NAIH (Hungary) - NAIH-4177-………./2021: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Hungary |DPA-BG-Color=background-color:#7f0037; |DPAlogo=LogoHU.jpg |DPA_Abbrevation=NAIH (Hungary) |DPA_With_Country=NAIH (Hungary) |Case_Num...") |
(Great summary overall, I appreciate how clear it is and how it links the legal issues to the law really well. I mainly made some small grammar/formatting changes, such as fixing the paragraphs (a problem caused by the form used to submit decisions) and changing some present tense verbs to the past tense.) |
||
Line 56: | Line 56: | ||
}} | }} | ||
The Hungarian DPA held that the use of a | The Hungarian DPA held that the use of a motion-detecting camera to record large areas of a public space in an apartment complex was in breach of the GDPR, because neither the household exemption nor the resident who installed the camera's legitimate interest could be invoked. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
A tenant of a flat in an apartment complex | A tenant of a flat in an apartment complex argued that the motion-detecting camera installed in the complex by another tenant was unlawfully processing their personal data, since it partially recorded public spaces of the building. Moreover, the complainant also questioned whether the single sticker the defendants placed on the wall satisfied the information provision obligations under [[Article 13 GDPR]]. | ||
The defendants argued that the camera | |||
The defendants argued that the camera was used to protect their belongings, such as their door and gas/electricity meters, and therefore fell under the 'legitimate interest' legal ground under [[Article 6 GDPR#1f|Article 6(1)(f)]]. Finally, they noted that after reviewing the recordings captured by the camera, they made sure to delete them on a daily basis. | |||
=== Holding === | === Holding === | ||
The Hungarian DPA noted that the legitimate interest legal | The Hungarian DPA noted that the legitimate interest legal basis under [[Article 6 GDPR#1f|Article 6(1)(f)]] could indeed be invoked for the protection of private property, including for the monitoring of public spaces under limited circumstances, as noted in point 27 of the EDPB in Guidelines 3/2019 on processing of personal data through video devices. However, the DPA held that this legal ground was not applicable in this case, since the camera's angle also captured areas that were not relevant for the purpose of protecting private property, and the defendant's activity therefore did not fulfil the requirements for necessity and proportionality. | ||
Moreover, the DPA recalled that in the [[Ryneš case|CJEU - C‑212/13 - František Ryneš]], the CJEU ruled that the exception for 'purely personal or household activity' under [[Article 2 GDPR#2c|Article 2(2)(c)]] must be interpreted narrowly, and therefore does not apply to the recording of public spaces. | Moreover, the DPA recalled that in the [[Ryneš case|CJEU - C‑212/13 - František Ryneš]], the CJEU ruled that the exception for 'purely personal or household activity' under [[Article 2 GDPR#2c|Article 2(2)(c)]] must be interpreted narrowly, and therefore does not apply to the recording of public spaces. | ||
Subsequently, the DPA ordered the defendant to either restrict the viewing angle of the camera, use blurring or masking technologies achieving the same effect, change the location of the camera, or cease its use altogether. The DPA also noted that one sticker warning that the camera is in use does not | |||
Subsequently, the DPA ordered the defendant to either restrict the viewing angle of the camera, use blurring or masking technologies achieving the same effect, change the location of the camera, or cease its use altogether. The DPA also noted that one sticker warning that the camera is in use does not fulfil the provisions regarding information to be provided under [[Article 13 GDPR]]. However, the DPA did not deem it necessary to impose any fine, given that it was a first offence that caused only limited harm. | |||
== Comment == | == Comment == |
Revision as of 08:44, 27 October 2021
NAIH (Hungary) - NAIH-4177-………./2021 | |
---|---|
Authority: | NAIH (Hungary) |
Jurisdiction: | Hungary |
Relevant Law: | Article 2(2)(c) GDPR Article 6(1) GDPR Article 13(1) GDPR Article 13(2) GDPR Article 58(2) GDPR |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | |
Decided: | 13.09.2021 |
Published: | 22.10.2021 |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | NAIH-4177-………./2021 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Hungarian |
Original Source: | NAIH (in HU) |
Initial Contributor: | Tapir |
The Hungarian DPA held that the use of a motion-detecting camera to record large areas of a public space in an apartment complex was in breach of the GDPR, because neither the household exemption nor the resident who installed the camera's legitimate interest could be invoked.
English Summary
Facts
A tenant of a flat in an apartment complex argued that the motion-detecting camera installed in the complex by another tenant was unlawfully processing their personal data, since it partially recorded public spaces of the building. Moreover, the complainant also questioned whether the single sticker the defendants placed on the wall satisfied the information provision obligations under Article 13 GDPR.
The defendants argued that the camera was used to protect their belongings, such as their door and gas/electricity meters, and therefore fell under the 'legitimate interest' legal ground under Article 6(1)(f). Finally, they noted that after reviewing the recordings captured by the camera, they made sure to delete them on a daily basis.
Holding
The Hungarian DPA noted that the legitimate interest legal basis under Article 6(1)(f) could indeed be invoked for the protection of private property, including for the monitoring of public spaces under limited circumstances, as noted in point 27 of the EDPB in Guidelines 3/2019 on processing of personal data through video devices. However, the DPA held that this legal ground was not applicable in this case, since the camera's angle also captured areas that were not relevant for the purpose of protecting private property, and the defendant's activity therefore did not fulfil the requirements for necessity and proportionality.
Moreover, the DPA recalled that in the CJEU - C‑212/13 - František Ryneš, the CJEU ruled that the exception for 'purely personal or household activity' under Article 2(2)(c) must be interpreted narrowly, and therefore does not apply to the recording of public spaces.
Subsequently, the DPA ordered the defendant to either restrict the viewing angle of the camera, use blurring or masking technologies achieving the same effect, change the location of the camera, or cease its use altogether. The DPA also noted that one sticker warning that the camera is in use does not fulfil the provisions regarding information to be provided under Article 13 GDPR. However, the DPA did not deem it necessary to impose any fine, given that it was a first offence that caused only limited harm.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
Case number: NAIH-4177- ………. / 2021. Subject: Decision initiated in official proceedings DECISION Before the National Authority for Data Protection and Freedom of Information (hereinafter referred to as the Authority) […] applicant ([…] hereinafter referred to as “Applicant”) […] (hereinafter referred to as “Applicant1”) and […] hereinafter referred to as "Applicant2") ([…], hereinafter together referred to as "Applicants") In the data protection authority proceedings initiated following the request received on the 16th day, the Authority has the following makes decisions: In its decision, the Authority partially upheld the applicant 's request and found that: Applicants violated the processing of personal data of natural persons the free movement of such data and Directive 95/46 / EC Article 6 of Regulation (EU) 2016/679 (hereinafter: GDPR) repealing Directive And Article 13 (1) to (2) of the GDPR. II. The Authority instructs the Applicants to comply with Article 30 of this Decision from the date on which it becomes final within 11 days, terminate the illegal camera surveillance and take their data processing operations comply with legal provisions by: (a) the angle of view of the affected camera is adjusted and, if necessary, to the camera an appropriate masking, distortion function is used, or (b) reassemble the camera to a position from which Applicants are only legally they can observe observable areas, or c) disassemble the camera. III. The Authority 's decision to impose a data protection fine on the applicant' s request, and rejects the part concerning the deletion of personal data. There is no administrative appeal against this decision, but it is from the communication within 30 days of the application to the Metropolitan Court in an administrative lawsuit can be challenged. The application must be submitted to the Authority, electronically, which is the case forward it to the court together with its documents. Indicate the request for a hearing in the application must. For those who do not receive a full personal exemption from judicial review the fee of the procedure is HUF 30,000, the lawsuit is subject to the right to record material fees. Before the Metropolitan Court legal representation is mandatory in proceedings. EXPLANATORY STATEMENT I. Facts On 16 April 2021, the Applicant submitted an application to the Authority stating that the Applicants have installed a camera on […] real estate (hereinafter: Real Estate) with which they make unauthorized images or sound recordings forming part of the common area of the Property from the staircase. On the one hand, the Applicant complained about the lack of information provided, as only identified a “camera-monitored area” sticker. The Applicant in connection with data management emphasized that the data subjects did not consent to the data processing and that the data processing was carried out by the Applicants are likely to do so without a legal basis. To the best of the Applicant's knowledge, it is Property camera is a Xiaomi Mi 360 type wireless security camera. THE 2 Applicant further submitted that the fact that the camera was operated was acknowledged by a clerk in the minutes of the proceedings for the protection of property, and the event also proves that during which the Applicant1 questioned the Applicant in connection with the previous day's recording of the camera. The Applicant has made it probable that in addition to the Applicant1, the Applicant2 is also liable can be established in connection with unlawful data processing, as it is the co-owner of the Applicant1. In view of the above, the Applicant addressed the following requests to the Authority: - prohibit the Applicants from operating the camera system; - call for the dismantling of the illegally operated camera system; - order the Applicants to delete the data; - impose a fine on the Applicants. In order to clarify the facts, the Authority in its orders dated 28 April 2021 63. § called on the Applicants to make a statement. It was sent to the Authority by order of the Applicant1 in a reply letter received on 4 May 2021 information. Applicant1 submitted that on the basis of a joint decision with Applicant2 we installed a Mi Home Security Camera 360 ° camera facing the stairs of the condominium. THE Based on the link indicated by applicant1, the camera has the following features: 1080P FHD resolution, 360 ° viewing angle, infrared night mode, motion detection and conversation function (two-way audio). The Applicant1 stated that the camera camera shots were wifin sent to the Applicants' telephone, masking is not applied by the Applicants. THE camera was justified by the Applicant1 on the grounds that it was in the stairwell directly in front of the door shoes and were concerned that the person who had used the garage door regularly in the past spat, changed the position of the plants periodically, or partially eliminated them, next time it damages the electric gas meter or the door. Data processor based on the declaration of the Applicant1 does not work, no data transfer will take place, and only Applicants will be allowed to record have access to. Applicant1 indicated that the camera was recording a few seconds of video, if it detects movement. These recordings are deleted several times a day with Applicant2 together so no storage takes place. Applicant1 added that it was about the Applicant recording was also canceled that day. In addition, Applicant1 recorded that the camera was fitted notified the Joint Representative who supported and approved it, or at the front door of the building a a sticker was affixed at the same time as the camera was put into operation. Finally, the Applicant1 emphasized that, to the best of their knowledge, the Applicant is neither a homeowner nor a landlord. As a statement filed by the Applicant2 on 5 May 2021, it was forwarded by the Applicant1 and requested the Authority to take it into account decision or requested the rejection of the application in view of the Applicant's ownership. Subsequently, the Authority repeatedly invited the Applicants to make a statement in accordance with Ákr. Section 63 and sent a rectification to the Applicant as the Authority found that the application was not contained the facts and arguments in support of the allegations of alleged infringement evidence that it did not include the exact location of the Applicant’s property information. In its supplementary submission, the Applicant stated as follows. He stated that the […] lives in real estate, the apartment is owned by his wife’s family. In his opinion, his apartment ownership is not relevant, only the quality of the data subject matters in the data protection when judging issues. He added that there are three apartments in each other in the stairwell above, and the Applicant’s apartment is located directly below the Applicants residing on the roof level. THE Applicant stated that he approached his apartment with the disputed camera does not use stairs, however, the roof exit can also be reached via the stairs monitored by the camera 3 (immediately adjacent to the camera and its technical condition must be checked periodically), and a window in common ownership at the stairs opposite the camera for views use for access. In addition, the Applicant stated that it was more cloudy in the evening the stagnant camera from the reflection of the window on the mezzanine floor at the stairwell lamp extinguished for days standing in the line of its own front door, it is clearly visible, from which, in the Applicant 's view, the it follows that in such cases the impugned camera will also see the Applicant's front door. The Applicant in his view, the condominium co-representative is not entitled to by any resident of the condominium approve the installation of a camera that you want to operate illegally, you cannot decide to do so yourself authorization. The Applicant further stated that in his opinion the impugned camera was through a window on the mezzanine floor, you can also see the busy Turkish road, and since the camera Based on what was presented by the applicants, it is high resolution, so about the people traveling there may record without authorization. The Applicant submitted that there was no guarantee that the Applicants will actually delete the unauthorized data after the recordings have been made. In their joint statement, the Applicants presented the following. The Applicants consider stated that an application saves the notifications to the memory card, hence to a separate folder the data will not be saved. A screenshot was attached to support their statement. THE According to the applicants' statement, the legal basis for data processing is the General Data Protection Regulation Article 6 (1) (f) for the purpose of promoting their property and personal protection, as on 5 August 2020, the Applicant threatened him with a knife (no action was taken). He attached a copy of the decisions in support of their statement. It is also attached to the Property side view drawing and the content of the correspondence exchanged with the common representative. Finally, the Candidates consider stated that the cabinet under the installed camera only belongs to the Applicants' apartment electricity and gas meter. Following the Applicants' reply, the Applicant lodged a request for access to the file, which was by sending the documents by post. The Applicant submitted the following statement in connection with the submitted documents. The Applicant The Conseil d 'État submitted that, because of the wording, correspondence with the Joint Representative did not prove that the consent to camera recordings and cannot be considered lawful either, as it is common representative is not entitled to authorize on its own without the decision of the residents. The Applicant He added that the property protection proceedings relied on by the Applicants were not in the present case relevant because, on the one hand, it has already been properly assessed by the acting body by rejecting the submission. On the other hand, the facts presented by the Applicants cannot be justified by any resident operation of a camera intended to be operated illegally in the common condominium area. Subsequently, in order to clarify the facts, the Authority again invited the Applicants are listed in the Ákr. 63. In their joint submission, the Applicants stated as follows. Candidates attached the balancing test with the addition that since the ongoing proceedings it has been experienced the following: non-greeting was replaced by an arrogant wide grin; - when the Applicants pass in front of the Applicant's apartment, from within the Applicant knocks loudly on the door; - if they accidentally meet on the street and cross the road in front of the Applicant's car the engine is started by the Applicant. The Authority highlights the following part of the content of the interest balance test attached by the Applicants: "The area in front of the door can otherwise be closed with a separate grille, which allows access to the roof stairwell, but this is not the only way to approach the roof. The first in front of the attic apartment of the staircase there is the same roof access that anyone can only then 4 to get up that one of the residents let him in. […] And […] decided to keep the grid open because for in an emergency I do not want to delay the ascent, and they trust the unwritten as a rule, whoever wants to get to the roof speaks to them. The part under the roof ramp (which is directly at our entrance) are also treated as private because of the above ”. Given that the Applicants have not been subjected to atrocities since the camera was installed, it is that dismantling the camera would perpetuate past inconveniences and increase a sense of threat. Applicants described the location of the two properties and the camera the area observed by. In this regard, the Applicants highlighted that if someone who wants to look out of the affected window does not necessarily get into the camera 's field of view, and observation does not extend beyond the designated area, not pedestrians passing by on Turkish Road detected, and the resolution of the transmitted image is not sufficient to capture pedestrians. THE Applicants submitted that they had never seen one belonging to their apartment in the last five years to look at the Applicant at a stairway, and the Applicant’s window is larger and essentially it is associated with the same sight. The Applicants attached the deed of incorporation of the condominium with which In this connection, it was stated that the deed did not designate the exact location of the joint ownership, thus In the absence of such a rule, the unwritten rule applies that the part directly in front of the apartment, the garden, stairs are treated as private property. Where the ground floor apartments are located in front of the garden would like to take advantage of other residents on a regular basis or want to admire the view from the first, closed staircase, it would do so in consultation with the owners living there. The Applicants added to the roof driveway can be approached through the observed area, directly from the area in front of the Applicants, as they leave the grille in front of their direct entrance open. The Applicants stated that a the technical condition of the roof was not checked in the five years preceding the submission, or two times professionals worked on the roof after prior consultation and once came to assess the roof for bidding, so condominium residents don’t use the roof. If necessary would check that the Joint Representative would notify the Applicants who are temporarily I would dismantle the camera during the inspection. The memorandum of association attached by the Applicants states: “IN THE JOINT PROPERTY RESIDUAL PARTS: I / A residential plots II / Basic and rising walls, pillars, staircase walls, chimneys, ventilation horns […] III. Intermediate and closing slab (without cover) […] VII / Stair structures with cover and railing ’. In their last submission, the Applicants supplemented their statement to the extent that: are concerned that the Applicant has become acquainted with personal information obtained during previous official proceedings used data in the present proceedings, despite the fact that the data were provided by The applicant was not invited by the Authority. In addition, the Applicants were presented with the camera twice since the application, the camera has sensed that the Applicant has been in his field of view, both times, the recordings were deleted along with the telephone recording that the Applicant had mentioned as the recordings do not prove the Applicant’s confused manifestations. The Applicants According to the statement of the Applicant, the window in the partially monitored area in question did not use it to view the view until the date of their submission. Finally, the Applicants recorded that that the roof gangway is not suitable for an escape route, it can only be through a gangway with a separate ladder to get to the roof, however, the ladder upstairs is not specially placed for this purpose and is official not marked as an escape route either. II. Applicable legal provisions Article 2 (1) of the GDPR applies to all or part of personal data automated processing of personal data and the processing of personal data automated part of a registration system, or which are intended to be part of a registration system. Covered by the GDPR Infotv. Pursuant to Section 2 (2) of the General Data Protection Decree there shall apply with the additions indicated. 5 Infotv. Pursuant to Section 60 (1), the enforcement of the right to the protection of personal data To that end, the Authority shall, at the request of the data subject, initiate a data protection authority procedure and may initiate ex officio data protection proceedings. Unless otherwise provided in the GDPR, the data protection authority procedure is general CL of 2016 on administrative order. (hereinafter: Ákr.) apply with the exceptions specified in the Infotv. Pursuant to Article 2 (2) of the GDPR, the Regulation does not apply to personal data treatment if it: (a) carried out in the course of activities outside the scope of Union law; (b) by Member States in the course of activities covered by Chapter 2 of Title V of the TEU; (c) by natural persons exclusively in the course of their personal or domestic activities; (d) the prevention, investigation, detection and prosecution of criminal offenses by the competent authorities or to enforce criminal sanctions, including public security protection against and prevention of such threats. According to recital 18 of the GDPR, the Regulation does not apply to personal data data by a natural person exclusively in the context of a personal or domestic activity which cannot be brought about by any professional or business activity context. For example, correspondence, directory and community activities in the context of those personal and domestic activities networking and online activities. This Regulation shall apply however, to data controllers and processors whose personal data are so personal or the means to manage it in the context of a home activity. According to Article 4 (1) of the GDPR, personal data are identified or identifiable as natural any information about the person ("data subject"); identifiable natural person who directly or indirectly, in particular by means of an identifier such as a name, number, location data, online identification or physical, physiological, genetic, one or more factors relating to his intellectual, economic, cultural or social identity identifiable on the basis of. According to point 2 of this article, the processing of personal data or data files any operation or set of operations carried out in an automated or non-automated manner, such as collecting, recording, organizing, sorting, storing, transforming or altering, querying, made available for inspection, use, communication, transmission, distribution or otherwise harmonization or interconnection, restriction, deletion or destruction. Pursuant to Article 4 (7) of the GDPR, a controller is a natural or legal person public authority, agency or any other body involved in the processing of personal data defines its goals and means independently or together with others; if the purposes of the data processing and determined by Union or Member State law, the controller or the controller Union or Member State law may also lay down specific criteria for the designation of Pursuant to Article 5 (2) of the GDPR, the controller is responsible for compliance with paragraph 1, and must be able to demonstrate this compliance ("accountability"). Pursuant to Article 6 of the GDPR, the processing of personal data is limited to that and to that extent lawful if at least one of the following is met: (a) the data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes treatment; (b) processing is necessary for the performance of a contract to which one of the parties is a party; or to take action at the request of the data subject prior to the conclusion of the contract required; (c) processing is necessary for compliance with a legal obligation to which the controller is subject; (d) the processing is in the vital interests of the data subject or of another natural person necessary for its protection; (e) the processing is in the public interest or a public authority conferred on the controller necessary for the performance of the task carried out in the exercise of (f) processing for the legitimate interests of the controller or of a third party necessary, unless those interests take precedence over those interests or fundamental rights and freedoms which require the protection of personal data, especially if the child is affected. Under Article 13 (1) to (2) of the GDPR: 1. Where personal data concerning a data subject are collected from the data subject, the controller provide the data subject with the following information at the time the information is obtained. each of the following information: (a) the identity and contact details of the controller and, if any, of the controller 's representative; (b) the contact details of the Data Protection Officer, if any; (c) the purpose of the intended processing of the personal data and the legal basis for the processing; (d) in the case of processing based on Article 6 (1) (f), the controller or a third party legitimate interests of a party; (e) where applicable, the recipients or categories of recipients of the personal data, if any; (f) where applicable, the fact that the controller is in a third country or an international organization personal data to the Commission and the Commission’s decision on compliance. in Article 46, Article 47 or Article 49 (1). appropriate and suitable guarantees in the case of the transfer referred to in the second subparagraph of and the means by which copies may be obtained or reference to the possibility of 2. In addition to the information referred to in paragraph 1, the controller shall in order to ensure fair and transparent data management, inform the data subject of the following additional information: (a) the period for which the personal data will be stored or, if that is not possible, that period aspects of its definition; (b) the data subject's right to request from the controller the processing of personal data concerning him or her. rectification, erasure or restriction of their use and may object against the processing of such personal data and the right to the data portability concerned. about; (c) data based on Article 6 (1) (a) or Article 9 (2) (a); in the case of treatment, the right to withdraw the consent at any time, which is not affects the lawfulness of data processing carried out on the basis of consent before withdrawal; (d) the right to lodge a complaint to the supervisory authority; (e) that the provision of personal data is required by law or by a contractual obligation based on or a precondition for concluding a contract and whether the person concerned has a personal obligation data and the possible consequences for the lack of support; Act CXXXIII of 2003 on condominiums Section 25 (hereinafter: Condominium Act) (1), the monitoring of parts of the building, premises and areas in common ownership electronic monitoring system with a closed system technical solution for hereinafter referred to as "camera system"), the General Assembly of all property co-owners with a majority of at least two-thirds of the shares may decide by a vote. […] Infotv. 60 / A. § (1), the administrative procedure in the data protection authority is the administrative deadline one hundred and fifty days. Infotv. Pursuant to Section 61 (1) (a), it was taken in a data protection authority proceeding In its decision, the Authority Data management specified in Section 2 (2) defined in the General Data Protection Regulation may apply legal consequences. Pursuant to Article 58 (2) (b) GDPR, the supervisory authority shall condemn the controller or the processor if his data processing activities have infringed the provisions of this Regulation, or under the corrective power of the supervisory authority under point (d) of the same paragraph acting by instructing the controller to carry out its data processing operations, where appropriate in a specified manner and within a specified period, in accordance with the provisions of this Regulation. III. Decision III.1. The identity of the controller Pursuant to Article 4 (7) of the GDPR, a controller is a natural or legal person […] who a determine the purposes and means of the processing of personal data, either individually or in association with others […]. According to Article 26 (1) of the GDPR, if the purposes and means of data processing are two or more jointly defined by the controller, they shall be considered as joint controllers. The Applicants in their declaration to the Authority - as the operator of the camera system Have clearly identified themselves as data controllers and, according to the Applicants' statement, camera was installed themselves, therefore, as determining the purpose and means of data management Article 4 (7) of the GDPR and Article 26 (1) of the GDPR considered by the Authority to be a joint controller. All this does not change the fact that in consultation with the common representative of the Condominium in advance became the fact that in the current situation real estate camera surveillance may be warranted, as Condominium TV. Pursuant to Section 25 (1), only at least two-thirds of all ownership shares the camera shall be deemed to have been approved with the affirmative vote of the majority of the co-owners operation. III.2. Legality of camera data management Under the GDPR, the image of the data subject is considered personal data. Affected by the identified or identifiable natural person. According to all this, if based on a recording natural person can be identified, then the image is taken as personal data, the image is taken considered as data management. The Authority notes that in the course of the proceedings it is not relevant that the Applicant owns or otherwise owns the apartment. All you need to consider is that whether it can be related to data processing, i.e. whether it is included in the camera’s field of view. In the present case, the Authority finds that the Applicant is considered to be concerned, as in two cases camera captured (even if for a short time) the Applicant, as well as by operating the camera on it the possibility still exists. The use of cameras, depending on their position and angle of view, may be suitable for to observe another private area, or a public area, associated with another property make recordings that may violate the personal identity of persons observed by the camera rights, privacy. The angle of view of cameras should not normally be directed at a public area because it is for surveillance purposes only it is possible in a narrow circle, as this activity may infringe on the privacy of the observed person by handling your personal information even against your will. Under Article 2 (2) (c) of the GDPR, they do not fall within the scope of the Regulation and therefore do not the GDPR rules apply to the processing of personal data if it is carried out by natural persons carried out exclusively in the course of their personal or domestic activities (so-called "household data management"). Examples of personal or domestic activities are given in recital 18 of the GDPR, thus, it qualifies as such in the context of correspondence, directory storage, personal and home activities social networking and other online activities. Important 1 however, to emphasize that, as the Court of Justice of the European Union in the so-called Rynes judgment the exception for private data processing should be interpreted narrowly. For the purposes of this Decision, camera surveillance, in so far as the data processing also extends to persons outside the private property of the shooter exception. This practice has been maintained by the European Data Protection Board for the use of video in its Guideline 3/2019 on in-depth data management. The guidelines, in addition to flattens that it is generally a camera designed to monitor its own area monitoring system may extend to the border of the area, recognizes that, in exceptional cases, a situation may arise where the scope of the camera surveillance cannot be reduced to one’s own within this area, as this would not provide sufficiently effective protection. Appropriate technical or organizational measures (such as those not relevant to the purpose of the monitoring). obscuring the area or filtering the observed part by IT means). the individual is entitled to extend the camera surveillance to his own territory. let your immediate surroundings. However, in the event that the individual does not employ the camera in the field of view of another private area - who obscures solutions, or who specifically monitors another private area already operates a camera system, it becomes a data controller, and its activity does not qualify private data management, so it should apply to GDPR data controllers all the requirements set out in Thus, by applying masking, the area monitored by the camera can be narrowed to the area that is in the possession of the controller. However, if the angle of view of the cameras is outside the privacy of the person performing the data management with the system - for example, in a public area, a condominium jointly owned territory or territory owned by another third party, it cannot be considered as a “personal or home” activity covered by the above exception. In the present case, the memorandum of association actually states that the walls of the staircase, the walls, ventilation chimneys, and intermediate and closing slabs are common areas. A Ha- as the forecourt is not separately owned and the intermediate and closing slabs can be considered as a common area and therefore cannot be considered as private area. The Authority 1C 212/13. Case No - http://curia.europa.eu/juris/document/document.jsf?docid=160561&doclang=EN 2https: //edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_201903_video_devices_en_0.pdf Chapter 3.1.2, point 27 9 further notes that part of the public space is also observed through the window, as it is a section of road falls within the scope of the camera. The Authority notes that it is presumably not regular to be exclusively for the Applicant third parties appear on the stairs leading to the roof, as well as the use of the exit leading to the roof unlikely without prior notice, so Applicants have the opportunity to turn off the camera. in case of signal. However, this does not change the fact that the Applicants have jointly owned and operated and the management of public data falls within the scope of the GDPR, which In this case, the condition of lawfulness of the data processing is one of those laid down in Article 6 of the GDPR existence of a legal basis. The Authority invited the Applicants to indicate the legal basis for their data processing. on the basis of which the Applicants invoked Article 6 (1) (f) of the GDPR at the same time as attaching a balancing test. According to the Authority, the consent of the stakeholders and the Condominium TV. Section 25 (1) in the absence of a decision under Article 6 (1) (f) of the GDPR legal basis, but its application requires an indication of an appropriate legitimate interest. Of this However, in order to apply it, the controller must examine the circumstances, the necessity and the proportionality as well. The Authority also points out that in order to make a complaint to attach evidence may be a legitimate aim, but in the Authority’s view it is not the common area of the condominium is continuously, to a greater extent (the entire forecourt of the property, stairs). observation. The Authority finds that the harassment and trespass identified by the Applicants prevention of crime, intimidation of the perpetrator and evidence of harassment and trespassing as data could be enforced in such a way that the camera were relve that instead of the entire forecourt of the apartment only the door of the property and its immediate surroundings would record. In this way, it would be possible to prevent anyone from potentially infringing and that there are no adequate means available to the for you. Accordingly, the Authority may, in accordance with Article 6 (1) (f) of the GDPR, pot in its present form is not considered lawful. It should also be emphasized that the Applicants, due to the angle of view of the camera, not only area, but also the public area visible through the window, for which the Applicants did not submit a separate balancing test and use a different legal basis nor was it marked. The legislation referred to - primarily the GDPR - does not allow an individual systematically, with the assistance of himself or others, systematically, for several months monitor the public space, the individuals who are active there, therefore, the observation is contrary to the principle of lawful data management due to the above. Given, therefore, that no proper legal basis has been established either in advance or during the proceedings and, due to the scale of the observation, the Authority considers that the data processing exceeded what was necessary and proportionate, as no fact came to light in the course of the on the basis of which the need to monitor the public space or the common space is therefore the Authority found that the Article 6 (1) of the GDPR. 10 In view of the above, the Authority has condemned the infringement under Article 58 (2) (b) of the GDPR. Applicants because their data processing activities violated the provisions of the GDPR. THE The Authority also ordered, pursuant to Article 58 (2) (d) of the GDPR, that a Applicants will bring their data management operations in line with the provisions of the GDPR. III.3. Informing stakeholders about camera surveillance Stakeholders in accordance with Article 13 (1) and (2) of the GDPR information on the circumstances of the data processing must be provided. In the case of camera surveillance, the preliminary information already needs to be provided as a first step when entering the observed area - that’s the thing due to its nature - at that time it was located outside the observed area (front door, gate) brief information by means of a pictogram is necessary and sufficient, but at the same time as a second step, you must necessarily complete at least one available on site complete (longer and detailed) prospectus. The latter information on the availability of the outsourced Information should be given on a “pictogram” (one of its functions is actually this: the area warnings on unavoidable data management upon entry and the necessary full information availability of this information) and make this information available to the data subject upon request should be released. Applicants affixed a pictogram to the camera, however, in addition no further data management information in accordance with Article 13 (1) and (2) of the GDPR provided. The Authority found that the circumstances of the data processing covered by the GDPR were: Applicants therefore failed to provide adequate information, in breach of Article 13 of the GDPR Paragraphs 1 and 2. III.4. Legal consequences, other issues The Authority examined of its own motion whether data protection against the Applicants was justified imposition of a fine. In this context, the Authority will comply with Article 83 (2) of the GDPR and Infotv. 75 / A. §-the considered all the circumstances of the case of its own motion and found that the present proceedings The imposition of a fine for an infringement detected in the course of that the Applicants are individuals, not previously found to have violated the GDPR and the infringement in the individual case concerned only the Applicant and its surroundings. Of which a Authority was also able to draw a thorough conclusion that even without imposing a data protection fine the request formulated by the Applicant that the Applicants as data controllers a in the future, in accordance with the rules of the GDPR. The Authority points out that the application of a data protection fine to the Applicant's right or legitimate interest does not directly affect, such a decision of the Authority shall not confer any right or obligation on it consequently, this legal consequence, which falls within the scope of the public interest, the Applicant shall not be considered a customer with regard to the imposition of fines CL of 2016 on General Administrative Procedure. Section 10 (1) of the Act (hereinafter: the Act) or, as the Ákr. Does not comply with Section 35 (1) in this regard there is no place to file an application, this part of the petition cannot be interpreted as an application. In addition, due to the fact that the Applicants have already deleted the recordings of the Applicant, the Authority does not order the deletion of personal data. ARC. Other issues The competence of the Authority is limited by the Infotv. Section 38 (2) and (2a), its jurisdiction is covers the whole country. 11 The decision is based on Ákr. 80.-81. § and Infotv. It is based on Section 61 (1). The decision is based on Ákr. 82. § (1), it becomes final with its communication. The Acre. § 112 and § 116 (1), or pursuant to Section 114 (1), it has a place in an administrative lawsuit against the decision redress. * * * The rules of administrative litigation are laid down in Act I of 2017 on the Procedure of Administrative Litigation (a hereinafter: Kp.). A Kp. Pursuant to Section 12 (1) by a decision of the Authority The administrative lawsuit against the court falls within the jurisdiction of the court. Section 13 (3) a) The General Court has exclusive jurisdiction under subparagraph (aa) of A Kp. Pursuant to Section 27 (1) (b), it is an administrative matter within the jurisdiction of the tribunal legal representation is mandatory in litigation. A Kp. According to Section 39 (6) - unless otherwise provided by law the application of the application is deferred until the administrative act takes effect does not apply. A Kp. Section 29 (1) of the Civil Procedure Code of 2016 CXXX. Act (hereinafter: Pp.) applicable pursuant to § 604, electronic administration and CCXXII of 2015 on the general rules of trust services. Section 9 (1) b) of the Act the legal representative of the client is obliged to keep in touch electronically. The time and place of filing the application is set out in the Act. Section 39 (1). THE Information on the possibility to request a hearing in connection with the decision It is based on Section 77 (1) - (2). In connection with the order, the court in a simplified lawsuit out-of-court procedure in accordance with Kp. § 124 (2) c) and Kp. Section 124 (5) based on paragraph The amount of the fee for an administrative lawsuit is set out in Act XCIII of 1990 on Fees. law (hereinafter: Itv.) 45 / A. § (1). From the advance payment of the fee is Itv. Section 59 (1) and Section 62 (1) (h) shall release the party initiating the proceedings. If the Applicant does not duly demonstrate the fulfillment of the required obligations, the Authority shall: considers that it has not fulfilled its obligations within the prescribed period. The Acre. According to § 132, if a Applicant has not complied with its obligation under the Authority 's final decision, executable. The decision of the Authority Pursuant to Section 82 (1), the notification becomes final becomes. The Acre. Section 133 of the Enforcement - unless otherwise provided by law or government decree ordered by the decision-making authority. The Acre. Pursuant to Section 134, the enforcement of the carried out by a state tax authority. Infotv. Pursuant to Section 61 (7) in the decision of the Authority to perform a specific act, conduct, tolerance or the Authority shall enforce the decision in respect of the standstill obligation implements. Budapest, September 13, 2021 Dr. Attila Péterfalvi President c. professor