Activity Report of the Saxon Data Protection Commissioner 2017/2018

The Saxon Data Protection Commissioner has published his activity report for the years 2017 and 2018. Among other things, it states the following:

  • Property managers are not processors acting on behalf of the homeowners, but independent controllers.
  • The use of a dashcam is in any case not covered by a legitimate interest if the traffic situation is recorded permanently and without cause.
  • Taking photos at public events can be in the legitimate interest of the organizer, insofar as the photos have a connection to the event, especially since the participants of a public event will assume that photographs will be taken.

    “However, this can no longer be assumed if the persons to be photographed obviously refuse to be photographed, photos are taken covertly or secretly, photos may discredit the persons photographed, or the privacy of the persons photographed is affected.”

    When children are included, the balancing of interests must be carried out with particular care. – If photos are published on the Internet: according to Section 23 of the German Art Copyright Act (KUG), publication without consent

    “in particular, [is] permissible when the persons in the images appear only as incidental features next to a landscape or other locality.”

    Here, too, the controller may be able to invoke a legitimate interest, but the event participants must be made aware of the planned publication on the Internet. – Photos of people wearing glasses, for example, are not in principle special categories of personal data:

    “Using a photograph that shows a large number of people, including, for example, people wearing glasses, at a public event does not convey health information about those people but rather documents the event. If, on the other hand, a photo is published with an accompanying text that refers to a specific disability of the persons photographed, and if the photo serves, for example, to indicate possible therapies, there may be a processing of health data.”

  • The report also addresses data protection in sports competitions.
  • For the provision of the information required by Art. 13 GDPR (privacy notice), the following applies:

    “The ‘communication’ of the information does not require an active approach to the data subject, but is to be understood, in line with the English version ‘provide’, as a ‘making available’. This can be done ‘by appropriate measures’ of the controller (Article 12(1) GDPR), which can complement each other (notice, information sheet, statement on the website, text section in the contract, oral notice, …). What is crucial is that the information can reasonably be obtained by the data subject.”

    In the pre-contractual relationship, it can be particularly difficult to provide all of the relevant information at first contact.

    “To the extent that information is missing from this first collection step (e.g., the contact details of the data protection officer, Article 13(1)(b) GDPR, or the designation of the legal basis, Article 13(1)(c) GDPR), the supervisory authority considers that this may take place at a later collection or processing step (e.g. as a link in the signature of an e-mail response). The decisive factor here is whether the circumstances of the first collection are ‘suitable’ (or ‘not suitable’) to make this information properly possible.”

  • For extensive requests for information (access requests), the controller may ask the data subject whether initial information is sufficient and otherwise ask them to specify to which information or processing operations the request relates. A reasonable period of time should be allowed for the reply.
  • If online providers offer the option of staying logged in (via a cookie) but pre-check the corresponding “stay logged in” box, they thereby violate the obligation to use data-protection-friendly default settings (Article 25(1) GDPR).
  • The report also addresses the weighing of interests when using online tools.
  • The use of WhatsApp in a business environment is “problematic”. Because WhatsApp accesses contact data by default, the principle of “privacy by design” is violated. However, the use of WhatsApp is permissible if WhatsApp cannot access customers’ contact data, if customers are informed in advance of the “data protection issues”, if they are offered an alternative secure communication channel, and if WhatsApp cannot access data of customers who do not communicate via WhatsApp (e.g. because their contact data is not stored on the device).
  • The authority received only a few inquiries about joint controllers.
  • Maintenance and remote maintenance services remain, as a matter of principle, commissioned processing even after the GDPR came into force, unless they are “purely a technical maintenance of the infrastructure of an IT system by service providers”, e.g. “work on power supply, cooling, heating”, and personal data can only be noted “incidentally” in a purely support and repair activity.
  • For translation services a distinction must be made: the classification as commissioned processing “depends, on the one hand, on the content of the texts to be translated, i.e., the question of whether they (also or primarily) involve personal data. On the other hand, it must be taken into account what freedom the translator has in his activity, i.e. whether he must adhere strictly and word-for-word to the original – as in the case of the translation of official documents – or whether it is ultimately only a matter of a transfer in accordance with the meaning, in which the translator is granted corresponding leeway. Even if a private person exclusively submits documents or texts concerning him/herself for translation, one will not be able to assume a commissioned processing”.
  • Payroll accounting by a tax consultant is not commissioned processing.
  • For penetration testing (pentests) and maintenance contracts,

    “the processing of personal data is not actually the core of the contract. Nevertheless, the client knows about the possibility of disclosure and orders quasi ‘with conditional intent’.” “Thus, I consider it in the interest and necessary to bind the client in the event of knowledge of personal data from the area of the client, as in the case of commissioned processing.”

  • Among data security breaches, the misplacement of documents predominates.
  • With regard to the designation of a data protection officer, the Saxon Data Protection Commissioner accepts the designation of legal entities. In addition, the name of the data protection officer does not have to be stated in the privacy notice; it is sufficient to state a telephone number or a generic e-mail address. However, stating a name is permissible.
