Editing DSB (Austria) - 2020-0.759.615

From GDPRhub

Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.

Latest revision Your text
Line 19: Line 19:
 
|Date_Started=07.01.2020
 
|Date_Started=07.01.2020
 
|Date_Decided=23.11.2020
 
|Date_Decided=23.11.2020
|Date_Published=11.04.2022
+
|Date_Published=
 
|Year=2020
 
|Year=2020
 
|Fine=None
 
|Fine=None
Line 56: Line 56:
  
 
=== Facts ===
 
=== Facts ===
The controller runs the ski lift service in a ski resort (name is not known). When a day ticket or multi-day ticker holder passes through the access controls the first time, the controller takes a first photo of the user. After that, each time the user passes an access point, another photo is taken and compared with the first one by an authorised employee to check whether the ticket holder transferred their ticket to a third person, which is prohibited according to the terms and conditions of the service. The first photo is deleted after the ticket is expired while the other(s) after 30 minutes the user has passed a certain control point. The data subject used the controller's service from 27 to 29 December 2019. On 7 January 2020, he lodged a complaint with the Austrian DPA (Datenschutzbehörde - DSB) alleging that the controller's conduct was unlawful since no consent had ever been provided by the user. The controller counterargued that it did not rely on consent but rather on its legitimate interest to check whether a customer violates the terms and conditions by transferring the ticket to a third person.  
+
The controller owns and runs the ski lifts in a ski resort (name is not known). It sells hourly tickets, day tickets and multi-day tickets. When a day ticket or multi-day ticker holder passes through the access controls the first time, the controller takes a reference photo of the ticket holder. After that, each time the ticket holder passes an access control, another photo is taken, which is compared with the reference photo by an authorised employee to check whether the ticket holder transferred their ticket to a third person, which is prohibited according to the terms and conditions of the controller. The reference photo is deleted after the expiry of the ticket. The pictures which are compared to the reference picture are deleted 30 minutes after the ticket holder passed the access control.  
 +
 
 +
The data subject used the controller's lifts from 27 December to 29 December 2019 with day tickets. On 7 January 2020, he lodged a complaint with the Austrian DPA (Datenschutzbehörde - DSB) alleging that the controller's conduct was unlawful, since the services of the controller could not have been used without consenting to the processing. The controller, on the other hand, argued that it does not rely on consent but has a legitimate interest to check whether a customer violates the terms and conditions by transferring the ticket to a third person.
 
=== Holding ===
 
=== Holding ===
The DSB rejected the complaint because the controller's conduct was justified under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. It reasoned that the controller's interest to check whether the data subject violated the terms and conditions was legitimate and that it was not overridden by the data subject's interest to data protection. By referring to sentence 3 of Recital 51 GDPR, the DSB found that the pictures taken from the data subject did not constitute biometric data according to [[Article 9 GDPR#1|Article 9(1) GDPR]] because they did not result from "specific technical processing", as required by [[Article 4 GDPR#14|Article 4(14) GDPR]], but are rather used to manually check the identity of the customer. It then held that the measures taken by the controller are not unusual nowadays and, therefore, the data subject could have reasonably expected them (first sentence of Recital 47 GDPR).
+
The DSB rejected the complaint because the controller's conduct was justified under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. It reasoned that the controller's interest to check whether the data subject violated the terms and conditions was legitimate and that it was not overridden by the data subject's interest to privacy. By referring to sentence 3 of Recital 51 GDPR, the DSB found that the pictures taken from the data subject did not constitute biometric data according to [[Article 9 GDPR#1|Article 9(1) GDPR]] because they did not result from "specific technical processing", as required by [[Article 4 GDPR#14|Article 4(14) GDPR]], but are rather used to manually check the identity of the customer. It then held that the measures taken by the controller are not unusual nowadays and, therefore, the data subject could have reasonably expected them (first sentence of Recital 47 GDPR).
  
 
== Comment ==
 
== Comment ==

Please note that all contributions to GDPRhub are considered to be released under the Creative Commons Attribution-NonCommercial-ShareAlike (see GDPRhub:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To edit this page, please answer the question that appears below (more info):

Cancel Editing help (opens in new window)

Template used on this page: