We often receive questions and complaints related to the publication of personal data in closed groups on social platform applications such as WhatsApp, Facebook and others. Such groups have become an integral part of everyday communication – they are used both for work purposes and for communication with neighbors, family, teachers, etc. Therefore, this time we will explain what signs indicate that a group was created for private purposes.
The parents of the preschool educational institution group “Ābolīši” have created a joint WhatsApp chat, which serves as a convenient and effective way of communication. This closed group has access only to the parents of the group, and current issues are discussed in the chat – for example, organizing fundraising for gifts, the group’s daily activities, etc. Sometimes dissatisfaction with the kindergarten staff is also expressed.
Similar to such a group could be other closed communication platforms, where communication takes place between family members (even if they do not live in the same household), neighbors, colleagues, classmates, etc.
If the Inspectorate comes across a question about data processing in a closed group, it must first assess whether the processing falls within the scope of the Data Protection Regulation and our competence. Accordingly, if the data processing does not fall within the scope of the Data Protection Regulation, the Inspectorate will not conduct an inspection, and therefore the problem will have to be resolved through the courts, by contacting the police or another competent authority.
To understand that data processing in a closed group is not within the scope of the Data Regulation and therefore not within the competence of the State Data Inspectorate, the following criteria are assessed:
- The person (in the published photo, post, comment) is not clearly identifiable, it is impossible to recognize and clearly distinguish them from other people. For example, one of the parents posted a photo in the chat of the “Ābolīšu” group, showing all the children in the group singing at a national holiday concert.
- The group members are connected by private or household relationships without commercial intent (parents of students, colleagues, relatives, friends, neighbors, ex-spouses) . For example, neighbors of an apartment building have created a joint WhatsApp group in which they discuss current events in the building.
- Personal data is distributed to a limited community (closed access, approval by the group administrator). For example, a closed forum has been created for car owners and fans of a particular brand, where participants discuss the problems, advantages and experience of using their own or the model of interest. The forum can only be accessed by registered users. Some users have chosen their username as “first name.last name”.
- The group generally discusses issues within the private life or family life of an individual, as well as other everyday issues within the group, information about a private event or actions related to a private event. For example, in a WhatsApp group created by a family of relatives, questions about an upcoming family reunion are discussed – what snacks and dishes each person should bring.
- The information published in the group indicates a mutual dispute between two or more persons, and the entry is directly or indirectly related to this dispute. For example, in a chat for parents of 5th grade students, an argument broke out between two fathers about the usefulness of training, mentioning the names of their children. Such an argument has been repeated on various topics several times.
- The purpose of a closed group is not related to professional or commercial activities, such as the permanent sale of goods, placing advertisements, or acting on behalf of a merchant for profit. For example, a closed forum on the Internet where various new and forgotten food recipes are discussed. Only registered users can access the forum. Some users have chosen their username as “firstname.lastname”.
- A group of several people jointly resolves a personal issue that is binding on all (one-time or regularly), exchanging information and comments. For example, a closed support group has been created on Facebook, which provides information about the dates when candles will be lit in the trenches in support of the Ukrainian troops.
- Group members are connected by a common interest, hobby, or habit. For example, a Facebook group where members exchange tips on how to travel cheaper and more interestingly.
As we have already mentioned, the Data State Inspectorate is not responsible for resolving personal relationships or verifying the lawfulness of data processing carried out within the framework of these relationships. Similarly, the Inspectorate does not have the competence to evaluate intentional or unintentional data processing carried out in private groups. Often, personal disputes and disagreements also arise in such groups, as a result of which personal data may also be published. The Data State Inspectorate does not resolve personal disputes. They should be resolved in an orphan’s court, a civil court or another organization – depending on the nature of the disputes.
As Christmas approaches, the parents of the “Ābolīši” group are planning a budget for a gift for the children’s teacher. The teacher’s name and interests are mentioned in the discussion so that the gift is useful. Almost every parent expresses their opinion on the choice of gift and provides ideas on how to best implement this plan.
In this situation, too, private information is being discussed that does not directly concern the kindergarten management, other parents, and is not publicly available. Such processing, even if everyone expresses their own opinion, is harmless, private, and only applies to this closed group. Data processing carried out within such a group does not fall within the scope of the Data Regulation, as several of the criteria mentioned above apply to it.
The Data State Inspectorate invites you to carefully read and evaluate the above criteria before contacting us. If at least one of them applies to your situation, the Data State Inspectorate will most likely not consider such a case.
In the next #DVIexplain, we will talk about how to determine whether the created group and the personal data of its members, as well as the messages published in the group (comments, posts containing personal data), relate to data processing to which the requirements of the Data Regulation apply.