AEPD (Spain) - PS/00224/2021: Difference between revisions
No edit summary |
|||
Line 50: | Line 50: | ||
}} | }} | ||
The Spanish DPA fined an individual €1500 for inadequately installing a video surveillance system in breach of the data minimisation principle. | The Spanish DPA fined an individual €1500 for inadequately installing a video surveillance system in breach of the data minimisation principle as well as failing to provide sufficient information to data subjects on where to exercise their rights. | ||
== English Summary == | == English Summary == |
Revision as of 18:06, 24 January 2022
AEPD (Spain) - PS/00224/2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(c) GDPR Article 13 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 13.01.2022 |
Fine: | 1500 EUR |
Parties: | n/a |
National Case Number/Name: | PS/00224/2021 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | FA |
The Spanish DPA fined an individual €1500 for inadequately installing a video surveillance system in breach of the data minimisation principle as well as failing to provide sufficient information to data subjects on where to exercise their rights.
English Summary
Facts
The complainant is a city council. The respondent is an individual.
The city council filed a complaint with the Spanish DPA regarding two video surveillance cameras that the individual put up on their property. The cameras faced the public highway, and the poster signalling their existence did not contain sufficient information on the data controller for the data they collected as well as on who data subjects would need to contact to enforce their rights.
Holding
After restating the law on installing video surveillance cameras, the Spanish DPA held the respondent violated Article 5(1)(c) GDPR and Article 13 GDPR by intentionally or negligently positioning the cameras to record public areas without justified cause, therefore processing data of identifiable natural persons, and by failing to provide sufficient information as to the identity of the controller and where data subjects can go to exercise their rights under the GDPR.
As such, the DPA imposed a fine of €1500 on the individual and ordered them to move the cameras to comply with the GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/10 File No.: PS/00224/2021 RESOLUTION OF PUNISHMENT PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: Dated November 11, 2020 it is received in this Agency claim filed by CITY COUNCIL OF ***CITY COUNCIL.1 (as regards hereafter, the complaining party) against A.A.A. with NIF ***NIF.1 (hereinafter, the part claimed) for having installed two video surveillance cameras on the facade of his housing, C/ ***DIRECTORY.1, ***CITY COUNCIL.1, facing the public highway, with an informative poster without information regarding the owner of the recording file or who go to exercise the rights established in the regulations for the protection of data. For this reason, file E/09874/2020 was opened, sending a letter to the party claimed informing you of the requirements to carry out treatment of personal data through such devices. This letter was returned by the postal service with the annotation "Returned to Origin due to surplus (not withdrawn in office)". Likewise, the claimant organization was informed that if the non-compliance adoption of measures would be initiated, where appropriate, the actions provided for in the data protection regulations. On February 9, 2021, it had entry in this Spanish Protection Agency of Data a document presented by the complaining party, by means of which it formulates new claim against the claimed party for the installation of a video surveillance oriented towards public roads and with the incomplete information poster, There are indications of a possible breach of the provisions of the regulations of Personal data protection. It provides a photographic report, and a police report where it is indicated: “(…) That during the intervention, this officer realizes that the house of the applicant has two recording video cameras on the facade of the property, facing public roads, one on ***CALLE.1 street, the other on ***CALLE.2 street, with the corresponding informative poster established in the regulations on protection of data (photos are attached), although they are blank, without data related to the owner of the recording file or who to contact to exercise the rights established in the regulations on data protection. That in addition to being a sign not adjusted to current regulations. (…)” SECOND: Prior to the acceptance of this claim for processing, it is transferred to the claimed party, in accordance with the provisions of article 65.4 the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/10 Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), being notified with dated March 12, 2021, as stated in the proof of delivery issued by the mail service. There is no record in this Agency of any response from the party complained against. THIRD: The claim was admitted for processing by resolution of May 11 of 2021. FOURTH: On July 9, 2021, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against the claimed party, for the alleged infringement of articles 5.1.c) and 13 of the RGPD, typified in the article 83.5 of the RGPD. FIFTH: After the period granted for the formulation of allegations to the agreement to start the procedure, received by the claimed party on 05 August 2021, it has been verified that this Agency has not received an allegation some to the same Article 64.2.f) of Law 39/2015, of October 1, on Administrative Procedure Common Public Administrations (hereinafter LPACAP) -provision of which the party claimed was informed in the agreement to open the proceeding- establishes that if allegations are not made within the stipulated period on the content of the initiation agreement, when it contains a precise statement about the imputed responsibility, may be considered a resolution proposal. At present case, the agreement to initiate the disciplinary proceedings determined the facts in which the imputation was specified, the infraction of the RGPD attributed to the claimed and the sanction that could be imposed. Therefore, taking into account that the party complained against has made no objections to the agreement to initiate the file and In accordance with the provisions of article 64.2.f) of the LPACAP, the aforementioned agreement of beginning is considered in the present case resolution proposal. In view of everything that has been done, by the Spanish Data Protection Agency In this proceeding, the following are considered proven facts: FACTS FIRST: On February 9, 2021, this Agency received a claim against A.A.A. with NIF ***NIF.1 for having two video surveillance cameras installed in the facade of your home, C/ ***DIRECTORY.1, ***CITY COUNCIL.1, facing towards the public thoroughfare, with an informative poster without data related to the owner of the file of recording or who to contact to exercise the rights established in the regulations of data protection. SECOND: Several photographs and a police report of the Town Hall of *** TOWN HALL.1. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/10 THIRD: The Agreement to Start this sanctioning procedure was notified dated August 5, 2021, without, to date, having received in this Agency allegations by the respondent. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and according to the provisions of articles 47 and 48.1 of the LOPDGDD, the Director of the Spanish Agency for Data Protection is competent to resolve this process. II The physical image of a person under article 4.1 of the RGPD is personal data and its protection, therefore, is the subject of said Regulation. Article 4.2 of the GDPR defines the concept of “treatment” of personal data. Article 22 of the LOPDGDD establishes the specificities of data processing for video surveillance purposes, indicating the following: "one. Natural or legal persons, public or private, may carry out the processing of images through camera systems or video cameras with the purpose of preserving the safety of people and property, as well as their facilities. 2. Images of public roads may only be captured to the extent that is essential for the purpose mentioned in the previous section. However, it will be possible to capture the public road in an extension superior when necessary to guarantee the security of goods or strategic installations or infrastructures linked to transport, without In no case may it involve capturing images of the interior of a home private. 3. The data will be deleted within a maximum period of one month from its collection, except when they had to be kept to prove the commission of acts that threaten the integrity of persons, property or facilities. In that case, the images must be made available to the competent authority in within a maximum period of seventy-two hours from the date of knowledge of the existence of the recording. The blocking obligation provided for in article 32 of this organic law. 4. The duty of information provided for in article 12 of the Regulation (EU) 2016/679 will be understood to be fulfilled by placing an informative device in a sufficiently visible place identifying, at least, the existence of the treatment, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/10 the identity of the person in charge and the possibility of exercising the rights provided for in the Articles 15 to 22 of Regulation (EU) 2016/679. It may also be included in the informative device a connection code or internet address to this information. In any case, the data controller must keep available to those affected the information referred to in the aforementioned regulation. 5. Under article 2.2.c) of Regulation (EU) 2016/679, it is considered excluded from its scope of application the treatment by a natural person of images that they only capture the interior of their own home. This exclusion does not cover processing carried out by a security entity private that had been contracted for the surveillance of a home and had access to the images. 6. The processing of personal data from the images and sounds obtained through the use of cameras and video cameras by the Armed Forces and Security Bodies and by the competent bodies for surveillance and control in penitentiary centers and for the control, regulation, vigilance and discipline of the traffic, will be governed by the legislation transposing Directive (EU) 2016/680, when the treatment is for the purposes of prevention, investigation, detection or prosecution of criminal offenses or execution of criminal sanctions, including protection and prevention against threats to public safety. Out of In these cases, said treatment will be governed by its specific legislation and additionally by Regulation (EU) 2016/679 and this organic law. 7. What is regulated in this article is understood without prejudice to the provisions of Law 5/2014, of April 4, on Private Security and its development provisions. 8. The treatment by the employer of data obtained through information systems cameras or video cameras is subject to the provisions of article 89 of this law organic.” III In accordance with the foregoing, the processing of images through a video surveillance system, to be in accordance with current regulations, must comply with the following requirements: - Respect the principle of proportionality. - When the system is connected to an alarm center, you can only be installed by a private security company that meets the requirements contemplated in article 5 of Law 5/2014 on Private Security, of April 4. - The video cameras will not be able to capture images of the people who are outside the private space where the security system is installed. video surveillance, since the processing of images in public places can only be carried out, unless there is government authorization, by the Forces and Corps of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/10 Security. Nor can spaces owned by third parties be captured or recorded without the consent of their owners, or, as the case may be, of the persons who are find. This rule admits some exceptions since, on some occasions, for the protection of private spaces, where cameras have been installed on facades or inside, it may be necessary to guarantee the security purpose the recording of a portion of public road. That is, cameras and video cameras installed for the purpose of security will not be able to obtain images of public roads unless it is essential for said purpose, or it is impossible to avoid it due to the location of those and, extraordinarily, the minimum space for said purpose. Therefore, the cameras could exceptionally capture the portion minimally necessary for the intended security purpose. - The duty to inform those affected provided for in the articles 12 and 13 of the RGPD, and 22 of the LOPDGDD, in the terms already indicated. - The person in charge must keep a record of treatment activities carried out under its responsibility, including the information to which it makes reference article 30.1 of the RGPD. - The installed cameras cannot obtain images from private space of third party and/or public space without duly accredited justified cause, nor can affect the privacy of passers-by who move freely through the area. No this allowed, therefore, the placement of cameras towards the private property of neighbors with the purpose of intimidating them or affecting their private sphere without just cause. - In no case will the use of surveillance practices be admitted beyond the environment object of the installation and in particular, not being able to affect the spaces surrounding public, adjoining buildings and vehicles other than those accessing the guarded space. In summary and to facilitate the consultation of interested parties, the Spanish Agency for Data Protection offers through its website [https://www.aepd.es] access to the legislation on the protection of personal data, including the RGPD and the LOPDGDD (section “Reports and resolutions” / “regulations”), as well as the Guide on the use of video cameras for security and other purposes, as well as the Guide for compliance with the duty to inform (both available in the section “Guides and tools”). It is also of interest, in the event of carrying out low-risk data processing, the facilitates free tool (in the “Guides and tools” section), which, through specific questions, allows to assess the situation of the person in charge with respect to the treatment of personal data that it carries out, and where appropriate, generate various documents, informative and contractual clauses, as well as an annex with measures guidelines considered minimum. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/10 IV In the present case, the claim was filed because the respondent has installed two video surveillance cameras on the facade of his home, oriented towards the public thoroughfare, with an informative poster without data related to the owner of the file of recording or who to contact to exercise the rights established in the regulations of data protection. As proof of these manifestations, the evidence indicated in the “Facts” section of this agreement. The corrective powers available to the Spanish Agency for the Protection of Data, as a control authority, is established in article 58.2 of the RGPD. Between they have the power to issue a warning -article 58.2.b)-, the power to impose an administrative fine in accordance with article 83 of the RGPD - article 58.2 i)-, or the power to order the controller or processor that the treatment operations comply with the provisions of the RGPD, when appropriate, in a certain way and within a specified period -article 58. 2 d)-. According to the provisions of article 83.2 of the RGPD, the measure provided for in article 58.2 d) of the aforementioned Regulation is compatible with the sanction consisting of a fine administrative. v In accordance with the evidence available and which has not been distorted in the sanctioning procedure, the claimed party has installed two video surveillance cameras that could be capturing images of third parties, and In addition, the informative poster of the existence of said chamber is incomplete, so It is considered that these facts violate the provisions of articles 5.1.c) and 13 of the RGPD, which supposes the commission of infractions typified in article 83.5 of the GDPR, which provides the following: "Infringements of the following provisions shall be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the global total annual turnover of the previous financial year, opting for the largest amount: a) the basic principles for the treatment, including the conditions for the consent under articles 5, 6, 7 and 9; b) the rights of the interested parties according to articles 12 to 22; […].” For the purposes of the limitation period for infractions, the infractions indicated in the previous paragraph are considered very serious and prescribe after three years, in accordance with Article 72.1 of the LOPDGDD, which establishes that: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/10 "According to the provisions of article 83.5 of Regulation (EU) 2016/679 are considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: a) The processing of personal data violating the principles and guarantees established in article 5 of Regulation (EU) 2016/679. b) The processing of personal data without the concurrence of any of the conditions of legality of the treatment established in article 6 of the Regulation (EU) 2016/679. (…) h) The omission of the duty to inform the affected party about the treatment of their personal data in accordance with the provisions of articles 13 and 14 of the Regulation (EU) 2016/679 and 12 of this Organic Law. (…)» SAW The fine imposed must be, in each individual case, effective, proportionate and dissuasive, in accordance with the provisions of article 83.1 of the RGPD. Therefore, It is appropriate to graduate the sanction to be imposed in accordance with the criteria established by the article 83.2 of the RGPD, and with the provisions of article 76 of the LOPDGDD, regarding to section k) of the aforementioned article 83.2 RGPD: In the initial assessment, the following have been considered: - The nature of the offense by having a video surveillance system that is oriented towards public transit areas without just cause, trying to data of identifiable natural persons (art. 83.5 a) RGPD. - The intention or negligence of the infraction, the cameras are oriented to the outside of your establishment (83.2.b) RGPD). - The informative poster that appears on the façade does not indicate who the responsible for the treatment and where the interested parties can go to exercise your rights recognized in the RGPD. SAW However, as already indicated in the initial agreement and in accordance with the established in the aforementioned article 58.2 d) of the RGPD, according to which each authority of control may "order the person responsible or in charge of processing that the processing operations comply with the provisions of this Regulation, where appropriate, in a certain manner and within a specified period […].” The respondent is required to take the following steps: - provide the images observed with the devices in question, indicating on a location map the parts that correspond to its private property. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/10 - Prove that you proceeded to remove the cameras from the places current, or to the reorientation of the same towards their particular area. - certifies having proceeded to place the informative device in the video-monitored areas or to complete the information offered in the same (must identify, at least, the existence of a treatment, the identity of the person in charge and the possibility of exercising the rights foreseen in said precepts), locating this device in a sufficiently visible, both in open and closed spaces. - certifies that it keeps the information available to those affected referred to in the aforementioned RGPD. It is warned that not meeting the requirements of this organization may be considered as an administrative offense in accordance with the provisions of the RGPD, typified as an infraction in its article 83.5 and 83.6, being able to motivate such conduct the opening of a subsequent sanctioning administrative proceeding. Therefore, in accordance with the applicable legislation and having assessed the criteria for graduation of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES FIRST: IMPOSE A.A.A. with NIF ***NIF.1, for a violation of article 5.1.c) of the RGPD, typified in article 83.5 of the RGPD, a fine of €1,000 (one thousand euros). SECOND: IMPOSE A.A.A. with NIF ***NIF.1, for a violation of article 13 of the RGPD, typified in article 83.5 of the RGPD, a fine of €500 (Five hundred euros). THIRD: ORDER A.A.A. with NIF ***NIF.1 which, by virtue of article 58.2.d) of the GDPR, within ten days, take the following measures: - provide the images observed with the devices in question, indicating on a location map the parts that correspond to its private property. - Prove that you proceeded to remove the cameras from the places current, or to the reorientation of the same towards their particular area. - certifies having proceeded to place the informative device in the video-monitored areas or to complete the information offered in the same (must identify, at least, the existence of a treatment, the identity of the person in charge and the possibility of exercising the rights foreseen in said precepts), locating this device in a sufficiently visible, both in open and closed spaces. - certifies that it keeps the information available to those affected referred to in the aforementioned RGPD. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/10 FOURTH: NOTIFY this resolution to A.A.A. FIFTH: Warn the sanctioned party that he must make the imposed sanction effective once Once this resolution is enforceable, in accordance with the provisions of the article 98.1.b) of the LPACAP, within the voluntary payment term established in article 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to article 62 of Law 58/2003, of December 17, by entering, indicating the NIF of the sanctioned person and the procedure number that appears at the top of this document, in the restricted account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Protection Agency of Data in the banking entity CAIXABANK, S.A.. Otherwise, it will proceed to its collection in executive period. Received the notification and once executed, if the date of execution is between the 1st and 15th of each month, both inclusive, the term to make the payment voluntary will be until the 20th day of the following month or immediately after, and if between the 16th and last day of each month, both inclusive, the payment term It will be until the 5th of the second following month or immediately after. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month from counting from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law. Finally, it is pointed out that in accordance with the provisions of article 90.3 a) of the LPACAP, The firm resolution may be provisionally suspended in administrative proceedings if the The interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact by writing addressed to the Spanish Agency for Data Protection, presenting it through Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other records provided for in article 16.4 of the aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the documentation proving the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would end the precautionary suspension. 938-26102021 Sea Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/10 C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es