Facebook and Instagram profiles of City X, as well as on the website of City X. The applicant immediately reacted and sent a request for the deletion of the photograph in question to the controller. The controller acted in accordance with the aforementioned request and deleted the photograph in question from the aforementioned poster, from the Facebook profile of City X, and from the website of City X. However, the photograph was not deleted from City X's Instagram profile at that time.
5Regarding the aforementioned Instagram profile, the controller stated that it did not manage that profile and therefore did not influence its content.
However, after receiving the aforementioned statement, the Agency inspected City X's Instagram profile and determined that the photograph in question was no longer on it, which made it clear that it had been subsequently deleted.
Therefore, the controller had a legal basis for publishing photographs from a public event that took place in a public square. However, the controller did not have a legal basis and a legitimate purpose for the publication of the separated photograph of the applicant's minor daughter. As a result, in this case, the personal data of the applicant's minor daughter was published without a legal basis, contrary to Articles 5 and 6 of the General Data Protection Regulation. However, the fact that the controller removed/deleted the photograph of the applicant's minor daughter from the aforementioned poster, from the Facebook profile of City X and from the website of City X was taken into account in the proceedings, and the same photograph was subsequently removed from the Instagram profile of City X was also taken into account. Therefore, in this administrative matter, it has been established that due to a gross violation of the right to protection of personal data, the controller did not lawfully process/publish the personal data of the applicant's minor daughter, which violated the provisions of Articles 5 and 6 of the General Data Protection Regulation, and the controller is hereby given a formal warning since his actions violated the provisions of the Regulation. In light of the above, it has been decided as in the operative part of the decision.
INSTRUCTION ON LEGAL REMEDY
This decision is not subject to appeal, but an administrative dispute may be initiated before the competent
Administrative Court in X within 30 days from the date of delivery of the decision.
DEPUTY DIRECTOR
Igor Vulje
Submit:
1. X
2. Tourist Board X
3. Filing, here
6
