Persónuvernd - 2020010425
|Persónuvernd - 2020010425|
|Relevant Law:||Article 6(1)(a) GDPR|
Article 6(1)(f) GDPR
Article 58(1)(b) GDPR
Recital 38 GDPR
|National Case Number/Name:||2020010425|
|European Case Law Identifier:||n/a|
|Original Source:||Persónuvernd (in IS)|
The Persónuvernd (Icelandic DPA) held that a bank's planned publication of photographs including children on its Facebook page was not in compliance with the GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
The Icelandic DPA was informed that a bank intended to publish photographs from a children's soccer tournament on their Facebook page. They initiated an investigation on the basis of previous advice from the Persónuvernd, which had directed people working with children not to use Facebook for sharing personal information about children. The bank replied that the parents and guardians of the children had given consent for the sharing of the photographs, and that they had several legitimate interests for using Facebook to share the photos, including taking advantage of a communication medium used by most Icelanders and building a positive image.
Dispute[edit | edit source]
Did the bank have a lawful basis to process the data under Article 6(1)(a) GDPR? Did the bank have a lawful basis to process the data under Article 6(1)(f) GDPR?
Holding[edit | edit source]
The Icelandic DPA decided that consent pursuant to Article 6(1)(a) GDPR could not be used as a lawful basis here, as the parents or guardians of the children had not been given a sufficient degree of information by the bank about the processing prior to it taking place.
It also decided that the bank did not have a legitimate interest under Article 6(1)(f) GDPR either. While the DPA accepted that marketing purposes are generally accepted as a legitimate interest for processing, they noted that the Recital 38 GDPR emphasised that the personal data of children should be given special protection, which they interpreted as excluding the use of children's personal data for marketing purposes. In light of this elevated degree of protection for children, the fact that the bank would not have full control over the photographs published on Facebook, was also a factor for the DPA in deciding there was no legitimate interest.
The DPA advised the bank to make the images accessible in an access-controlled manner to the sports clubs involved in the tournament as an alternative to using Facebook.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.