Persónuvernd - 2020010610

From GDPRhub
Persónuvernd - 2020010610
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 4(1) GDPR
Article 6(1)(f) GDPR
Recital 18 GDPR
Article 9 of the Icelandic Act no. 90/2018
Article 8 ECHR
Article 10 ECHR
Article 3(2) of the Icelandic Act no. 90/2018
Type: Complaint
Outcome: Upheld
Decided: 27.08.2020
Published: 28.09.2020
Fine: None
Parties: n/a
National Case Number/Name: 2020010610
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Icelandic
Original Source: Persónuvernd (in IS)
Initial Contributor: n/a

The Icelandic Data Protection Authority (Persónuvernd) held that the publication of an individual's personal information (address) about another person on their Facebook page occurred in breach of Article 6 GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

A data subject complained to the Persónuvernd that his personal data was published by another individual on the latter's Facebook page. The complainant also attached a screenshot with the complaint to the DPA, and the individual who had posted the information did not respond to the DPA's invitations to submit explanations regarding the complaint.

More specifically, the data published on the Facebook page included the complainant's address, which the complainant had previously removed from a telephone directory for security purposes. Furthermore, the defendant's Facebook page was open and accessible to all those who are registered on social media. If a URL that directly refers to the post in question and the documents that accompany it were used, they were also accessible to those who are not registered.

Dispute[edit | edit source]

Was the publishing of the information regarding the claimant lawful based on Article 9 of Act no. 90/2018 (the national implementation of Article 6 GDPR)?

Holding[edit | edit source]

The Persónuvernd held that the publishing of the complainant's information constituted an unlawful processing of personal data in breach of Article 6(1)(f) GDPR.

In its reasoning, the DPA first examined whether the publishing of the complainant's address constituted processing of personal data. Despite the DPA not having explicitly mentioned Recital 18 GPDR, it did state that the processing did not only cover personal information intended for personal use. A main reason for the household exemption not applying was that the Facebook page was not closed, but open to be accessible to anyone who had the URL of the post in question.

The DPA then examined the defendant's potential exercise of his freedom of expression based on Article 10 ECHR and its relation to Article 8 ECHR. The Persónuvernd first noted that expressing one's views and beliefs, as well as value judgements based on facts, do not constitute personal data and the DPA would not be competent to assess whether an individual has violated the Icelandic Constitution which protects the aforementioned ECHR rights and freedoms. However, the Persónuvernd then noted that the photos and screenshots posted on Facebook constituted information which can be objectively verifiable, for example by consulting the national registry. The DPA reasoned that this information went beyond merely expressing one's views and value judgements, and constituted personal data processing which the DPA was competent to examine.

As there was no valid legal basis for the personal data processing, the Persónuvernd held that the publishing of the complainant's information in the form of Facebook posts occurred in breach of Article 6 GDPR. More specifically, the DPA stated that the only potential legal ground for processing would have been Article 6(1)(f), but that the interests of the complainant outweighed the interests of the defendant. The DPA therefore ordered that the electronic summary of payments be removed from the Facebook page.

Comment[edit | edit source]

A similar case was published by the Persónuvernd on the same day (Case no. 2020010550). This complaint differed in the information which was published, as the Facebook post in this case concerned the complainant's ID number, account number, and summary of payments to the complainant's bank account.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

Publication of personal information on an individual's Facebook page
Case no. 2020010610
28.9.2020
The Data Protection Authority has ruled that the publication of an individual's personal information about another person on their Facebook page is not in accordance with Act no. 90/2018, on personal protection and processing of personal information. This was information about the complainant's address. The ruling also states that the opinions of individuals and value judgments about another individual are not considered personal information about the latter and therefore do not fall within the scope of the Act. The aforementioned information about the complainant's address is, on the other hand, considered personal information and the Data Protection Authority is therefore competent to rule on the legality of its processing. The conclusion of the Data Protection Authority was that the processing of the information in question did not support the authorization according to Article 9. of the Act and it was proposed that the responsible party eradicate them. 

Ruling

At a meeting of the Board of the Data Protection Authority on 27 August 2020, the following ruling was issued in case no. 2020010610 (formerly 2019040811):

I.
Procedure

1.
Outline of case
On March 29, 2019, the Data Protection Authority received a complaint from [A] ([hereinafter the complainant]) regarding the publication of [documents] where the complainant's address is clear on the Facebook page [Y]. The complaint was accompanied by a screenshot of the Facebook page in question. By letter dated On 8 July 2019, repeatedly on 28 August and 29 October, [Y] was invited to submit explanations regarding the complaint. No responses were received.

The handling of the case has been delayed due to a lot of work by the Data Protection Authority.

2.
The complainant's views
The complainant is based on the fact that [individual Y] has published [documents] on his Facebook page where, among other things, the complainant's address can be seen. For security reasons, the complainant had removed his address, for example from a telephone directory. […] The complainant considers that the publication on the Facebook page [Y] involves the processing of personal information within the meaning of Act no. 90/2018, on the protection of personal data and the processing of personal data, which is not based on any of the authorizations provided for in Article 9. of the Act. Even if [Y] was considered to have a legitimate interest in the publication of the documents, it could well have been published in such a way that personal information which had no value for the substance of the case, such as the complainant's address, was erased.

II.
Assumptions and conclusion

1.
Scope - Responsible party
Scope of Act no. 90/2018, on personal data protection and the processing of personal data, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partly or wholly automatic and the processing by other methods than automatic of personal data that are or are to become part of a file.

Personal information includes information about a person who is personally identifiable or personally identifiable, and an individual is considered personally identifiable if it is possible to identify him or her, directly or indirectly, with reference to his or her identity or one or more factors that are characteristic of him or her, cf. 2. tölul. Article 3 of the Act and point 1. Article 4 of the Regulation.

Processing refers to an action or series of actions in which personal information is processed, whether the processing is automatic or not, cf. Number 4 Article 3 of the Act and point 2. Article 4 of the Regulation.

According to para. Article 4 Act no. 90/2018, their provisions and the Regulation do not apply to an individual's processing of personal information that only concerns his or her personal interests or his or her family or is intended solely for personal use. In Article 18 The preamble to the regulation states, among other things, that processing that is only for the benefit of an individual or his family can, for example, include the use of social media and Internet use that takes place in connection with such processing. This case concerns the publication of a document that contains information about the complainant's address on Facebook page [Y], but is open and accessible to all those who are registered on social media. If a URL that directly refers to the post in question and the documents that accompany it are used, they are also accessible to those who are not registered in the medium. Therefore, it will not be considered that the processing, contained in the publication only covers personal information intended for personal use. In this respect and with regard to the above provisions, this case concerns the processing of personal information which falls within the scope of Act no. 90/2018.

The person responsible for the processing of personal information complies with Act no. 90/2018 is named the responsible party. According to point 6. Article 3 of the Act refers to an individual, legal entity, government authority or other party who decides alone or in collaboration with other purposes and methods of processing personal information, cf. 7. tölul. Article 4 of the Regulation. As such, [Y] is considered to be responsible for the processing in question.

2.
Privacy -
Freedom of expression and protection of personal information
As such, the significance of the fact that the disclosure of personal information complained of constitutes an expression protected by Article 73 may be considered. The Constitution of the Republic of Iceland, no. 33/1944, Coll. also Article 10. European Convention on Human Rights.

In the first paragraph. Article 73 of the Constitution states that everyone is free in their opinions and convictions, and in para. the same article states that every person has the right to express his or her thoughts, but to be held accountable in court. Then it says in the 1st paragraph. Article 10 the European Convention on Human Rights states that everyone has the right to freedom of expression. This right shall also include the freedom to hold opinions, receive and pass on information and ideas at home and abroad without government intervention.

When a party exercises its freedom to express its views and beliefs in accordance with the above, as well as value judgments about individuals based on facts, the Data Protection Authority has considered that the institution is not competent to assess whether a party has violated the Constitution. his freedom of expression in relation to the privacy of an individual who enjoys protection under Article 71. of the Constitution and Article 8. of the Convention on Human Rights and thus take responsibility for the law. Since people's opinions or ideas about individuals are not considered personal information about the latter within the meaning of point 2. Article 3 Act no. 90/2018, disputes do not fall within the scope of the law, but it is up to the courts to decide where the boundaries lie between the constitutionally protected rights in each case.

The complaint that is being resolved here relates, as stated above, to the dissemination of information about the complainant's address by publishing [electronic copies of documents] where that information was provided. [Documents in question] published by the responsible party with a post on his Facebook page [...]. It is clear that the text of the entry itself implies the responsible person's expression of [his own views] and convictions, and the same can be said of the substantive content of [the aforementioned documents]. On the other hand, it will not be overlooked that information about the complainant's address is considered to be facts that can be verified objectively, for example by looking up the National Registry. This is therefore personal information about the complainant that the Data Protection Authority is competent to discuss on the basis of Act no. 90/2018.

3.
Legality of processing
All processing of personal data must be subject to one of the authorization provisions of Article 9. Act no. 90/2018. It may be mentioned that personal data may be processed if the data subject has given his consent to the processing for the benefit of one or more specific purposes, cf. 1. tölul. of that article, or if the processing is necessary due to legitimate interests that the responsible party or a third party may pursue, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data outweigh, cf. 6. tölul. same articles.

In addition to the authorization according to the above, the processing of personal data must satisfy all the principles of the first paragraph. Article 8 Act no. 90/2018, Coll. Article 5 Regulation (EU) 2016/679. Among other things, it stipulates that personal information shall be processed in a lawful, fair and transparent manner towards the data subject (point 1); that they shall be obtained for clearly defined, legitimate and objective purposes and not further processed for other and incompatible purposes (point 2); and that they shall be sufficient, appropriate and not in excess of what is necessary for the purpose of the processing (point 3).

As stated above, no responses were received from the responsible party during the operation of the case. In the opinion of the Data Protection Authority, the dissemination of personal information in question could not be based on sources other than point 6. Article 9 Act no. 90/2018. It is clear from the wording of the provision that before a decision is made on the basis of it, a certain assessment of interests must be carried out. Without further information or arguments on the part of the guarantor in this regard, however, it cannot be considered that the interests which may have called for the publication of information about the complainant in the guarantor's opinion outweighed the complainant's interests because the information would not be published. It is then clear that the complainant [opposes] the publication.

In view of the above, the conclusion of the Data Protection Authority is that [Y]'s processing of personal information about the complainant is not in accordance with Act no. 90/2018, on personal protection and processing of personal information.

In accordance with this conclusion, and with reference to points 6 and 7. Article 42 Act no. 90/2018, it is hereby proposed to [Y] to delete information about the complainant's address from an electronic copy of [document], which was published on the Facebook page [Y] with a post of [...]. Confirmation that these instructions have been followed shall be received by the Data Protection Authority no later than 24 September 2020.


Ú r s k u r ð a r o r ð:
Processing [Y] of personal information about [X], by publishing information about [complainant's] address on Facebook, is not in accordance with Act no. 90/2018, on personal protection and processing of personal information.

With reference to points 6 and 7. Article 42 Act no. 90/2018, it is hereby proposed to [Y] to delete information about the complainant's address from an electronic copy of [document], which was published on the Facebook page [Y] with a post of [...]. Confirmation that these instructions have been followed shall be received by the Data Protection Authority no later than 24 September 2020.

In Privacy, August 27, 2020


Björg Thorarensen
chairman


Ólafur Garðarsson Björn Geirsson


Vilhelmína Haraldsdóttir Þorvarður Kári Ólafsson