IP - 07121-1/2020/527
|IP - 07121-1/2020/527|
|Relevant Law:||Article 58(3) GDPR
Article 49(1)(g) ZVOP
Article 2 ZInfP
|National Case Number:||07121-1/2020/527|
|European Case Law Identifier:||n/a|
|Original Source:||Informacijski Pooblaščenec (SI)|
The Slovenian DPA (IP) issued a non-binding opinion under Article 58(3) GDPR regarding the lawfulness of processing of a photograph. The IP clarified that a photograph can be considered personal data, especially when a photo depicts an individual clearly and unambiguously allowing for their identification. Such processing must be based on a consent under Article 6(1)(a) GDPR collected in advance of such processing.
Facts and questions arising
The Information Commissioner (hereinafter referred to as IP) received a request for an opinion. The applicant provided that stranger took a photo of their employee in the office despite that employee's objection to a request for a photograph. The photo was then published in an article. The applicant wanted to clarify whether such a processing constitutes a violation of the data protection law.
The IP reminded the applicant that it can make a specific assessment of whether the case describing is a violation of personal data protection rules only through an inspection process.
The IP then explained what constitutes personal data in accordance with Article 4(1) GDPR. In light of the definition contained therein, photographs may be considered personal data protected under the GDPR if they determine or enable the determination of an individual, especially when the individual is clearly and unambiguously visible on the photograph and could thus be identified, or when other personal information about the individual is processed together with the photo (eg, first and last name, birth year, etc.). Therefore, if a photograph can be considered as personal data, most likely, its collection, storage as well as all subsequent processing operations, e.g. by posting can qualify as processing personal data.
Any processing of personal data must rely on a legitimate and appropriate legal basis. These are set out in Article 6(1) GDPR. The controller is responsible for choosing the right legal basis for the processing of personal data, taking into account the specific circumstances and purpose of the processing.
According to previous opinions issued by the IP, the operators shall obtain in advance a consent from an individual in accordance with Article 6(1)(a) GDPR for the processing of photographs in a way that can easily identify the depicted individual.
Share your comments here!
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the original. Please refer to the Slovenian original for more details.
Search engine according to GDPR + - Date: 04/07/2020 Title: Posting a photo without consent Number: 07121-1 / 2020/527 Subject matter: Legal bases, Commercial activity Legal act: Opinion The Information Commissioner (hereinafter referred to as IP) has received your request for an opinion. You state that an unknown gentleman took a picture of a worker in your office despite rejecting his request for a photograph. Her photo was then published in an article. You are convinced that this is a violation of your personal data protection. You are curious about the application process. On the basis of the information you have provided to us, in accordance with Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Directive 95/46 / EC (General Data Protection Regulation, hereinafter referred to as the General Regulation), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette RS, No. 94/07-UPB1, hereinafter ZVOP-1 ) and Article 2 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05, hereinafter ZInfP) provide our non-binding opinion regarding your question. First of all, we emphasize that IP can make a specific assessment of whether the case you are describing is a violation of personal data protection rules only through an inspection process. Therefore, we provide you with general explanations and legal background and conditions for the legitimate processing of personal data, and explain how to submit your application. We would like to point out that IP is only responsible for the part of the right to privacy that relates to the protection of personal data and is regulated by Article 38 of the Constitution of the Republic of Slovenia (Official Gazette RS, No. 33/1991 with amendments and supplements, hereinafter Of the RS Constitution). In the case you describe (publication of a photograph of an individual in the media), it may also be an interference with the right to privacy in the broad sense referred to in Article 35 of the Constitution of the Republic of Slovenia, which falls within the jurisdiction of the courts and is protected by institutes of civil and criminal justice. It should be stressed that none of these constitutional rights is absolute. This means that the right to privacy and the right to data protection must also be understood in the context of their relationship to the right to freedom of expression, which is guaranteed in Article 39 of the Constitution of the RS. In accordance with Article 4 (1) of the General Regulation, personal data is any information relating to an identified or identifiable individual; an identifiable individual is one that can be determined, directly or indirectly, in particular by specifying an identifier such as name, identification number, location data, web identifier, or by indicating one or more factors specific to the physical, physiological, genetic , the mental, economic, cultural or social identity of that individual. In the light of the above, photographs are protected data under the General Regulation if they determine or enable the determinability of an individual, especially when the individual is clearly and unambiguously visible in the photograph and could thus be identified, identified and determined, or when processed with the photograph also other personal information about the individual (eg, his first and last name, his birth year, etc.). Therefore, if a photograph of a particular individual can be considered as protected personal data, it is most likely a collection of personal data that is processed only by its storage as well as by all subsequent processing operations, e.g. by posting. Any processing of personal data, including for the collection, storage, use, disclosure, disclosure, dissemination or otherwise of access, of a person must have a legitimate and appropriate legal basis. These are set out in Article 6 (1) of the General Regulation and are for the private sector as follows: - consent (point (a)), - the conclusion or performance of the contract (point (b)), - law or performance of public tasks (point (c) and (e) respectively), - legitimate interests that outweigh the interests of the individual (point (f)). Choosing the right legal basis for the processing of personal data, taking into account the specific circumstances and purpose of the processing, is the responsibility of the controller. For legal basics in the private sector, you can also view the infographics published on the IP website: https://www.ip-rs.si/fileadmin/user_upload/png/infografike/pravne_podlage_zasebni_sektor_s_pogoji_privolitve.pdf. IP has previously answered questions about posting photos, so we recommend that you familiarize yourself with the content of the optional reviews you find through a search engine at https://www.ip-rs.si/vop/ ( "Photos as OP" or "Media" category). From the IP Opinions issued, the recommendation is that, in order to use the photographs in a way that can easily identify the depicted individual, the operators obtain in advance the personal consent of that individual in accordance with Article 6 (1) (a) of the General Regulation.You can read more about the conditions for valid consent on the IP website https://www.ip-rs.si/zakonodaja/reforma-evropskega-zakonodajnega-okvira-za-varstvo-osebnih-podatkov/kljucna-podrocja-uredbe/privolitev/. Anyone who believes that anyone is in breach of the General Regulation or ZVOP-1 (in the section still applicable) can file a complaint with the IP. The IP then execute the appropriate inspection procedures ex officio. However, the application can be made by the worker herself or you as her employer. Reporting a violation of personal data protection has only the nature of an initiative to initiate an inspection procedure under the Inspection Act (Official Gazette of the Republic of Slovenia, No. 43/07 - Official Consolidated Text and 40/14). The applicant is therefore not a party to any inspection procedure. You can also read more about filing an application at the IP website https://www.ip-rs.si/varstvo-osebnih-podatkov/pravice-posameznika/vlozitev-prijave/. It is recommended that the application be submitted on the "ZIN APPLICATION FORM" form, which can be accessed at https://www.ip-rs.si/obrazci/varstvo-osebnih-podatkov/. The application can be sent by e-mail to email@example.com; or by regular mail to Dunajska cesta 22, 1000 Ljubljana.