Tag: Television

Waltzing Through Privacy: Strictly Come Dancing Meets GDPR 

The prime time BBC show, Strictly Come Dancing, is currently embroiled in a significant controversy following allegations of bullying and a toxic work environment. Reports have surfaced from celebrity contestants and crew members claiming abuse and mistreatment from some professional dancers and production staff. 

The controversy began in October 2023 when actress Amanda Abbington withdrew from the show, citing “personal reasons.” She later revealed she had experienced difficulties with her professional partner, Giovanni Pernice, and had been diagnosed with PTSD. In January 2024, Abbington requested rehearsal footage, leading to an investigation into Pernice’s teaching methods. Pernice denied any abusive behavior but was not included in the 2024 line-up. 

Around the same time, Graziano Di Prima was also accused of mistreatment by his celebrity dance partner, Zara McDermott. It was alleged that Di Prima had kicked his partner during a training-room session. At the time he apologised for his behaviour, which he said he “deeply regretted”. “My intense passion and determination to win might have affected my training regime,” he said. But since his exit Di Prima has cast doubt on how the incident was portrayed and is seeking to challenge his “dismissal.” 

The Times reported last week that lawyers acting on behalf of Di Prima have made a GDPR subject access request to the BBC for all evidence related to the “decision to sack” the former Strictly Come Dancing professional. They have asked to see “all internal BBC correspondence related to the issue, including emails and text messages”. The information is likely to be used to allow Di Prima’s legal team to assess the strength of the legal grounds to challenge his alleged dismissal.  

The Article 15 Right of Subject Access allows data subjects to see what personal data is held about them, how it is being processed and precisely who it is being shared with. In 2023, Dame Alison Rose, the then CEO of NatWest, resigned after Nigel Farage made a subject access request which disclosed information that contradicted the bank’s justification for downgrading his account. 

In the present case the emails and text messages requested by Di Prima’s legal team will do doubt include lots of personal data about third parties including contestants and production staff. Part 3 of Schedule 2 of the Data Protection Act 2018 states that the GDPR Subject Access right “does not oblige a Data Controller to disclose information to the data subject to the extent that doing so would involve disclosing information relating to another individual who can be identified from the information.” However, disclosure is still required if the other individual has consented, or it is “reasonable” to disclose the information without consent. In determining what is reasonable, the controller must have regard to all the relevant circumstances including, amongst other things, the type of information that would be disclosed and any duty of confidentiality owed to the other individuals. 

It will be interesting to know the outcome of Di Prima’s subject access request. Will it be a slow waltz towards litigation, or will the BBC be able to cha-cha away from legal liability? 

Our upcoming Handling SARs course can help you deal with complex subject access requests.  

Enjoy reading our blog? Help us reach 10,000 subscribers by subscribing today! 

Oral Disclosure of Personal Data: To GDPR or not to GDPR? 

Here’s a pub quiz question for you, “Can a Data Controller circumvent the requirements of data protection law by disclosing personal data verbally rather than in writing?” The answer was “Yes” under the old Data Protection Act 1998.
In Scott v LGBT Foundation Ltd [2020] WLR 62, the High Court rejected a claim that the LGBT foundation had breached, amongst other things, the claimants data protection rights by disclosing information about him to a GP. The court held that the 1998 Act did not apply to purely verbal communications.  

Nowadays though, the answer to the above question is no; the oral disclosure of personal data amounts to “processing” as defined by Article 4(2) of the GDPR.
So said the Court of Justice of the European Union (CJEU), on 7th March 2024, in a preliminary ruling in the Endemol Shine Finland

The subject of the ruling is a television company which makes a number of reality TV shows in Finland. It had been organising a competition, and was seeking information from the District Court of South Savo for information about possible criminal proceedings involving one of the competition participants. It requested the District Court to disclose the information orally rather than in writing. The District Court refused the request on the basis that there was no legitimate reason for processing the criminal offence data under Finnish law, implementing Article 10 of the GDPR.
On appeal Endemol Shine Finland argued that the GDPR did not apply as the oral disclosure of the information would not constitute processing of personal data under the GDPR. 

Article 4(2) GDPR defines “processing” as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means”. On the face of it, this covers oral processing. However, Article 2 states that GDPR applies to processing of personal data “wholly or partly by automated means”, and processing by non-automated means which “forms or is intended to form part of a filing system.” Article 4(6) GDPR defines “filing system” broadly, covering “any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis”. 

The Finnish Court of Appeal requested a preliminary ruling from CJEU on the meaning of Article 4(2) and whether the particular processing in this case came within the material scope of the GDPR under Article 2. The CJEU held the concept of processing in Article 4(2) of the GPDR necessarily covered the oral disclosure of personal data. It said the wording of the Article made it apparent that the EU legislature intended to give the concept of processing a broad scope. The court pointed out that the GDPR’s objective was “to ensure a high level of protection of the fundamental rights and freedoms of natural persons” and that “circumventing the application of that regulation by disclosing personal data orally rather than in writing would be manifestly incompatible with that objective”. 

The CJEU went on to consider whether the oral processing of the data would fall within the material scope of the GDPR under Article 2. It held that it was clear from the request for a preliminary ruling that the personal data sought from the District Court of South Savo is contained in “a court’s register of persons” which appeared to be a filing system within the meaning of Article 4(6), and therefore fell within the scope of the GDPR. 

UK Data Controllers should note the wording of Article 4 and Article 2 of the UK GDPR is the same as in the EU GDPR. So whilst this ruling from the CJEU is not binding on UK courts, it would be wise to assume that picking up the phone and making an oral disclosure of personal data will not allow the UK GDPR to be circumvented.   

This and other GDPR developments will be discussed by Robert Bateman in our forthcoming GDPR Update workshop. We have also just launched our new workshop, Understanding GDPR Accountability and Conducting Data Protection Audits.