Read the book Privacy and Data Protection based on the GDPR - Leo Besemer - Page 46
Household activities
The GDPR also does not apply to the processing of personal data by a natural person “in the course of a purely personal or household activity”. GDPR Recital (18) details this as “activities with no connection to professional or commercial activity, such as personal correspondence and an address book that is kept for that purpose, or social networking and online activities within that context”.
Example: Keeping an address book or an ordered file with names and addresses in order to send the people in it season’s greetings, invitations to a party or any other correspondence is a purely personal matter and not subject to the requirements of the GDPR. The same goes for texts and photos posted on a social networking website.
Where a sports club has an automated member administration system, this is not “purely personal”. Therefore, the sports club needs to fulfill the requirements of the GDPR.
The fact that processing is not connected to professional or commercial activities does not necessarily mean that the derogation applies. If the scale or frequency of the processing suggests a semi-professional activity, you should be very careful, even more so when the data is potentially shared with a lot of people, as may be the case when using social media or a website. There is no case law yet under the GDPR, but the CJEU ruled in 2003 on a very similar situation¹³:
Example: Bodil Lindqvist, a Swedish woman, posted text concerning her volunteer work at a Swedish church on her own website. The pages included information about Ms. Lindqvist and 18 of her fellow church volunteers. This information included some full names, telephone numbers and references to hobbies and jobs held by her colleagues. In relation to one lady, Ms. Lindqvist also revealed that the volunteer had injured her foot and was working part-time on medical grounds.
Lindqvist did not obtain her co-workers’ permission to post information about them on her website. In fact, she did not even tell them about the postings beforehand. She did, however, remove the web pages as soon as she received a request from her colleague to do so.
The CJEU ruled that the derogation for processing for purely personal or domestic activities “must (...) be interpreted as relating only to activities which are carried out in the course of private or family life of individuals”, which is clearly not the case when posting personal data of identifiable persons on an internet page, and as such sharing it with an indefinite number of persons.
It is difficult to predict how the CJEU would rule today about a complaint regarding a person posting information on friends and colleagues using Facebook, given how relatively easy it is to accidentally share your posting with “all”, being over a billion people.