DVI (Latvia) - SIA "QUANTRUM"

From GDPRhub
Revision as of 10:53, 9 July 2024 by Fb (talk | contribs)
DVI - SIA "QUANTRUM"
LogoLV.png
Authority: DVI (Latvia)
Jurisdiction: Latvia
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 6(1) GDPR
Article 25(1) GDPR
§ 4.24 Ministru kabineta noteikumi Nr. 369
Type: Complaint
Outcome: Partly Upheld
Started: 08.02.2023
Decided: 08.02.2024
Published: 28.06.2024
Fine: n/a
Parties: SIA Quantrum
National Case Number/Name: SIA "QUANTRUM"
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Lithuanian
Original Source: DVI (in LT)
Initial Contributor: fb

The DPA found that a controller cannot be held liable for an action of an employee who deliberately disregarded the controller’s instructions.

English Summary

Facts

The controller is a company which provides security services. In its premises, it uses a CCTV system which records both the video and the audio.

The data subject filed a complaint with the DPA and argued that, after they were recorded by the CCTV system, the footage was sent to them by an employee of the controller on WhatsApp and Telegram.

On 8 February 2023, the DPA opened an investigation.

The controller argued that none of its instructions to employees include copying video material onto any kind of private devices. Therefore, in the present case, the video footage was sent to the data subject by an employee without any instruction or order by the controller.

Moreover, the controller informed the DPA that the footage had been deleted and the employment relationship with the employee had been terminated.

Holding

Firstly, the DPA noted that the controller has established procedures to manage access authorisations, access control, for organising video surveillance, for viewing the archive of video surveillance recordings, and for creating, issuing and storing a copy of recordings. The DPA held that these technical and organisational measures adopted by the controller comply with the requirements of Article 25(1) GDPR.

Moreover, the DPA found that the controller cannot be held liable for the action of its employees who deliberately disregarded the rules set by the controller and obtain CCTV footage without the appropriate authorisation.

On these grounds, the DPA did not find an infringement and dismissed the complaint.

However, the DPA decided ex officio to extend the scope of the investigation with regard to the fact that the CCTV was equipped with an audio recording function. The DPA noted that this audio recording had been conducted on the basis of the Cabinet of Ministers Regulation of 21 June 2022 No. 369. Sub-paragraph 4.24 of this regulation states that the conversations between security personnel that take place by means of remote communication must be recorded and stored for three months.

The DPA, after asking an opinion to the Ministry of the Interior, stated that the audio recording through CCTV cameras does not fall into the scope of sub-paragraph 4.24, as it only recorded the voice of one of the two people having the conversation.

Therefore, the DPA found that this processing activity was not compliant with Articles 5(1)(a) and (c) and 6(1) GDPR.

On these grounds, the DPA ordered to the controller to cease the recording of audio in connection with the video surveillance.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Lithuanian original. Please refer to the Lithuanian original for more details.

Elijas iela 17, Riga, LV-1050, tel. 67223131, e-mail pasts@dvi.gov.lv, www.dvi.gov.lv


                                                                                                 In case no. [..]


                                                                                      SIA "QUANTRUM"
                                                                                                     in e-Address


                                                 The decision

Riga, February 8, 2024 No. [..]

On the application of the corrective measure

      [1.] The Data State Inspectorate (hereinafter - the Inspectorate) has received [..] (hereinafter - the Data Subject)

submission, in which the Data Subject informed about [..] actions, downloading from SIA without a corresponding order
"QUANTRUM" (hereinafter - SIA) video surveillance system video surveillance camera recording, that
by sending the Data to the subject in the online network application for smartphones WhatsApp, as well as by uploading it
in Telegram, an online networking app for smartphones.

      [2.] In order to verify the compliance of the technical and organizational measures introduced by the SIA
In accordance with the requirements of the General Data Protection Regulation (hereinafter - the Data Regulation) and in accordance with the Individual
of the data processing law (hereinafter – the Data Law), Article 4, Part 1, Clause 1 and Article 5, First
parts 1. point 1 of Article 57 of the Data Regulation. Clauses a) and h) Inspection carried out the following actions

and found the following conditions.
      [2.1.] On February 8, 2023, examination case no. [..] about the technical and
compliance of organizational measures with the requirements of the Data Regulation.
      [2.2.] Inspections of February 8, 2023, June 29, 2023 and September 11, 2023
         2
in the letters invited SIA to provide information about the technical and organizational measures introduced by SIA
measures, ensuring the integrity of the video surveillance system.
      [2.3.] SIA provided its explanations on March 7, 2023, September 14, 2023
letters .

      [3.] As a result of the actions indicated in points [1-2] of this decision, the following has been clarified.
      [3.1.] The video surveillance carried out by SIA in the security control center did not foresee the actions of employees such as
refilming or copying of video material on any kind of private data media, incl. on mobile phones.
In the specific case [..], acting without the order or instruction of SIA, the video material was obtained arbitrarily.
      Upon receiving information about a possible data protection violation, SIA took steps to correct it

terminated, that is, the obtained video material would have been deleted from private data carriers. At the same time SIA
informed that the employment legal relationship between [..] and SIA was terminated.


1Regulation of the European Parliament and the Council of April 27, 2016 No. 2016/679 on the protection of natural persons in relation to
processing of personal data and free circulation of such data and repealing Directive 95/46/EC
2Inspection's letter of February 8, 2023 [...] "On the initiation of the inspection and request for information", dated 2023
Letter of June 29 No[..]"Regarding additional information request", September 11, 2023 letter No[..] "Regarding
repeated request for additional information"
3
  SIA letter b/n of March 7, 2023 (registered in the inspection on March 7, 2023 a[..), September 14, 2023
letter b/n (registered in the inspection on September 14, 2023 [..),.                                                   2

      [3.2.] In view of the data protection violation that occurred, SIA reviewed the technical and
organizational measures, as well as reviewing the rules of the personal data processing system.

      [3.3.] At the same time, from the information provided by SIA, it can be established that the security control center of SIA
the video surveillance system is equipped with an audio recording function. Audio recording by SIA, based on
Regulation of the Cabinet of Ministers of June 21, 2022 No. 369 "Rules on the activity register of security guards,
registration of security operations and requirements for the security control center" (hereinafter - Regulations No. 369)
4.21. and 4.24. subsection.

      [4.] In accordance with the points [1-3] of this decision, the Inspection concludes the following.
      [4.1.] In accordance with Article 4, subsection 7) of the Data Regulation on the compliance of personal data processing is
responsible manager.
      [4.2.] Clause 1 of Article 24 of the Data Regulation stipulates that, taking into account the nature and extent of the processing,
context and intentions, as well as risks of varying likelihood and severity with respect to physical
rights and freedoms of individuals, the manager implements appropriate technical and organizational measures,

to ensure and be able to demonstrably demonstrate that processing takes place in accordance with this regulation. If necessary,
the mentioned measures are reviewed and updated.
      Article 25(1) of the Data Regulation states that, taking into account the state of the art, implementation costs
and the nature, extent, context and purposes of the processing, as well as various likelihoods and severities
degree of risks regarding the rights and freedoms of natural persons caused by the processing, both by the controller

appropriate technical and
organizational measures, such as pseudonymization, which are designed to effectively implement the data
protection principles such as data minimization and to integrate the necessary safeguards into the processing
in order to fulfill the requirements of this regulation and to protect the rights of data subjects.
      [4.3.] In accordance with the basic principles of data processing referred to in Article 5, Clause 1 of the Data Regulation, 5

incl. in accordance with subsection (f), the controller must ensure the security of personal data, including protection against
against unauthorized or unlawful processing and against accidental loss, destruction or damage,
using appropriate technical or organizational measures (integrity and confidentiality).
Recital 39 of the Data Regulation explains that [...] personal data should be processed in a way that ensures
adequate security and confidentiality of personal data, including preventing unauthorized access to personal data
data or its unauthorized use and unauthorized access to equipment used for processing.

In addition, in accordance with the principle of accountability established in Article 5, Clause 2 of the Data Regulation, directly to the controller
is obliged to provide such a personal data processing process that allows to prove that the controller performed
processing of personal data complies with the requirements of the data protection regulatory framework. On the other hand
in accordance with Article 32, Clause 4 of the Data Regulation, the manager and the processor take measures to ensure,
that any natural person acting under the authority of the controller or processor and having access

personal data, they are not processed without the controller's instructions, except when the said person is required to do so
in accordance with Union or Member State law.
      [4.4.] The inspection, after evaluating the personal data processing rules submitted by SIA, finds that
SIA has determined the management of access permits, access control, organization of video surveillance
procedures, procedures for viewing the archive of video surveillance records and making copies of records,
issuance and storage procedures.

      Thus, it can be concluded that SIA has introduced and is implementing such technical and organizational measures
measures that meet the requirements of Article 25, Paragraph 1 of the Data Regulation. At the same time, the Inspection takes
taking into account that SIA cannot be responsible for the actions of employees who deliberately disregard the rules of SIA, and
obtaining video surveillance footage without proper authorization.
      In view of the aforementioned, in the part of the examination file on the technical and

organizational measures, ensuring the integrity of the video surveillance system, are
completed without finding a violation.

4 a natural or legal person, public institution, agency or other body that alone or jointly with others determines
the purposes and means of personal data processing [..]
5a) legality, integrity and transparency, b) purpose limitations; c) data minimization, d) accuracy; e) storage
restriction; f) integrity and confidentiality 3

      [5.] At the same time, observing 3.3 of this decision. personal data of the SIA found in sub-para

processing – audio recording with video surveillance in the security control center – Self-inspection
initiatives expanded the scope of the examination and concluded the following.
      [5.1.] Pursuant to Article 5, Clause 2 of the Data Regulation, the controller is obliged to perform data processing
in accordance with the basic principles of data processing referred to in Article 5 of the Data Regulation and Article 6 of the Data Regulation
to the established legal basis. Article 5(1)(a) of the Data Regulation provides that persons

data is processed lawfully, in good faith and in a manner transparent to the data subject ("lawfulness",
"integrity" and "transparency"), while subparagraph (c) requires that the data are adequate, relevant and
include only what is necessary for the purposes of their processing ("data minimization").
      Therefore, every processing of personal data carried out by the manager must be in accordance with Article 6 of the Data Regulation
for the specified legal basis. Only in that case can it be considered that personal data is being processed

done legally
      [5.2.] Regulation no. 369 4.24. subsection stipulates that there must be a security control center
means of communication with other security personnel, security commercial mobile groups,
security service recipients, other persons and institutions. Contact information is available
recorded and stored for at least three months.

      According to the information provided by SIA, SIA Regulation No. 369 4.24. subsection is executed with
for video surveillance cameras installed in the security control center, which are equipped with audio recording
performance function.
      [5.3.] Considering that from Regulation No. 369 4.24. the redactions of subsection are not unambiguous
it can be concluded that a CCTV camera equipped with an audio recording function is
                                                                                   6
sufficient Regulation No. 369 4.24. for the implementation of subsection, the Inspectorate asked for the opinion of the Internal Affairs
to the Ministry on whether the security merchant in the security control center should make an audio recording for them
for conversations that take place between persons in the security control center, or however this subsection
for enforcement, the security merchant must make a record only for the communication that took place through the communication
means (such as a telephone or radio).
                                                     7
      [5.4.] According to the opinion of the Ministry of the Interior, the security merchant is obliged to provide
the existence of means of communication (for example, a radio station, telephone) through which communication takes place between
employees of the security merchant with other employees located outside the control center,
for the security merchant's mobile groups, security service recipients, other persons and
institutions, and is also instructed to ensure the recording and storage of the mentioned communication information.

      [5.5.] Thus, it can be concluded that the security merchant, which is also an LLC, in order to ensure the Regulation
No. 369 4.24. the execution of sub-paragraph, the conversations that are carried out through communication must be recorded
funds. The inspection takes into account that, when guarding the object, it is essential to have in the event of an incident
available as large a body of evidence as possible to help reveal both the circumstances of the incident and
actions of the security guards, therefore it is essential that the communications provided during communication are recorded

information so that, if necessary, you can listen to what both participants of the conversation said.
      When making an audio recording with video surveillance, SIA does not provide Regulation No. 369
4.24. full implementation of the subsection, because the audio recording made by the video surveillance camera records
only what the security control center employee says, but what the other participant in the conversation says is not recorded.
In addition, during audio recording with video surveillance, SIA processes (obtains, stores) conversations between

to persons who are in the security control center, and these conversations may be unrelated to anyone
security incident.
      Taking into account the above, it can be established that the data processing carried out by SIA, when making an audio recording,
does not meet the requirements of Article 5(1)(a) and (c) and Article 6(1) of the Data Regulation.
      [6.] We inform you that the Inspection implements the "Consult first" principle in its activities, which provides that

The primary tasks of the inspection are the effective protection of data of natural persons (instructions on the controller

6
7Inspection's letter of September 29, 2023[.. "Regarding the request for an opinion"
 The letter of the Ministry of the Interior dated October 30, 2023[..]"About giving an opinion" (Registered in the Inspectorate in 2023
On 31 October with [..) 4

deficiencies identified in the personal data processing and providing suggestions for their elimination)
and in case of illegal processing of personal data, performing the necessary actions with the aim of
to stop it as soon as possible, thereby reducing the damage caused to the data subject.

      [7.] Article 58, paragraph 2, subparagraph d) of the Data Regulation provides for the authority of the Inspectorate to issue
an order to the manager or processor to coordinate processing activities with the provisions of the Data Regulation,
if necessary - in a specific way and in a specific period of time. Article 23 of the Data Regulation stipulates that
The inspection, when making decisions regarding the imposition of a legal obligation, applies the Administrative
process law (hereinafter - APL).
      According to the first part of Article 66 of the APL, it is necessary to decide on the issuance of an administrative act

utility. Namely, when making a decision on the prevention of data processing of an unlawful person, the Inspection
the possibility of deciding on a smaller limitation of personal rights should be evaluated.
      Evaluating the necessity and necessity of the administrative act, the Inspectorate concludes that the decision
adoption is both necessary and necessary to achieve the goal of preventing Data Regulations
violations of the rules in the personal data processing carried out by SIA, by making an audio recording with
video surveillance.

      The administrative act is a suitable means to achieve the goal, as it creates a legal obligation for SIA
to prevent detected violations within a specific procedural term, as well as prevent similar violations
occurrence in the future.
      The administrative act can be considered as the most proportionate means for achieving the goal, because in comparison
with the decision on imposing an administrative penalty is considered more lenient. At the same time, legal
the imposition of the obligation is aimed at the data subject in the Data Regulation, the Data Law and other regulatory acts

provision of the expected basic rights to personal data protection.
      In compliance with the above, the Inspection, on the basis of Article 58, paragraph 1, subparagraph e) of the Data Regulation
and sub-paragraph d) of paragraph 2, Article 23 of the Data Regulation, Article 5 of the first part 3 of the Data Law and
Clause 6 and Clause 2) of the first part of Article 63 of the APL,

                                               decides:


      oblige SIA to stop audio recording with video surveillance, par
to notify the execution of the decision in writing by March 12, 2024, by submitting information to the Inspectorate
about the measures taken by SIA.

      According to the first and second parts of Article 70 of the APL, the decision enters into force from the moment it is announced

to the addressee, while the decision is notified to the addressee in accordance with the Notification Law. Notification Act
The second part of Article 4 provides that the legal entity is notified of the document at its legal address. Notifications
The third and fourth parts of Article 8 of the law stipulate that a document notified as registered mail,
shall be considered notified on the seventh day after its delivery to the post office, as well as if a statement is received from the post office
delivery of a shipment or a returned document does not in itself affect the notification of the document
fact.

      This decision in accordance with the first and second parts of Article 76, Article 79 of the Law on Administrative Procedure
the first part and 24 of the Data Law. the first part of the article can be appealed within one month of its entry into force
days Data to the Director of the State Inspection.
      [8.] The Inspectorate informs that Article 83, Clause 5 of the Data Regulation provides for the application of administrative
fines of up to EUR 20,000,000 or, in the case of a company, up to 4% of its total
worldwide annual turnover of the previous financial year, depending on the amount

greater, in accordance with Clause 2 for violations of the following rules: on the basic principle of processing, including
conditions for consent, subject to Articles 5, 6, 7 and 9, the data subject's rights under Data
Articles 12 - 22 of the regulation, if the order of the supervisory authority or temporary or final processing is not followed



8 the last day for submitting a written answer by post or sending it electronically with a secure electronic signature 5

or restriction of data circulation in accordance with Article 58, paragraph 2 of the Data Regulation, or access has not been granted,
in violation of Article 58, paragraph 1 of the Data Regulation.
      In compliance with the above, the Inspectorate informs that in the event that the provisions of this decision are not complied with
order, the Inspectorate will exercise other powers granted to the Inspectorate in the Data Regulation.



Deputy Director L. Dilba


[..]