Right to erasure: Controller ordered to delete photos
The right to erasure is behind the Slovenian supervisory authority IPRS’s recent decision ordering a controller to delete 88 photos.
The Slovenian SA recently ordered a data controller to delete a collection of 88 photos of a data subject, taken over a period of time 7 to 15 years ago. The order, which came this July, was on the basis of the data subject’s right to erasure, as reported by the EDPB. Article 17 of the GDPR gives data subjects the right to obtain, from the controller, the erasure of personal data concerning him or her without undue delay, under certain conditions. The controller in this case, a content production agency creating content on the topic of lifestyle, processed a collection with a total of 88 photos of the data subject, who was the complainant in this case. The data subject claimed she did not give permission to have her personal data processed, and then explicitly objected to the processing of her personal data, stating also that there were no compelling legitimate grounds for the processing of her data.
The controller declined the data subject’s demand to have the photos deleted, claiming that the processing was lawful.
The controller refused the data subject’s demands to have her photos removed, claiming that the processing was lawful under Article 6(1)(f) of the GDPR. However, the controller’s claims that the processing was needed for exercising its freedom of expression with regard to media activities, as well as for the public’s right to information and on the basis of legitimate interests, did not hold up. The Supervisory Authority maintained that the data subject in this case has the right to erasure of her personal data, and that the right to personal data protection needs to be balanced with the right to freedom of expression and information.
The photos and other data features on the website were organized in such a way that a profile could be created on the data subject through a search of her name.
The Slovenian Supervisory Authority found that all the photos indeed represented personal data which formed part of a filing system. The thumbnail and the description of the photos were accompanied by the first and last name of the individual. From the photos and the information provided, it was possible to determine which events she attended, who her company was, and also her personal characteristics. A search for the data subject’s name through the website’s search engine could create a profile highlighting the photos and data about her in particular. The content of the website cannot be understood as reporting on a specific event, because it enables a search on the basis of first and last name.
The Supervisory Authority ordered the removal of the photos and any related data, upholding the data subject’s right to erasure.
The Supervisory Authority ordered that the controller must delete not just the photos from the website, but also the name of the individual, the URL address and any metadata that enabled access to the photographs. Publications of this nature are usually intended only for revealing interesting information to satisfy the curiosity of members of the public who seek information about public events and on the personal lives of specific people. However, by the Slovenian Supervisory Authority’s measure, the data subject was not an absolute public figure, and the content of the website did not contribute to any debate of social importance, nor did it relate to any topic of public interest. In addition, the controller failed to demonstrate its legitimate interests. As a result, the Slovenian SA decided to uphold the complaint.