IP - 07121-1/2020/2281

From GDPRhub
Revision as of 07:36, 4 October 2021 by Riealeksandra (talk | contribs)
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Other Outcome
Decided: 18.12.2020
Published: 18.12.2020
Fine: None
Parties: n/a
National Case Number/Name: 07121-1/2020/2281
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Slovenian
Original Source: IP (in SL)
Initial Contributor: Rie Aleksandra Walle

The Slovenian DPA (IP) issued an advisory opinion about the use of personal data for advertising purposes on Facebook and joint controllership. It underlined that each controller needs a legal basis for processing personal data.

English Summary


The Slovenian DPA received a complaint regarding the use of the complainant's personal data for advertising purposes inside a Facebook group. The DPA advised that the group administrator should provide an appropriate legal basis, first, for transferring the personal data to Facebook for advertising purposes and, second, for transferring personal data to the users of the SNS (Social Networking Service). In such a case, the group administrator and Facebook will act as joint controllers for the processing of personal data related to the ads.

For the legal basis of processing personal data in the Facebook group, the DPA advised that this is usually determined by the group rules (terms and conditions), which every group member accepts when joining the group.

Finally, the DPA reasoned that the ad in question, shown only in the Facebook group, was likely only meant for the group members and not for the general public. Publishing the ad inside a Facebook group, even publicly, does not mean it will be read by all Facebook users, but likely only by the group members who are interested in the content relevant to the group.



The Slovenian DPA advised that each controller of personal data must have a legal basis for such processing.


Interestingly, Slovenia has still not fully implemented the GDPR. It still relies on ZVOP-1, as ZVOP-2 (the national data protection act) has still not been introduced. The DPA issues only non-binding opinions.


English Machine Translation of the Decision

The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.

Date: 18.12.2020
Title: An ad on Facebook with a post from the forum
Number: 07121-1/2020/2281
Subject matter: Definition of OP, Modern technologies, Legal basis, World Wide Web
Legal act: Opinion

The Information Commissioner (hereinafter IP) received by e-mail your letter regarding the ad on Facebook, which contains the record or confession of an individual on a forum. You think this is an invasion of that individual’s privacy.


On the basis of the information you have provided to us, and in accordance with Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: the General Regulation on Data Protection), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 94/07, officially consolidated text, hereinafter ZVOP-1) and Article 2 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05, hereinafter ZInfP), we provide our non-binding opinion regarding your question. IP explains that, in the context of a non-binding opinion, it cannot make concrete assessments regarding the legality of the processing of personal data, but can only do so in the inspection procedure.


The IP generally clarifies that it is competent only for that part of the right to privacy which relates to the protection of personal data and which is regulated by Article 38 of the Constitution of the Republic of Slovenia (Constitution of the Republic of Slovenia; Official Gazette of the RS, no. 33/91-I). In the case of the described publication, it could (also) be an interference with the right to privacy in a broader sense from Article 35 of the Constitution of the Republic of Slovenia, which is protected by the institutes of civil and criminal protection before the competent courts.


Personal data means any information relating to an identified or identifiable individual. An identifiable individual is one who can be identified directly or indirectly, in particular by indicating an identifier such as name, identification number, location data, web identifier, or by indicating one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual (point 1 of Article 4 (1) of the General Data Protection Regulation). Insofar as the individual in the record is identifiable (which, however, cannot be assessed by the IP in the context of a non-binding opinion), it would in this case be the processing of personal data.


There must be an appropriate and lawful legal basis for any processing of personal data. These are set out in Article 6 (1) of the General Data Protection Regulation and are as follows:

    consent (point (a)),
    the conclusion or performance of a contract (point (b)),
    law (point (c)),
    protection of the vital interests of the individual (point (d)),
    implementation of a public task (point (e) in connection with the fourth paragraph of Article 9 of ZVOP-1),
    legitimate interests of the operator (point (f)).

Therefore, in the case of data processing, the forum, as the controller, should first provide an appropriate legal basis for the transmission of personal data to Facebook for advertising purposes and thus the transmission of data to users of the social network, i.e. to the general public. In such a case, the forum, together with Facebook, would act as joint controllers for the processing of data related to the display of the advertisement (whereby each of the controllers must provide an appropriate legal basis). Regarding the legal basis of the forum, IP further explains that when using the services of forums, it is usually also relevant what is determined by the general conditions of the forum, with which in this case an unregistered individual agrees before each post on the forum or upon registration, which the IP cannot go into in detail in the opinion. Nevertheless, given the content and nature of the specific record, it could be concluded that this is a record that was intended only for individuals who use the forum, but not for the general public. Namely, the publication of a record on the forum, despite the fact that it is publicly available, does not mean that it is actually read by every Facebook user, but most likely only by forum users who are interested in certain content.


Given that the individual who is the author of the record is not a registered user of the forum, but only publishes the relevant content without the registration process, it could happen that in a given case the individual is not identifiable as defined by personal data, and consequently it would not be data processing within the meaning of the General Data Protection Regulation. In any case, an individual who is convinced that his personal rights have been infringed by a certain act may, in accordance with the provisions of Article 134 of the Code of Obligations (Official Gazette of the Republic of Slovenia, No. 83/01 as amended, hereinafter OZ), request to prevent such an act or to remove its consequences. In any case, anyone who considers that the conduct of another person has caused a significant encroachment on his privacy and has caused him damage may, on the basis of the OZ, file a claim for damages before the competent civil court.