AQAPHOTO – €1,000 Fine (Latvia, 2024)

On 20 May 2023, the DPA carried out an on-site investigation into the operations of a company called AQAPHOTO (‘controller’), carried out the at the Līvu Akvaparks, a water amusement park. The controller’s primary activity was offering photography services to visitors (‘data subjects’) at the amusement park. For the purpose to capture and provide photographic memories, the controller hired photographers which took photos of the visitors and were recognizable by wearing yellow T-shirts saying “AQUA FOTO TEAM”. The visitors could then select their photos on the monitors located at the AQUAPHOTO booth. In addition, the controller used facial recognition technology software to identify the individuals that requested their photos and offer the pictures to them. The controller informed about its data processing operations in 4 different forms available to the visitors. However, their privacy policy was inconsistent across these different places. # On the amusement’s park website, the privacy policy stated that visitors would be photographed by walking up to the photographers and then obtain their photos at the AQUAPHOTO stand. # The section concerning “Visitor rules” published on their website further specified that visitors with minors under their guardianship may be photographed in the amusement park. If the visitors did not wish to be photographed they had to take a distinguishing sign from the employees of the AQUAPHOTO stand. # On the contrary, the “Terms and Conditions of Photo Services and Personal Data Processing” posted at the company’s stand said that distinguishing sign could be obtained from the amusement park’s cash desk or the photographers hired by AQUAPHOTO. # By a visual information poster at the amusement park’s cash desk with a text saying: #* Don't be afraid of the AQUAPHOTO photographer. You do not want to be photographed in red. Green wristbands make many beautiful photographs’; #* The posted also provided that the data subjects would not receive