This is an interesting case concerning a cyclist who took photographs of cars that were illegally parked and sent them to the police. The court decided that this was not personal and domestic use as defined in article 2 of the GDPR. Instead, the court concluded that the cyclist was a data controller as the photograph was not confined just to a private setting and therefore the cyclist had a legitimate interest to share potential illegal acts with the police. This has some relevance to cases I have dealt with where staff members have used their own phones to record other members of the team or in one case where a resident has set up their own CCTV to record a public area.
The controller is a cyclist who took pictures of parking offences and, together with a short description, sent it to the police authority in charge to report the offence. The case at hand concerned photographs taken in June 2020 of various vehicles that showed the parking situation and the vehicles’ license plates.
In June 2021, the competent DPA issued a reprimand against the controller in accordance with Article 58(2)(b) GDPR. The DPA argued that taking and redirecting pictures of the parking offences constitutes processing of personal data and that the controller did not fulfil their informational duties pursuant to Articles 13(1)(d) and 14(2)(b) GDPR. The authority claimed that there was no legitimate legal basis under Article 6(1) GDPR for the processing, as the controller neither obtained a consent of the vehicle owners nor had a legitimate interest that would justify the processing. The controller was requested to pay an administrative fee of 100 euros.
The controller filed a complaint against the DPA’s decision in a written statement at the Administrative Court of Ansbach.
The Administrative Court Ansbach overturned the DPA’s decision. It held that the reprimand issued by the DPA is unlawful because the claimant did not violate any provisions of the GDPR, which is a condition for a reprimand pursuant to Article 58(2)(b) GDPR.
Material scope of the GDPR
According to the court, the GDPR applies in the case at hand since taking pictures of vehicles and forward them to the police constitutes the processing of personal data in accordance with Article 2(1) GDPR and Article 4(1) GDPR. A license plate is information that allows the identification of a natural person, despite the fact that the provision of additional information from authorities is necessary to identify the data subject. Furthermore, the household exemption laid down in Article 2(2) GDPR is not applicable since the processing of personal data is leaving the private sphere. The pictures taken were intended to be forwarded to the police which is not a purely personal activity.
Legal basis of processing
The court states that the controller could rely on Article 6(1)(f) GDPR to process the personal data at stake as the controller had a legitimate interest in being able to report an offence, which includes the submission of photographs to the police. Reference point for this claim is Recital 50, which states that “Indicating possible criminal acts or threats to public security by the controller and transmitting the relevant personal data in individual cases or in several cases relating to the same criminal act or threats to public security to a competent authority should be regarded as being in the legitimate interest pursued by the controller.” Although the first part of Recital 50 is referring to a change of purpose in the processing activity, the court held that the reporting of criminal offences generally constituted a legitimate interest on which controllers may rely.
The court further noted that within the scope of the GDPR (consequently, also within the scope of Article 6(1)(f) GDPR and Recital 50 GDPR), the notion of “criminal offences” has to be interpreted autonomously under EU law. In accordance with the common legal tradition of the Member States, the notion “criminal offence” is not defined quantitatively (in terms of the severity of the sanction imposed), but qualitatively (in terms of the form of the imposed legal consequences). Since the commission of an administrative offence is punishable by a fine and the prosecution of an administrative offence has a “repressive character” under German law, the court held that a German administrative offence has to be regarded as a criminal act within the GDPR. For the processing to be in accordance with Article 6(1)(f) GDPR, the controller does not have to be personally affected. Furthermore, a claim to anonymity within road traffic does not exist under German law, rather the license plate has to be visible at all times (see § 23 StVO).
The court stated that the controller’s information requirements under the GDPR and other rights of the data subjects were not relevant in this case since the reprimand of the DPA only addressed allegedly illegal processing of the personal data by the transmission of the photographs. No other data protection obligations, rights or violations of the GDPR were touched upon.