Clearview AI: condannata in Danimarca, 53 pagine. L'indice.

On the basis of what is stated above in this decision, the AP first of all finds that for the purpose of the
'Clearview for law-enforcement and public defenders' service, ClearView AI Inc. has no legal basis for the
processing of personal data of data subjects who are within the territory of the Netherlands. In doing so,
Clearview AI Inc. violates Article 5(1), opening words and subsection (a) GDPR, read in conjunction with
Article 6(1) GDPR.

The AP also finds that for the purpose of said service, ClearView AI Inc. unlawfully processes a special
category of personal data, namely biometric data, of data subjects who are within the territory of the
Netherlands. In doing so, ClearView AI Inc. violates Article 9(1) GDPR.

The AP also comes to the conclusion that ClearView AI Inc. fails to take appropriate measures in order for
data subjects who are within the territory of the Netherlands to receive all information as referred to in
Article 14 GDPR. In doing so ClearView AI Inc. acts contrary to Article 12(1) GDPR, read in conjunction
with Article 14(1) and (2) GDPR, and contrary to Article 5(1), opening words and subsection (a) GDPR

Contents
1. Reason and course of the proceedings 5
2. Facts 5
2.1 Clearview's business activities and processing operations 5
2.2 How the algorithm operates and a description of the 'Clearview for law-enforcement and public
defenders' service7
3. Assessment 8
3.1 Material scope of the GDPR 8
3.1.1 Legal framework 8
3.1.2 Factual findings  9
3.1.3 Legal assessment  9
3.2 Territorial scope of the GDPR  11
3.2.1 Legal framework  11
3.2.2 Factual findings  12
3.2.3 Legal Assessment 13
3.3 Controller  16
3.3.1 Legal framework  16
3.3.2 Factual findings  16
3.3.3 Legal Assessment 17
3.4 Lawfulness: Articles 5 and 6 GDPR  17
3.4.1 General  17
3.4.2 Legitimate interest (condition 1)  18
3.4.3 Necessity (condition 2)  21
3.4.4 The balancing of interests (condition 3)  22
3.4.5 Conclusion as regards the lawfulness (Articles 5 and 6 GDPR) 27
3.5 Lawfulness: Article 9 GDPR 27
3.5.1 Legal framework 27
3.5.2 Factual findings  28
3.5.3 Legal assessment  28
3.5.4 Conclusion as regards lawfulness (Article 9 GDPR)  29
3.6 Transparency obligations: Articles 5, 12 and 14 GDPR 29
Date
16 May 2024
Our reference
4/53
3.6.1 Legal framework 29
3.6.2 Factual findings  30
3.6.3 Legal Assessment 34
3.6.4 Conclusion as regards the transparency obligations (atricles 5, 12 and 14 GDPR) 35
3.7 (Facilitating) right of access of data subjects: Articles 12 and 15 GDPR 35
3.7.1 Legal framework 35
3.7.2 Factual findings 35
3.7.3 Legal Assessment and conclusion as regards the rights of data subjects (Articles 12 and 15
GDPR)  36
3.8 Representative of a controller who is not established in the Union: Article 27 GDPR 36
3.8.1 Legal framework 36
3.8.2 Factual findings 37
3.8.3 Legal Assessment and conclusion as regards a representative of a controller who is not
established in the Union (Article 27 GDPR) 37
4. Fines 38
4.1 Methodology for determining the amount of the fine  40
4.2 Starting amounts for the violations  40
4.2.1 Step 1: Identifying the processing operations and defining infringements  40
4.2.2 Step 2: Starting amounts41
4.3 Assessment of mitigating or aggravating circumstances for the violations45
4.4 Assessment of the fine maximum (Article 83(3) GDPR) and whether the fines are effective,
proportionate and dissuasive  46
5. Orders subject to a penalty for non-compliance 47
6. Decision  51
Fines 51
Orders subject to a penalty for non-compliance  51
Remedy clause .53