Banner2.png

DSB (Austria) - DSB-D213.2544

From GDPRhub
DSB - DSB-D213.2544
LogoAT.png
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 9 GDPR
Article 85(2) GDPR
Type: Complaint
Outcome: Upheld
Started: 20.12.2023
Decided: 11.02.2025
Published: 26.03.2025
Fine: n/a
Parties: n/a
National Case Number/Name: DSB-D213.2544
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): German
Original Source: DSB (in DE)
Initial Contributor: cwa

An individual (controller) was ordered to delete photos of individuals that they had taken and published online. The photos included those of children, one taken from an angle revealing a woman’s cleavage, one revealing the subjects’ religious beliefs, and one of people dining in a restaurant.

English Summary

Facts

The controller was an individual who took photos of people on the street and uploaded them online. Some of the photos taken were of children. In one instance, a photo revealed that the children were Jewish, evidenced by their hairstyle and the kippah they were wearing. In another instance, a photo taken from a high angle was uploaded, revealing a large amount of a woman’s cleavage. Other photos uploaded depicted people eating in restaurants.

The controller did not seek consent for the taking and uploading of these photos, although sometimes offered a business card to data subjects (or their guardians, in the case of children) with his contact details.

The DSB (Austrian DPA) received an anonymous complaint about the processing activity. In their submissions, the controller sought to invoke their constitutional right to artistic freedom.

Holding

The DPA referenced the exception in favour of artistic freedom in Article 85(2) GDPR and noted that a balancing of interests in each specific case is required to reconcile the competing rights.

In balancing the interests at hand, the DPA referenced Recital 38 GDPR, noting that children are vulnerable data subjects and worthy of additional protection under the GDPR.

In relation to the photograph exposing the woman’s cleavage, the DPA referenced other legislation which criminalises unwanted images of female body parts in certain circumstances. The DPA reasoned that there is therefore an increased interest on the part of the data subject that such images not be processed, in particular without consent.

In relation to the photographs revealing the religious beliefs of the data subjects, the DPA found that the inclusion of religious beliefs in the general prohibition on processing in Article 9 requires a higher level of protection and indicates an increased interest on the part of the data subject to not have such data processed and published without consent. The DPA noted that this was particularly important as members of the Jewish faith can be exposed to increased threats.

In respect of the photos depicting individuals dining at a restaurant, the DPA referenced EDPB Guidelines 3/2019 which notes that, in the EDPB’s opinion, data subjects can assume they are not being monitored in publicly accessible areas, especially ones used for recreation, relaxation and leisure activities. The Guidelines specifically reference tables in restaurants in the non-exhaustive list of examples. As such, the DPA reasoned that these photos should be subject to a higher level of protection and the data subjects depicted therein have an increased interest in their photo not being processed and published without consent.

The DPA held that in all of the forgoing instances, the interests of the data subject override the legitimate interests of the controller’s artistic freedom.

Although accepting that the requirement to obtain consent in advance of the taking of street photography would render the art of street photography unlawful, the DPA noted that it would be reasonable for the controller to seek consent retrospectively, strengthening the legal basis for processing on grounds of artistic freedom.

The controller was ordered to delete the photographs within a period of two weeks.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details. 

Text

Reference No. 2024-0.195.679 of February 11, 2025 (Case No. DSB-D213.2544)

[Note from the editor: Names and companies, legal forms and product names, addresses (including URLs, IP and email addresses), file numbers (and the like), statistical information, etc., as well as their initials and abbreviations, may be abbreviated and/or altered for pseudonymization purposes. Obvious spelling, grammatical, and punctuation errors have been corrected.

DECISION

RULING

The Data Protection Authority, within the scope of the data protection review pursuant to Art. 58 (1) (b) GDPR, rules against Dieter A*** (controller of the website https://www.a***-photo.com/****/f***/), I***straße **3, **** P***, as follows:

The Data Protection Authority, within the scope of the data protection review pursuant to Article 58 (1) (b) GDPR, rules against Dieter A*** (controller of the website https://www.a***-photo.com/****/f***/), I***straße **3, **** P***, as follows:

1. The controller violates the GDPR by taking photos of children and religious beliefs within the meaning of Art. 9 (1) GDPR and publishing them on his website https://www.a***-photo.com/****/f***/. Pursuant to Art. 58 (2) (g) GDPR, the controller is ordered to delete the photos pursuant to points C.2 and C.3 of the findings of fact of this decision within a period of two weeks, failing which the court will enforce the order.

2. The controller violates the GDPR by taking a photo taken from above in such a way that a large part of the cleavage or part of the breasts of the women concerned, as well as the top of their bras, is visible, and publishing it on its website https://www.a***-photo.com/****/f***/. Pursuant to Art. 58 (2) (g) GDPR, the controller is ordered to delete the photo "P*** 2017" (C.4 of the findings of fact) within a period of two weeks, failing which the order will be enforced.

3. The controller violates the GDPR by taking a photo showing people eating their meals and publishing it on its website https://www.a***-photo.com/****/f***/. Pursuant to Art. 58 (2) (g) GDPR, the controller is ordered to delete the photo described in more detail under C.5 within two weeks, failing which it will be executed.

Legal basis: Art. 8 and Art. 13 of the Charter of Fundamental Rights of the European Union (CFR), OJ C 202 of 7 June 2016, p. 389; Article 4, Article 5(1)(a) and (c), Article 6(1)(a) and (f), Article 7, Article 8, Article 51(1), Article 57(1)(a) and (h), Article 58(1), (2)(d) and (g), Article 77(1) and Article 85 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), OJ L 119, 4 May 2016, p. 1; Sections 1, 9 (2), 18 (1) of the Data Protection Act – DSG, Federal Law Gazette I No. 165/1999 as amended. Legal basis: Articles 8 and 13 of the Charter of Fundamental Rights of the EU (EU Charter of Fundamental Rights), OJ No. C 202 of 7 June 2016, Session 389; Article 4,, Article 5, paragraph one, letters a, and c, Article 6, paragraph one, letters a and f,, Article 7,, Article 8,, Article 51, paragraph one,, Article 57, paragraph one, letters a and h,, Article 58, paragraph one,, paragraph 2, letters d and g,, Article 77, paragraph one, and Article 85 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), OJ L 119 of 4 May 2016, Session 1; paragraph one,, 9 paragraph 2,, 18 paragraph one, of the Data Protection Act – DSG, Federal Law Gazette Part One, No. 165 of 1999, as amended.

EXPLANATORY STATEMENTS

A. Arguments of the parties and course of proceedings

1. The data protection authority was informed, following an anonymous complaint, that images of individuals had been uploaded online to the website https://www.a***-photo.com/****/f***/color/page/3, which is the subject of the proceedings and is operated by the controller. It was alleged that this had occurred without the consent of the data subjects. The data protection authority subsequently initiated an ex officio investigation procedure pursuant to Art. 58 (1) (b) GDPR with regard to the "F***" tab by a first letter dated December 20, 2023. 1. The data protection authority was informed, following an anonymous complaint, that images of individuals had been uploaded online to the website https://www.a***-photo.com/****/f***/color/page/3, which is the subject of the proceedings and is operated by the controller. It was alleged that this had occurred without the consent of the data subjects. The Data Protection Authority subsequently initiated an ex officio review procedure pursuant to Article 58, paragraph 1, letter b, GDPR regarding the "F***" tab with its first letter dated December 20, 2023.

2. In a submission dated March 8, 2024, the legally represented controller of the website in question argued in summary that it had not obtained consent from the identifiable persons in the photo in question (page 5 under F*** G*** 2015). The controller predominantly practices the genre of street photography and pursues artistic purposes. However, consent to the production and distribution of the photos is generally not required because it would make the genre of street photography impossible. Consent under data protection law is unsuitable as a basis for artistic photography because such consent can be revoked by the data subject at any time.

In response to the data protection authority's question as to how compliance with the modalities for the data subjects' rights, in particular Article 15 GDPR (right to information), Article 17 GDPR (right to erasure), and Article 21 GDPR (right to object), is ensured in accordance with Articles 12 et seq. of the GDPR, the controller replied that, where possible, it will inform data subjects about their rights after the photo has been taken. In response to the data protection authority's question as to how compliance with the modalities for the data subjects' rights, in particular Article 15 GDPR (right to information), Article 17 GDPR (right to erasure), and Article 21 GDPR (right to object), is ensured in accordance with Articles 12 et seq. of the GDPR, the controller replied that, where possible, it will inform data subjects about their rights after the photo has been taken.

In response to the data protection authority's question regarding the legal basis, the controller relied on a case-specific assessment based on Section 9 (2) of the Data Protection Act (DSG). In response to the data protection authority's question regarding the legal basis, the controller relied on a case-by-case assessment based on Section 9, Paragraph 2, of the Data Protection Act (DSG).

3. By resolution of March 11, 2024, the data protection authority again requested the controller to disclose whether the data subjects (in particular the children's legal guardians) had been informed (subsequently) within the meaning of Articles 13 and 14 of the GDPR, (in particular) that the photos would be published on the website in question.

3. By resolution of March 11, 2024, the data protection authority again requested the controller to disclose whether the data subjects (in particular the children's legal guardians) had been informed (subsequently) within the meaning of Articles 13 and 14 of the GDPR, (in particular) that the photos would be published on the website in question.

4. In a submission dated March 25, 2024, the controller submitted that the persons he had previously photographed had been verbally informed, whenever the opportunity arose, about the possible distribution and nature of the possible distribution of the photographs he had taken in public spaces. The only occasional provision of information was due, on the one hand, to the exceptionally fleeting nature of the situation (passers-by coming and going) and, on the other hand, to the controller's activities in a foreign-speaking country. In the future, the controller would provide the persons he photographed or their presumed legal guardians with his business card with website information, thus granting them the opportunity to access the data protection information on his website.

B. Subject Matter

The subject matter of the proceedings is the question of whether the processing of personal data in the form of images on the website https://www.a***-photo.com under the link "F***" is lawful.

C. Findings of Fact

1. Dieter A***, as the controller, operates the website https://www.a***-photo.com, on which he publishes (the subject matter of these proceedings) photographs of individuals he photographed in public spaces under the name "F***" (https://www.a***-photo.com/****/f***/). This website is accessible to everyone.

The controller occasionally informed the individuals photographed and occasionally obtained (oral) consent. As of March 25, 2024, the controller did not hand over his business card with website information to the individuals photographed or their presumed legal guardians.

Evaluation of Evidence: The findings are based on the controller's submissions in the present proceedings and the official research conducted by the Data Protection Authority (https://www.a***-photo.com/****/f***/, last accessed February 11, 2025). The finding that the controller had not provided his business card with the website information by March 25, 2024, is particularly evident from the statement of March 25, 2024, in which he stated that he would provide his business card and website information "in the future," i.e., only in the future, and that he had only occasionally provided "oral" information (in the past).

2. Children: The website depicts children who were photographed by the controller before March 25, 2024.

2.a. P*** 2 2019: This photo also clearly reveals the (Jewish) religious affiliation of the two persons depicted, and in particular the child depicted, e.g., based on their hairstyle and kippah (Jewish head covering).

[Editor's note: The five digital photographs reproduced here and below cannot be meaningfully pseudonymized and have therefore been removed for reasons of data protection and copyright.]

2.b. P*** 2018

[Note: as previously stated]

2.c. F***portrait – U*** 2018 - K***

[Note: as previously stated]

2.d. P*** 2018

[Note: as previously stated]

2.e. F***portrait - U*** 2018- K***

[Note: as previously stated]

Evaluation of evidence: The findings made under C.2. are based on the submissions of the controller in the present proceedings and the official investigations of the data protection authority (https://www.a***-photo.com/****/f***/, last accessed February 11, 2025)

3. Children (see below): The controller did not obtain consent from the children or their legal guardians for the following photo, which depicts children. The photo was located on page 5 of the website in question under "F***" at least until March 11, 2024, and can now be found on page 8 of the website in question under "F***". (Excerpt, formatting not reproduced 1:1, marked by the data protection authority)

3.a. G*** 2015:

[Editor's note: The two digital photographs reproduced here cannot be meaningfully pseudonymized and have therefore been removed for reasons of data protection and copyright.]

Evaluation of evidence: The findings made under C.3. are based in particular on the Controller's submission of March 8, 2024, based on the Data Protection Authority's explicit question in its decision of December 20, 2023, as to whether it had obtained consent for the photo "G*** 2015," as well as the Data Protection Authority's official investigation (accessed on March 11, 2024, and last accessed on February 11, 2025).

4. The Controller has published the following photo on its website. The photo was originally located on page 3 of the website in question under "F***" until at least March 11, 2024, and is now on page 4. The person responsible for the photo was unable to provide consent for the photo in question and only "occasionally" informed about its publication on the website.

P*** 2017

[Editor's note: The two digital photographs reproduced here cannot be meaningfully pseudonymized and have therefore been removed for data protection and copyright reasons.]

Evaluation of evidence: The findings regarding C.4. are based on the submissions of the controller in the present proceedings and the ex officio research conducted by the data protection authority (https://www.a***-photo.com/****/f***/, last accessed on February 11, 2025).

5. The controller photographed and published these individuals eating in restaurants on its website.

[Editor's note: The digital photograph reproduced here cannot be meaningfully pseudonymized and has therefore been removed for data protection and copyright reasons.]

Evaluation of evidence: The findings are based on the submissions of the controller in the present proceedings and the ex officio research conducted by the data protection authority (https://www.a***-photo.com/****/f***/, last accessed on February 11, 2025).

D. From a legal perspective, this leads to the following:

1. On the relationship between data protection and artistic freedom

According to Article 8 (1) of the EU Charter of Fundamental Rights According to Article 8, paragraph 1 of the Charter of Fundamental Rights of the European Union (CFR) – or, at the constitutional level, according to Section 1 of the Data Protection Act – every person has the right to the protection of personal data concerning them.

According to Article 13 of the Charter of Fundamental Rights of the European Union – or, at the constitutional level, according to Article 17a of the Federal Constitutional Court Act – art and research are free. Academic freedom is respected.

According to Article 13 of the Charter of Fundamental Rights of the European Union – or, at the constitutional level, according to Article 17a of the Federal Constitutional Court Act – art and research are free. Academic freedom is respected.

In the data processing in question, the complainant invokes his right to artistic freedom, guaranteed by primary and constitutional law.

Pursuant to Article 85(1) GDPR, Member States shall, by law, reconcile the right to the protection of personal data under this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and for scientific, artistic or literary purposes.


Pursuant to Article 85(1) GDPR, Member States shall, by law, reconcile the right to the protection of personal data under this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and for scientific, artistic or literary purposes.

Article 85(2) GDPR stipulates that for processing carried out for journalistic purposes or for scientific, artistic or literary purposes, Member States shall provide for derogations or exceptions from Chapter II (Principles), Chapter III (Rights of the data subject), Chapter IV (Controller and processor), Chapter V (Transfer of personal data to third countries or to international organizations), Chapter VI (Independent supervisory authorities), Chapter VII (Cooperation and consistency) and Chapter IX (Rules applicable to specific processing situations) if this is necessary to reconcile the right to the protection of personal data with freedom of expression and information.Article 85(2) GDPR stipulates that for processing carried out for journalistic purposes or for scientific, artistic or literary purposes, Member States shall provide for derogations or exceptions from Chapter II (Principles), Chapter III (Rights of the data subject), Chapter IV (Controller and processor), Chapter V (Transfer of personal data to third countries or to international organizations), Chapter VI (Independent supervisory authorities), Chapter VII (Cooperation and consistency) and Chapter IX (Rules applicable to specific processing situations). Data to third countries or international organizations), Chapters VI (Independent Supervisory Authorities), VII (Cooperation and Consistency) and IX (Rules for Specific Processing Situations) where this is necessary to reconcile the right to the protection of personal data with freedom of expression and information.

Section 9 (2) of the DSG stipulates that, to the extent necessary to reconcile the right to protection of personal data with freedom of expression and freedom of information, Chapters II (Principles), with the exception of Article 5, Chapter III (Rights of the data subject), Chapter IV (Controller and processor), with the exception of Articles 28, 29 and 32, Chapter V (Transfer of personal data to third countries or to international organisations), Chapter VI (Independent supervisory authorities), Chapter VII (Cooperation and consistency) and Chapter IX (Provisions for special processing situations) of the GDPR shall not apply to processing carried out for scientific, artistic or literary purposes. Of the provisions of this federal law, Section 6 of the Data Protection Act (Data Secrecy) applies in such cases. Paragraph 9, Paragraph 2 of the Data Protection Act stipulates that, to the extent necessary to reconcile the right to the protection of personal data with freedom of expression and freedom of information, Chapters Roman II (Principles), with the exception of Article 5, Chapter Roman III (Rights of the Data Subject), Chapter Roman IV (Controller and Processor), with the exception of Articles 28, 29, and 32, Chapter Roman V (Transfer of Personal Data to Third Countries or to International Organizations), Chapter Roman VI (Independent Supervisory Authorities), Chapter Roman VII (Cooperation and Consistency), and Chapter Roman IX (Provisions for Special Processing Situations) of the GDPR do not apply to processing carried out for scientific, artistic, or literary purposes. Paragraph 6 of the Data Protection Act (Data Secrecy) applies in such cases.

In the explanatory notes to the Data Protection Adaptation Act 2018 (ErläutRV 1664, AB 1761, BlgNR 25), the legislator specified the following (emphasis added by the data protection authority):

"With regard to the applicability of data protection regulations to processing for such purposes, appropriate exceptions should be created within the framework of the provisions of Art. 85 GDPR. However, the provisions of the GDPR on the principles for the processing of personal data (Art. 5 GDPR), on the processor (Art. 28 and 29 GDPR), on the security of processing (Art. 32 GDPR), and generally on those chapters of the GDPR for which Art. 85 GDPR does not provide for exceptions, remain applicable. In terms of content, this is intended to largely The exceptions for such processing provided for in Section 48 of the Data Protection Act 2000 are to be retained. "With regard to the applicability of data protection regulations for processing for such purposes, appropriate exceptions are to be created within the framework of the provisions of Article 85 of the GDPR. However, the provisions of the GDPR on the principles for the processing of personal data (Article 5 of the GDPR), on the processor (Articles 28 and 29 of the GDPR), on the security of processing (Article 32 of the GDPR) and, in general, those chapters of the GDPR for which Article 85 of the GDPR does not provide for exceptions remain applicable. In terms of content, the exceptions for such processing provided for in Section 48 of the Data Protection Act 2000 are thus to be largely retained.

Of the provisions of this Federal Act, only Section 6 (data secrecy) shall apply; This does not affect the application of the constitutionally enshrined fundamental right to data protection pursuant to Section 1. "Of the provisions of this Federal Act, only Section 6 (data secrecy) shall apply; this does not affect the application of the constitutionally enshrined fundamental right to data protection pursuant to Section 1 of the Data Protection Act.

The materials therefore point out that the application of the constitutionally enshrined fundamental right to data protection pursuant to Section 1 of the Data Protection Act remains unaffected, and that, in the case of processing pursuant to Section 9 (2) of the Data Protection Act, in particular the principles for the processing of personal data, including the principle of data minimization pursuant to Article 5 (1) (c) GDPR, as well as the principle of lawfulness, fairness, and transparency pursuant to Article 5 (1) (a) GDPR, remain applicable. The materials therefore point out that the application of the constitutionally enshrined fundamental right to data protection pursuant to Section 1 of the Data Protection Act remains unaffected, and that, in the case of processing pursuant to Section 9 (2) of the Data Protection Act, in particular the principles for the processing of personal data, including the principle of data minimization pursuant to Article 5, paragraph 1, letter c, GDPR, as well as the principle of lawfulness, fairness, and transparency of Article 5, paragraph 1, letter a, GDPR, remain applicable.

The applicability of Article 5 GDPR in the areas covered by Section 9 (2) DSG means that the principles set out therein apply without restriction to processing for artistic purposes (see Rohner in Knyrim, DatKomm Art 85 GDPR, margin no. 47). The applicability of Article 5 GDPR in the areas covered by Section 9 (2) DSG means that the principles set out therein apply without restriction to processing for artistic purposes (see Rohner in Knyrim, DatKomm Article 85 GDPR, margin no. 47).

Since the GDPR recognizes exceptions in favor of artistic freedom in Article 85(2), and artistic freedom is further enshrined in primary law in Article 13 of the Charter of Fundamental Rights of the European Union, a balancing of interests is required in each individual case in order to reconcile the fundamental right to data protection under Article 8 of the Charter of Fundamental Rights of the European Union (or Section 1 of the Data Protection Act) with the fundamental right to artistic freedom. Since the GDPR recognizes exceptions in favor of artistic freedom in Article 85(2), and artistic freedom is further enshrined in primary law in Article 13 of the Charter of Fundamental Rights of the European Union, a balancing of interests is required in each individual case in order to reconcile the fundamental right to data protection under Article 8 of the Charter of Fundamental Rights of the European Union (or Section 1 of the Data Protection Act) with the fundamental right to artistic freedom.

2. On the admissibility of image processing

The taking (photographing) of the photographs in question, on the one hand, and the subsequent publication of the photographs in question, on the other hand, are indisputably regarded as processing within the meaning of Article 4(2) GDPR (see ECJ 14.02.2019, C-345/17, paras. 37 et seq.). The taking (photographing) of the photographs in question, on the one hand, and the subsequent publication of the photographs in question, on the other, are indisputably regarded as processing within the meaning of Article 4(2) GDPR (see ECJ 14.02.2019, C-345/17, paras. 37 et seq.).

Mr. Dieter A*** has declared himself as the controller of the website in question and the image processing in question, and based on his submissions, is also the person who has control over the purposes and means of the image processing in question within the meaning of Article 4(2). Art. 4(7) GDPR decides. Mr. Dieter A*** has declared himself as the controller for this website and the image processing in question and, based on his statement, is also the person who decides on the purposes and means of this image processing within the meaning of Article 4(7) GDPR.

According to Art. 5(1)(a) GDPR, which is expressly declared applicable pursuant to Section 9(2) DSG, all data processing must be lawful, fair, and transparent for the data subject (principle of lawfulness, fair and trustworthy processing, and transparency). According to Article 5(1)(a) GDPR, which is expressly declared applicable pursuant to Section 9(2) DSG, all data processing must be lawful, fair and trustworthy, and transparent for the data subject (principle of lawfulness, fair and trustworthy processing, and transparency).

Accordingly, any data processing must be based on a legal basis, whereby in this case, Article 13 of the Charter of Fundamental Rights of the European Union in conjunction with Article 85 (2) of the GDPR in conjunction with Section 9 (2) of the Data Protection Act (DSG) comes into consideration. Accordingly, any data processing must be based on a legal basis, whereby in this case, Article 13 of the Charter of Fundamental Rights of the European Union in conjunction with Article 85 (2) of the GDPR in conjunction with Section 9 (2) of the Data Protection Act comes into consideration.

3. On the balancing of interests in general

Pictures or photographs of a living, identifiable natural person are also personal data (cf. Supreme Court of November 27, 2019, 6 Ob 150/19 f). Pictorial or photographic images of a living, identifiable natural person are also personal data (see Supreme Court of Justice, November 27, 2019, 6 Ob 150/19 f).

Because the faces of the data subjects are clearly visible in the photos, the data subjects are identifiable and thus constitute personal data within the meaning of Article 4(1) GDPR.

According to the case law of the Supreme Court of Justice, which can be used as a guideline in the present case, the right to one's own image represents a special manifestation of the general right of personality. Therefore, the mere creation of a portrait without the consent of the person depicted can constitute an impermissible interference with their general right of personality. The general personality rights of the person concerned are not only violated when images of a person are taken in their private sphere for the purpose of making them accessible to the public. Rather, the creation of images of a person in publicly accessible areas and without the intention of dissemination can also constitute an impermissible infringement of the personality rights of the person concerned. The mere photographic recording of a specific activity or situation that this entails can be perceived as unpleasant by the person depicted and prevent them from freely developing their personality. This is particularly true given the possibilities for distribution and manipulation offered by modern (digital) technology, as the person photographed can never know in advance how the photographer will subsequently use the image (OGH 27.02.2013, 6 Ob 256/12h with further references).

Image processing by private individuals in public spaces is only possible under certain conditions (see Administrative Court Decision 19.440 A/2016 on the legal situation under the DSG 2000, whereby the statements in paragraph 25 of this decision also apply to the legal situation under the GDPR and the DSG). Image processing by private individuals in public spaces is only possible under certain conditions (see Administrative Court Decision 19.440 A/2016 on the legal situation under the DSG 2000, whereby the statements in paragraph 25 of this decision also apply to the legal situation under the GDPR and the DSG).

In the conflict between artistic freedom and general personality rights in street photography, artistic freedom must, in exceptional cases, give way to general personality rights if the personality rights of the person concerned are seriously impaired (cf. German Federal Constitutional Court, June 13, 2007, 1 BvR 1783/05).

In the conflict between artistic freedom and general personality rights in street photography, artistic freedom must, in exceptional cases, give way to general personality rights if the personality rights of the person concerned are seriously impaired (cf. German Federal Constitutional Court, June 13, 2007, 1 BvR 1783/05).

Applied to the present case, this results in the following:

4. Balancing of interests in the present case

4.a. Regarding the children

When balancing interests in this case, it must be taken into account that some of the photos also depict (underage) minors, and that children, as vulnerable data subjects, are particularly deserving of protection (see Recital 38 GDPR).

The age of the children in the photos in question (see, for example, photos C.2. and C.3. of the findings of fact) cannot be determined. However, based on the photos, it can be assumed that they are children under 14 or 16 years of age.

Even if the term "child" is not defined in the legal definitions of Art. 4 GDPR, it follows directly from Art. 8 (1) GDPR that it refers to a person between the ages of thirteen and sixteen. The GDPR assumes an age limit of sixteen years, but Member States have the option of providing for a lower age limit of up to the age of thirteen due to an optional opening clause. The Austrian legislature has made use of this option and set the age limit at the age of 14 in Section 4 (4) of the Data Protection Act. This corresponds to the distinction between mature and minors as stipulated in Section 21 in conjunction with Section 170 (1) of the Austrian Civil Code (ABGB). Even if the term “child” is not defined in the legal definitions of Article 4 of the GDPR, it is clear from Article 8 (1) of the GDPR that it refers to a person up to the age of 13. The GDPR assumes an age limit of 16, but member states have the option of providing for a lower age limit of up to the age of 13 due to an optional opening clause. The Austrian legislature has made use of this option and set the age limit at the age of 14 in Section 4 (4) of the Data Protection Act. This corresponds to the distinction between adult and incompetent minors as stipulated in paragraph 21, in conjunction with paragraph 170, paragraph one, of the Austrian Civil Code (ABGB).

"Another important element of the fair processing principle is related to the balance of power, as the fair processing principle, pursuant to Article 5(1)(a) GDPR, underpins the entire data protection framework and aims to eliminate power asymmetries between controllers and data subjects in order to counteract the negative effects of such asymmetries and ensure the effective exercise of data subjects' rights. "Another important element of the fair processing principle is related to the balance of power, as the fair processing principle, pursuant to Article 5(1)(a) GDPR, underpins the entire data protection framework and aims to eliminate power asymmetries between controllers and data subjects in order to counteract the negative effects of such asymmetries and ensure the effective exercise of data subjects' rights.

Children deserve special protection with regard to their personal data, as they may be less aware of the risks, consequences, safeguards, and their rights related to data processing.

Recital 75 of the GDPR explicitly lists the processing of personal data, in particular of children, as a situation in which a risk to fundamental rights and freedoms may result from the processing, with varying degrees of likelihood and severity, which could lead to physical, material, or non-material harm.

In this sense, children can be considered particularly "vulnerable" data subjects, as they can be assumed to be unable to knowingly and deliberately object to or consent to the processing of their personal data (cf. EDPB, Binding Decision 2/2023 on the dispute submitted by the Irish SA regarding TikTok Technology Limited (Article 65 GDPR), August 2, 2023, para. 107).

4.b. Regarding C.4. of the statements of facts, photo of a female cleavage or breast area, "P*** 2017"

As stated, the photo in question was taken from above in such a way that a large part of the cleavage or part of the breasts of the first woman concerned, as well as the top of her bra, is visible. A large part of the second woman's cleavage/breasts is also visible.

Even if this is not a "nude photograph" (see Supreme Court of September 17, 1996, 4 Ob 2249/96f), there is nevertheless a significant infringement of the data protection rights of the persons concerned (image of themselves), as they are shown in a position that approximates exposure.

In addition, the legislature has made a provision that criminalizes the taking of unwanted images of female body parts – provided the relevant conditions are met (Section 120a, Paragraph 1, of the Criminal Code). Furthermore, the legislature has made a provision that criminalizes the taking of unwanted images of female body parts – provided the relevant conditions are met (Section 120a, Paragraph 1, of the Criminal Code).

Although the subject matter does not concern the entire female breast or nude photos, it can be inferred from the explanations to Section 120a of the German Criminal Code (StGB) that it is important to the legislature to legally protect women from unwanted (photo) recordings that include only parts of the breast and the top of their bra ("covering underwear").

Thus, such photos are also subject to a higher degree of protection and therefore a greater interest of those affected that their image is not processed and, in particular, not published without their consent.

4.c. On Art. 9 GDPR (religious beliefs)4.c. Regarding Article 9 GDPR (religious beliefs)

As stated under C.2.a, the photo clearly reveals the religious beliefs of the two people depicted (Jewish faith based on their appearance).

According to Article 9 (1) GDPR – which, although not applicable in this case pursuant to Section 9 (2) of the Data Protection Act (DSG), can be used as a guideline for balancing interests – the processing of personal data that, among other things, reveals religious or ideological beliefs is prohibited.According to Article 9 (1) GDPR – which, although not applicable in this case pursuant to Section 9 (2) of the Data Protection Act (DSG), can be used as a guideline for balancing interests – the processing of personal data that, among other things, reveals religious or ideological beliefs is prohibited.

In its judgment of August 1, 2022, Case C-184/20, the ECJ ruled that the scope of Article 9(1) GDPR (processing of special categories of personal data) must be interpreted broadly. Accordingly, the provision is already applicable if these data categories can only be indirectly derived from the information. In its judgment of August 1, 2022, Case C-184/20, the ECJ ruled that the scope of Article 9(1) GDPR (processing of special categories of personal data) must be interpreted broadly. Accordingly, the provision is already applicable if these data categories can only be indirectly derived from the information.

Thus, these photos are also subject to a higher degree of protection and therefore a greater interest of the data subjects in ensuring that their image is not processed and, in particular, not published without their consent, especially since members of the Jewish faith in particular may be exposed to increased threats.

4.d. Regarding the image referred to in point C.5

The subject matter of the proceedings (as described in point C.5 of the description of the facts) was captured while eating in a situation of "letting oneself go, outside of their professional and daily duties."

The EDPB considers that data subjects can assume that they will not be monitored in publicly accessible areas, especially if these areas are typically used for recreation, relaxation, and leisure activities, as well as in places where people congregate and/or communicate, such as seating areas, tables in restaurants, parks, cinemas, and fitness facilities. In these cases, the interests or rights and freedoms of the data subject often outweigh the legitimate interests of the controller (see EDPB, Guidelines 3/2019 on the processing of personal data by video devices, para. 38). The EDPB considers that data subjects can assume that they will not be monitored in publicly accessible areas, especially if these areas are typically used for recreation, relaxation, and leisure activities, as well as in places where people gather and/or communicate, such as seating areas, tables in restaurants, parks, cinemas, and fitness facilities. In these cases, the interests or rights and freedoms of the data subject often outweigh the legitimate interests of the controller (see EDPB, Guidelines 3/2019 on the processing of personal data by video devices, para. 38).

Therefore, this photo is also subject to a higher degree of protection and therefore a greater interest of the data subject in ensuring that their image is not processed and, in particular, not published without their consent.

5. Conclusion

Overall, the interests of the data subjects outweigh the legitimate interests of the controller's artistic freedom, particularly with regard to:

● of children,

● the depiction of female body parts in an exposed manner,

● religious beliefs, and

● taking photographs during meals.

As explained with reference to the case law of the Supreme Court, the mere creation of a portrait without the subject's consent can constitute an impermissible interference with their general personality rights.

The Data Protection Authority does not fail to recognize that obtaining consent before taking the photograph would largely make the art form of street photography impossible, because it is primarily based on spontaneity and on the fact that the people depicted are photographed unnoticed.

Nevertheless, it would have been reasonable for the controller to obtain consent at least retrospectively, especially in these cases, which would undoubtedly have strengthened the legal basis for data processing based on artistic freedom.

However, if the processing step of creating the image is already unlawful, this must apply even more to the subsequent publication of the images, which constitutes a separate processing step.

Therefore, the controller was instructed within the meaning of Article 58 (2) (g) GDPR to delete the aforementioned photos within a period of two weeks.

The deadline is reasonable and proportionate.
Retrieved from "https://gdprhub.eu/index.php?title=DSB_(Austria)_-_DSB-D213.2544&oldid=46823"
Creative Commons Attribution-NonCommercial-ShareAlike
Powered by MediaWiki