Clarifications regarding the notice received by ANSPDCP in the case of Rise Project
Taking into account the information and articles circulated in the public space regarding the notification received by ANSPDCP in the case of Rise Project, we mention the following:
Following a notification from a natural person who reported possible violations of personal data protection law through the Rise Project’s posts in the public domain, pursuant to the legal competences of the National Supervisory Authority to monitor and control, information on the reported situation was requested.
Regarding the erroneous information circulated in the public space, we specify that the Supervisory Authority does not issue summons.
We also mention that the Supervisory Authority is an autonomous and independent public authority fulfilling the tasks and exercising its competences according to Article 52 of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), corroborated with Article 2 of the Law no. 102/2005 on the establishment, organization and functioning of the National Supervisory Authority for Personal Data Processing, as subsequently amended and supplemented.
The control powers of our institution are established by Article 57 (1) letters f) and h) and Article 58 (1) and (2) of Regulation (EU) 2016/679, Article 141 of Law no. 102/2005, as subsequently amended and supplemented, by Law no. 190/2018, as well as by Decision no. 161/2018 regarding the approval of the Investigation Procedure.
Thus, Article 57 (1) letter f) of the General Data Protection Regulation (GDPR) confers upon the Authority the power to handle complaints lodged by a data subject, or by a body, organization or association and to investigate the object thereof, and letter h) establishes competence to conduct investigations on the application of the European Regulation.
Also, Article 58 (1) of GDPR establishes the Authority’s investigative powers according to which it may require the data controller to provide any information that the supervisory authority requires in order to carry out its tasks, to obtain from the data controller access to all personal data and all necessary information for the performance of its tasks, as well as to obtain access to any data processing equipment and means, in accordance with Union law or internal procedural law.
In conjunction with the above, Article 141 of the Law no. 102/2018, with the subsequent modifications and completions, provides that the supervisory staff of the Supervisory Authority is entitled to carry out investigations, including unannounced ones, to ask for and obtain from the data controller any information and documents, regardless of the storage medium, to take copies of them, to have access to any of the premises of the data controller and the data processor, as well as to have access to and verify any equipment, medium or data storage medium necessary for carrying out the investigation, according to the law.
The procedure for conducting investigations is regulated by Decision no. 161/2018, a document published in the Official Journal, according to which investigations can be carried out on the spot, at the premises of the Supervisory Authority or in writing.
In case of written investigations, a standard address is sent to the controlled entity requesting the information, data and documents necessary to handle the case under investigation, in relation to the applicable legal provisions in the field of personal data protection. In this respect, in its response to the investigation, the controlled entity has the opportunity to set out its arguments and defense regarding the method of processing (including disclosure) of the personal data only.
Concerning the processing of data for journalistic purposes, we stress that Article 85 of GDPR states that “Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.”
In this respect, Article 7 of the Law no. 190/2018 provides:
“In order to ensure a balance between the right to the protection of personal data, freedom of expression and the right to information, the processing for journalistic purposes or for the purpose of academic, artistic or literary expression may be carried out if it concerns personal data which have been manifestly made public by the data subject or closely related to the person’s public status or the public character of the facts in which he or she is involved, by way of derogation from the following chapters of the General Data Protection Regulation:
a) Chapter II – Principles;
b) Chapter III – Rights of the data subject;
c) Chapter IV – Controller and processor;
d) Chapter V – Transfer of personal data to third countries or international organizations;
e) Chapter VI – Independent supervisory authorities;
f) Chapter IX – Specific data processing situations.”
Therefore, the derogations listed in this law are applicable if one of the following conditions is met:
- the processing concerns personal data that have been manifestly made public by the data subject;
- the data are closely linked to the person’s public status;
- the data are closely related to the public character of the facts in which the person concerned is involved.
In this context, we specify that Article 5 of GDPR sets out a number of principles that must be respected in data processing, according to which personal data must be:
- collected for specified, explicit and legitimate purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
As regards the data controller’s responsibility, Article 24 of GDPR provides that “Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.”
Regarding the publication of personal data on the Internet, we underline that the right to privacy and the protection of personal data are guaranteed by Article 26 of the Constitution, Article 8 of the European Convention on Human Rights, as well as Articles 7 and 8 of the EU Charter of Fundamental Rights. The dissemination of natural persons’ data in the virtual space and, implicitly, making them available to a potentially large number of people without any control over the subsequent use of the data for purposes possibly incompatible with the original purpose, may lead to the violation of these fundamental rights.
Thus, the relevant case-law of the Court of Justice of the European Union (Judgment of 6th of November 2003 in the Bodil Lindqvist case) stated that references to individuals and their identification by names or other means on a website constitute “a processing wholly or partly by automatic means” and that, by publishing on the Internet, the personal data become accessible to an indefinite number of people.
We mention that the Supervisory Authority, having regard to its role as defender of the right to privacy and the right to the protection of personal data, has consistently expressed itself and acted, since its establishment in 2005, to ensure a balance between the right to the protection of personal data, the freedom of expression and the right to information.
In this context, the Supervisory Authority states firmly that its actions fall exclusively within the legal competences, without prejudice to the freedom of the press and without interfering in any way with the exercise of the legal powers and attributions of other state institutions.