Persónuvernd - 2020010550
Persónuvernd - 2020010550 | |
---|---|
Authority: | Persónuvernd (Iceland) |
Jurisdiction: | Iceland |
Relevant Law: | Article 4(1) GDPR Article 6 GDPR Recital 18 GDPR Article 9 of the Icelandic Act no. 90/2018 Article 3(2) of the Icelandic Act no. 90/2018 Article 8 ECHR Article 10 ECHR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 27.08.2020 |
Published: | 28.09.2020 |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | 2020010550 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Icelandic |
Original Source: | Persónuvernd (in IS) |
Initial Contributor: | n/a |
The Icelandic Data Protection Authority (Persónuvernd) held that the publication of an individual's personal information about another person on their Facebook page occurred in breach of Article 6 GDPR.
English Summary
Facts
A data subject complained to the Persónuvernd that his personal data was published by another individual on the latter's Facebook page. The complainant also attached a screenshot with the complaint to the DPA, and the individual who had posted the information did not respond to the DPA's invitations to submit explanations regarding the complaint.
More specifically, the data published on the Facebook page included the complainant's ID number, account number, and summary of payments to the complainant's bank account. Furthermore, the defendant's Facebook page was open and accessible to all those who are registered on social media. If a URL that directly refers to the post in question and the documents that accompany it were used, they were also accessible to those who are not registered.
Dispute
Was the publishing of the information regarding the claimant lawful based on Article 9 of Act no. 90/2018 (the national implementation of Article 6 GDPR)?
Holding
The Persónuvernd held that the publishing of the complainant's information constituted an unlawful processing of personal data in breach of Article 6 GDPR.
In its reasoning, the DPA first examined whether the publishing of the complainant's ID number, account number, and summary of payments to the complainant's bank account constituted processing of personal data. Despite the DPA not having explicitly mentioned Recital 18 GPDR, it did state that the processing did not only cover personal information intended for personal use. A main reason for the household exemption not applying was that the Facebook page was not closed, but open to be accessible to anyone who had the URL of the post in question.
The DPA then examined the defendant's potential exercise of his freedom of expression based on Article 10 ECHR and its relation to Article 8 ECHR. The Persónuvernd first noted that expressing one's views and beliefs, as well as value judgements based on facts, do not constitute personal data and the DPA would not be competent to assess whether an individual has violated the Icelandic Constitution which protects the aforementioned ECHR rights and freedoms. However, the Persónuvernd then noted that the photos and screenshots posted on Facebook constituted information which can be objectively verifiable, for example by consulting the national register and the customer systems of the financial undertaking in question. The DPA reasoned that this information went beyond merely expressing one's views and value judgements, and constituted personal data processing which the DPA was competent to examine.
As there was no valid legal basis for the personal data processing, the Persónuvernd held that the publishing of the complainant's information in the form of Facebook posts occurred in breach of Article 6 GDPR. The DPA therefore ordered that the electronic summary of payments be removed from the Facebook page.
Comment
A similar case was published by the Persónuvernd on the same day (Case no. 2020010610). This complaint differed in the information which was published, as the Facebook post in this case concerned the complainant's address.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.
Publication of personal information on an individual's Facebook page Case no. 2020010550 28.9.2020 The Data Protection Authority has ruled that the publication of an individual's personal information about another person on their Facebook page is not in accordance with Act no. 90/2018, on personal protection and processing of personal information. This was the complainant's ID number, account number and summary of payments to the complainant's bank account. The ruling also states that the opinions of individuals and value judgments about another individual are not considered personal information about the latter and therefore do not fall within the scope of the Act. The aforementioned information on the complainant's ID number, account number and summary of payments into the complainant's bank account is, on the other hand, considered personal information and the Data Protection Authority is therefore competent to rule on the legality of its processing. The conclusion of the Data Protection Authority was that the processing of the information in question did not support the authorization according to Article 9. Ruling At a meeting of the Board of the Data Protection Authority on 27 August 2020, the following ruling was issued in case no. 2020010550 (formerly 2019030709): I. Procedure 1. Outline of case On March 18, 2019, the Data Protection Authority received a complaint from [A] ([hereinafter the complainant]) regarding the publication of [the individual Y]'s personal information about [the complainant] on the Facebook page [Y]. The complaint was accompanied by a screenshot of the information in question. By letter dated On 8 July 2019, repeatedly on 28 August and 29 October, [Y] was invited to submit explanations regarding the complaint. No responses were received. The handling of the case has been delayed due to a lot of work by the Data Protection Authority. 2. The complainant's views The complainant is based on the fact that [Y] published a summary of payments into the complainant's bank account without […] consent on his Facebook page. The summary contained information on the amounts of payments, the complainant's ID number and account number […]. [Y] had violated the complainant's rights with the publication. II. Assumptions and conclusion 1. Scope - Responsible party Scope of Act no. 90/2018, on personal data protection and the processing of personal data, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partly or wholly automatic and the processing by other methods than automatic of personal data that are or are to become part of a file. Personal information includes information about a person who is personally identifiable or personally identifiable, and an individual is considered personally identifiable if it is possible to identify him or her, directly or indirectly, with reference to his or her identity or one or more factors that are characteristic of him or her, cf. 2. tölul. Article 3 of the Act and point 1. Article 4 of the Regulation. Processing refers to an operation or series of operations in which personal information is processed, whether the processing is automatic or not, cf. Number 4 Article 3 of the Act and point 2. Article 4 of the Regulation. According to para. Article 4 Act no. 90/2018, their provisions and the Regulation do not apply to an individual's processing of personal information that only concerns his or her personal interests or his or her family or is intended solely for personal use. In Article 18 The preamble to the regulation states, among other things, that processing that is only for the benefit of an individual or his family can, for example, include the use of social media and Internet use that takes place in connection with such processing. This case concerns the publication of information on ID number, account number and payments to the complainant on the Facebook page [Y], but the site is open and accessible to all those who are registered on social media. If a URL that directly refers to the post in question and the documents that accompany it are used, they are also accessible to those who are not registered in the medium. Therefore, it will not be considered that the processing, contained in the publication only covers personal information intended for personal use. In this respect and with regard to the above provisions, this case concerns the processing of personal information which falls within the scope of Act no. 90/2018. The person responsible for the processing of personal information complies with Act no. 90/2018 is named the responsible party. According to point 6. Article 3 of the Act refers to an individual, legal entity, government authority or other party who decides alone or in collaboration with other purposes and methods of processing personal information, cf. 7. tölul. Article 4 of the Regulation. As such, [Y] is considered to be responsible for the processing in question. [...] 2. Privacy - Freedom of expression and protection of personal information As such, the significance of the fact that the processing of personal data complained of constitutes an expression protected by Article 73 may be considered. The Constitution of the Republic of Iceland, no. 33/1944, Coll. also Article 10. European Convention on Human Rights. In the first paragraph. Article 73 of the Constitution states that everyone is free in their opinions and convictions, and in para. the same article states that every person has the right to express his or her thoughts, but to be held accountable in court. Then it says in the 1st paragraph. Article 10 the European Convention on Human Rights states that everyone has the right to freedom of expression. This right shall also include the freedom to hold opinions, receive and pass on information and ideas at home and abroad without government intervention. When a party exercises its freedom to express its views and beliefs in accordance with the above, as well as value judgments about individuals based on facts, the Data Protection Authority has considered that the institution is not competent to assess whether a party has violated the Constitution. his freedom of expression in relation to the privacy of an individual who enjoys protection under Article 71. of the Constitution and Article 8. of the Convention on Human Rights and thus take responsibility for the law. Since people's opinions or ideas about individuals are not considered personal information about the latter within the meaning of point 2. Article 3 Act no. 90/2018, disputes do not fall within the scope of the law, but it is up to the courts to decide where the boundaries lie between the constitutionally protected rights in each case. The complaint that is being resolved here concerns, as stated above, the dissemination of information on the amounts of payments [...] to the complainant, ID number […] and account number with the publication of a summary to that effect. The summary in question was one of several photos and screenshots that the responsible person published with two posts on his Facebook page [...]. It is clear that the text of the entries includes the responsible person's expression of [his own views] and convictions. The text also implies that the guarantor has published a copy of the statement in question of payments to the complainant in order to support the allegations made therein. On the other hand, it cannot be ignored that the summary only contains facts that can be verified in an objective manner, for example by looking up in the national register and the customer systems of the financial undertaking in question. It contains personal information about the complainant which the Data Protection Authority is competent to discuss on the basis of Act no. 90/2018. 3. Legality of processing All processing of personal data must be covered by one of the authorization provisions of Article 9. Act no. 90/2018. It may be mentioned that personal data may be processed if the data subject has given his consent to the processing for the benefit of one or more specific purposes, cf. 1. tölul. of that article, or if the processing is necessary due to legitimate interests that the responsible party or a third party may pursue, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data outweigh, cf. 6. tölul. same articles. In addition to the authorization according to the above, the processing of personal data must satisfy all the principles of the first paragraph. Article 8 Act no. 90/2018, Coll. Article 5 Regulation (EU) 2016/679. Among other things, it stipulates that personal information shall be processed in a lawful, fair and transparent manner towards the data subject (point 1); that they shall be obtained for clearly defined, legitimate and objective purposes and not further processed for other and incompatible purposes (point 2); and that they shall be sufficient, appropriate and not in excess of what is necessary for the purpose of the processing (point 3). As stated above, no responses were received from the responsible party during the operation of the case. In the opinion of the Data Protection Authority, the dissemination of personal information in question could not be based on sources other than point 6. Article 9 Act no. 90/2018. It is clear from the wording of the provision that before a decision is made on the basis of it, a certain assessment of interests must be carried out. Without further information or arguments on the part of the guarantor in this regard, however, it cannot be considered that the interests which may have called for the publication of information about the complainant in the guarantor's opinion outweighed the complainant's interests because the information would not be published. It is then clear that the complainant [opposes] the publication. In view of the above, the conclusion of the Data Protection Authority is that [Y]'s processing of personal information about the complainant is not in accordance with Act no. 90/2018, on personal protection and processing of personal information. In accordance with this conclusion, and with reference to points 6 and 7. Article 42 Act no. 90/2018, it is hereby proposed that [Y] remove from its Facebook page an electronic summary of payments [...] to the complainant, more specifically in entries published on [...]. Confirmation that these instructions have been followed shall be received by the Data Protection Authority no later than 24 September 2020. Ú r s k u r ð a r o r ð: Processing [Y] of personal information about [A] by publishing personal information about [complainant] on Facebook is not in accordance with Act no. 90/2018, on personal protection and processing of personal information. With reference to points 6 and 7. Article 42 Act no. 90/2018, it is hereby proposed that [Y] remove from its Facebook page an electronic summary of payments [...] to the complainant, more specifically in entries published on [...]. Confirmation that these instructions have been followed shall be received by the Data Protection Authority no later than 24 September 2020. In Privacy, August 27, 2020 Björg Thorarensen chairman Ólafur Garðarsson Björn Geirsson Vilhelmína Haraldsdóttir Þorvarður Kári Ólafsson