Persónuvernd - 2020010425

From GDPRhub
Persónuvernd - 2020010425
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 6(1)(a) GDPR
Article 6(1)(f) GDPR
Article 58(1)(b) GDPR
Recital 38 GDPR
Type: Investigation
Outcome: Violation Found
Decided: 25.06.2020
Published: 30.06.2020
Fine: None
Parties: n/a
National Case Number/Name: 2020010425
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Icelandic
Original Source: Persónuvernd (in IS)
Initial Contributor: n/a

The Persónuvernd (Icelandic DPA) held that a bank's planned publication of photographs including children on its Facebook page was not in compliance with the GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

The Icelandic DPA was informed that a bank intended to publish photographs from a children's soccer tournament on their Facebook page. They initiated an investigation on the basis of previous advice from the Persónuvernd, which had directed people working with children not to use Facebook for sharing personal information about children. The bank replied that the parents and guardians of the children had given consent for the sharing of the photographs, and that they had several legitimate interests for using Facebook to share the photos, including taking advantage of a communication medium used by most Icelanders and building a positive image.

Dispute[edit | edit source]

Did the bank have a lawful basis to process the data under Article 6(1)(a) GDPR? Did the bank have a lawful basis to process the data under Article 6(1)(f) GDPR?

Holding[edit | edit source]

The Icelandic DPA decided that consent pursuant to Article 6(1)(a) GDPR could not be used as a lawful basis here, as the parents or guardians of the children had not been given a sufficient degree of information by the bank about the processing prior to it taking place.

It also decided that the bank did not have a legitimate interest under Article 6(1)(f) GDPR either. While the DPA accepted that marketing purposes are generally accepted as a legitimate interest for processing, they noted that the Recital 38 GDPR emphasised that the personal data of children should be given special protection, which they interpreted as excluding the use of children's personal data for marketing purposes. In light of this elevated degree of protection for children, the fact that the bank would not have full control over the photographs published on Facebook, was also a factor for the DPA in deciding there was no legitimate interest.

The DPA advised the bank to make the images accessible in an access-controlled manner to the sports clubs involved in the tournament as an alternative to using Facebook.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

Decision on Arion Bank's proposed publication of photos of children's soccer tournaments on the bank's Facebook page
Case no. 2020010425

06/30/2020

Privacy has taken a decision in the agency's initiative on Arion Bank's proposed release of photographs of teams in the Arion Banking Football Championship 2019 on its Facebook page. The conclusion was that the proposed processing was not permitted under Act no. 90/2018, on Privacy and Processing of Personal Information, and Regulation (EU) 2016/679.
decision


On June 25, 2020, the Board of the Privacy Protection readily made a decision in case no. 2020010425 (formerly 2019081543):
I.
procedures

1.
Start of case

Privacy received an indication that, according to a post on Arion Bank's Facebook page on August 18, 2019, Arion Bank tournament team photos in children's soccer would be included. made available on the bank's Facebook page within a few days. With this in mind, the Data Protection Authority decided to initiate a preliminary examination of the processing of personal data for the intended publication of photographs, cf. Paragraph 3 Article 39 Act no. 90/2018, on privacy and processing of personal information, cf. paragraph 1 (b) Article 58 Regulation (EU) 2016/679. For that reason, the agency sent the bank a letter dated. 20 s., Where reference was made to the Agency's recommendation of September 6, 2018 to kindergartens, elementary schools, leisure homes and sports associations on the use of social media. The letter highlighted that photographs of individuals were generally considered personal information and pointed out that the Recommendation was directed to those who work with children not to use Facebook or similar media for sharing personal information about them, whether for general or sensitive personal information. would be the case. At the same time, the letter requested clarification on what authority under Article 9. Act no. 90/2018, cf. Paragraph 1 Article 6 of the regulation, based on the disclosure and how the education of the registered and parents and custodians had been organized.

2.
Answers Arion banka

On August 30, 2019, Privacy Protection received a response from Arion Bank. Among other things, it says that to prevent photos from being taken by children and posted on Facebook without the consent of parents or guardians, the photo shoot was set up in such a way that it was not possible to enter the photo without leaving the competition area and into a special area where the shooting took place. At the entrance there were signs indicating that the photos were taken there and that the photos would be made available on Arion Bank's Facebook page. In addition, the letter was accompanied by a photograph depicting the said entrance at the 2019 event, as well as photographs of a series of people heading into a photographic area for the 2018 convention.

"Photoshoot
Pictures are taken of everyone
items and will be published on
Arion Bank's Facebook Page “

With reference to this, in a letter from Arion Bank he states that he believes the shooting in question has been authorized on the basis of approval, cf. Item 1 Article 9 Act no. 90/2018, cf. paragraph 1 (a) Article 6 Regulation (EU) 2016/679, as well as legitimate interests, cf. Item 6 the same articles of law, cf. paragraph 1 (f) Article 6 Regulation. In connection with consent states as a processing power that by making a decision to include their children in shooting, parents and guardians have given consent for the shooting, but they have been given the authority not to do so. Information that all pictures would be posted on the bank's Facebook page was made clear and presented in such a way that they did not bypass those who decided to accept the service. No other information has been mixed up with the announcement of the video posting on the bank's Facebook page and the education has been simple and easy to understand. It is not required that written consent be given, but it must be provided with some kind of action on the part of the registered person and the Bank considers that accompanied by a child with a child in such a shooting involves such an action.

With regard to the aforementioned Privacy Recommendation, the Bank's position is that they cannot be barred from the possibility that Arion Bank can obtain consent or have legitimate interests in using Facebook as a communication medium for personal information. The Bank's facilities vis-à-vis the children are different from the facilities of schools and sports clubs, provided that the parties are supervised by children while staying with them part of the day and receiving instruction. Parents and guardians are not close during the day and cannot make decisions about the processing of personal information. At the Arion Bank Tournament, the Bank is a sponsor offering the services of a photographer to take team photos on request and published in a pre-advertised manner. The Bank does not take care of the children and therefore its involvement is in no way comparable to the involvement of kindergartens, elementary schools, leisure homes and sports clubs.

Subsequently, Arion Bank has, among other things, a legitimate interest in taking advantage of Facebook's services as a communication medium, as this is the medium that most Icelanders use in their personal lives. In addition, Arion Bank also has legitimate interests in maintaining relationships with the community, building a positive image with participation in the community and promoting it. Publishing pictures of the tournament in question is the highlight of electronic contact with Icelanders, who are the bank's target audience, and receives the most positive feedback from the public and response. Therefore, significant interests are at stake for the bank.

The letter states that the Bank did not publish the images in question on the Bank's Facebook page in light of the fact that the Data Protection Authority has initiated an initiative on the legitimacy of the processing. It is also stated that similar team photos have been published on the Bank's Facebook page 2017 and 2018. However, the Data Protection Authority does not disclose how the processing was done. In conjunction with this decision, a letter was sent to Arion Bank requesting clarification.

II.
Assumptions and conclusion

1.
Scope - Guarantee

Scope of Act no. 90/2018, on privacy and processing of personal data, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thus the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partially or fully automated and the processing of methods other than automatic processing of personal data that is or should become part of a file.

Personal information includes information about a person or person who is personally identifiable and can be considered as personally identifiable if he or she can be directly or indirectly identified by reference to his or her identity or one or more of the characteristics characteristic of him, cf. Point 2 of Article 3 of the Act and item 1 of Article 4. Regulation.

Processing means an action or series of actions in which personal information is processed, whether the processing is automatic or not, cf. Point 4 of Article 3 2 of the Act and Article 2, Art. Regulation.

This case relates to the planned release of photographs of teams participating in a children's soccer tournament on Arion Bank's Facebook page. Photographs of individuals are generally considered personal information. Respectfully, and with due regard to the above provisions, this matter concerns the processing of personal information that falls under the sphere of privacy.

The person responsible for processing personal data complies with Act no. 90/2018 is named as the guarantor. According to Article 3 (6). the Act refers to an individual, legal entity, governmental authority or other party who decides alone or in collaboration with other purposes and methods for processing personal information, cf. Item 7 Article 4 Regulation. As is the case here, Arion Bank is considered to be the guarantor of the processing in question.

2.
Legality of processing

All processing of personal data must be subject to any of the provisions of Article 9. Act no. 90/2018, cf. Paragraph 1 Article 6 Regulation (EU) 2016/679. In addition, the processing of sensitive personal information, cf. Point 3 Article 3 the same law, cf. Paragraph 1 Article 9 of the Regulation, to comply with any of the additional conditions of Article 11. of the Act, cf. Paragraph 2 Article 9 Regulation. In the cases in question, it will not be considered that this is personal information that can be considered as sensitive or sensitive.

According to point 1. Paragraph 1 Article 9 Act no. 90/2018 the processing of personal data is authorized on the basis of the consent of the data subject, cf. paragraph 1 (a) Article 6 Regulation. According to paragraph 8. Article 3 the same act is deemed to be unrestricted, specific, informed and unambiguous declaration of intent by the data subject that he agrees, with a declaration or unequivocal confirmation, the processing of personal information about him, cf. Item 11 Article 4 Regulation. The definition means that approval must be provided by some action on the part of the data subject. In this case, the registered minors and their custodial parents comply with their legal representation, cf. Paragraph 5 Article 28 Children's Act no. 76/2003, and thus eligible to consent to the processing of their personal information.

In order for consent to be considered informative, the guarantor must provide the registered minimum education, prior to obtaining consent, in order for the data subject to understand what he or she is accepting and its consequences. Among the items that need to be learned are that a registered person has the right to withdraw his consent at any time and that the guarantor must be able to demonstrate that the registered person has accepted the processing of personal data on him. It is clear that the only education that Arion Bank provided to the registered person was on a sign at the site where the shooting took place, which said that photos would be taken by all teams and posted on the bank's Facebook page. According to this, it is clear that the custody of the children in question is unequivocal.

According to paragraph 6. Paragraph 1 Article 9 Act no. 90/2018, the processing of personal data is permissible if it is necessary for legitimate interests that the guarantor may hold except for the interests or fundamental rights and freedoms of the data subject which outweigh the protection of personal data, especially when the data subject is a child, cf. paragraph 1 (f) Article 6 Regulation. In general, the marketing of banks is considered to be authorized on the basis of legitimate interests. However, the nature of the processing in question and the fact that the registered are children must be considered here.

Paragraph 38 of the preamble to the Regulation states that the personal information of children should be given special protection, as they may be less aware of the risks, consequences and rights associated with their processing. This special protection should in particular apply to the use of children's personal information for marketing purposes. In addition, this protection includes, among other things, the right to erase personal information to children and can thus have a greater right than adults to delete information about them, e.g. on the Internet. In the terms of Facebook, which users of the medium accept, Facebook states that the information collected through the site is collected by Facebook. When Arion Bank publishes photographs of children on the bank's Facebook page, they are simultaneously shared to Facebook. It is clear that Facebook shares personal information with companies linked to Facebook, as well as other parties, under specified circumstances. Arion Bank therefore does not have full control over the photographs that the Bank inserts there. In this context, it may be noted that the Privacy Policy of September 6, 2018 for kindergartens, elementary schools, leisure homes, and sports associations recommends that all other public and private entities working with children should not use Facebook or similar media sharing of personal information about children.

At the same time, it should be considered that, as is the case here, legitimate interests could be considered in particular as the legal basis for the processing of personal data in the light of the appropriate relationship between the data subject and the guarantor. Examples of links that are considered here are when the other person is the client of the guarantor or in his service. Such a relationship was not to be disseminated in this matter as the registered children are. In view of the foregoing, as well as the fact that Arion Bank did not provide satisfactory education to the registered person, it will not be considered that Arion Bank can have legitimate interests in the display, but there will be extensive requirements for education for the registered person when working with personal information on the basis of this processing authorization.

In light of the above, the conclusion of the Data Protection Authority is that Arion Bank's proposed publication of photographs of teams participating in the bank's 2019 football tournament on its Facebook page does not comply with Act no. 90/2018, on privacy and processing of personal information, cf. Regulation (EU) 2016/679.

In accordance with this conclusion, and with reference to paragraph 6. Article 42 Act no. 90/2018, it is hereby proposed to Arion Bank to make the images in question accessible only in an access-controlled manner to the sports clubs concerned, so that they can act as intermediaries for the delivery of images to the custodians of the children, cf. paragraph 2 (f) Article 58 Regulation. Confirmation that these instructions have been complied with shall be received no later than July 27, 2020.

At a glance:

Arion Bank's planned publication of photographs of teams in the 2019 football tournament on its Facebook page is not in compliance with Act no. 90/2018, on privacy and processing of personal information, cf. Regulation (EU) 2016/679.

Arion Bank shall only make the images in question accessible to the sports clubs concerned in an access-controlled manner. Confirmation that these instructions have been complied with shall be received no later than July 27, 2020.

In Privacy, June 25, 2020.

Björg Thorarensen
chairman

Ólafur Garðarsson        Björn Geirsson

Vilhelmína Haraldsdóttir   Þorvarður Kári Ólafsson