Notes on Photo and Film
The following is a detailed list of the rights of data subjects under the DSGVO. This applies to all public events organised by sternkopf-consulting GmbH.
You can find a pdf version of the DSGVO-document here: DSGVO_stc GmbH
The EU Data Protection Basic Regulation (DS-GVO) significantly strengthens the rights of data subjects, i.e. those whose personal data are processed. The DS-GVO contains extensive information obligations regarding data collection, rights of access, rights of rectification, deletion, restriction of processing and data transferability, rights of objection as well as the right not to be subject to an automated individual decision. As a rule, the claim is directed against the person responsible. He is obliged to make it easier for the data subjects to exercise their rights (Art. 12 para. 2 DS-GVO). The responsible company must respond to the applications of the data subject in accordance with Articles 15 to 22 within one month. Although there are possibilities for extending the deadline, the reasons for this must also be communicated within the monthly deadline, so that a rapid response is required in any case. If the company does not comply with a request from the person concerned, a fine is imminent. The person responsible in the company must therefore implement processes that ensure that the applications of the persons concerned are processed correctly and on time.
The person responsible is aware of his duty to provide information and fulfils it in the following paragraphs.
The person responsible for this photo and film information is the sternkopf-consulting GmbH.
The person concerned has the following rights:
- Information rights
- Rights to rectification, erasure, limitation of processing and transferability of data
- Rights of objection
- The right not to be the subject of an automated individual decision
Art. 12 DSGVO – Transparent information, communication and modalities for the exercise of data subjects’ rights.
Already at the beginning of the processing there is an obligation to provide the data subject with comprehensive information in accordance with the principle of transparency. According to Art. 12, the data controller must take appropriate measures to provide the data subject with all information relating to data processing in a precise, transparent, comprehensible and easily accessible form in clear and simple language. The information shall be provided in writing or in any other form, in particular by electronic means; exceptionally, orally, if the data subject so requests and if the identity of the data subject has been established.
Art. 13 DSGVO – Obligation to provide information when collecting data from the data subject
As a matter of principle, personal data can be collected either directly from the data subject (Art. 13) or from a third party (Art. 14). “Direct collection” means any collection of personal data with the knowledge or cooperation of the data subject. If the data are collected from the data subject, the controller must inform the data subject comprehensively about the processing at the time of data collection (Art. 13 para. 1).
The following information must be observed with regard to the processing of images and photographs by the person responsible at sternkopf-consulting GmbH:
- Responsible: Thomas Sternkopf, Mail: firstname.lastname@example.org
- representative of the responsible person: Melanie Bühne, Mail: email@example.com
- Data Protection Officer: Thomas Sternkopf, Mail: firstname.lastname@example.org
- Legal basis for the production and processing of the pictures: Legitimate interest of the responsible person, the sternkopf-consulting GmbH, in order to be able to publish information on social networks and in the sense of company marketing.
- The person concerned has the right to information, correction, deletion, restriction of processing, right of objection and right to data transfer. Each of these rights is explained below.
- Right to revoke consent (in case of processing based on Art. 6 para. 1 a or Art. 9 para. 2 a).
- Existence of a right of appeal to a supervisory authority.
- The provision of personal data is not required by law or necessary for the conclusion of a contract but is based on the legitimate interest of the company.
- The person responsible does not process the data in the sense of automated decision-making including profiling (Art. 22).
If the person responsible intends to process the personal data for a purpose other than that for which the personal data were collected, the person concerned must be informed again in advance about this other purpose and all other relevant information pursuant to Art. 13 para. 2 (examination of whether such a change of purpose is permissible under Art. 6 para. 4 at all).
Exceptions: According to Art. 13 para. 4, the information does not apply in the case of direct collection if and insofar as the data subject already possesses the information. Further minor exceptions to this are contained in § 32 of the new BDSG, which will enter into force on 25 May 2018. Here, the legislator has made use of the opening clauses and included further limitations.
Art. 15 DSGVO – Right to information
The data subject’s right to information on personal data stored by the person responsible is the central right needed to assert further rights, e.g. the right to correction, deletion, etc., if required. The data subject may request confirmation from the data controller as to whether personal data relating to him or her are processed there. If this is the case, the data subject has a right of access to this personal data and to the following information:
- Purposes of processing: Photographs and films are used for publication on the Internet, for further optimisation of the external presentation of our company, e.g. pictorial and continuous presentation of events / decorative design of the website of our company, sternkopf-consulting GmbH. In addition, film footage can be cut and used for informative as well as promotional purposes and uploaded to social media. Photographs can also be used in print media such as future invitations. The latter, however, only applies to photographs of groups or the event as a whole.
- Categories of personal data that are processed: Photography and filming.
- Possible recipients of the photo and film recordings: First and foremost, the photos and films are processed internally and can therefore be viewed by all sternkopf-consulting GmbH employees. In the course of the online publication, anyone who visits the online pages of sternkopf-consulting GmbH and looks at the contributions can see the data. Furthermore, the data controller, sternkopf-consulting GmbH, is obliged to provide the data subject with image and video material, as the data subject has the right to receive the personal data concerning him/her, which he/she has provided to a data controller, in a structured, common and machine-readable format (right to data transferability). In the case of group shots, several data subjects may be present. However, such data transferability must always ensure that no rights, freedoms or interests of a third party are violated.
- The person responsible, sternkopf-consulting GmbH, has no intention of transferring to a third country/international organization.
- The duration of the data storage cannot be limited at the moment. The photos and films are stored on the internal SharePoint and are therefore available for an unlimited period of time. The data storage serves for informative distribution in marketing as well as internal information for future events.
- Information on the rights to correction, deletion, restriction of processing and on the right to object to processing will follow.
- The data subject has the right to appeal to a supervisory authority if he or she is of the opinion that the data have not been processed lawfully.
The person responsible must ensure that the information is provided only to the data subject or to a person authorised by him and that the rights and freedoms of other persons are not infringed. Recital 63, fourth sentence, refers to remote access by the data subject to his or her own data via a secure system as the most data protection-friendly option.
Art. 16 DSGVO – Right to rectification
The data subject shall have the right to obtain from the controller without delay the rectification of personal data concerning him or her if they are inaccurate. Taking into account the purposes of the processing, the data subject shall have the right to request the completion of incomplete personal data, including by means of a supplementary statement.
Art. 17 DSGVO – Right to erasure, right to be forgotten
The data subject shall have the right to obtain from the data controller the immediate erasure of data relating to him or her for the following reasons (Article 17(1)):
- Data are no longer necessary for the purposes for which they were collected or otherwise processed,
- the data subject withdraws his/her consent (Art. 6 para. 1 a or Art. 9 para. 2 a) and there is no other legal basis for the processing,
- the data subject objects to the processing and there are no overriding legitimate reasons for further processing,
- the personal data have been processed unlawfully,
- the deletion of personal data is required by a more specific law, i.e. to fulfil a legal obligation under Union law or the law of the Member States to which the data controller is subject,
- the personal data have been processed in relation to Information Society services offered directly to a child
This is about the idea of the “digital eraser”, whereby this does not only apply to the online area. If the data controller has made the personal data public and is obliged to delete them (Art. 17 para. 1), he must, in accordance with Art. 17 para. 2, take appropriate measures, including technical measures, taking into account the available technologies and the implementation costs, to inform other data controllers processing the personal data that a data subject has requested him to delete all links to this personal data or copies or replications of this personal data. A data controller must therefore inform other data controllers that the data subject requests the deletion of all links or copies.
Exceptions (Art. 17 para. 3): The data controller is not obliged to delete personal data if further storage is necessary for one of the following reasons:
- Exercise of freedom of expression and information,
- fulfilment of a legal obligation (e.g. legal storage obligations) which requires processing under Union or national law or for the performance of a task in the public interest or in the exercise of official authority vested in the controllers,
- Reasons of public interest in the field of public health,
- archival, scientific or historical research or statistical purposes in the public interest,
- Assertion, exercise or defence of legal claims
Further exceptions, e.g. for data stored in paper form, are provided for in § 35 BDSG-neu.
Art. 18 DSGVO – Right to restriction of processing
The term “limitation of processing” is used in the recitals to refer to methods of limiting the processing of personal data, such as the temporary transfer of selected personal data to another processing system, their blocking for users or the temporary removal of published data from a website. The data subject shall have the right to request the controller to restrict the processing if the following conditions are met:
- The accuracy of the personal data is contested by the data subject for a period of time which allows the data controller to verify the accuracy of the data,
- the processing is unlawful and the data subject opposes the erasure of the data and instead requests a limitation of the processing,
- the controller no longer needs the personal data for the purposes of processing, but the data subject needs them for the assertion, exercise or defence of legal claims,
- the data subject has lodged an objection to processing based on the legitimate interests of the controller and it is not yet clear whether the legitimate interests of the controller outweigh those of the data subject.
Where processing has been restricted at the request of the data subject, such personal data, with the exception of their storage, may only be processed with the consent of the data subject or for the purpose of the exercise, protection or defence of a legal right or of the rights of a natural or legal person or for reasons of an important public interest of the Union or of a Member State. In addition, the controller must inform the data subject before lifting the restriction (Article 18(3)).
Exceptions can be found in the new BDSG (§ 35).
Art. 20 DSGVO – Right to data transferability
A data subject who has provided personal data relating to him or her to a data controller shall have the right to obtain such data in a structured, common and machine-readable format. In addition, the data subject has the right to communicate this data to another controller without being hindered by the controller to whom the personal data were originally provided. However, this shall only apply if the processing
- is based on a consent or a contract and
- is carried out with the aid of automated procedures
The person concerned can therefore have the personal data transmitted directly from one responsible person to another, as far as this is technically possible.
Exceptions apply if the processing is carried out for the performance of a task which is in the public interest or in the exercise of official authority assigned to the data controller. Furthermore, the rights and freedoms of other persons must not be adversely affected by the exercise.
Art. 21 DSGVO – Right of objection
The data subject may object to processing by the controller at any time if such processing is carried out in accordance with Article 6(1)(e) or (f) (tasks carried out in the public interest or in the exercise of official authority, or in order to safeguard the legitimate interests of the controller). This shall also apply to any profiling based thereon. Continued processing by the controller is not permitted, unless the controller can
- establish overriding grounds for processing worthy of protection which override the interests, rights and freedoms of the data subject, or
- the processing serves the assertion, exercise or defence of legal claims
In the case of direct marketing, no balancing of interests takes place. An objection leads to an immediate processing stop. In the case of processing for scientific or historical research purposes or for statistical purposes, the objection also leads to a processing stop, unless the processing is necessary for the performance of a task in the public interest (Art. 21 para. 6).
§ 36 BDSG-neu restricts the right of objection vis-à-vis public bodies, in the case of a compelling public interest or a legal provision obliging the processing.
Art. 22 DSGVO – Automated decision in individual cases
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects upon him or her or significantly affects him or her in a similar manner. In particular, the data subject shall have the right to obtain intervention by a person on the part of the person responsible, to present his or her point of view and also to challenge the decision.
The right not to be subject to a decision based solely on automated processing shall not apply if the decision
- is necessary for the conclusion or performance of a contract between the data subject and the person responsible,
- is authorised by legislation of the Union or of the Member States to which the person responsible is subject and that legislation contains adequate measures to safeguard the rights and freedoms and the legitimate interests of the data subject,
- or is made with the express consent of the data subject
Minor exceptions can be found in § 37 BDSG-neu.