IP - 07121-1/2020/527: Difference between revisions

From GDPRhub
(Created page with "{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;" ! colspan="2" |IP - 0712-1/2019/2725 |- | colspan="2" style="padding: 20px; background-color:#ffffff"...")
 
No edit summary
(4 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"
{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"
! colspan="2" |IP - 0712-1/2019/2725
! colspan="2" |IP - 07121-1/2020/527
|-
|-
| colspan="2" style="padding: 20px; background-color:#ffffff" |[[File:logoSI.png|center|250px]]
| colspan="2" style="padding: 20px; background-color:#ffffff" |[[File:logoSI.png|center|250px]]
Line 11: Line 11:
|-
|-
|Relevant Law:||[[Article 58 GDPR#3|Article 58(3) GDPR]]
|Relevant Law:||[[Article 58 GDPR#3|Article 58(3) GDPR]]
[[Category:Article 58(3) GDPR]]


Article 49(1)(g) ZVOP   
Article 49(1)(g) ZVOP   
Line 19: Line 18:
|Type:||Advisory opinion
|Type:||Advisory opinion
|-
|-
|Outcome:||Non-binding
|Outcome:||n/a
|-
|-
|Decided:||4. 2. 2020
|Decided:||7.4.2020
[[Category:2020]]
 
|-
|-
|Published:||n/a
|Published:||n/a
Line 30: Line 29:
|Parties:||anonymous
|Parties:||anonymous
|-
|-
|National Case Number:||0712-1/2019/2725
|National Case Number:||07121-1/2020/527
|-
|-
|European Case Law Identifier:||n/a
|European Case Law Identifier:||n/a
Line 39: Line 38:
Slovenian
Slovenian
|-
|-
|Original Source:||[https://www.ip-rs.si/vop/?tx_jzgdprdecisions_pi1%5BshowUid%5D=1244 Informacijski Pooblaščenec (SI)]
|Original Source:||[https://www.ip-rs.si/vop/?tx_jzgdprdecisions_pi1%5BshowUid%5D=1480 Informacijski Pooblaščenec (SI)]
|}
|}


The Slovenian DPA (IP) issued a non-binding opinion as foreseen under [[Article 58 GDPR#3|Article 58(3) GDPR]] regarding spamming e-mails to Slovenian company, which were sent by a travel agency without any prior registration.
The Slovenian DPA (IP) issued a non-binding opinion under [[Article 58 GDPR#3|Article 58(3) GDPR]] regarding the lawfulness of processing of a photograph. The IP clarified that a photograph can be considered personal data, especially when a photo depicts an individual clearly and unambiguously allowing for their identification. Such processing must be based on a consent under [[Article 6 GDPR|Article 6(1)(a) GDPR]] collected in advance of such processing.  


==English Summary==
==English Summary==


===Facts and questions arising===
===Facts and questions arising===
A Slovenian company asked the IP whether a travel agency was allowed to send spams to the company's e-mail "info@..." since it hasn't registered to receive such e-mails.  
The Information Commissioner (hereinafter referred to as IP) received a request for an opinion. The applicant provided that stranger took a photo of their employee in the office despite that employee's objection to a request for a photograph. The photo was then published in an article. The applicant wanted to clarify whether such a processing constitutes a violation of the data protection law.    


===Holding===
===Holding===
The IP found that the protection of personal data refers to the processing of personal data which relate to an individual. Data relating to an entity are not considered to be personal and, therefore, the data protection rules do not apply to them. In this sense, there is no need for prior informed consent in such cases.  
The IP reminded the applicant that it can make a specific assessment of whether the case describing is a violation of personal data protection rules only through an inspection process. 
 
The IP then explained what constitutes personal data in accordance with Article 4(1) GDPR. In light of the definition contained therein, photographs may be considered personal data protected under the GDPR if they determine or enable the determination of an individual, especially when the individual is clearly and unambiguously visible on the photograph and could thus be identified, or when other personal information about the individual is processed together with the photo (eg, first and last name, birth year, etc.). Therefore, if a photograph can be considered as personal data, most likely, its collection, storage as well as all subsequent processing operations, e.g. by posting can qualify as processing personal data.
 
Any processing of personal data must rely on a legitimate and appropriate legal basis. These are set out in Article 6(1) GDPR. The controller is responsible for choosing the right legal basis for the processing of personal data, taking into account the specific circumstances and purpose of the processing.


Finally, the IP advised the company to refer its complaint to the competent Agency for Communication Networks and Services [https://www.akos-rs.si/ (AKOS)].  
According to previous opinions issued by the IP, the operators shall obtain in advance a consent from an individual in accordance with Article 6(1)(a) GDPR for the processing of photographs in a way that can easily identify the depicted individual.


==Comment==
==Comment==
Line 66: Line 69:
<pre>
<pre>
Search engine according to GDPR
Search engine according to GDPR
+
-
Date: 04/07/2020
Title: Posting a photo without consent
Number: 07121-1 / 2020/527
Subject matter: Legal bases, Commercial activity
Legal act: Opinion
The Information Commissioner (hereinafter referred to as IP) has received your request for an opinion. You state that an unknown gentleman took a picture of a worker in your office despite rejecting his request for a photograph. Her photo was then published in an article. You are convinced that this is a violation of your personal data protection. You are curious about the application process.
On the basis of the information you have provided to us, in accordance with Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Directive 95/46 / EC (General Data Protection Regulation, hereinafter referred to as the General Regulation), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette RS, No. 94/07-UPB1, hereinafter ZVOP-1 ) and Article 2 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05, hereinafter ZInfP) provide our non-binding opinion regarding your question.
First of all, we emphasize that IP can make a specific assessment of whether the case you are describing is a violation of personal data protection rules only through an inspection process. Therefore, we provide you with general explanations and legal background and conditions for the legitimate processing of personal data, and explain how to submit your application.
We would like to point out that IP is only responsible for the part of the right to privacy that relates to the protection of personal data and is regulated by Article 38 of the Constitution of the Republic of Slovenia (Official Gazette RS, No. 33/1991 with amendments and supplements, hereinafter Of the RS Constitution). In the case you describe (publication of a photograph of an individual in the media), it may also be an interference with the right to privacy in the broad sense referred to in Article 35 of the Constitution of the Republic of Slovenia, which falls within the jurisdiction of the courts and is protected by institutes of civil and criminal justice. It should be stressed that none of these constitutional rights is absolute. This means that the right to privacy and the right to data protection must also be understood in the context of their relationship to the right to freedom of expression, which is guaranteed in Article 39 of the Constitution of the RS.
In accordance with Article 4 (1) of the General Regulation, personal data is any information relating to an identified or identifiable individual; an identifiable individual is one that can be determined, directly or indirectly, in particular by specifying an identifier such as name, identification number, location data, web identifier, or by indicating one or more factors specific to the physical, physiological, genetic , the mental, economic, cultural or social identity of that individual.
In the light of the above, photographs are protected data under the General Regulation if they determine or enable the determinability of an individual, especially when the individual is clearly and unambiguously visible in the photograph and could thus be identified, identified and determined, or when processed with the photograph also other personal information about the individual (eg, his first and last name, his birth year, etc.). Therefore, if a photograph of a particular individual can be considered as protected personal data, it is most likely a collection of personal data that is processed only by its storage as well as by all subsequent processing operations, e.g. by posting.
Any processing of personal data, including for the collection, storage, use, disclosure, disclosure, dissemination or otherwise of access, of a person must have a legitimate and appropriate legal basis. These are set out in Article 6 (1) of the General Regulation and are for the private sector as follows:


Date: 02/04/2020
- consent (point (a)),
Title: Question about sending messages without prior registration
 
Number: 0712-1 / 2019/2725
- the conclusion or performance of the contract (point (b)),
Subject matter: Direct marketing, sweepstakes, Telecommunications and mail
 
Legal act: Opinion
- law or performance of public tasks (point (c) and (e) respectively),
 
- legitimate interests that outweigh the interests of the individual (point (f)).


The Information Commissioner (hereinafter referred to as IP) has received an e-mail from you stating that the designated travel agency "spam" the Slovenian domain "info @" without first registering on the mailing list. Accordingly, you are interested in whether they are allowed to do this.
Choosing the right legal basis for the processing of personal data, taking into account the specific circumstances and purpose of the processing, is the responsibility of the controller. For legal basics in the private sector, you can also view the infographics published on the IP website: https://www.ip-rs.si/fileadmin/user_upload/png/infografike/pravne_podlage_zasebni_sektor_s_pogoji_privolitve.pdf.


On the basis of the information you have provided, hereinafter referred to as Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and Directive 95/46 / EC (hereinafter referred to as the General Data Protection Regulation or Regulation), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette RS, No. 94/07, officially consolidated text, hereinafter ZVOP-1) and Article 2 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05, hereinafter ZInfP), we provide our non-binding opinion regarding your question.
IP has previously answered questions about posting photos, so we recommend that you familiarize yourself with the content of the optional reviews you find through a search engine at https://www.ip-rs.si/vop/  ( "Photos as OP" or "Media" category). From the IP Opinions issued, the recommendation is that, in order to use the photographs in a way that can easily identify the depicted individual, the operators obtain in advance the personal consent of that individual in accordance with Article 6 (1) (a) of the General Regulation.You can read more about the conditions for valid consent on the IP website https://www.ip-rs.si/zakonodaja/reforma-evropskega-zakonodajnega-okvira-za-varstvo-osebnih-podatkov/kljucna-podrocja-uredbe/privolitev/.


IP explains that the protection of personal data refers to the processing of personal data, with personal data being data that point to an individual. Data relating to a legal entity and other business entities (eg e-mail info@podjetje.si) are not protected personal data, therefore they are not subject to the rules of personal data protection. Prior informed consent is therefore not required in such a case.
Anyone who believes that anyone is in breach of the General Regulation or ZVOP-1 (in the section still applicable) can file a complaint with the IP. The IP then execute the appropriate inspection procedures ex officio. However, the application can be made by the worker herself or you as her employer. Reporting a violation of personal data protection has only the nature of an initiative to initiate an inspection procedure under the Inspection Act (Official Gazette of the Republic of Slovenia, No. 43/07 - Official Consolidated Text and 40/14). The applicant is therefore not a party to any inspection procedure. You can also read more about filing an application at the IP website https://www.ip-rs.si/varstvo-osebnih-podatkov/pravice-posameznika/vlozitev-prijave/.


Corporate marketing rules are governed by the Electronic Communications Act (ZEKom-1) and the Electronic Commerce Market Act (ZEPT). The provisions of ZEKom-1 and ZEPT are overseen by the Agency for Communications Networks and Services (AKOS) and the Market Inspectorate of the RS (TIRS). If you believe that this is a violation of the rules of law, you can report directly to AKOS.
It is recommended that the application be submitted on the "ZIN APPLICATION FORM" form, which can be accessed at https://www.ip-rs.si/obrazci/varstvo-osebnih-podatkov/. The application can be sent by e-mail to gp.ip@ip-rs.si; or by regular mail to Dunajska cesta 22, 1000 Ljubljana.
</pre>
</pre>

Revision as of 11:55, 15 September 2021

IP - 07121-1/2020/527
LogoSI.png
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 58(3) GDPR

Article 49(1)(g) ZVOP

Article 2 ZInfP

Type: Advisory opinion
Outcome: n/a
Decided: 7.4.2020
Published: n/a
Fine: none
Parties: anonymous
National Case Number: 07121-1/2020/527
European Case Law Identifier: n/a
Appeal: n/a
Original Language:

Slovenian

Original Source: Informacijski Pooblaščenec (SI)

The Slovenian DPA (IP) issued a non-binding opinion under Article 58(3) GDPR regarding the lawfulness of processing of a photograph. The IP clarified that a photograph can be considered personal data, especially when a photo depicts an individual clearly and unambiguously allowing for their identification. Such processing must be based on a consent under Article 6(1)(a) GDPR collected in advance of such processing.

English Summary

Facts and questions arising

The Information Commissioner (hereinafter referred to as IP) received a request for an opinion. The applicant provided that stranger took a photo of their employee in the office despite that employee's objection to a request for a photograph. The photo was then published in an article. The applicant wanted to clarify whether such a processing constitutes a violation of the data protection law.

Holding

The IP reminded the applicant that it can make a specific assessment of whether the case describing is a violation of personal data protection rules only through an inspection process.

The IP then explained what constitutes personal data in accordance with Article 4(1) GDPR. In light of the definition contained therein, photographs may be considered personal data protected under the GDPR if they determine or enable the determination of an individual, especially when the individual is clearly and unambiguously visible on the photograph and could thus be identified, or when other personal information about the individual is processed together with the photo (eg, first and last name, birth year, etc.). Therefore, if a photograph can be considered as personal data, most likely, its collection, storage as well as all subsequent processing operations, e.g. by posting can qualify as processing personal data.

Any processing of personal data must rely on a legitimate and appropriate legal basis. These are set out in Article 6(1) GDPR. The controller is responsible for choosing the right legal basis for the processing of personal data, taking into account the specific circumstances and purpose of the processing.

According to previous opinions issued by the IP, the operators shall obtain in advance a consent from an individual in accordance with Article 6(1)(a) GDPR for the processing of photographs in a way that can easily identify the depicted individual.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Slovenian original for more details. 

Search engine according to GDPR
+
-
Date: 04/07/2020
Title: Posting a photo without consent
Number: 07121-1 / 2020/527
Subject matter: Legal bases, Commercial activity
Legal act: Opinion
The Information Commissioner (hereinafter referred to as IP) has received your request for an opinion. You state that an unknown gentleman took a picture of a worker in your office despite rejecting his request for a photograph. Her photo was then published in an article. You are convinced that this is a violation of your personal data protection. You are curious about the application process.

On the basis of the information you have provided to us, in accordance with Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Directive 95/46 / EC (General Data Protection Regulation, hereinafter referred to as the General Regulation), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette RS, No. 94/07-UPB1, hereinafter ZVOP-1 ) and Article 2 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05, hereinafter ZInfP) provide our non-binding opinion regarding your question.

First of all, we emphasize that IP can make a specific assessment of whether the case you are describing is a violation of personal data protection rules only through an inspection process. Therefore, we provide you with general explanations and legal background and conditions for the legitimate processing of personal data, and explain how to submit your application.

We would like to point out that IP is only responsible for the part of the right to privacy that relates to the protection of personal data and is regulated by Article 38 of the Constitution of the Republic of Slovenia (Official Gazette RS, No. 33/1991 with amendments and supplements, hereinafter Of the RS Constitution). In the case you describe (publication of a photograph of an individual in the media), it may also be an interference with the right to privacy in the broad sense referred to in Article 35 of the Constitution of the Republic of Slovenia, which falls within the jurisdiction of the courts and is protected by institutes of civil and criminal justice. It should be stressed that none of these constitutional rights is absolute. This means that the right to privacy and the right to data protection must also be understood in the context of their relationship to the right to freedom of expression, which is guaranteed in Article 39 of the Constitution of the RS.

In accordance with Article 4 (1) of the General Regulation, personal data is any information relating to an identified or identifiable individual; an identifiable individual is one that can be determined, directly or indirectly, in particular by specifying an identifier such as name, identification number, location data, web identifier, or by indicating one or more factors specific to the physical, physiological, genetic , the mental, economic, cultural or social identity of that individual.

In the light of the above, photographs are protected data under the General Regulation if they determine or enable the determinability of an individual, especially when the individual is clearly and unambiguously visible in the photograph and could thus be identified, identified and determined, or when processed with the photograph also other personal information about the individual (eg, his first and last name, his birth year, etc.). Therefore, if a photograph of a particular individual can be considered as protected personal data, it is most likely a collection of personal data that is processed only by its storage as well as by all subsequent processing operations, e.g. by posting.

Any processing of personal data, including for the collection, storage, use, disclosure, disclosure, dissemination or otherwise of access, of a person must have a legitimate and appropriate legal basis. These are set out in Article 6 (1) of the General Regulation and are for the private sector as follows:

- consent (point (a)),

- the conclusion or performance of the contract (point (b)),

- law or performance of public tasks (point (c) and (e) respectively),

- legitimate interests that outweigh the interests of the individual (point (f)).

Choosing the right legal basis for the processing of personal data, taking into account the specific circumstances and purpose of the processing, is the responsibility of the controller. For legal basics in the private sector, you can also view the infographics published on the IP website: https://www.ip-rs.si/fileadmin/user_upload/png/infografike/pravne_podlage_zasebni_sektor_s_pogoji_privolitve.pdf.

IP has previously answered questions about posting photos, so we recommend that you familiarize yourself with the content of the optional reviews you find through a search engine at https://www.ip-rs.si/vop/  ( "Photos as OP" or "Media" category). From the IP Opinions issued, the recommendation is that, in order to use the photographs in a way that can easily identify the depicted individual, the operators obtain in advance the personal consent of that individual in accordance with Article 6 (1) (a) of the General Regulation.You can read more about the conditions for valid consent on the IP website https://www.ip-rs.si/zakonodaja/reforma-evropskega-zakonodajnega-okvira-za-varstvo-osebnih-podatkov/kljucna-podrocja-uredbe/privolitev/.

Anyone who believes that anyone is in breach of the General Regulation or ZVOP-1 (in the section still applicable) can file a complaint with the IP. The IP then execute the appropriate inspection procedures ex officio. However, the application can be made by the worker herself or you as her employer. Reporting a violation of personal data protection has only the nature of an initiative to initiate an inspection procedure under the Inspection Act (Official Gazette of the Republic of Slovenia, No. 43/07 - Official Consolidated Text and 40/14). The applicant is therefore not a party to any inspection procedure. You can also read more about filing an application at the IP website https://www.ip-rs.si/varstvo-osebnih-podatkov/pravice-posameznika/vlozitev-prijave/.

It is recommended that the application be submitted on the "ZIN APPLICATION FORM" form, which can be accessed at https://www.ip-rs.si/obrazci/varstvo-osebnih-podatkov/. The application can be sent by e-mail to gp.ip@ip-rs.si; or by regular mail to Dunajska cesta 22, 1000 Ljubljana.
Retrieved from "https://gdprhub.eu/index.php?title=IP_-_07121-1/2020/527&oldid=19560"
Creative Commons Attribution-NonCommercial-ShareAlike
Powered by MediaWiki