Datatilsynet - 2019-431-0052
|Datatilsynet - 2019-431-0052|
|Relevant Law:||Article 4(11) GDPR|
Article 5(1)(e) GDPR
Article 6(1)(a) GDPR
Article 13(1) GDPR
Article 13(2) GDPR
|National Case Number/Name:||2019-431-0052|
|European Case Law Identifier:||n/a|
|Original Source:||Datatilsynet (in DA)|
The Danish DPA published a decision in which it expressed severe criticism of Epic Booking for publishing and keeping extensive number of pictures of children and young people on its Facebook page without having a valid lawful basis for processing. The DPA found that the company failed to provide the data subjects with all information pursuant to Article 13 GDPR as well as to set a retention period for the personal data.
English Summary[edit | edit source]
Facts[edit | edit source]
Following an investigation conducted by the DPA on 17 January 2020, it was found that almost 500,000 images of children and young people were published on Epic Booking´s Facebook page. The photos were taken at parties and other similar events since 2013 primarily using a selfie camera.
Epic Booking argued that the company does not process information about children below the age of 14 years, as it is against the company´s policy.
In its comments submitted to the DPA, Epic Booking stated that the company used a consent as a lawful bases for processing of the data subjects´ personal data (cf. Article 6(1)(a) of the GDPR) and the data subjects were informed about a possibility to revoke their consent.
Moreover, Epic Booking has submitted to the DPA a text with the information that had been provided to the data subjects prior to giving their consent for processing, and claimed that the company fulfilled its obligation under Article 13 of the GDPR.
Epic Booking also argued that the company has not set specific time limits for storing images on its Facebook page due to the data subjects´ expectation.
Dispute[edit | edit source]
The DPA investigated if the company met requirements set out in Articles 5(1)(e), 6(1)(a), 13(1) and (2) of the GDPR, such as, whether:
- the company obtained a valid consent for publication of data subjects´ images on its Facebook page,
- the data deletion conducted in the scope of storage limitation, and
- the data subjects have been provided with all required information pursuant to Article 13(1) and (2).
Holding[edit | edit source]
The DPA severely criticized Epic Booking for unlawful processing of personal data and issued an order to delete all pictures that were published on the company´s Facebook page without valid data subjects´ consent. The DPA found that the data subjects, at the time of giving consent, were not informed that the processing has multiple purposes and consequently, not be able to choose the purposes for which they wish to give their consent.
Additionally, the DPA expressed criticism for failing to set a specific time limit for storage of images on Epic Booking´s Facebook page. The DPA ordered the company to set a retention period for deletion of pictures, which will be published on its Facebook in the future, to maximum 60 days.
The DPA also severely criticized Epic Booking for failing to meet the obligation set out in Article 13(1) and (2) of the GDPR. The DPA found that the text provided to the data subjects at the time when personal data are obtained did not contain information on the purposes of the processing and the period for which the images will be stored on the company´s Facebook page.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
Epic Booking's processing of personal data Published 01-03-2021 Decision The Danish Data Protection Agency has investigated the publication of photos on Epic Booking's Facebook page. The audit found, among other things, that a number of images have been processed in violation of the data protection rules. Journal number: 2019-431-0052 Summary On 17 January 2020, the Danish Data Protection Agency decided to investigate the publication of photos on Epic Booking's facebook page (https://www.facebook.com/pg/EPICBooking/photos/?tab=albums). The Danish Data Protection Agency hereby returns to the case. An extensive number of photos - almost 500,000 - of especially children and young people were to be found on the company's Facebook page. The photos, which were from 2013 onwards, were taken at parties and similar events primarily using a selfie camera. In the case, the Danish Data Protection Agency found that the consent given by the persons in the pictures did not sufficiently live up to the requirements that a consent must be informed, specific and voluntary. In addition, the Danish Data Protection Agency found that it was contrary to the principle of retention of storage that Epic Booking had not set a specific deletion deadline. According to the Danish Data Protection Agency's assessment, when setting deletion deadlines, the depicted persons and the special protection that children and young people enjoy under the data protection rules must be taken into account. The Authority therefore issued an order to Epic Booking to set a deletion deadline of a maximum of 60 days for images that are published on the company's Facebook page in the future. Decision The Danish Data Protection Agency finds - after the case has been considered at a meeting of the Data Council - that there are grounds for expressing serious criticism that Epic Booking's processing of personal data has not taken place in accordance with Article 5 (1) of the Data Protection Regulation. 1, letter e, and Article 6, para. 1, cf. Article 4, point 11. The Danish Data Protection Agency finds further grounds for expressing serious criticism that Epic Booking has not complied with the obligation to inform data subjects pursuant to Article 13 of the Data Protection Regulation. 2. Order 2.1. The Danish Data Protection Agency also issues an order to Epic Booking to delete all photos from Epic Booking's Facebook page, which have been processed without valid consent from the data subjects. 2.2. In addition, the Danish Data Protection Agency issues an order to Epic Booking to set a general deadline of a maximum of 60 days for deleting images, which will in future be published by Epic Booking on Epic Booking's facebook page. The injunctions are notified pursuant to Article 58 (1) of the Data Protection Regulation. 2, letter d. The deadline for compliance with the orders is 3 weeks from today's date. The Danish Data Protection Agency must request to receive a confirmation that the orders have been complied with no later than the same date. The Danish Data Protection Agency draws attention to the fact that according to the Data Protection Act, section 41, subsection 2, no. 5, it is a criminal offense to fail to comply with an order issued by the Danish Data Protection Agency pursuant to Article 58 (1) of the Data Protection Regulation. 2, letter d. Below is a more detailed review of the case and a justification for the Danish Data Protection Agency's decision. 3. Case presentation Following an inquiry about the publication of photos on Epic Booking's Facebook page, the Danish Data Protection Agency became aware that a very large number of photos - almost 500,000 - of children and young people in particular had been published on the company's Facebook page. The photos were taken at parties and similar events since 2013 primarily using a selfie camera. By letter dated 17 January 2020, the Danish Data Protection Agency has asked Epic Booking a number of questions for use in the Authority's processing of the case. On 12 February 2020, Advodan Aalborg Advokataktieselskab (hereinafter Advodan) responded on behalf of Epic Booking to the Authority's inquiry and submitted, among other things, copy of the information text, which is set up in a more defined zone by and in front of the selfie camera. The following appears from the information text: The pictures are coming on Facebook! By pressing save / or wait 5 sec. after the photo has been taken (auto save), you also allow EPIC Booking to post the photo on their publicly available Facebook page. You can regret it at any time and ask for a picture to be deleted from Facebook, this is done by sending the link to the picture, in a message to EPIC Booking's Facebook page. Then it is deleted immediately. If you are in doubt about how to do it, just contact EPIC Booking in a message on Facebook, and they will probably be helpful and guide you. * Pictures of bare buttocks, breasts and the like are sorted out, cf. EPIC Booking's policies, which MAY, however, be human error, and pictures may therefore risk being uploaded anyway, therefore it is strongly encouraged to completely refrain from these Pictures!" By letter dated 24 June 2010, the Danish Data Protection Agency requested Epic Booking to answer a number of additional questions, including the possibilities of revoking a consent to publication and the deadline for deleting images on the company's Facebook page. Advodan answered the questions in a supplementary opinion of 6 July 2020. The matter was discussed at a meeting of the Data Council on 17 December 2020. 3.1. Epic Bookings comments Advodan has confirmed that Epic Booking is the data controller for the processing of information on the Facebook page https://www.facebook.com/pg/EPICBooking/photos/?tab=albums. The basis of treatment The mobile selfie box (epiCAM) is part of Epic Booking's services and thus product portfolio, which customers demand the selfie box with great interest. It is important for the company's business model that photos from various events are posted on the Facebook page. The actual exposure that is achieved by the participants "tagging" each other and sharing the photos from the Facebook page is of crucial marketing importance. The operational and marketing reasons undoubtedly constitute objective considerations. Regarding the basis for processing, Advodan has referred to Article 6 (1) of the Data Protection Regulation. 1, letter a, on consent. However, processing images from an event may also be necessary for the purpose of fulfilling a contract, e.g. in cases where a school enters into a contract with the company to hold a party with a mobile disco and at the same time agrees that a selfie box must be set up as part of the service, cf. Article 6 (1) of the Data Protection Regulation. 1, letter b. At every use of the selfie box for an event, Epic Booking arranges for the installation of a sign in A4 size, which contains the information text, where Epic Booking makes guests aware of the procedure when using the selfie camera. It appears from the information text that the data subject can only give consent to the processing of personal data if he or she chooses to be photographed and / or photographed by the selfie box during an active action. In connection with the start of an event, it is announced over loudspeakers that there is a selfie camera in the room and that a cameraman will be present during the event. The cameraman also asks for consent before taking pictures, and is instructed that in addition to a positive consent, only pictures of guests who stand up for it are taken. In connection with the end of all events, it is again informed via loudspeakers how the procedure is around photos and where to go if you want photos deleted afterwards. The active action on the part of the data subject means that there is unequivocal and valid consent. At the same time, the expression of will appears to be voluntary and specific on the part of the data subject, as the person, by taking pictures, selecting and pressing "save" of a picture, thereby taking an active and voluntary action. The manner in which the consent is given is specific, concrete and simple for the data subject. The expression of will from the data subject is made solely on the basis of the information that the participants in an event can clearly see on the sign, which contains the consent text. It is Epic Booking's opinion that the company can demonstrate an express consent regarding the images taken with epiCAM. The consent is secured by hanging signs, from which it appears that an express consent is given when using the selfie box. Furthermore, the user's print constitutes "save" documentation for the consent. On special occasions, Epic Booking has obtained prior written consent. It is correct that an image is automatically saved after five seconds if the image is not saved by pressing the "save" button. The purpose of the automatic save function is to ensure a good user experience. It is Epic Booking's experience that partygoers previously left the selfie box without pressing save, which meant that others could not use the selfie box as there was an open image. In addition, users were previously of the opinion that the images were automatically saved, and became dissatisfied when it turned out not to be the case. It is also common practice in the industry that selfie boxes automatically save photos. Epic Booking has investigated the possibilities for reprogramming the selfie box, so that the images are only saved if the photographer himself actively presses "save". Previous programming has cost almost DKK 50,000. Epic Booking is available if a registrant wishes to revoke their consent. The data subject can thus revoke his consent by any contact with Epic Booking. Then the company helps to find the images that you want to delete. The data subject can also revoke his consent by requesting that all images of that person be deleted without linking to specific images. This is done by Epic Booking in collaboration with the data subject identifying possible images of the person in question. If such a collaboration is not possible, Epic Booking will contact a possible party committee with information about possible deletion of the entire photo album or with a view to finding other solutions. The duty to provide information Regarding Epic Booking's compliance with the disclosure obligation, Advodan has referred to the submitted disclosure text, which the data subjects receive prior to giving consent for photography. The information text contains an unambiguous statement from Epic Booking about how the images are used for objective purposes. In addition, information also appears about the possibility of deleting the images and how the data subject can object. In view of the above, the obligation to provide information under Articles 13 and 14 of the Data Protection Regulation has been fulfilled. Deletion Epic Booking has not set deletion deadlines for deleting images on the Facebook page. This is because the company's customers demand continued storage of the images, which constitute memories of a given event. In this connection, Advodan has stated that previous participants often "tag" each other in several-year-old photos, which is why the continued storage is factually and commercially justified. If Epic Booking set a deletion deadline, this would be to the great annoyance of the customers, and it would in the worst case have a negative impact on the customer's choice of Epic Booking as a mobile disco, as the majority of other companies in the industry store images permanently. Upon any request from a registered person, Epic Booking immediately deletes stored photos, and it is clear from each Facebook post that deletion can take place and how the registered person can contact Epic Booking about this. Protection of children Advodan has stated that Epic Booking does not process information about children of primary school age, as it follows from the company's policy that no pictures are taken for primary school events. The youngest children for whom information is processed are 14 years old and are typically after-school students. Prior to an event with e.g. photography, Epic Booking has used for children either a statement of consent or clear oral agreements with both the children and their parents. Epic Booking strives to be as thorough as possible in the information process regarding the processing of personal data. It is always ensured, and especially by children and young people, that the participants understand the concept and agree on what the processing of images and the like has of effects. Epic Booking guides both before, during and after the events in the form of e.g. oral information via the mobile disco speakers. 4. Justification for the Danish Data Protection Agency's decision Publication of images of identifiable persons on the Internet, including on social media, is considered as a processing of personal data covered by the data protection rules. 4.1. The legal basis for the treatment 4.1.1. It is clear from Article 6 (1) of the Data Protection Regulation 1, letter a, that the processing of personal data is lawful if the data subject has given consent to the processing of his personal data for one or more specific purposes. Article 4 (11) of the Data Protection Regulation states that a consent means any voluntary, specific, informed and unambiguous expression of intent by which the data subject agrees by declaration or clear confirmation that personal data concerning the person concerned are made subject to processing. The Data Protection Council (EDPB) has adopted guidelines on consent, which describe the understanding of the Regulation's definition of consent. According to the EDPB's guidelines, the requirement of voluntariness implies that the data subject has a real and free choice. There is a voluntary expression of will if the following four criteria are met: i) the data subject must be free to choose the purposes for which their consent is given (granularity), ii) the data subject must be able to refuse to give or withdraw his consent without it being to the detriment of the person concerned, (iii) performance of a contract must not be made conditional on consent to the processing of personal data which is not necessary for the performance of the contract; and (iv) there must be no clear imbalance (an unequal relationship) between the data subject; and the data controller. Furthermore, it follows from recital 32 in the preamble to the Data Protection Regulation that: Consent should cover all treatment activities performed for the same purpose or purposes. When the treatment serves several purposes, consent should be given to all of them ”. Recital 43 states the following: "Consent is not presumed to have been given voluntarily if it is not possible to give separate consent to different processing activities concerning personal data, even if it is appropriate in the individual case […]." 4.1.2. On the basis of Epic Booking's information text, the Danish Data Protection Agency assumes that the processing, including the publication, of information in the form of images, takes place on the basis of consent. Furthermore, the Danish Data Protection Agency assumes that the information provided in connection with the recording of images, including when recording images in the selfie boxes, is included in the basis for obtaining consent from the data subjects. It appears from the information in the case that Epic Booking processes the information for several purposes, including for operational and business purposes (eg sale of images) as well as for marketing to new customers. The Danish Data Protection Agency finds that Epic Booking's publication of images on the company's Facebook page is in breach of Article 6 (1) of the Data Protection Regulation. 1, letter a, as no valid consent has been obtained from the data subjects, cf. Article 4, no. 11. The Danish Data Protection Agency has emphasized that the data subjects at the time of giving their consent have not had the opportunity to select or deselect the various processing purposes, which is not in accordance with the data protection rules' requirements for a valid consent. Thus, the data subjects have not had the opportunity to make an informed choice, nor have they had real control over the processing of information about them. Furthermore, the Authority has emphasized that the consent text (information text) used does not state what the purposes of the processing are, including that the images are also processed for marketing purposes, just as the text does not contain information about the storage period. It is against this background that the Danish Data Protection Agency's assessment is that the consent text used is not sufficiently specific and informed, just as the persons in question have not given real free consent. The consents used thus do not comply with the requirements for a valid consent under Article 4 (11) of the Regulation. The Danish Data Protection Agency then finds grounds for expressing serious criticism that Epic Booking's processing of information on the Facebook page has not taken place in accordance with Article 6 (1) of the Data Protection Regulation. 1, cf. Article 4, point 11. Furthermore, the Danish Data Protection Agency finds grounds for notifying Epic Booking of an order to delete all images from Epic Booking's Facebook page, which have been processed without valid consent from the data subjects. 4.2. The duty to provide information Article 13 (1) of the Data Protection Regulation 1, it follows that if personal data about a data subject is collected from the data subject, the data controller at the time when the personal data is collected, gives the data subject all of the following information: identity and contact details of the data controller and his / her representative, if any contact information for any data protection adviser the purposes of the processing for which the personal data are to be used and the legal basis for the processing the legitimate interests pursued by the controller or a third party if the processing is based on Article 6 (1); 1 (f) any recipients or categories of recipients of the personal data where relevant, the data controller intends to transfer personal data to a third country or an international organization and whether the Commission has decided on the adequacy of the level of protection, or in the case of transfers under Article 46 or 47 or Article 49 (2). 1, second subparagraph, point (h), reference to the necessary or appropriate guarantees and how a copy can be obtained or where they have been made available. In addition to this information, the data controller shall, in accordance with Article 13 (2), 2, at the time the personal data is collected, the data subject has a number of additional information necessary to ensure a fair and transparent processing. According to the provision, the data controller must provide the data subject with information on, inter alia, the period during which the personal data will be stored or, if this is not possible, the criteria used to determine this period, in accordance with Article 13 (1). 2, letter a. It also follows from Article 12 (1) of the Data Protection Regulation 1, that the data controller takes appropriate measures to provide any information as referred to, inter alia. in Article 13 on processing to the data subject in a concise, transparent, easily understandable and easily accessible form and in a clear and simple language, in particular when information is specifically directed at a child. The information is provided in writing or by other means, including, if appropriate, electronically. The Danish Data Protection Agency finds that the content of the information text that is set up in a more defined zone by and in front of the selfie camera, and the "speak" that is given at an event, does not meet the requirements of Article 12 (1) of the Data Protection Regulation. And Article 13 (1). 1 and 2. In this connection, the Danish Data Protection Agency has emphasized in particular that the information text does not contain information on the purposes of the processing, cf. Article 13 (1). 1, letter c, and information on the time of publication of the images on the Facebook page, cf. Article 13, para. The information on the storage period is, in the opinion of the Authority, necessary to ensure a fair and transparent treatment, cf. Article 13 (2) (a). 2, letter a, and is thus an (additional) information to which the data subject is entitled, and should be given immediately to the data subject at the time of photography. Against this background, the Danish Data Protection Agency finds reason to express serious criticism of Epic Booking's failure to comply with the duty to provide information when collecting personal data in connection with photography for Epic Booking's events. 4.3. Storage restriction The basic principles for the processing of personal data, as set out in Article 5 of the Data Protection Regulation, must be observed in any processing of personal data. This means, among other things, that personal data must be stored in such a way that it is not possible to identify the data subjects for a longer period than is necessary for the purposes for which the personal data in question is processed, cf. 1 (e) ('storage restriction'). Epic Booking has stated that images on the Facebook page are published (stored) without time limit, as customers expect this. The Danish Data Protection Agency considers that a publication without a time limit is contrary to the principle of storage limitation in Article 5 (1) of the Data Protection Regulation. 1, letter e. The Danish Data Protection Agency has hereby emphasized the consideration for the persons depicted, including the special protection that children and young people enjoy according to the data protection rules, and the nature of the processing (publication on Facebook). Furthermore, the Danish Data Protection Agency has emphasized that a maximum period of 60 days in the Authority's opinion will be sufficient to meet customers' needs to be able to access the images. Against this background, the Authority finds reason to express serious criticism of Epic Booking's practice for storing images. Furthermore, the Danish Data Protection Agency finds grounds for notifying Epic Booking of an order to set a deletion deadline of a maximum of 60 days in respect of images that will in future be published on the company's Facebook page.