Two years ago, when I was studying the GDPR, I read that, if I asked, Facebook was obliged to give me the list of data they have about me (Article 15).
This was strange to me. Every day photos of us—which are personal data (Article 4 item 1)—are uploaded by other people without our consent (Facebook knows a lot about you even if you don’t have an account). As much as I think this habit is bad practice, I didn’t consider it likely that a law would oblige Facebook to tell me “we have this 1987 photo of yours that was uploaded by an old schoolmate”.
I concluded that Facebook could make use of a provision that says that they don’t need to disclose this data to me if it’s “subject to an obligation of professional secrecy” (Article 14, paragraph 5, item d). In other words, Alice is a Facebook user and thus has accepted Facebook’s terms of service, which say that any data Alice uploads are confidential; Alice uploads Bob’s photo. Facebook won’t disclose the existence of Bob’s photo to Bob, since it’s subject to Facebook’s obligation of secrecy to Alice.
So the first problem is solved: Facebook doesn’t need to disclose this information to Bob. But there’s another problem: how can it be that Facebook accepts the uploading of Bob’s picture by Alice in the first place?
This is a subject for next time.
Disclaimer: I am not a lawyer.