AZOP (Croatia) - Decision 16-11-2021
|AZOP - Decision 16-11-2021|
|Relevant Law:||Article 4(1) GDPR|
|National Case Number/Name:||Decision 16-11-2021|
|European Case Law Identifier:||n/a|
|Original Source:||AZOP (in HR)|
|Initial Contributor:||Presido Croatia|
The Croatian DPA determined that a photograph of a person camouflaged in a jacket and wearing a protective mask did not consitute personal data according to Article 4(1) GDPR because it was impossible for the average person to identify the individual. As a result, the publication did not infringe the GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
The Croatia DPA received a complaint in which, in essence, the complainant pointed out that a real estate agency (the controller) published their photograph taken during a viewing of an apartment that was advertised for sale, without their consent and knowledge. The photo was available on a public website via an URL link.
At the request of the Croatian DPA, the controller stated that they deleted, in good faith, the disputed parts of the photo allegedly representing the complainant. At the same time, the controller argued that they did not believe that, in this case, it was about the complainant's personal data, since the person in the initial photograph was camouflaged in a jacket and a protective face mask. Moreover, the person voluntarily entered the frame during the photo shoot.
Holding[edit | edit source]
The Croatian DPA rejected the complaint as unfounded. It pointed out that it was not possible to determine the data subject's identity from the contested photo. In particular, the assessment of identity should be based on objective and reasonable factors so that the average person could determine in an unequivocal way (directly/indirectly) the identity of an individual.
The DPA concluded that the identity of the applicant was impossible to determine by objective factors available to the average person, who was not an acquaintance of the complainant, from just looking at the attached photo. The photo was not clear and the face was not visible (mostly covered by a surgical mask).
Therefore, the photograph in question could not be referred to as personal data in the sense of Article 4(1) GDPR, so there was no obligation of the controller to delete the photograph. It was only about publishing a photo of a property intended for sale and did not contain personal data.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.
Agency for the protection of personal data based on Article 57 paragraph 1 and 58 paragraph 1 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals in relation to processing personal data and on the free movement of such data and on repealing the Directive 95/46/EC (General Data Protection Regulation) SLEU L119 and Article 34 of the Law on the Implementation of the General Regulation on data protection ("Official Gazette", number 42/18) and Article 41 paragraph 1 and Article 96 paragraph 1 of the Law on General Administrative Procedure ("Official Gazette" No. 47/09), and acting on the request to determine the violation of the right to the protection of personal data xy, provides the following SOLUTION The request to determine the violation of the right to the protection of personal data xy is rejected as unfounded. Form layout The Agency for the Protection of Personal Data (hereinafter: the Agency) received a request for determination violation of the right to protection of personal data xy (hereinafter: the applicant) in which In essence, he points out that the real estate agency x (hereinafter referred to as: the agency for real estate real estate) published her through classifieds websites without her consent and knowledge photograph during a viewing of an apartment that was advertised for sale, contrary to the provisions General Data Protection Regulation, which photo is available via URL link. In Attachment of the request, the applicant submitted a copy of the complete correspondence she had from above the said real estate agency. The request is not founded. Following on from the above, we point out that as of May 25, 2018, in all member states of the European Union, as well as in the Republic of Croatia, in the area of personal data protection, binding i directly applies Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals in connection with the processing of personal data and the free movement of such data, and o 2 repealing Directive 95/46/EC (General Data Protection Regulation) SL EU 119, and for which application and enforcement in the territory of the Republic of Croatia is the responsibility of the Personal Protection Agency data. Before elaborating the normative part of the General Data Protection Regulation, it is necessary to refer to the introductory part statement number 26 to the General Regulation on data protection, in which it is defined in more detail that the code assessment of whether an individual's identity can be established should take into account all means, such as for example selections, which the controller or any other person can apparently use for the purpose of direct or indirect identification of an individual. In order to determine whether, according to all appearances, it is likely that means are used to determine the identity of an individual, should be taken into account all objective factors, such as costs and time required to establish identity, taking into account both the technology available at the time of processing and technological developments. Article 2, paragraph 1 of the General Data Protection Regulation prescribes how it applies to processing personal data, which is fully automated and non-automated processing of personal data data that are part of the storage system or are intended to be part of the storage system. The aforementioned General Data Protection Regulation in Article 4, Paragraph 1, Point 1 stipulates that they are personal data all data relating to an individual whose identity has been determined or can be determined, a an individual whose identity can be determined is a person who can be identified directly or indirectly, especially with the help of identifiers such as name, identification number, location data, network identifier or with the help of one or more factors specific to physical, physiological, genetic, mental, economic, cultural or social identity of that individual. Pursuant to Article 5 of the General Data Protection Regulation, personal data must be lawful, fair and processed transparently with respect to the respondent (principle of legality, fairness and transparency); collected for special, explicit and legal purposes and may not be further processed in a way that is not in in accordance with these purposes (principle of purpose limitation); appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed (principle of reducing the amount of data); accurate and according to up-to-date if necessary (accuracy principle); stored in a form that allows the identification of the respondent only as long as necessary for the purposes for which personal data are processed (principle of limitations storage); processed in a way that ensures adequate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage by applying appropriate technical or organizational measures (principle of integrity and confidentiality). Article 6, paragraph 1 of the General Regulation on Data Protection prescribes the processing of personal data legal only if and to the extent that at least one of the following is met: the respondent has given consent to the processing of your personal data for one or more specific purposes; processing is necessary for execution of a contract to which the respondent is a party or to take actions at the request of the respondent before the conclusion of the contract; processing is necessary to comply with the legal obligations of the controller; processing is necessary to protect the key interests of the controller's legal obligations; processing is necessary for 3 performing a task of public interest or when performing the official authority of the data controller; processing is necessary for the legitimate interests of the data controller or a third party. In this administrative matter, the Agency is based on the submitted evidence, more precisely the correspondence between of the applicant and the real estate agency determined that the applicant is from February 26, 2021, was in communication with the real estate agency via e-mail regarding the publication of the disputed photo, which is available via a URL link, and where the applicant clearly indicated that she was against the publication of the said photo, for which she was not gave her consent and how she requests its deletion. At the request of real estate agencies stated on March 1, 2021 that they deleted the disputed parts of the photo in good faith, and that they do not believe that in this case it is about the applicant's personal data, since that it is a person (the applicant) who is camouflaged in a jacket and a protective mask and who voluntarily entered the frame during the photo shoot. The agency also determined, based on the submitted photo, that a smaller one can be found on it an apartment in the area of the city of Zagreb, the sale of which is advertised via the URL link, with an area of 20 m2 on which shows the wardrobe in the studio in question, the sleeping bed, the television, the table, the window. Except mentioned in the initial photo that was published on February 26, 2021 is also located a female person in a long brown jacket with a protective (surgical) mask on her face. Photography is (in relation to the person in the photo) made from a profile without the constitution being seen in its entirety person, his face or eyes. In this direction, we point out that it is not possible to determine the identity with certainty from the attached photo of the person (the applicant) who is in the contested photo, since the assessment possible determination of identity should be based on objective/reasonable factors of that time need to be invested so that the average person could determine in an unequivocal way (directly/indirectly). the identity of the individual respondent. Considering that the identity of the applicant is impossible determined by objective factors available to the average person who is not an acquaintance of the applicant from just looking at the attached photo, which is not clear a visible face that is mostly covered by wearing a surgical mask, in the situation in question cannot be referred to as personal data in the sense of Article 4, Paragraph 1, Point 1 of the General Regulation on Protection data, so there was no obligation of the real estate agency to delete it a photo in which (according to the applicant) the applicant is, since it is only about publishing a photo of a property that is intended for sale and that does not contain personal data in the sense of Article 4, paragraph 1 of the General Data Protection Regulation. Following the above, it was decided as in the Proclamation of the Decision. LEGAL REMEDY An appeal against this decision is not allowed, but an administrative dispute can be initiated before the Administrative Court by the court in Split within 30 days from the date of delivery of the decision.