AKI (Estonia) - 2.1.-5/24/2203-8: Difference between revisions
Norman.aasma (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Estonia |DPA-BG-Color= |DPAlogo=LogoEE.png |DPA_Abbrevation=AKI |DPA_With_Country=AKI (Estonia) |Case_Number_Name=2.1.-5/24/2203-8 |ECLI= |Original_Source_Name_1=Ettekirjutused |Original_Source_Link_1=https://www.aki.ee/ettekirjutused |Original_Source_Language_1=Estonian |Original_Source_Language__Code_1=ET |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Code_2= |Type=Other |Out...") |
mNo edit summary |
||
| Line 69: | Line 69: | ||
}} | }} | ||
The DPA issued an injunction to a retain company for the violation of articles 5,6, 12 and 13 of the GDPR in relation to the use of security cameras. | |||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The DPA received an alert that Simtan Kaubandus OÜ, a retail company (the controller) used on-site security cameras on its territory with the purpose of monitoring its employees in real-time. The DPA decided to launch an investigation into the use of cameras in order to find out the the legal basis on which and the purposes for which the controller used the security cameras, and to verify compliance with [[Article 13 GDPR]]. | |||
The controller notified the DPA that the legal basis used for the security cameras is | |||
The controller notified the DPA that the legal basis used for the security cameras is [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]], i.e. legitimate interest (fraud or abuse of services). However, the controller did not submit to the DPA a legitimate interest analysis demonstrating that the processing of personal data by means of security cameras is actually necessary for the purposes of the legitimate interest pursued by the controller. Additionally, the legitimate interests of the controller outweigh the interests or fundamental rights or freedoms of the data subject. In addition, the controller provided the DPA photos of the information labels indicating the use of security cameras. | |||
The DPA was of the opinion that in order to rely on the article 6(1)(f) if the GDPR, i.e. the legitimate interest, there shall be legitimate interest analysis conducted. More specifically, the controller is obliged to compare its own legitimate interests with the interests and fundamental rights of the data subject to see whether the article 6(1) (f) of the GDPR can be invoked as a legal basis for the processing. | The DPA was of the opinion that in order to rely on the article 6(1)(f) if the GDPR, i.e. the legitimate interest, there shall be legitimate interest analysis conducted. More specifically, the controller is obliged to compare its own legitimate interests with the interests and fundamental rights of the data subject to see whether the article 6(1) (f) of the GDPR can be invoked as a legal basis for the processing. | ||
Revision as of 07:30, 4 June 2024
| AKI - 2.1.-5/24/2203-8 | |
|---|---|
 | |
| Authority: | AKI (Estonia) |
| Jurisdiction: | Estonia |
| Relevant Law: | Article 5(1) GDPR Article 6(1)(f) GDPR Article 12 GDPR Article 13 GDPR |
| Type: | Other |
| Outcome: | n/a |
| Started: | 21.09.2023 |
| Decided: | 02.01.2024 |
| Published: | 02.01.2024 |
| Fine: | n/a |
| Parties: | Simtan Kaubandus OÜ Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) |
| National Case Number/Name: | 2.1.-5/24/2203-8 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Estonian |
| Original Source: | Ettekirjutused (in ET) |
| Initial Contributor: | Norman Aasma |
The DPA issued an injunction to a retain company for the violation of articles 5,6, 12 and 13 of the GDPR in relation to the use of security cameras.
English Summary
Facts
The DPA received an alert that Simtan Kaubandus OÜ, a retail company (the controller) used on-site security cameras on its territory with the purpose of monitoring its employees in real-time. The DPA decided to launch an investigation into the use of cameras in order to find out the the legal basis on which and the purposes for which the controller used the security cameras, and to verify compliance with Article 13 GDPR.
The controller notified the DPA that the legal basis used for the security cameras is Article 6(1)(f) GDPR, i.e. legitimate interest (fraud or abuse of services). However, the controller did not submit to the DPA a legitimate interest analysis demonstrating that the processing of personal data by means of security cameras is actually necessary for the purposes of the legitimate interest pursued by the controller. Additionally, the legitimate interests of the controller outweigh the interests or fundamental rights or freedoms of the data subject. In addition, the controller provided the DPA photos of the information labels indicating the use of security cameras.
The DPA was of the opinion that in order to rely on the article 6(1)(f) if the GDPR, i.e. the legitimate interest, there shall be legitimate interest analysis conducted. More specifically, the controller is obliged to compare its own legitimate interests with the interests and fundamental rights of the data subject to see whether the article 6(1) (f) of the GDPR can be invoked as a legal basis for the processing.
Moreover, the DPA highlighted that the data processing must be transparent. The principle of transparency of the GDPR requires that all information and messages related to the processing of personal data must be easily accessible and easy to understand, and that clear and plain language be used. In order to comply with the principle of transparency the privacy notice must be put in place. The content of privacy notice is governed by the articles 12 to 14 of the GDPR.
In addition, the DPA noted that a compliant sign must be created to notify data subjects about the use of security cameras,
Holding
The Estonian Data Protection Inspectorate found a violation of the articles 5,6, 12 and 13 of the GDPR in relation to the use of security cameras. More specifically, the DPA found that the retail company did not have a proper legal basis for the use of security cameras and thus such surveillance should be suspended.
The DPA found that a proper legitimate interest analysis must be carried out for the use of cameras for the described work. In addition, the DPA found that appropriate informative signs must be created and installed for the use of security cameras. In addition to the mentioned, the DPA found that for such a plan, a new privacy policy.
Considering that the use of security cameras in the abovementioned retail company is currently unlawful, such a practice should be suspended until the controller has submitted a legitimate interest analysis to the DPA.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Estonian original. Please refer to the Estonian original for more details.
Send a letter Please digitally sign electronic appeals and send them to info[at]aki.ee. Please post paper appeals to: Data Protection Inspectorate Tatari 39, 10134 Tallinn Request for clarification With a request for clarification, you can ask the inspectorate for the institution's views, interpretations or practical information. The request for clarification will be answered within 30 days on the basis of the Act on responding to a memo and a request for clarification and submitting a collective appeal. Information request You can submit a request for information to us if you want to receive a document that is already available in the Data Protection Inspectorate. With a request for information, you can request, for example, an earlier letter or a decision that has already been made. Filing a complaint You can submit an objection to the inspection's own actions if you want a review of the inspection's decision or action that affects your rights. The appeal must be filed within 30 days of learning about the contested decision or action. You cannot file an appeal if you have gone to court on the same matter.
