PROCESS APPLICABLE TO REQUESTS FOR DELETION OF VIDEOS CONTAINING PERSONAL DATA (UPLOADER)

PROCESS APPLICABLE TO REQUESTS FOR DELETION OF VIDEOS CONTAINING PERSONAL DATA

This document describes the current process applicable to requests for the deletion of videos that contain 3^rd party personal data, ex. when content you have uploaded on the Dailymotion Service contains somebody’s else image, name or voice or other personal data.

Even though it makes reference to the GDPR (i.e. the European Union law applicable in the EEA, namely. EU Member States, Norway, Liechtenstein, Iceland) the process described in the present document applies, with slight variations, to requests received from residents of other countries having data protection laws substantially similar to the GDPR (ex. United Kingdom, Switzerland, Brazil).

Note that, as a rule, more protective measures are applied when your content contains sensitive personal data or personal data belonging to minors (as further explained in the FAQ below).

Why is GDPR applicable when I post content on the Dailymotion Service?

GDPR sets rules applicable to processing of personal data of data subjects. Personal data is any information that can be linked to an individual. A data subject is an individual whose personal data is processed. Processing is any operation undertaken on personal data, including its recording, storage, communication, modification and even deletion.

When you post content on the Dailymotion Service that contains personal data other than yours, you processpersonal data. For example, if you post a video of you and your friend Alex, Alex is a data subject, recording of his image and voice is his personal data and your posting of a video is processing of personal data. It is for that reason that GDPR applies to your use of the Dailymotion Service.

What does the law say?

The GDPR, in its chapter 3, provides Data Subjects with several rights, including the right to request deletion of their personal data.

This personal data deletion right can be exercised by a DATA SUBJECT, i.e. an individual residing in the EEA and requesting deletion of his / her own personal data. A Data Subject’s request must be addressed to a DATA CONTROLLER, i.e. to an individual or an entity that determines the purposes and the means of processing personal data. A Data Controller has 1 month to reply to a Data Subject request. This delay can be extended by additional 2 months if necessary.

While processing personal data, a Data Controller may rely on the services of third parties called DATA PROCESSORS. Data Processors process personal data only on instructions and for the purposes determined by Data Controllers. GDPR does not authorize a Data Processor to reply to personal data deletion requests.

For full definitions of the terms used in the GDPR please refer to its article 4.

Who-is-Who when it comes to videos (or other content) available on the Dailymotion Service?

Dailymotion is a content hosting platform, i.e. Dailymotion does not publish the videos that are present on its Service. A decision to post a video (or other content) on our Service belongs exclusively to its Uploader – i.e. to you. It is you who decides whether to post content on the Dailymotion Service. It is also you who decides which content you post, when and in which territory.

When posted content contains other persons’ personal data, it is its Uploader who determines the purpose and the means of processing of that personal data. Content UPLOADERS are DATA CONTROLLERS of that personal data contained in content that they post on the Dailymotion Service. Consequently, when you post a video containing third party personal data on the Dailymotion Service, you are the Data Controller of the processing of that personal data.

Dailymotion only provides technical means to Uploaders (basically, content file hosting and streaming technologies) to be used when Uploaders decide to make their content available to the public. When a content available on the Dailymotion Service contains personal data, Dailymotion is a DATA PROCESSOR for the processing of that personal data. When that personal data belongs to a natural person residing in the EEA that person is a DATA SUBJECT.

To be considered as a PERSONAL DATA DELETION REQUEST, a request to delete a video must (i) identify the notified video (i.e. contain its url), (ii) identify the personal data that a video contains (ex. my image/name appears at 1minute 32 second of a video), (iii) be accompanied by documents reasonably confirming that a requestor is the Data Subject, i.e. that personal data contained in the video belongs to the requestor, and that the requestor is a resident of the EEA (ex. an official ID), (iv) be addressed to the Data Controller and, also (v) contain information on how to communicate with a requestor (ex. email address).

How does it work in practice?

A GENERAL RULE: A Personal Data Deletion Request must be filed by a Data Subject, i.e. a person whose personal data (image, voice, name, etc.) is contained in a notified video, and be addressed to a Data Controller, i.e. an Uploader of that video / an operator of a channel on the Dailymotion Service.
HOW TO FILE A PERSONAL DATA DELETION REQUEST: a Personal Data Deletion Request may be filed directly with the Data Controller. Many channel owners post urls of their websites on their Dailymotion channel pages allowing Data Subjects to contact them directly. However, Data Subjects often file their requests with Dailymotion. They do so mostly because they don’t know how to reach Data Controllers / Uploaders, or because they believe, wrongly, that Dailymotion is competent to delete their personal data present in videos hosted on our Service. Being a Data Processor, and thus not authorized by the GDPR to process Personal Data Deletion Requests that concern personal data present in hosted videos, Dailymotion cannot comply with these requests. Instead, Dailymotion transfers received Personal Data Deletion Requests to competent Data Controllers, i.e. to Uploaders of videos for which deletion is requested.
WHAT DO DATA SUBJECTS PROVIDE TO DAILYMOTION: we ask requestors to provide all information and documents that are part of a valid Personal Data Deletion Request as described above, i.e. identify the video and the Data Controller (video url), identify the personal data contained in that video (description of whether it is the requestor’s image, voice or other data and the exact time stamp when it appears in the video), evidence that a requestor is a Data Subject i.e. that described personal data does belong to the requestor and that the requestor is an EEA resident (ex. a copy of an official ID). When a request is filed by an authorized representative (ex. by an attorney acting on behalf of a client or by a parent acting on behalf of a child) a person filing a request will also need to provide us with a valid authorization to represent the actual Data Subject (ex. power of attorney).
WHAT WILL DAILYMOTION DO WITH A RECEIVED PERSONAL DATA DELETION REQUEST: as a Data Processor we are not competent to process received requests. Upon receipt of a complete Personal Data Deletion Request, we will transfer it and the contact details (ex. an email address used by a Data Subject to contact us) to the Data Controller, i.e. to the Uploader of the notified video. Data Subjects can ask us not to communicate their contact details to Data Controllers in which case we will inform you of that decision and transfer any replies received from you to the Data Subject. As a rule, we will not communicate Data Subjects’ IDs to the Data Controller. Instead, we will inform you that we did receive copies of these IDs and that we reasonably established that a requestor is indeed a Data Subject. The use of the Dailymotion Service is governed by our Terms of Use and its Appendix B – Data Protection Agreement. By accepting our Terms of Use you have agreed to rely on that verification of Data Subject identity. However, if you have valid and documented reasons to request a copy of ID you may always ask a Data Subject to provide it to you or, if you cannot contact a Data Subject, ask Dailymotion to do so on your behalf. Note that we will not share IDs unless a Data Subject consented to it.
HOW DO DATA SUBJECTS OPPOSE TO DAILYMOTION’S SHARING OF THEIR CONTACT DETAILS WITH DATA CONTROLLER (UPLOADER): when a Personal Data Deletion request is filed though the intermediary of Dailymotion, we confirm its receipt to the requestor while explaining our role and applicable process. If Data Subjects do not want Dailymotion to communicate their contact details to the Data Controller, they can inform us about their decision by replying, within 72 ours of receiving it, to that message. In the absence of a timely opposition we will communicate the Data Subject’s contact details to the Data Controller.
HOW SHOULD THE UPLOADER / DATA CONTROLLER COMMUNICATE THEIR DECISION: when you have a Data Subject’s contact details you should use them to reply to a received Personal Data Deletion Request. In such case we ask you to keep Dailymotion on cc of your reply or to inform us otherwise of your reply (ex. by sending us a separate message confirming that you complied with the received request and that you did delete a notified video). When you do not have a Data Subject’s contact details, you may communicate your decision through the intermediary of Dailymotion. We will forward any reply received from you to the Data Subject. Note that Data Controllers should answer Data Subjects’ requests without undue delay and have a maximum period of 1 month (extendable by additional 2 months) to do so.
WHAT IF A DATA CONTROLLER DOES NOT ANSWER A DATA SUBJECT REQUEST: In general, the mere presence of personal data in a video does not make it automatically unlawful. Even in the absence of the Data Subject’s consent, presence of personal data in a video may be justified by another legal basis (ex. legitimate interest or contract). However, the absence of an answer from a Data Controller to a valid Personal Data Deletion Request is a breach of legal obligation by that Data Controller.

When a request filed through the intermediary of Dailymotion is a valid Personal Data Deletion Request (i.e. when it contains all the elements required under the GDPR) and a Data Controller does not respect its GDPR obligation to answer it within the statutory deadline, then the notified video becomes unlawful. In other words, by not answering a Data Subject’s request, a Data Controller fails its legal (GDPR-imposed) obligation to identify a legal basis justifying presence of personal data in a notified video, thus rendering that video unlawful.

Despite not being owners of the videos present on their services, content hosting platforms have authority to deactivate access to videos that they know to be unlawful. As a result, being a video hosting platform, Dailymotion deactivates access to videos whose Uploaders do not comply with their legal obligation to reply to a valid Data Subject request. Consequently, if, as a Data Controller of personal data present in your video, you do not reply to a Data Subject’s request, Dailymotion will deactivate access to your video.

FAQ:

Is consent always needed to post a video? Posting a video that contains somebody’s else personal data is processing of that personal data. Every processing needs to have a justification i.e. a legal basis. GDPR knows 6 possible legal basis. Consent is one of them. A Data Controller can rely on any of the 6 legal basis. However, Controller needs to justify its choice of legal basis. For example, if you rely on legitimate interest you need to explain what that legitimate interest is and why it prevails over privacy rights of a data subject. Additionally, a legal basis that justifies presence of a video today may no longer be an acceptable justification in a few years. For example, a legitimate interest of the public to be informed may justify posting of a video showing somebody participating in a public rally. A few years later that legitimate interest to be informed may be much weaker as the public rally shown in the video is no longer news. Consequently, the rally’s participants may justly claim that this legitimate interest (to be informed) no longer prevails over their privacy rights (not to have their images communicated to the public), and they may ask you to delete their personal data, i.e. to delete the video.

As a Data Controller you are the one who determines the legal basis you rely on while posting videos containing personal data of others. It is your right as well as your responsibility, respect of which you warrant to us. As a good practice, we advise you to ask for Data Subjects’ consent before posting videos that show others. Note that, regardless of the legal basis you rely on, as a Data Controller you also need to inform the Data Subjects (persons whose personal data is present in your videos) about how and why you plan to process their personal data. For further information on this obligation please refer to art. 12, 13 et 14 of the GDPR.

A video contains personal data of a child. Who can request its deletion? A child’s parent or legal guardian is authorized to act on behalf of their child. To do so, they must reasonably show having parental rights over a child whose personal data is contained in a notified video (for detailed description of the applied process please refer to our Help Center article).
A video contains information about a company. Can GDPR be invoked to request its deletion? No, the GDPR applies only to personal data of natural persons. Companies do not benefit from the GDPR deletion right. However, if a video containing corporate data is believed to be unlawful for another reason, it can always be reported to us using our Service’s “illicit content” report feature.
When can a GDPR request be filed by a third party? As a rule, only a Data Subject, i.e. a person whose personal data is included in the video, can ask for its deletion. However, Data Subjects may authorize someone else to file requests on their behalf. In practice, if a request to delete a video is filed on behalf of someone else (on behalf of a Data Subject), it will need to show that the personal data contained in a video belongs to that Data Subject and that a requestor is duly authorized to act on behalf of that Data Subject. The most typical cases are requests filed by attorneys or e-reputation agencies on behalf of their clients or these filed by parents on behalf of their children.
What if the personal data included in a video belongs to a minor or is sensitive data? Sensitive personal data (ex. health data) and personal data belonging to minors require enforced protection. For that reason, and as an exception to the general process, while pending processing of a Personal Data Deletion Request by a Data Controller (i.e. by the Uploader of a notified video) Dailymotion temporarily blocks access to a notified video on our platform (for detailed description of the applied process please refer to our Help Center article).
Why is a Data Subject’s ID not automatically forwarded to Data Controllers? GDPR imposes data minimization and privacy-by-default principles to all processing of personal data. It means that only personal data that is really needed for a given purpose can be used for that purpose.

Data Protection Authorities (ex. CNIL in France) consider that an ID is not systematically needed to establish a Data Subject’s identity and “ownership” of personal data. Other less intrusive means are to be used when available.

Dailymotion asks for IDs to determine whether a received request is a valid GDPR Personal Data Deletion Request. In most cases, ID is the only means available to us to do so.

When we receive a copy of an ID, we verify the authenticity of the document, confirm that the name on the ID corresponds to the name a requestor uses in correspondence with us and to the actual personal data contained in a notified video. We may also compare ID’s photo to the video images if they are part of the personal data claimed to be present in the notified video. The results of these verifications are recorded in our files and the copy of the ID is destroyed once a request ticket is closed (i.e. upon the final decision of a Data Controller or, in the absence of a reply from a Data Controller, upon our deletion of a video).

Our process allows to reasonably establish that a requestor is indeed a person whose personal data is present in your video.

When we forward you a received Personal Data Request you dispose of at least two means of verifying the Data Subject’s identity. You can rely on Dailymotion’s verification, or you can ask a requestor to provide ID (or other documents). Relying on Dailymotion’s verification is less intrusive than asking for an ID. Unless you have a valid and documented reason not to use it, you should not, in conformity with the mandatory data minimization principle, ask for IDs.

I’m not based in Europe, do I have to reply to a Personal Data Deletion Request?

GDPR is applicable to processing of personal data of EEA residents. Pursuant to its art. 3, the GDPR “applies to the processing of personal data of data subjects who are in the Union by a controller (…) not established in the Union, where the processing activities are related to: 1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union.”

When a video you post contains personal data of EEA residents and it is accessible in the EEA, then the GDPR does apply to your processing of that personal data. You are a Data Controller, and you need to respect all the obligations imposed on Data Controllers by the GDPR, including the obligation to reply to Data Subjects’ requests. If you believe the GDPR is not applicable to your processing, you should explain it to requestors. Please note that Data Subjects may file complaints with the European Data Protection Authorities who can investigate your processing activities and, depending on the outcome of their investigations, impose a variety of sanctions.

Do I always need to delete a video following a Personal Data Deletion Request?

Unless you rely on alternative legal basis other than consent (which you need to document and explain to the Data Subject) you need to delete personal data identified to you by the Data Subject. In most cases it means that you need to delete a video you have posted on our Service. However, depending on the circumstances, you may satisfy your obligation to delete personal data by modifying your video. For example, if a Data Subject’s car is filmed and its license plate is visible, blurring a license plate so it cannot be read may be (depending on the context) sufficient to comply with a Personal Data Deletion Request. If only a fragment of your video shows a Data Subject, cutting that fragment out of your video may be an acceptable solution as well. What counts is that none of the personal data continues to be posted. Please remember to verify your video metadata (ex. video description) and make sure that no personal data remains present there.

If Dailymotion is not a Data Controller, why do you ask Data Subjects for so much information and so many documents? When someone files a Personal Data Deletion Request, the main objective is to stop the accessibility of that data on our Service. As a content hosting platform, Dailymotion does not decide which videos to publish on or delete from our Service. Our control over accessibility of content is limitedto the deletion of content that is manifestly unlawful. The mere presence of personal data within a video is not manifestly unlawful. GDPR provides several possible legal basis for personal data processing that may justify presence of personal data in a video (even in the absence of a Data Subject’s consent). For instance, the right to information may be a valid reason to publish a news video containing personal data.

It is the Data Controller who establishes the legal basis justifying the presence of personal data in videos they publish. Dailymotion has no right to do so. We can, however, deactivate access to a video that we know to be manifestly unlawful. Providing us with a valid Personal Data Deletion Request (and in particular, confirming that a Personal Data Deletion Request comes from an EEA resident and that personal data present in a video belongs to the requestor) renders the absence of an Uploader’s / Data Controller’s reply non-compliant with a Data Controller’s legal obligation to process a Data Subject request. It is because we are shown that a received request is a valid Personal Data Deletion Request that, in the absence of Data Controller’s reply, a notified video becomes unlawful, and we can block access to it. If we are not provided with all the required information, we will not know whether a received demand is a valid Personal Data Deletion Request that imposes an obligation on a Data Controller to answer it. We will still transfer such request to you for further processing but, unless we receive additional information (ex. copies of correspondence between you and the requestor), we might not be able to determine whether continuous presence of a notified video on our Service is a non respect of your GDPR obligation to reply to a Data Subject Request.