DSB (Austria) - 2020-0.759.615
|DSB (Austria) - 2020-0.759.615|
|Relevant Law:||Article 6(1)(f) GDPR|
Article 9(1) GDPR
|National Case Number/Name:||2020-0.759.615|
|European Case Law Identifier:||ECLI:AT:DSB:2020:2020.0.759.615|
|Original Source:||Rechtsinformationssystem des Bundes (RIS) (in DE)|
|Initial Contributor:||Heiko Hanusch|
The Austrian DPA held that a ski lift operator is allowed to take pictures of its customers each time they are passing access controls to manually check whether customers illegitimately transfer their tickets to third persons.
English Summary[edit | edit source]
Facts[edit | edit source]
The controller runs the ski lift service in a ski resort (name is not known). When a day ticket or multi-day ticker holder passes through the access controls the first time, the controller takes a first photo of the user. After that, each time the user passes an access point, another photo is taken and compared with the first one by an authorised employee to check whether the ticket holder transferred their ticket to a third person, which is prohibited according to the terms and conditions of the service. The first photo is deleted after the ticket is expired while the other(s) after 30 minutes the user has passed a certain control point. The data subject used the controller's service from 27 to 29 December 2019. On 7 January 2020, he lodged a complaint with the Austrian DPA (Datenschutzbehörde - DSB) alleging that the controller's conduct was unlawful since no consent had ever been provided by the user. The controller counterargued that it did not rely on consent but rather on its legitimate interest to check whether a customer violates the terms and conditions by transferring the ticket to a third person.
Holding[edit | edit source]
The DSB rejected the complaint because the controller's conduct was justified under Article 6(1)(f) GDPR. It reasoned that the controller's interest to check whether the data subject violated the terms and conditions was legitimate and that it was not overridden by the data subject's interest to data protection. By referring to sentence 3 of Recital 51 GDPR, the DSB found that the pictures taken from the data subject did not constitute biometric data according to Article 9(1) GDPR because they did not result from "specific technical processing", as required by Article 4(14) GDPR, but are rather used to manually check the identity of the customer. It then held that the measures taken by the controller are not unusual nowadays and, therefore, the data subject could have reasonably expected them (first sentence of Recital 47 GDPR).
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the German original. Please refer to the German original for more details.
GZ: 2020-0.759.615 from November 23, 2020 (case number: DSB-D124.1978) [Note editor: Names and companies, legal forms and product names, Addresses (incl. URLs, IP and email addresses), file numbers (and the like), etc., as well as their initials and abbreviations may be abbreviated for reasons of pseudonymization and/or changed. Obvious spelling, grammar and punctuation errors have been corrected.] NOTICE S P R U C H Data Protection Authority decides on Robert A***'s privacy complaint (complainant) of January 7, 2020 against N*** Lift GmbH (respondent), represented by the lawyers Dr. Rudolph L*** & Dr. Sebastian L***, due to injury in Right to confidentiality as follows: - The complaint is dismissed as unsubstantiated. Legal basis: Sections 1 (1), 18 (1) and 24 (1) and (5) of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended; Art. 4 nos. 1 and 2, Art. 5 para. 1 lit. c, Article 6 paragraph 1, Article 51 paragraph 1, Article 57 paragraph 1 letter f and Article 77 paragraph 1 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), OJ No. L 119 of 4.5.2016 p. 1. REASON A. Submissions of the parties and course of the proceedings 1. With a procedural submission dated January 7, 2020, the complainant submitted that the Respondent is the sole operator of the lift system on the Z***berg. find there In addition to checking the validity of the lift ticket for access control, a photo is also taken and a comparison of this photo with a previously stored reference photo takes place. Without A lift ticket cannot be purchased with this automatic photo comparison, as is the Consent to take photos linked to the use of the lift ticket. Don't agree on, the lift system cannot be used. About this automated photo processing no further information could be found. The complainant means that here an opt-in Procedure analogous to e-mail addresses would have to be applied. Of the Complainant used this lift from December 27, 2019 to December 29, 2019. December 2019 used. As attachments, the complainant sent various photos, screenshots and e-mail traffic.,2. With a statement dated March 6, 2020, the Respondent, represented by counsel, led that it is correct that, for the purpose of access control, a reference photo of the Lift ticket holder when first stepping through the equipped with a camera Turnstile at the valley station of the Z***bergbahn I and at the valley station of the *** gondola will be made. In the general tariff regulations, which are in the checkout area were posted and on the homepage it was pointed out that a photographic capture, storage and processing for control purposes to avoid of improper use of the card. These dates will expire at the end of each year the period of validity of a ski pass is deleted. This access control is permissible, especially since it is only at special entry points, namely the already described turnstiles, successes. There is at the valley station of the Z***bergbahn I Furthermore, two access areas, one north-west and one east, whereby the Reference photo only when passing through the north-west access system. be this announced by appropriate stickers and information signs. It suits every ski guest free to traverse one of the two areas. At the mountain station, the skier In addition to the *** gondola, ten other lifts are available as an alternative, with neither one Reference- another control photo to be taken. Furthermore, there is the possibility to purchase hourly tickets for which no reference photo is taken. Sohin be the Use of the lift system not linked to the respective consent. The image files would be encrypted automatically. The inspector who makes the comparison To do this, you have to log into the system with a password. Sohin succeeds Control not automated, but based solely on the personal Perception of the authorized employee on the screen. A control photo will deleted within 30 minutes after passing through the turnstile. As a result, access control with image comparison protects those who are authorized Respondent's interests in delaying misuse of the Lift tickets, which is why there are no violations of the GDPR or the DSG. 3. With a statement dated April 15, 2020, the complainant - if relevant to the procedure - from the fact that in the best case it would require twice the financial effort, to cover a day's skiing with hourly tickets, which is why the complainant did not recognize proportionality. It can also be expected from the classic skier that this spend at least one day on the slopes. The references given are only at or shortly before passing through the relevant turnstile. Because of the big Andrangs it is then no longer possible to decide otherwise and is not one of them It can be assumed that no photo capture will take place at other turnstiles. Be on the trail map not shown at which points a photo was taken. The use of the ski area is also possible without the *** gondola lift as the central connection point of the ski area impractical. The complainant denied that the access controls with Image comparison supported the predominantly legitimate interests of the respondent, this may be given for multi-day tickets. Based on an email from an employee Furthermore, it was to be assumed that use without a photo ID would not be possible would have been. B. Subject of Complaint Based on the submissions of the complainant, the object of the complaint is whether the Respondent informed the complainant by processing his image data for the Purpose of access control to cable car and ski lift systems in the period from 27. to December 29, 2019 violated his basic right to secrecy according to § 1 paragraph 1 DSG Has. C. Findings of Facts 1. The Respondent operates a cable car and ski lift company in *3 St. U*** am Z***berg. There it becomes more abusive for the purpose of access control or delaying Use of ski passes (unauthorized transfer of ski pass) a reference photo of a every lift ticket holder when crossing the turnstile for the first time north-western access to the valley station of the Z***bergbahn I and at the valley station of the *** Gondola made and subsequently a control photo. ski passes are according to point. * of the Respondent's general tariff provisions transferable. The image capture is through appropriate stickers as well as information signs respectively marked. The position of the turnstiles with image control is as follows: [Editor's note: the graphic file (piste map) was removed because it was not in the RIS can be represented.] Evidence assessment: The findings made are based on the credibly presented Respondent's statements. The General Tariff Conditions Respondent and the piste map including the marked turnstiles submitted by the respondent. That stickers as well as information signs in front of Appropriate image capturing is installed at the turnstiles Complainant confirms, even if he complains, that after viewing this Due to the large crowds, it was not possible to turn back. 2. The complainant has for the period from December 27 to 29, 2019 Purchased ski day tickets from the Respondent for the Z***berg and the facilities of Respondent used. On the respective day ticket - in accordance with the tariff provisions of the Respondent - there is a note that the ski pass is not is transferrable. Furthermore, there is a reference on the ski pass that the Tariff regulations as posted apply. This information is shown as follows (excerpts) on the ski pass: [Editor's note: the graphic file (photograph of the ski pass) was removed because it cannot be represented in the RIS.] As described above, a reference photo was taken for the purpose of access control as well as subsequently control photos of the complainant to the appropriate turnstiles made. The reference and control photos were compared using a Control person who had to log in to a password-protected system. The reference photo was used until the ski pass expired saved. The respective control photo was taken within 30 minutes after walking through of the turnstile deleted. Assessment of evidence: The findings that the complainant is the subject has used the facility and that the ski passes are not transferable are based on the undisputed information provided by the complainant and the submitted photos of the ski passes from December 27th and 28th, 2019 and the ski pass number from December 29th 2019. The findings made on the handling of the control and reference photos based on the credibly presented statements of the Respondent. D. In legal terms it follows that: 1. § 1 para. 1 DSG stipulates that everyone, in particular with regard to respect of his private and family life, right to secrecy of those concerning him personal data, insofar as there is a legitimate interest in it. The affected data of the complainant (photographs) are undisputed personal data. However, the fundamental right to data protection is not absolute, but may be permissible interventions are restricted. According to § 1 para. 2 DSG, a restriction of the right to secrecy in vital interest of the person concerned or with his consent, otherwise only to protect overriding legitimate interests of another, namely at Interventions by a state authority only on the basis of laws resulting from the provisions of Art. 8 Para. 2 ECHR reasons are necessary.,The GDPR and in particular the principles enshrined therein are also Interpretation of the right to secrecy must be taken into account in any case (cf. the Notice of July 4, 2019, GZ: DSB-D123.652/0001-DSB/2019). 2. The complainant sometimes justified his complaint with the fact that he had no free would have had a choice and to use the appendices of the Respondent in the had to consent to data processing. He also explained that, as with e-mail Registrations, an “opt-in procedure” is used. That's what he's pointing to Complainant states that consent to data processing within the meaning of Article 6 Paragraph 1 lit DSGVO has not occurred voluntarily or can never occur voluntarily, since the Use of the facilities is linked to the consent. According to recital 42 of DSGVO should only then be assumed that consent is voluntary considered if the data subject has a genuine and free choice and is able to refuse consent without suffering any detriment. On this subject has the OGH with a decision of August 31, 2018, according to which the coupling of the consent to the processing of non-contractual personal data the conclusion of a contract, the consent is generally not voluntary, unless in individual cases special circumstances speak for their voluntariness (cf. OGH 31.8.2018, 6 Ob 140/18h, RS0132251). However, these considerations can be left aside, especially since the Respondent The data processing in question expressly does not rely on the consent of the supports those affected. 3. The Respondent submits that the data on the basis of their predominant to process legitimate interests, which is why the existence of this intervention iSd Art. 6 Para. 1 lit. f GDPR must be checked. Sohin has an assessment of the legitimate To take place in the interests of the complainant and if these are in line with the legitimate interests of the confront the respondent and third parties. As part of this Balancing interests, it must be taken into account that there are two cumulative requirements must be, so that the Respondent can rely on this legal basis can: On the one hand, the processing must be carried out to protect the legitimate interests of the Controller or a third party may be required, on the other hand, fundamental rights and Fundamental freedoms of the data subject, which require the protection of personal data, do not predominate (cf. on Art. 7 lit. f of Directive 95/46/EC the judgment of the ECJ of 24 November 2011, C-468/10 and C-469/10 [ASNEF and FECEMD] para. 38) (cf. the Notice of the DSB from 4.7.2019, GZ: DSB-D123.652/0001-DSB/2019, RIS, license plate recognition).,4. In this context it should be noted that the present Data processing system essentially the same as those under the designation "PHOTOCOMPARE - access control in connection with the use of personal (image) data of ski lift card users” by the Data Protection Authority until the end of May 25, 2018 in Data processing register in accordance with §§ 17 ff in conjunction with §§ 8 Para. 1 Z 4 (mainly authorized interests), 8 Para. 3 Z 4 (performance of contract), 6 Para. 1 Z 5 and § 24 DSG 2000 registered became. In the course of these registrations, the existence of overriding legitimate interests of those responsible affirmed, which is why the complainant's complaint is already settled for this reason proves to be unfounded. 5. The details are as follows: On the one hand, the complainant has a legitimate interest in keeping his information secret to concede data, specifically his photograph. If the complainant submits that sensitive personal data are affected by the image recording is dem to counter that the processing of photographs only has a special category of personal data if this differs from the definition of the term "biometric data" is collected; in other words, if those with special technical Means are processed that uniquely identify or authenticate a natural person (DSGVO recital 51, see also Guidelines 3/2019 on processing of personal data through video devices of the European Data Protection Committee, version 2.0, page 17 para. 62). A simple digital photo that like stored here for visual comparison purposes only and displayed on a screen without being subjected to "special technical processes" therefore does not meet any Fact of the processing of special data categories according to Art. 9 Para. 1 DSGVO. On the other hand, the Respondent has a legitimate interest in it recognize that their contractual partners behave in accordance with the contract and are therefore in their own interest that compliance with the tariff conditions is monitored by controls in order to unauthorized transfer of the ski pass, which - as stated - is expressly prohibited will to hold out. This not least, especially since day passes or multi-day passes - like the Complainant recognizes - are more cost-effective than hourly tickets. Is to It should be noted that with hourly tickets there is a risk of unauthorized disclosure is to be regarded as more negligible due to the shorter period of validity than with (multiple) day tickets. Accordingly, the complainant's argument that no Proportionality is given, especially since almost twice the financial effort is required be, to cover a day's skiing with hourly tickets, into emptiness. That from the The system implemented by the Respondent is quite suitable to ensure effective access control and therefore to fulfill its purpose. Due to the established facts that the acquisition of reference or control images only two important hubs of the system takes place as well as the storage period only in this way long as necessary, the measures taken turn out to be not overly intrusive. Furthermore, the control is carried out exclusively by authorized persons Employees, which is why the respective photographs do not have a significant group of recipients get. It must also be taken into account that according to recital 47 first sentence GDPR reasonable expectations of a data subject regarding the use of their data is to be considered as an important factor when weighing up interests (cf. Heberlein in Ehmann/Selmayr, General Data Protection Regulation Commentary  Art. 6 para. 28). It should be noted that access control systems, such as those used by the Respondent starts, at least – like the numerous registrations mentioned above in the former data processing register - are now not uncommon (cf. the Considerations of the data protection authority in the decision of July 4th, 2019 already cited, GZ: DSB- D123.652/0001-DSB/2019, number plate recognition). In addition, the complainant had Knowledge of access control and expected in advance. This can sometimes be the result infer that the complainant had already sent an email dated December 24, 2019 - hence before using the Respondent's facilities - inquired whether the acquisition of a ski pass without image capture is possible. If the complainant submits that The answer given by the Respondent's employee was incorrect, since it was obviously possible insisted on purchasing hourly tickets for which no photographs were taken to counter that this was not part of the complainant's request. Apparently he had only asked about ski passes and not about hourly tickets. 6. Based on the above, the Data Protection Authority concludes that here the legitimate interests of the respondent are those of the complainant predominate, which is why the Respondent is right to rely on its legitimate Interests as the basis for the lawfulness of the processing in accordance with Art. 6 Para. 1 lit. f GDPR. The Respondent therefore does not have the Appellant in its violated the right to secrecy. It had to be decided accordingly.