DSB (Austria) - 2020-0.759.615: Difference between revisions

From GDPRhub
No edit summary
No edit summary
 
(3 intermediate revisions by 3 users not shown)
Line 19: Line 19:
|Date_Started=07.01.2020
|Date_Started=07.01.2020
|Date_Decided=23.11.2020
|Date_Decided=23.11.2020
|Date_Published=
|Date_Published=11.04.2022
|Year=2020
|Year=2020
|Fine=None
|Fine=None
Line 51: Line 51:
}}
}}


The Austrian DPA held that a ski lift operator is allowed to take pictures of its customers each time they are passing access controls to manually check whether a customer illegitimately transferred their ticket to a third person.
The Austrian DPA held that a ski lift operator is allowed to take pictures of its customers each time they are passing access controls to manually check whether customers illegitimately transfer their tickets to third persons.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The controller owns and runs the ski lifts in a ski resort (name is not known). It sells hourly tickets, day tickets and multi-day tickets. When a day ticket or multi-day ticker holder passes through the access controls the first time, the controller takes a reference photo of the ticket holder. After that, each time the ticket holder passes an access control, another photo is taken, which is compared with the reference photo by an authorised employee to check whether the ticket holder transferred their ticket to a third person, which is prohibited according to the terms and conditions of the controller. The reference photo is deleted after the expiry of the ticket. The pictures which are compared to the reference picture are deleted 30 minutes after the ticket holder passed the access control.  
The controller runs the ski lift service in a ski resort (name is not known). When a day ticket or multi-day ticker holder passes through the access controls the first time, the controller takes a first photo of the user. After that, each time the user passes an access point, another photo is taken and compared with the first one by an authorised employee to check whether the ticket holder transferred their ticket to a third person, which is prohibited according to the terms and conditions of the service. The first photo is deleted after the ticket is expired while the other(s) after 30 minutes the user has passed a certain control point. The data subject used the controller's service from 27 to 29 December 2019. On 7 January 2020, he lodged a complaint with the Austrian DPA (Datenschutzbehörde - DSB) alleging that the controller's conduct was unlawful since no consent had ever been provided by the user. The controller counterargued that it did not rely on consent but rather on its legitimate interest to check whether a customer violates the terms and conditions by transferring the ticket to a third person.  
 
The data subject used the controller's lifts from 27 December to 29 December 2019 with day tickets. On 7 January 2020, he lodged a complaint with the Austrian DPA (Datenschutzbehörde - DSB) alleging that the controller's conduct was unlawful, since the services of the controller could not have been used without consenting to the processing. The controller, on the other hand, argued that it does not rely on consent but has a legitimate interest to check whether a customer violates the terms and conditions by transferring the ticket to a third person.
=== Holding ===
=== Holding ===
The DSB rejected the complaint because the controller's conduct was justified under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. It reasoned that the controller's interest to check whether the data subject violated the terms and conditions was legitimate and that it was not overridden by the data subject's interest to privacy. By referring to sentence 3 of Recital 51 GDPR, the DSB found that the pictures taken from the data subject did not constitute biometric data according to [[Article 9 GDPR#1|Article 9(1) GDPR]] because they did not result from "specific technical processing", as required by [[Article 4 GDPR#14|Article 4(14) GDPR]], but are rather used to manually check the identity of the customer. It then held that the measures taken by the controller are not unusual nowadays and, therefore, the data subject could have reasonably expected them (first sentence of Recital 47 GDPR).
The DSB rejected the complaint because the controller's conduct was justified under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. It reasoned that the controller's interest to check whether the data subject violated the terms and conditions was legitimate and that it was not overridden by the data subject's interest to data protection. By referring to sentence 3 of Recital 51 GDPR, the DSB found that the pictures taken from the data subject did not constitute biometric data according to [[Article 9 GDPR#1|Article 9(1) GDPR]] because they did not result from "specific technical processing", as required by [[Article 4 GDPR#14|Article 4(14) GDPR]], but are rather used to manually check the identity of the customer. It then held that the measures taken by the controller are not unusual nowadays and, therefore, the data subject could have reasonably expected them (first sentence of Recital 47 GDPR).


== Comment ==
== Comment ==

Latest revision as of 15:52, 20 April 2022

DSB (Austria) - 2020-0.759.615
LogoAT.png
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 6(1)(f) GDPR
Article 9(1) GDPR
Type: Complaint
Outcome: Rejected
Started: 07.01.2020
Decided: 23.11.2020
Published: 11.04.2022
Fine: None
Parties: n/a
National Case Number/Name: 2020-0.759.615
European Case Law Identifier: ECLI:AT:DSB:2020:2020.0.759.615
Appeal: n/a
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (RIS) (in DE)
Initial Contributor: Heiko Hanusch

The Austrian DPA held that a ski lift operator is allowed to take pictures of its customers each time they are passing access controls to manually check whether customers illegitimately transfer their tickets to third persons.

English Summary

Facts

The controller runs the ski lift service in a ski resort (name is not known). When a day ticket or multi-day ticker holder passes through the access controls the first time, the controller takes a first photo of the user. After that, each time the user passes an access point, another photo is taken and compared with the first one by an authorised employee to check whether the ticket holder transferred their ticket to a third person, which is prohibited according to the terms and conditions of the service. The first photo is deleted after the ticket is expired while the other(s) after 30 minutes the user has passed a certain control point. The data subject used the controller's service from 27 to 29 December 2019. On 7 January 2020, he lodged a complaint with the Austrian DPA (Datenschutzbehörde - DSB) alleging that the controller's conduct was unlawful since no consent had ever been provided by the user. The controller counterargued that it did not rely on consent but rather on its legitimate interest to check whether a customer violates the terms and conditions by transferring the ticket to a third person.

Holding

The DSB rejected the complaint because the controller's conduct was justified under Article 6(1)(f) GDPR. It reasoned that the controller's interest to check whether the data subject violated the terms and conditions was legitimate and that it was not overridden by the data subject's interest to data protection. By referring to sentence 3 of Recital 51 GDPR, the DSB found that the pictures taken from the data subject did not constitute biometric data according to Article 9(1) GDPR because they did not result from "specific technical processing", as required by Article 4(14) GDPR, but are rather used to manually check the identity of the customer. It then held that the measures taken by the controller are not unusual nowadays and, therefore, the data subject could have reasonably expected them (first sentence of Recital 47 GDPR).

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

GZ: 2020-0.759.615 from November 23, 2020 (case number: DSB-D124.1978)


[Note editor: Names and companies, legal forms and product names,
Addresses (incl. URLs, IP and email addresses), file numbers (and the like), etc., as well as
their initials and abbreviations may be abbreviated for reasons of pseudonymization
and/or changed. Obvious spelling, grammar and punctuation errors
have been corrected.]



                                    NOTICE

                                      S P R U C H


Data Protection Authority decides on Robert A***'s privacy complaint
(complainant) of January 7, 2020 against N*** Lift GmbH (respondent),

represented by the lawyers Dr. Rudolph L*** & Dr. Sebastian L***, due to injury in

Right to confidentiality as follows:

       -   The complaint is dismissed as unsubstantiated.

Legal basis: Sections 1 (1), 18 (1) and 24 (1) and (5) of the

Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended; Art. 4 nos. 1 and 2, Art. 5 para. 1 lit. c,

Article 6 paragraph 1, Article 51 paragraph 1, Article 57 paragraph 1 letter f and Article 77 paragraph 1 of the Regulation (EU)
2016/679 (General Data Protection Regulation, hereinafter: GDPR), OJ No. L 119 of

4.5.2016 p. 1.




                               REASON

A. Submissions of the parties and course of the proceedings

1. With a procedural submission dated January 7, 2020, the complainant submitted that

the Respondent is the sole operator of the lift system on the Z***berg. find there

In addition to checking the validity of the lift ticket for access control, a photo is also taken
and a comparison of this photo with a previously stored reference photo takes place. Without

A lift ticket cannot be purchased with this automatic photo comparison, as is the

Consent to take photos linked to the use of the lift ticket. Don't agree
on, the lift system cannot be used. About this automated photo processing

no further information could be found. The complainant means that here an opt-in

Procedure analogous to e-mail addresses would have to be applied. Of the

Complainant used this lift from December 27, 2019 to December 29, 2019. December 2019
used.

As attachments, the complainant sent various photos, screenshots and e-mail

traffic.,2. With a statement dated March 6, 2020, the Respondent, represented by counsel, led

that it is correct that, for the purpose of access control, a reference photo of the

Lift ticket holder when first stepping through the equipped with a camera
Turnstile at the valley station of the Z***bergbahn I and at the valley station of the *** gondola

will be made. In the general tariff regulations, which are in the checkout area

were posted and on the homepage it was pointed out that a

photographic capture, storage and processing for control purposes to avoid
of improper use of the card. These dates will expire at the end of each year

the period of validity of a ski pass is deleted.

This access control is permissible, especially since it is only at special entry points, namely the

already described turnstiles, successes. There is at the valley station of the Z***bergbahn I

Furthermore, two access areas, one north-west and one east, whereby the
Reference photo only when passing through the north-west access system. be this

announced by appropriate stickers and information signs. It suits every ski guest

free to traverse one of the two areas. At the mountain station, the skier

In addition to the *** gondola, ten other lifts are available as an alternative, with neither one
Reference- another control photo to be taken. Furthermore, there is the possibility

to purchase hourly tickets for which no reference photo is taken. Sohin be the

Use of the lift system not linked to the respective consent.

The image files would be encrypted automatically. The inspector who makes the comparison

To do this, you have to log into the system with a password. Sohin succeeds
Control not automated, but based solely on the personal

Perception of the authorized employee on the screen. A control photo will

deleted within 30 minutes after passing through the turnstile.

As a result, access control with image comparison protects those who are authorized

Respondent's interests in delaying misuse of the
Lift tickets, which is why there are no violations of the GDPR or the DSG.


3. With a statement dated April 15, 2020, the complainant - if
relevant to the procedure - from the fact that in the best case it would require twice the financial effort,

to cover a day's skiing with hourly tickets, which is why the complainant did not

recognize proportionality. It can also be expected from the classic skier that this

spend at least one day on the slopes. The references given are only at or
shortly before passing through the relevant turnstile. Because of the big

Andrangs it is then no longer possible to decide otherwise and is not one of them

It can be assumed that no photo capture will take place at other turnstiles. Be on the trail map
not shown at which points a photo was taken. The use of the ski area is also possible without the *** gondola lift as the central connection point of the ski

area impractical. The complainant denied that the access controls with

Image comparison supported the predominantly legitimate interests of the respondent, this
may be given for multi-day tickets. Based on an email from an employee

Furthermore, it was to be assumed that use without a photo ID would not be possible

would have been.

B. Subject of Complaint

Based on the submissions of the complainant, the object of the complaint is whether

the Respondent informed the complainant by processing his image data for the

Purpose of access control to cable car and ski lift systems in the period from 27. to

December 29, 2019 violated his basic right to secrecy according to § 1 paragraph 1 DSG
Has.


C. Findings of Facts

1. The Respondent operates a cable car and ski lift company in *3 St. U*** am
Z***berg. There it becomes more abusive for the purpose of access control or delaying

Use of ski passes (unauthorized transfer of ski pass) a reference photo of a

every lift ticket holder when crossing the turnstile for the first time

north-western access to the valley station of the Z***bergbahn I and at the valley station of the
*** Gondola made and subsequently a control photo. ski passes are

according to point. * of the Respondent's general tariff provisions

transferable. The image capture is through appropriate stickers as well as information signs respectively
marked.


The position of the turnstiles with image control is as follows:

[Editor's note: the graphic file (piste map) was removed because it was not in the RIS

can be represented.]

Evidence assessment: The findings made are based on the credibly presented

Respondent's statements. The General Tariff Conditions
Respondent and the piste map including the marked turnstiles

submitted by the respondent. That stickers as well as information signs in front of

Appropriate image capturing is installed at the turnstiles

Complainant confirms, even if he complains, that after viewing this
Due to the large crowds, it was not possible to turn back.

2. The complainant has for the period from December 27 to 29, 2019

Purchased ski day tickets from the Respondent for the Z***berg and the facilities of

Respondent used. On the respective day ticket - in accordance with the tariff provisions of the Respondent - there is a note that the ski pass is not

is transferrable. Furthermore, there is a reference on the ski pass that the

Tariff regulations as posted apply.

This information is shown as follows (excerpts) on the ski pass:

[Editor's note: the graphic file (photograph of the ski pass) was removed because it

cannot be represented in the RIS.]

As described above, a reference photo was taken for the purpose of access control

as well as subsequently control photos of the complainant to the appropriate

turnstiles made. The reference and control photos were compared using a
Control person who had to log in to a password-protected system.

The reference photo was used until the ski pass expired

saved. The respective control photo was taken within 30 minutes after walking through

of the turnstile deleted.

Assessment of evidence: The findings that the complainant is the subject
has used the facility and that the ski passes are not transferable are based on the

undisputed information provided by the complainant and the submitted photos of the ski passes

from December 27th and 28th, 2019 and the ski pass number from December 29th

2019. The findings made on the handling of the control and reference photos
based on the credibly presented statements of the Respondent.


D. In legal terms it follows that:

1. § 1 para. 1 DSG stipulates that everyone, in particular with regard to respect

of his private and family life, right to secrecy of those concerning him
personal data, insofar as there is a legitimate interest in it.


The affected data of the complainant (photographs) are undisputed
personal data.

However, the fundamental right to data protection is not absolute, but may be

permissible interventions are restricted.

According to § 1 para. 2 DSG, a restriction of the right to secrecy in

vital interest of the person concerned or with his consent, otherwise

only to protect overriding legitimate interests of another, namely at

Interventions by a state authority only on the basis of laws resulting from the provisions of Art. 8 Para. 2
ECHR reasons are necessary.,The GDPR and in particular the principles enshrined therein are also

Interpretation of the right to secrecy must be taken into account in any case (cf. the

Notice of July 4, 2019, GZ: DSB-D123.652/0001-DSB/2019).

2. The complainant sometimes justified his complaint with the fact that he had no free

would have had a choice and to use the appendices of the Respondent in the
had to consent to data processing. He also explained that, as with e-mail

Registrations, an “opt-in procedure” is used. That's what he's pointing to

Complainant states that consent to data processing within the meaning of Article 6 Paragraph 1 lit

DSGVO has not occurred voluntarily or can never occur voluntarily, since the
Use of the facilities is linked to the consent. According to recital 42 of

DSGVO should only then be assumed that consent is voluntary

considered if the data subject has a genuine and free choice and is able
to refuse consent without suffering any detriment. On this subject has

the OGH with a decision of August 31, 2018, according to which the coupling of the

consent to the processing of non-contractual personal data

the conclusion of a contract, the consent is generally not voluntary, unless in individual cases
special circumstances speak for their voluntariness (cf. OGH 31.8.2018, 6 Ob 140/18h,

RS0132251).

However, these considerations can be left aside, especially since the Respondent

The data processing in question expressly does not rely on the consent of the

supports those affected.

3. The Respondent submits that the data on the basis of their predominant

to process legitimate interests, which is why the existence of this intervention
iSd Art. 6 Para. 1 lit. f GDPR must be checked. Sohin has an assessment of the legitimate

To take place in the interests of the complainant and if these are in line with the legitimate interests of the

confront the respondent and third parties. As part of this
Balancing interests, it must be taken into account that there are two cumulative requirements

must be, so that the Respondent can rely on this legal basis

can:

On the one hand, the processing must be carried out to protect the legitimate interests of the

Controller or a third party may be required, on the other hand, fundamental rights and

Fundamental freedoms of the data subject, which require the protection of personal data,
do not predominate (cf. on Art. 7 lit. f of Directive 95/46/EC the judgment of the ECJ of

24 November 2011, C-468/10 and C-469/10 [ASNEF and FECEMD] para. 38) (cf. the

Notice of the DSB from 4.7.2019, GZ: DSB-D123.652/0001-DSB/2019, RIS,
license plate recognition).,4. In this context it should be noted that the present

Data processing system essentially the same as those under the designation

"PHOTOCOMPARE - access control in connection with the use of personal (image) data
of ski lift card users” by the Data Protection Authority until the end of May 25, 2018 in

Data processing register in accordance with §§ 17 ff in conjunction with §§ 8 Para. 1 Z 4 (mainly authorized

interests), 8 Para. 3 Z 4 (performance of contract), 6 Para. 1 Z 5 and § 24 DSG 2000 registered

became.

In the course of these registrations, the existence of overriding legitimate interests

of those responsible affirmed, which is why the complainant's complaint is already settled
for this reason proves to be unfounded.


5. The details are as follows:

On the one hand, the complainant has a legitimate interest in keeping his information secret

to concede data, specifically his photograph. If the complainant submits
that sensitive personal data are affected by the image recording is dem

to counter that the processing of photographs only has a special category

of personal data if this differs from the definition of the term
"biometric data" is collected; in other words, if those with special technical

Means are processed that uniquely identify or authenticate a

natural person (DSGVO recital 51, see also Guidelines 3/2019 on
processing of personal data through video devices of the European

Data Protection Committee, version 2.0, page 17 para. 62). A simple digital photo that like

stored here for visual comparison purposes only and displayed on a screen

without being subjected to "special technical processes" therefore does not meet any
Fact of the processing of special data categories according to Art. 9 Para. 1 DSGVO.


On the other hand, the Respondent has a legitimate interest in it
recognize that their contractual partners behave in accordance with the contract and are therefore in their own interest

that compliance with the tariff conditions is monitored by controls in order to

unauthorized transfer of the ski pass, which - as stated - is expressly prohibited
will to hold out. This not least, especially since day passes or multi-day passes - like the

Complainant recognizes - are more cost-effective than hourly tickets. Is to

It should be noted that with hourly tickets there is a risk of unauthorized disclosure

is to be regarded as more negligible due to the shorter period of validity than with (multiple)
day tickets. Accordingly, the complainant's argument that no

Proportionality is given, especially since almost twice the financial effort is required

be, to cover a day's skiing with hourly tickets, into emptiness. That from the
The system implemented by the Respondent is quite suitable to ensure effective access control and therefore to fulfill its purpose. Due to the

established facts that the acquisition of reference or control images only

two important hubs of the system takes place as well as the storage period only in this way

long as necessary, the measures taken turn out to be not
overly intrusive. Furthermore, the control is carried out exclusively by authorized persons

Employees, which is why the respective photographs do not have a significant group of recipients

get.

It must also be taken into account that according to recital 47 first sentence GDPR

reasonable expectations of a data subject regarding the use of their

data is to be considered as an important factor when weighing up interests
(cf. Heberlein in Ehmann/Selmayr, General Data Protection Regulation Commentary [2018] Art. 6

para. 28). It should be noted that access control systems, such as those used by the Respondent

starts, at least – like the numerous registrations mentioned above in the former

data processing register - are now not uncommon (cf. the
Considerations of the data protection authority in the decision of July 4th, 2019 already cited, GZ: DSB-

D123.652/0001-DSB/2019, number plate recognition). In addition, the complainant had

Knowledge of access control and expected in advance. This can sometimes be the result
infer that the complainant had already sent an email dated December 24, 2019 - hence

before using the Respondent's facilities - inquired whether the acquisition of a

ski pass without image capture is possible. If the complainant submits that

The answer given by the Respondent's employee was incorrect, since it was obviously possible
insisted on purchasing hourly tickets for which no photographs were taken

to counter that this was not part of the complainant's request.

Apparently he had only asked about ski passes and not about hourly tickets.

6. Based on the above, the Data Protection Authority concludes that

here the legitimate interests of the respondent are those of the complainant

predominate, which is why the Respondent is right to rely on its legitimate
Interests as the basis for the lawfulness of the processing in accordance with Art. 6 Para. 1

lit. f GDPR. The Respondent therefore does not have the Appellant in its

violated the right to secrecy.

It had to be decided accordingly.