DSB (Austria) - 2022-0.585.764: Difference between revisions

From GDPRhub
mNo edit summary
No edit summary
 
(One intermediate revision by the same user not shown)
Line 61: Line 61:
}}
}}


The Austrian DPA fined €25,000 an individual for having installed cameras in a public toilette without any legal basis.
The Austrian DPA fined an individual €25,000 for having installed cameras in a public toilet without any legal basis.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The controller installed cameras in a public toilette. The system had a sensor that activated cameras and started recording as soon as a person entered the monitored. A criminal investigation started against the controller. When asked why he decided to install the cameras, the controller claimed to have a “technic interest”: indeed, they needed to test the cameras. They specifically targeted public toilettes because this decision had “a certain appeal of the illicit”.
The controller - an individual - installed cameras in a public toilet. The system had a sensor that activated cameras and started recording as soon as a person entered the monitored area. A criminal investigation started against the controller. When asked why he decided to install the cameras, the controller claimed to have a “technical interest”: indeed, they needed to test the cameras. They specifically targeted public toilets because this decision had “a certain appeal of the illicit”.


Notified by the police in the context of the criminal proceeding, the Austrian DPA opened a second investigation.
Notified by the police in the context of the criminal proceeding, the Austrian DPA opened a second investigation.


The controller claimed to have erased data and not to have disclosed them to third parties. Moreover, the controller pointed out that people appearing in the video recordings were not identifiable. Consequently, processing did not involve personal data and the GDPR did not apply.
The controller claimed to have erased the data and not to have disclosed the data to third parties. Moreover, the controller pointed out that people appearing in the video recordings were not identifiable. Consequently, processing did not involve personal data and the GDPR did not apply, according to the controller.


=== Holding ===
=== Holding ===
The Austrian DPA stressed that, even if personal data were not disclosed to third parties, according the CJEU case law (see [https://curia.europa.eu/juris/liste.jsf?nat=or&mat=or&pcs=Oor&jur=C%2CT%2CF&num=C-212%252F13&for=&jge=&dates=&language=en&pro=&cit=none%252CC%252CCJ%252CR%252C2008E%252C%252C%252C%252C%252C%252C%252C%252C%252C%252Ctrue%252Cfalse%252Cfalse&oqp=&td=%3BALL&avg=&lg=&page=1&cid=783560 C-212/13]), video recording of public space is not covered by the household exemption under [[Article 2 GDPR#2c|Article 2(2)(c) GDPR]]. Therefore, the GDPR applied to the case at issue.
The Austrian DPA stressed that, even if personal data were not disclosed to third parties, according to CJEU case law (see [https://curia.europa.eu/juris/liste.jsf?nat=or&mat=or&pcs=Oor&jur=C%2CT%2CF&num=C-212%252F13&for=&jge=&dates=&language=en&pro=&cit=none%252CC%252CCJ%252CR%252C2008E%252C%252C%252C%252C%252C%252C%252C%252C%252C%252Ctrue%252Cfalse%252Cfalse&oqp=&td=%3BALL&avg=&lg=&page=1&cid=783560 C-212/13]), video recording of public space is not covered by the household exemption under [[Article 2 GDPR#2c|Article 2(2)(c) GDPR]]. Therefore, the GDPR applied to the case at issue.


In terms of legal basis, “technic interest” of the controller could theoretically be thought as a special kind of legitimate interest under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. In practice, there were doubts about the fact that such an interest was really “legitimate”. In any case, processing was not necessary to achieve the goal stated by the controller and by no means able to prevail in the balancing with data subjects’ rights. Thus, the processing had no legal basis and was unlawful.
In terms of legal basis, “technical interest” of the controller could theoretically be thought as a special kind of legitimate interest under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. In practice, it could hardly argued by the controller that such an interest was really “legitimate”. In any case, processing was not necessary to achieve the goal stated by the controller and by no means able to prevail in the balancing with data subjects’ rights. Thus, the processing had no legal basis and was unlawful.


Moreover, the controller violated their transparency obligations under [[Article 12 GDPR|Articles 12]] and [[Article 13 GDPR|13 GDPR]], as they did not display the appropriate informative signs.  
Moreover, the controller violated their transparency obligations under [[Article 12 GDPR|Articles 12]] and [[Article 13 GDPR|13 GDPR]], as they did not display the appropriate informative signs.  

Latest revision as of 14:44, 9 May 2023

DSB - 2022-0.585.764
LogoAT.png
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 2(2)(c) GDPR
Article 6(1)(f) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 23.08.2022
Published:
Fine: 25,000 EUR
Parties: n/a
National Case Number/Name: 2022-0.585.764
European Case Law Identifier: ECLI:AT:DSB:2022:2022.0.585.764
Appeal: Unknown
Original Language(s): German
Original Source: DSB (Austria) (in DE)
Initial Contributor: n/a

The Austrian DPA fined an individual €25,000 for having installed cameras in a public toilet without any legal basis.

English Summary

Facts

The controller - an individual - installed cameras in a public toilet. The system had a sensor that activated cameras and started recording as soon as a person entered the monitored area. A criminal investigation started against the controller. When asked why he decided to install the cameras, the controller claimed to have a “technical interest”: indeed, they needed to test the cameras. They specifically targeted public toilets because this decision had “a certain appeal of the illicit”.

Notified by the police in the context of the criminal proceeding, the Austrian DPA opened a second investigation.

The controller claimed to have erased the data and not to have disclosed the data to third parties. Moreover, the controller pointed out that people appearing in the video recordings were not identifiable. Consequently, processing did not involve personal data and the GDPR did not apply, according to the controller.

Holding

The Austrian DPA stressed that, even if personal data were not disclosed to third parties, according to CJEU case law (see C-212/13), video recording of public space is not covered by the household exemption under Article 2(2)(c) GDPR. Therefore, the GDPR applied to the case at issue.

In terms of legal basis, “technical interest” of the controller could theoretically be thought as a special kind of legitimate interest under Article 6(1)(f) GDPR. In practice, it could hardly argued by the controller that such an interest was really “legitimate”. In any case, processing was not necessary to achieve the goal stated by the controller and by no means able to prevail in the balancing with data subjects’ rights. Thus, the processing had no legal basis and was unlawful.

Moreover, the controller violated their transparency obligations under Articles 12 and 13 GDPR, as they did not display the appropriate informative signs.

In light of the above, the DPA fined the controller €25.000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

text

GZ: 2022-0.585.764 from August 23, 2022 (case number: DSB-D550.509)

[Editor's note: Names and companies, legal forms and product names, addresses (including URLs, IP and e-mail addresses), file numbers (and the like), etc., as well as their initials and abbreviations may be abbreviated and/or changed for reasons of pseudonymization be. Corrected obvious spelling, grammar, and punctuation errors.]

penal decision

Accused: A***, born on XXX

As the person responsible within the meaning of Art. 4 Z 7 of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data, on the free movement of data and on the repeal of Directive 95/46/EC (General Data Protection Regulation, hereinafter : "GDPR"), OJ No. L 119 of May 4th, 2016 p /679 on the protection of natural persons with regard to the processing of personal data, on the free movement of data and on the repeal of Directive 95/46/EC (General Data Protection Regulation, hereinafter: "GDPR"), OJ No. L 119 of 04.05.2016 p. 1, as amended, realized the following facts and thereby committed the following administrative offenses:

I.Roman one. In the period from June 1st, 2020 to July 31st, 2020, you, as the person responsible, have a total of three different days, but in any case on July 24th, 2020, for a period of nine to twelve hours each distributed over the respective day (hereinafter "criminal period") in XXX in one of the (public) toilet facilities located there (hereinafter "crime scene"), processed personal data unlawfully and without a legitimate purpose by installing and operating a (hidden) image processing system (WiFi camera) inside a toilet cubicle. In this way, you secretly recorded the people concerned using the toilet facility. The specific processing took place without the knowledge and therefore also without the consent of the persons concerned and can also not be based on any of the other legal permissions standardized in Art. 6 Para. 1 DSGVO three different days, but in any case on July 24th, 2020, for a period of nine to twelve hours spread over the respective day (hereinafter "offence period") in Roman XXX in one of the (public) toilet facilities located there (hereinafter " Tatort"), unlawfully and without a legitimate purpose, processed personal data by installing and operating a (hidden) image processing system (WiFi camera) inside a toilet cubicle. In this way, you secretly recorded the people concerned using the toilet facility. The specific processing took place without the knowledge and therefore also without the consent of the persons concerned and can also not be based on any of the other permissions standardized in Article 6, paragraph one, GDPR.

As a result, as the person responsible, you have violated the following principles of the GDPR:

 Principle of processing personal data lawfully, fairly and in a manner that is transparent to the data subject (“lawfulness, fair processing, transparency”)

 Principle of processing personal data for specified, explicit and legitimate purposes (“purpose limitation”)

 Principle of processing personal data that is appropriate and relevant to the purpose and limited to what is necessary for the purposes of processing ("data minimization")

II.Roman II.     You, as the person responsible, also violated your obligation to provide information under Art. 13 GDPR during the period of the crime at the scene of the crime by not attaching a suitable label with regard to the video surveillance system at the scene of the crime, which the data subjects had at the time their personal data was collected about the image processing within the toilet cabin within the meaning of Art. 12 and 13 GDPR. As the person responsible, you have also violated your obligation to provide information under Article 13, GDPR at the crime scene during the crime period by not providing suitable labeling in relation to the video surveillance system at the crime scene have attached, which would have informed the data subjects at the time their personal data was collected about the image processing within the toilet cubicle within the meaning of Articles 12 and 13 GDPR.

As a result, as the person responsible, you have violated the following principle of the GDPR:

 Principle of processing personal data lawfully, fairly and in a manner that is transparent to the data subject (“lawfulness, fair processing, transparency”)

Administrative offenses after:

Ad. I.:Ad. Roman one.: Art. 5 (1) lit. a, b and c and Art. 6 (1) lit. f in conjunction with Art. 83 (1) and (5) lit. a GDPR OJ L 2016/119, p , as amended Article 5, paragraph one, letters a, b and c and Article 6, paragraph one, letter f, in conjunction with Article 83, paragraph one, and 5 letter a, GDPR OJ L 2016/119, p , idgF

Ad. II.:Ad. Roman II.: Article 5 paragraph 1 letter a in conjunction with Articles 12 and 13 in conjunction with Article 83 paragraphs 1 and 5 letter a GDPR OJ L 2016/119, p. Letter a, in conjunction with Article 12 and 13 in conjunction with Article 83, paragraph one, and 5 letter a, GDPR OJ L 2016/119, p. 1, as amended

For these administrative violations, the following penalty will be imposed:

fine of euros

if this is irrecoverable, substitute imprisonment of

according to

€ 25.000,-

336 hours

Article 83 paragraph 1 and 5 lit. a GDPR in conjunction with § 16 Administrative Penal Act 1991 - VStGArticle 83, paragraph one, and 5 lit. a, GDPR in conjunction with Section 16, Administrative Penal Act 1991 - VStG

You also have to pay according to § 64 of the Administrative Penal Act 1991 - VStG:Furthermore you have to pay according to Section 64 of the Administrative Penal Act 1991 - VStG:

2.500,-

EUR as a contribution to the costs of the criminal proceedings, i.e. 10% of the fine, but at least EUR 10;



Euro as a replacement for the cash expenses for



The total amount to be paid (penalty/costs/cash expenses) is therefore

27,500 euros

Payment term:

If no complaint is lodged, this penal decision is immediately enforceable. In this case, the total amount must be paid into the account BAWAG P.S.K., Georg-Coch-Platz 2, 1018 Vienna, IBAN: AT460100000005490031, BIC: BAWAATWW, made out to the data protection authority, within two weeks after the entry into force of law. The reference number and the completion date may be given as the reference.

If no payment is made within this period, the total amount can be dunned. In this case, a flat-rate fee of five euros must be paid. If no payment is made, the outstanding amount will be enforced and, if it cannot be collected, the equivalent imprisonment penalty will be imposed.

Reason:

1. About the procedure:

1.1. On May 17, 2021, the State Police Headquarters XXX (hereinafter "LPD") submitted a statement of facts to the data protection authority by email (GZ: XXX). The LPD informed the data protection authority (hereinafter "DSB") that the facts of the case were first sent to the public prosecutor's office XXX (hereinafter "StA") because of suspected pornographic depiction of minors. However, the StA would have discontinued the proceedings, since no offense according to the StGB was fulfilled. The StA had informed the LPD that the facts of the case should be sent to the DSB because there was a suspicion of an administrative offence. A report on the occasion, a final report, the interrogation of the suspect at the LPD on January 7th, 2021 and a photograph were attached to the letter from the LPD. The photograph attachment contained pictures of example recordings of the system. The LPD also informed the DSB that the district data security officer was able to secure around 600 videos from the last use of the system. These could be sent to the DPO if necessary. The State Police Directorate Roman XXX (hereinafter "LPD") emailed a statement of the facts to the data protection authority on May 17, 2021 (GZ: Roman XXX). The LPD informed the data protection authority (hereafter "DSB") that the facts of the case were first sent to the Roman XXX public prosecutor's office (hereafter "StA") because of suspected pornographic depiction of minors. However, the StA would have discontinued the proceedings, since no offense according to the StGB was fulfilled. The StA had informed the LPD that the facts of the case should be sent to the DSB because there was a suspicion of an administrative offence. A report on the occasion, a final report, the interrogation of the suspect at the LPD on January 7th, 2021 and a photograph were attached to the letter from the LPD. The photograph attachment contained pictures of example recordings of the plant. The LPD also informed the DSB that the district data security officer was able to secure around 600 videos from the last use of the system. These could be transmitted to the DSB if required.

1.2. The DSB then initiated administrative penal proceedings against the accused and, in a letter dated June 17, 2021, requested him to justify and disclose his income and financial circumstances.

1.3. The accused - represented by a lawyer at that time - submitted a written justification to the DSB in response to this by email dated July 15, 2021 and essentially argued that the GDPR does not apply because the household exception under Art. 2 Para. 2 lit. c GDPR is relevant because the recordings exclusively for the "The accused - represented by a lawyer at that time - submitted a written justification to the DSB in response to this by e-mail dated July 15, 2021 and essentially led to the Agree that the GDPR does not apply, since the household exception under Article 2, Paragraph 2, Litera c, GDPR is relevant because the recordings were made exclusively for the "personal use of the accused". He would then have deleted the recording and in any case not disclosed it to third parties. In addition, no personal data was processed by the accused, since no natural person can be identified from the image recordings. Therefore, the GDPR does not apply either. The accused applied for the suspension of the administrative criminal proceedings.

1.4. In the absence of disclosure of the income and financial circumstances and any duties of care, the DSB again requests the accused in a letter dated May 12, 2022 to disclose this information. In a letter dated May 12, 2022, the DSB also asked the accused to provide a supplementary statement regarding the number and periods of time in connection with the use of the system. In addition, a request for administrative assistance was sent to the LPD in order to receive all videos (approx. 600) secured by the district data security officer from the last use of the system on July 24th, 2020. The LPD then informed the DSB that the request for administrative assistance was to be sent to the StA, since they would keep the videos or instruct the LPD to send the videos to the DSB. The DSB then submitted an application for administrative assistance to the StA and also requested information as to whether criminal proceedings were still being conducted against the accused with regard to Section 63 DSG, since administrative criminal proceedings are only applicable on a subsidiary basis. The StA informed the DSB in a letter dated May 31, 2022 that the criminal proceedings against the accused pursuant to § 190 Z 2 StPO had been discontinued because there was no actual reason for further prosecution and at the same time requested the LPD to transmit the existing backup copies of the videos to the DSB. Lack of disclosure of the income and financial circumstances as well as any duties of care, the DSB again requests the accused in a letter dated May 12, 2022 to disclose this information. In a letter dated May 12, 2022, the DSB also asked the accused to provide a supplementary statement regarding the number and periods of time in connection with the use of the system. In addition, a request for administrative assistance was sent to the LPD in order to receive all videos (approx. 600) secured by the district data security officer from the last use of the system on July 24th, 2020. The LPD then informed the DSB that the request for administrative assistance was to be sent to the StA, since they would keep the videos or instruct the LPD to send the videos to the DSB. The DSB then submitted an application for administrative assistance to the StA and also requested information as to whether criminal proceedings were still being conducted against the accused with regard to Section 63, DSG, since administrative criminal proceedings are only applicable on a subsidiary basis. The StA informed the DSB in a letter dated May 31, 2022 that the criminal proceedings against the accused had been discontinued in accordance with Section 190, Item 2, StPO, as there was no actual reason for further prosecution and at the same time requested the LPD to transmit the existing backup copies of the videos to the DSB.

1.5. On May 25, 2022, in response to the DSB's request of May 12, 2022, the accused submitted a written (supplementary) statement and stated that he last used the system on July 24, 2020 three times throughout the day for three to four times each hours at the crime scene because the battery had to be replaced. He also announced that he is self-employed and earns a monthly income of EUR 1,730. He has no assets or responsibilities.

1.6. The DSB then invited the suspect to be questioned via video conference. The accused followed the summons and was interrogated on June 14, 2022. During the interrogation, the accused admitted the charge and stated that his income would be EUR 4,000 net per month (12 times a year) after duties and taxes. He earns his income from renting XXX and still has to build up reserves for repairs. After forming the reserves, he has EUR 1,730 net per month (14 times a year). In this context, the accused submitted a written breakdown of his income to the DSB after his interrogation. However, the numbers are for 2020 as he has yet to graduate for 2021. As for his net worth, he disclosed that he has three motor vehicles, as well as a condominium and a building society loan (see asset below). Finally, the accused informed the DSB that he was no longer represented by the designated representative of the accused and that the DSB should therefore again address all letters to him personally. The DSB then invited the accused to an interrogation via video conference. The accused followed the summons and was interrogated on June 14, 2022. During the interrogation, the accused admitted the charge and stated that his income would be EUR 4,000 net per month (12 times a year) after duties and taxes. He earns his income from renting out Roman XXX and still has to build up reserves for repairs. After forming the reserves, he has EUR 1,730 net per month (14 times a year). In this context, the accused submitted a written breakdown of his income to the DSB after his interrogation. However, the numbers are for 2020 as he has yet to graduate for 2021. As for his net worth, he disclosed that he has three motor vehicles, as well as a condominium and a building society loan (see asset below). Finally, the accused informed the DSB that he was no longer represented by the designated representative of the accused and that the DSB should therefore again address all letters to him personally.

Evidence assessment: The findings made so far on the course of the proceedings are undisputed and also result from the content of the administrative offense in question.

2. The following facts relevant to the decision are certain:

2.1. The accused initially acquired the facility in question for the purpose of clarifying certain circumstances in the area of his mother's place of residence. Feces and urine were repeatedly left in front of his mother's home. In addition, tomatoes and chillies were eaten inside his mother's greenhouse. For the purpose of clarifying these circumstances, the accused acquired a WiFi camera, since it could be operated both with a connection to the mains and with a battery (wireless). In the course of this application, the accused finally came up with the idea of installing and operating the camera within public toilet facilities at the scene of the crime.

2.2. The accused then installed and operated the image processing system in question in a period that cannot be determined more precisely, but at least in the period from June 1st, 2020 to July 31st, 2020, on a total of three different days, each for a period of nine to twelve hours spread over the respective day within two different (public) toilet facilities at the crime scene. The camera was last used during this period on July 24th, 2020. This final installation was eventually discovered and seized by law enforcement. Based on the seized videos, it could be proven that the suspect was the operator of the facility in question.

2.3. The system was installed and operated at different positions within the affected toilet facilities. The system was installed once under the sink and twice on the tiled wall immediately behind the toilet (about at buttock height and hidden by a cover). The different recording areas of the system within the toilet cubicles are presented as follows:

Recording area 1:

XXX

Recording area 2:

XXX

Recording area 3:

XXX

[Editor's note: The image files inserted here, which show the recording areas of the cameras, are not displayed in the RIS.]

Evidence assessment: The findings made so far are undisputed and are essentially based on the statements made by the accused during his interrogation (see minutes of the accused’s interrogation of June 14, 2022, questions 1 and 2) and the accused’s written statement of May 25, 2022 and on the occasion Report of the LPD from November 25th, 2020 and final report from January 19th, 2021 to the StA including a photograph.

The findings on the specific recording area result from the photo attachment and the videos of the system secured (partially restored) by the district data security officer, which were sent to the DSB by the LPD. The videos are on an encrypted USB stick, which was enclosed with the administrative offence. After reviewing the videos, the DSB was able to determine that the accused, as the operator of the facility, chose the positions shown above for the camera within the toilet cubicles at the crime scene. At this point it is noted that not all 600 videos seized could be viewed by the DSB because, as already explained in more detail by the LPD in its event report, not all videos of the last installation or the last use of the system (on 24.07.2020) could be completely restored by the district data backup. The DSB was therefore only able to view a fraction of the 600 videos. As a result, only the recording areas 1-3 shown above can be determined/proved.

The findings regarding the time and place of the crime result in particular from the accused's own statements and are therefore undisputed. In the written statement dated May 25, 2022, the accused described the installation process in more detail. The accused explained that he operated the system a total of three times throughout the day for three to four hours each, because the battery had to be replaced twice during the day (according to the accused, the battery life of the system was three to four hours). The system was therefore operated for a total of nine to twelve hours spread over the respective day during one operation. When the accused was questioned by the DSB on June 14th, 2022, the accused stated when asked by the DSB (see transcript of the questioning of the accused, question 2) that his statement of May 25th, 2022 was based on the installation of July 24th, which was last found by the executive. 2020 related. The suspect also installed and operated the camera twice in a toilet facility at the crime scene. The accused used the system in question in the period from June to July 2020 on a total of three different days for a period of several hours each. His last installation of the camera on July 24, 2020 was the one discovered and seized by the executive. Since then he has made no further assignments.

The specific period or the specific days of the two other missions could not be determined. The accused only stated that he operated the system two more times in addition to his last installation on July 24, 2020. When asked, the accused stated the period from June to July 2020. The accused could not remember the specific days during his interrogation at the LPD or at the DSB. The concrete period of the two other missions could not be inferred from the secured videos either, as these had already been deleted by the accused. The accused deleted the videos from the storage medium after each use as soon as he viewed the videos.

The statement that the system in question was not operated continuously over the entire day, but for a period of nine to twelve hours spread over the respective day of installation, since the battery in the system had to be replaced in the meantime, also results from our own Statements by the accused (see statement by the accused of May 22, 2022, where he described the course of an operation in more detail based on his last installation of July 24, 2022).

2.4. The system in question was equipped with a motion sensor and therefore did not record continuously. The system was set by the accused to "recording by motion detection". As soon as a person entered the recording area, the system released a recording.

2.5. The system was operated in a concealed manner with a cover each time it was used. Those affected were not informed about the use of the system within the public toilet cubicles or toilet facilities at the scene of the crime. There was no sign of the facility at the scene of the crime.

2.6. The records of the system were kept within the integrated storage medium until the accused saw them. The accused then deleted the recordings from the system's storage medium.

2.7. The suspect was pursuing a “technical interest” with the installations inside the cabins. The accused made the decision to test the camera inside public toilet facilities because it had a "certain allure of being illegal".

Evidence assessment: The findings made so far are also undisputed and result from the event report of the LPD of November 25th, 2020 and from the accused’s own statements during his interrogation of January 7th, 2021 at the LPD and on June 14th, 2022 at the DSB.

The statement that the suspect set the system to "recording by motion detection" and therefore did not record continuously is based on the suspect's statement of May 25, 2022.

The finding that the persons concerned were not informed about the processing due to a lack of labeling results from the fact that the system was operated in a concealed manner through a cover and from the accused's intention to operate the system in a concealed manner within the public toilet facilities. The finding that the system was operated hidden by means of a cover results from the event report of the LPD from November 25th, 2020

2.8. In any case, there was also a minor among those affected, although it cannot be determined whether the minor undressed or changed clothes in the reception area of the facility.

Evidence assessment: The finding regarding the recording of a minor is based on one of the seized videos, which was viewed ex officio by the DSB. The video is on an encrypted USB stick and is enclosed with the administrative offense in question. However, the video only shows the final part of the visit to the toilet. In any case, one minor and one (accompanying) adult can be seen. The underage person is at the washbasin, while the adult flushes the toilet (the sound of the flushing is clearly audible). Then both people leave the toilet facility. In any case, the video does not show that one of those affected undressed in front of the recording area. The recording, which shows the access and further stay of the persons concerned within the toilet facility, could obviously not be restored or this recording could not be reproduced by the DSB. It was therefore not possible to determine whether one of the persons concerned undressed in front of the recording area, although operating the sink could be an indication of this.

2.9. The image processing system in question was a WiFi camera that could also be operated wirelessly using a battery or without being connected to the mains for a period of three to four hours (battery life). A storage medium was also integrated into the camera so that the recordings triggered could be saved. After using the system, the accused dismantled the camera and looked at the recordings. After that, the accused deleted the recordings and prepared the next installation on another day.

2.10. The recordings of the facility with recording area 1 (see above) or the image data per se made it possible to identify a natural person. The recording area covered the entire body and thus also the face of the person concerned. In the case of recording areas 2 and 3, identification was only possible if the person concerned bent down, since the person's face was not usually visible in the recording area.

Evidence assessment: The findings are essentially based on the following evidence: (1) Event report from the LPD dated November 25th, 2020 including photo enclosure, (2) Final report from the LPD dated January 19th, 2021, (3) Minutes of the suspect hearing at the LPD dated January 7th. 2021 and (4) Minutes of the hearing of the accused at the DSB on June 14, 2022 (see questions 2 and 3) and in particular the videos seized that were sent to the DSB.

In his written justification dated July 15, 2021, the accused argued, among other things, that no processing of personal data was carried out by the accused because the information from the recordings does not relate to an identified or identifiable person. This allegation by the accused is qualified as a purely protective allegation and can be refuted in particular by the videos secured by the district data security officer. After reviewing the videos that could be played back, the DSB was able to determine that the recordings with recording area 1 made it possible to identify natural persons based on the image data. Although the recordings had to be converted by the DSB to another file format with a lower resolution so that they could be played, it was still possible to identify the person concerned using the image data even with the reduced resolution. It can also be seen from the photograph attached to the LPD dated November 25, 2020 that the accused essentially chose three different shooting areas. In recording areas 2 and 3, the intimate area of those affected was predominantly recorded. Only in isolated recordings did a person (the cleaning lady responsible for the hygiene plan for the toilet facilities) bend down to clean the toilet. Shooting area 1 can be seen in photographs numbered 13 to 15. It can already be seen from these photographs that the entire body and thus also the face of an affected person was captured when entering the toilet facility. With regard to the resolution of these photographs, it must be taken into account that they were taken using a different device (the LPD officials obviously did not take any screenshots, but photographed the screen on which a recording of the system was played). The recordings per se show a sharper picture.

The remaining findings are undisputed.

2.11. During his interrogation at the DSB on June 14, 2022, the accused showed himself to be remorseful and ashamed of his behavior. The accused admitted the crime. He told the DSB that he will refrain from such installations in the future and that there were no more installations after the last one found by the executive. The accused also told the LPD that he would only “pursue his technical interests through legal channels”.

Evidence assessment: The findings are based on the accused's own statements during his interrogation on June 14, 2022 at the DSB and on January 7, 2021 at the LPD and are therefore undisputed.

2.12. The accused earns a monthly net income of EUR 3,970 from renting XXX (12 times a year, net annual income of EUR 47,640). The accused created reserves totaling EUR 23,426 for the year 2020 for the repair of the XXX. The accused submitted that, after deducting the reserves, he received a monthly net income of EUR 2,018 (12 times a year). The accused earns a monthly net income of EUR 3,970 (12 times a year, net annual income EUR 47,640) from renting roman XXX. The accused created reserves totaling EUR 23,426 for the year 2020 for the repair of the Roman XXX. The accused submitted that, after deducting the reserves, he received a monthly net income of EUR 2,018 (12 times a year).

2.13. The accused has no debts and no duty of care.

2.14. The accused stated in relation to his assets that he had several motor vehicles, including two XXX vehicles with a value of EUR 40,000 each. In addition, the accused has a condominium with a value (according to his own statements) of approximately EUR 120,000 and a home savings contract in the amount of EUR 7,000. The accused stated in relation to his assets that he has several motor vehicles, including two Roman XXX with one Value of EUR 40,000 each. In addition, the accused has a condominium valued at around EUR 120,000 (according to his own statements) and a home savings contract worth EUR 7,000.

Evidence assessment: The findings are based on the accused's own statements during his interrogation on June 14, 2022 at the DSB and the subsequent transmission (by email of June 15, 2022) of the itemized monthly income. The findings made are therefore undisputed.

3. Legally it follows:

3.1. On the scope of the GDPR and the responsibility of the DPO

3.1.1. Both the material and the geographical scope of the GDPR within the meaning of Art. 2 and 3 GDPR apply in the present case. In this context, the accused argued that the material scope of application did not exist because the household exception under Art. 2 (2) (c) GDPR was relevant. The accused only recorded and viewed the recording for personal interests and then deleted ("Both the material and the geographical scope of the GDPR within the meaning of Articles 2 and 3 GDPR apply in the present case. The accused submitted in this context that the material scope of application does not exist because the household exception under Article 2, Paragraph 2, Litera c, GDPR is relevant. The accused only recorded and viewed the recording for personal interests and then deleted it ("personal use of the accused"). Disclosure to third parties would not have taken place (see written justification of July 15, 2021).

3.1.2. The DSB does not support the defendant's view of the budget exception. The accused installed and operated the system within a public toilet facility, which was used by several of those affected both to relieve themselves and to change their clothes. The recording area of the facility thus covered public space and recorded those affected during a very intimate moment.

3.1.3. The European Court of Justice (hereinafter "CJEU") has already held in this context that the operation of a video surveillance system installed by a natural person on his family home to protect the property, health and life of the owners of the home, the video of people on a storage device such as a hard drive and also monitors the public space, does not constitute data processing which, within the meaning of the provision pursuant to Article 3 Paragraph 2, second indent of Directive 95/46/EC, within the meaning of the provision pursuant to Article 3, Paragraph 2, second indent of Directive 95/46/EC for the exercise of exclusively personal or family activities (cf. ECJ 11.12.2014, C-212/13, para. 33 ff). The case law on this directive provision can be applied to the provision under Art. 2 Para. 2 lit. c GDPR with the same content, since this provision was adopted within the framework of the GDPR. In the present case, it is therefore made on the basis of the specific recording area (public space) compare ECJ 11.12.2014, C-212/13, para. 33 ff). The case law on this policy provision can be applied to the provision under Article 2, Paragraph 2, Litera c, GDPR with the same content, as this provision has been adopted within the framework of the GDPR. In the present case, it is therefore impossible, due to the specific recording area (public space), that the exception of the household exception applies.

3.1.4. Art. 83 para. 5 lit. a GDPR stipulates that violations of the provisions of Art. 5, 6, 7 and 9 GDPR are subject to fines of up to 20,000,000 euros or, in the case of a company, of up to 4% of its total worldwide annual turnover of the previous financial year, whichever of the amounts is higher. According to § 22 Para. 5 DSG, Article 83, paragraph 5, litera a, GDPR stipulates that violations of the provisions of Articles 5, 6, 7 and 9 GDPR are subject to fines of up to 20,000,000 euros or in the case A company may be fined up to 4% of its total worldwide annual turnover for the preceding financial year, whichever is greater. According to paragraph 22, paragraph 5, DSG, the responsibility for imposing fines on natural and legal persons for Austria as the national supervisory authority lies with the DSB.

3.1.5. As a result, the GDPR applies to the specific case and the DSB is responsible both factually and locally for the administrative criminal proceedings in question.

3.2. On the illegal operation of the image processing system (Spelling point I.) On the illegal operation of the image processing system (Spelling point Roman one.)

3.2.1. According to the definition in accordance with Art. 4 Z 1 GDPR, personal data is all information relating to an According to the definition in accordance with Article 4, number one, GDPR, personal data is all information relating to an identified or identifiable natural person (hereinafter " data subject”; an identifiable natural person is one who, directly or indirectly, in particular by association with an identifier such as a name, an identification number, location data, an online identifier or one or more special features, expresses the physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person can be identified.

3.2.2. According to the ruling of the VwGH on § 4 Z 1 DSG 2000, image data such as video recordings are generally included in the concept of personal data, since they can usually be determined. No determinability and therefore no personal data are only available if the technical resolution of the image does not allow identification (cf. VwGH 09/12/2016, Ro 2015/04/0011). The ECJ has also already commented on the reference to persons in image data and stated on the definition in accordance with Art. 2 lit. a of Directive 95/46/EC that the image of a person recorded by a camera falls under the term personal data if it is the identification of the person concerned (cf. ECJ 11.12.2014, C-212/13, para. 22). According to the case law of the VwGH on paragraph 4, number one, DSG 2000, image data such as video recordings are generally covered by the concept of personal data, since a determinability is given as a rule. No identifiability and therefore no personal data are only available if the technical resolution of the image does not allow identification (compare VwGH 12.09.2016, Ro 2015/04/0011). The ECJ has also already commented on the reference to persons in image data and, with regard to the definition under Article 2, Letter a, of Directive 95/46/EC, stated that the image of a person recorded by a camera falls under the term personal data, provided that it is the identification of the person concerned compare ECJ 11.12.2014, C-212/13, para. 22).

3.2.3. In the present case, as part of the investigation and after reviewing the videos seized, the DSB found that the image data from recording area 1 made it possible to identify the persons concerned. The image data in the context of the recordings of the system is therefore personal data in accordance with Art. 4 Z 1 DSGVO In any case, image data from recording area 1 made it possible to identify those affected. Thus, the image data in the context of the recordings of the system in the sense of the above explanations are personal data in accordance with Article 4, number one, GDPR.

3.2.4. The GDPR defines the term processing in Art. 4 Z 2 GDPR by listing a number of possible usage processes. This includes collecting, recording, organizing, arranging, storing, adapting or changing, reading out, querying, using, disclosing through transmission, distribution or any other form of provision, comparison or linking , restriction, deletion or destruction. The GDPR defines the term processing in Article 4, Paragraph 2, GDPR by listing a number of possible usage processes. This includes collecting, recording, organizing, arranging, storing, adapting or changing, reading out, querying, using, disclosing through transmission, distribution or any other form of provision, comparison or linking , restriction, deletion or destruction.

3.2.5. The recordings made by the image processing system in the present case, which were triggered by motion detectors during the crime period, therefore constitute processing of personal data within the meaning of Art 4 Z 2 GDPR Processing of personal data within the meaning of Article 4, paragraph 2, GDPR.

3.2.6. The accused is also to be qualified as the person responsible for the specific data processing within the meaning of Art. 4 Z 7 DSGVO, since he alone made the decision to install and operate the system within the toilet facilities at the crime scene. An allegation by the accused that he was not responsible was not made throughout the proceedings. The accused conceded much more that he qualified the system from a " within the meaning of Article 4, paragraph 7, DSGVO, since he alone made the decision to install and operate the system within the toilet facilities at the crime scene. An allegation by the accused that he was not responsible was not made throughout the proceedings. The accused conceded much more that he installed and commissioned the system from a "certain attraction of the forbidden" within the toilet facilities.

3.3. To assess the processing in question in the light of the principles of Article 5 GDPRTo assess the processing in question in the light of the principles of Article 5 GDPR

3.3.1. For the assessment of the processing in question, it can first of all be stated that Art. 5 GDPR lays down the principles for the processing of personal data. The principle according to For the assessment of the processing in question, it can first of all be stated that Article 5, GDPR, lays down the principles for the processing of personal data. In this context, the principle according to Art. 5 Para. 1 lit. “lawfulness, fair processing, transparency”). The requirements for lawful processing (of non-sensitive data) are specified in Art. 6 GDPR. According to this, the lawfulness of any processing requires that the processing - cumulatively to the other principles regulated in Art. 5 Para. 1 - must satisfy at least one of the legal grounds finally set out in Art. 6 Para. 1 DSGVO (cf. "). The requirements for lawful processing (of non-sensitive data) are specified in Article 6, GDPR. According to this, the lawfulness of any processing requires that the processing - cumulatively to the other principles regulated in Article 5, paragraph one - must satisfy at least one of the legal grounds conclusively set out in Article 6, paragraph one, GDPR compare Selmayr in Ehmann/Selmayr, Datenschutz- Basic Ordinance, Comment², Art 5 margin no. 8f). , General Data Protection Regulation, Comment², Article 5, margin no. 8f).

3.3.2. The principle according to Art. 5 Para. 1 lit. b GDPR Article 5, paragraph one, litera b, GDPR standardizes that the processed data is only collected for specified, clear and legitimate purposes and not further processed in a way that is incompatible with these purposes may (“purpose limitation”). In addition, the principle according to Art. 5 Para. 1 lit. c GDPR Article 5, paragraph one, litera c, GDPR standardizes that the respective processing must be appropriate and relevant to the purpose and limited to what is necessary for the purposes of the processing (" data minimization"). In the specific case, the accused violated all of the above principles in the course of data processing.

3.3.3. With regard to the lawfulness of the processing, the accused merely argued that he was pursuing a "technical interest" (Article 6 (1) (f) GDPR, Article 6, paragraph one, litera f, GDPR). In addition, the accused did not bring up any other justification for the processing.

3.3.4. Processing based on the consent of the data subject (Art. 6 Para. 1 lit. a GDPR) is out of the question because, as has been established, the processing was carried out secretly or without informing the data subject. Thus, the data subjects could not give their consent to the data processing, even logically. It is also not to be assumed that the data subjects would ever have consented to such processing, since the processing concerns one of the most intimate moments of a person. Processing based on the consent of the data subjects (Article 6, paragraph one, litera a, GDPR) is therefore necessary not to be considered because, as has been established, the processing was carried out secretly or without informing the data subjects. Thus, the data subjects could not give their consent to the data processing, even logically. It is also not to be assumed that the data subjects would ever have consented to such processing, since the processing concerns one of the most intimate moments of a person.

3.3.5. In the present case, after an ex officio examination, only the justification under Art. 6 Para. 1 lit. f GDPR comes into consideration, as already stated by the accused. Therefore, the existence of legitimate interests of the accused or third parties within the meaning of Art. 6 Para. 1 lit. f GDPR had to be checked. In the present case, after an ex officio examination, only the justification under Article 6, paragraph one, lit. Therefore, the existence of legitimate interests of the accused or third parties within the meaning of Article 6, paragraph one, litera f, GDPR had to be checked.

3.3.6. With regard to the legality of processing operations with regard to Art. 6 Para. 1 lit Regarding the lawfulness of processing operations with regard to Article 6, paragraph one, litera f, GDPR, Recital 47 of the GDPR explains, among other things, that this can be justified by the legitimate interests of a person responsible, provided that the interests or the fundamental rights and freedoms of the data subject not predominate; in doing so, the reasonable expectations of the data subject based on their relationship with the controller shall be taken into account. In any case, the existence of a legitimate interest must be assessed particularly carefully, including whether a data subject can reasonably foresee, at the time the personal data is collected and given the circumstances in which it takes place, that processing may be necessary for them purpose will take place. In particular, when personal data is processed in situations where a data subject cannot reasonably expect further processing, the interests and fundamental rights of the data subject will outweigh the interests of the controller.

3.3.7. Article 6(1)(f) of the GDPR permits processing under three cumulative conditions: Article 6(1)(f) of the GDPR therefore permits processing under three cumulative conditions: (i) safeguarding a legitimate interest; (ii) Necessity of processing and (iii) no overriding of the rights and freedoms of others (cf. judgment of the ECJ of December 11, 2019, case C-708/18, margin no. 36 with further references). compare judgment of the ECJ of December 11, 2019, case C-708/18, margin no. 36 with further references).

3.3.8. In the specific case, it is already questionable with regard to the first requirement (exercising a legitimate interest) as to whether the "technical interest" referred to by the accused can represent a legitimate interest at all. Even if one were to assume with regard to Art. 6 Para. 1 lit. f GDPR that the accused had a legitimate interest at the time of the crime, nothing is gained for the accused, since the processing in the sense of the above statements is in any case “a legitimate interest at all can show interest. Even if one were to assume with regard to Article 6, paragraph one, lit the mildest means) and the rights and freedoms of those affected far outweigh the technical interests of the accused.

3.3.9. In any case, the accused could have safeguarded the technical interests in a different way without seriously encroaching on the right to secrecy of the persons concerned. In any case, repeated recording of numerous data subjects within a public toilet facility to guarantee technical interests in an image processing system constitutes a violation of the data minimization principle according to Art. 5 Para. 1 lit. c GDPR. The processing in question was to guarantee technical interests In any case, an image processing system constitutes a violation of the data minimization principle according to Article 5, paragraph one, litera c, GDPR. The processing in question was not appropriate and significant for the purpose and limited to the extent necessary for the purposes of the processing and is in no way for the DPO way understandable. The necessity of the processing in the specific case can therefore not be assumed under any circumstances.

3.3.10. Accordingly, there is no need to weigh up interests, since processing pursuant to Article 6(1)(f) GDPR is simply not required due to a lack of necessity can be considered. At this point, however, it is stated (without going into detail) that even after carrying out a weighing of interests in the specific case one can only come to the conclusion that the confidentiality interests of the persons concerned far outweigh the technical interests of the accused. In addition, the system was not marked or was operated secretly and the persons concerned therefore did not have to expect their personal data to be processed in this form.

3.3.11. In addition, the accused also disregarded the principle of purpose limitation according to Article 5 Paragraph 1 Letter b GDPRPrinciple of purpose limitation according to Article 5 Paragraph 1 Letter b GDPR. The principle of purpose limitation is fundamentally required. Art. 8 para. 2 sentence 1 EU-GRC guarantees the data subjects that their personal data is only “. The principle of purpose limitation is fundamentally required. Article 8, paragraph 2, sentence 1 EU-GRC guarantees data subjects that their personal data may only be processed "for specified purposes [...] or on another legitimate basis regulated by law". A purpose that is clearly defined in advance (before data processing begins) must therefore also be legitimate. The purpose is legitimate if the data subject has approved it with their informed and free consent in accordance with Art. 7 GDPR or if it has been approved by law - even against the will of the data subject (cf. Roßnagel in Simitis/Hornung / Spicker, data protection law, comment, Article 5 margin no. 63 f). " may. A purpose that is clearly defined in advance (before data processing begins) must therefore also be legitimate. The purpose is legitimate if the data subject has approved it through their informed and free consent in accordance with Article 7 GDPR or if it has been approved by law - even against the will of the data subject - compare Roßnagel in Simitis/Hornung/Spicker , data protection law, commentary, Article 5 margin no. 63 f).

3.3.12. In a similar case, the DSB determined that the secret taking of images in the women's changing room was not for legitimate purposes within the meaning of Art. 5 Para. 1 lit. b GDPR (cf. DSB 07/11/2019, D550.185/0002 -DSB/2019). With regard to video surveillance in front of a gambling establishment for the purpose of identifying and categorizing people as "financial police" and "gamblers", the BVwG stated that no legitimate purpose could be recognized (cf. BVwG 06/02/2021, W211 2232587-1) .In a similar case, the DSB determined that the secret taking of images in the women's changing room was not for legitimate purposes within the meaning of Article 5, paragraph one, litera b, GDPR compare DSB 11.07.2019, D550.185/0002- DSB/2019). With regard to video surveillance in front of a gambling establishment for the purpose of identifying and categorizing people as "financial police" and "gamblers", the BVwG stated that no legitimate purpose can be recognized in this (compare BVwG 06/02/2021, W211 2232587-1).

3.3.13. Measured against this, no other result can be reached in this specific case either. The purpose brought forward by the accused is neither provided for nor covered by law, nor have the data subjects consented to the processing. In the opinion of the DSB, the secret/secret preparation of recordings by numerous affected persons during a very intimate moment in order to guarantee technical interests in relation to the image processing system can under no circumstances have a legitimate purpose within the meaning of Art. 5 Para. 1 lit. b GDPR within the meaning of Article 5, paragraph one, litera b, GDPR. The accused was evidently also aware of this at the time of the crime, since, as has been established, he stated to the LPD during his interrogation that he made the decision to test the camera inside public toilet cubicles because he felt a "certain allure of what was forbidden". .

3.3.14. As a result, the legal basis according to Art. 6 Para. 1 lit. f GDPRArt. 6, Para. Another legal basis according to Art. 6 Para. 1 DSGVO also comes after an official examination. Another legal basis according to Article 6, paragraph one, GDPR is also out of the question after an official examination. The processing of the personal image data was therefore unlawful and in disregard of the principles of data minimization and purpose limitation.

3.4. On the lack of labeling of the image processing system (point II) On the lack of labeling of the image processing system (point Roman II)

3.4.1. The principle of transparency according to Art. 5 Para. 1 lit. a GDPR is specified in Art. 12, 13 and 14 GDPR (see also recital 39 and 58 GDPR). Accordingly, it must be clear to data subjects with regard to an image processing system that their personal data is being processed, what data is specifically being processed and for what purposes it is being processed. The identity of the controller must also be disclosed to the data subjects so that they know who is processing their data. In addition, data subjects should be informed about the risks, regulations, guarantees and rights related to the processing and how to exercise these rights. This information must be accurate, easily accessible and understandable, and written in clear and plain language. The importance of the transparency of the processing and thus the obligation to provide information lies in particular in its function as a necessary prerequisite for the exercise of the rights of the data subject: If the data subject is not aware that his data is being processed and/or does not know who is carrying it out, he can do not assert related rights under Article 15-21 GDPR" (cf. The principle of transparency under Article 5, paragraph one, lit. Accordingly, data subjects must be able to identify with regard to an image processing system that their personal data is being processed, which data is being processed specifically and for what purposes they are being processed. The data subjects must also be informed of the identity of the person responsible so that they know through who their data is being processed In addition, data subjects should be informed about the risks, regulations, guarantees and rights related to the processing and how to exercise these rights. This information must be accurate, easily accessible and understandable, and written in clear and plain language. The importance of the transparency of the processing and thus the obligation to provide information lies in particular in its function as a necessary prerequisite for the exercise of the rights of the data subject: If the data subject is not aware that his data is being processed and/or does not know who is carrying it out, he can related rights under Article 15 -, 21, GDPR" compare Hötzendorfer/Tschohl/Kastelitz in Knyrim, DatKomm Art 5 GDPR, margin no. 18f)., DatKomm Article 5, GDPR, margin no. 18f).

3.4.2. Due to the amount of information that is to be provided to a data subject, a "layered access" and a combination of means can be chosen by a person responsible in order to comply with the transparency requirement. In the context of video surveillance, the most important information should be presented in a warning notice, while the necessary further information can be made available by other means (as a second layer) (cf. European Data Protection Board, Guidelines 3/2019 on the processing of personal data by video devices, 29.01 .2020, p. 28ff, available online at: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32019-processing-personal-data-through-video_de - in the following " guidelines"). In any case, those affected must be able to recognize in good time, based on the marking, that they are entering a recording area of an image processing system. correspond to. In the context of video surveillance, the most important information should be presented in a warning notice, while the necessary additional information can be provided by other means (as a second layer) see European Data Protection Board, Guidelines 3/2019 on the processing of personal data by video devices, 29.01.2020 , p. 28ff, available online at: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32019-processing-personal-data-through-video_de - hereinafter "guidelines" ). In any case, those affected must be able to recognize in good time, based on the marking, that they are entering a recording area of an image processing system.

3.4.3. In the specific case, as has been established, the accused did not affix any markings at the scene of the crime in relation to the image processing system. The accused did this knowingly because he wanted to secretly record those affected. The accused has thus violated the transparency requirement pursuant to Art. 5 Para. 1 lit. a GDPR and his duty to provide information pursuant to Art concrete data processing informed. In the absence of identification or signs, those affected did not have to expect that they would be in the recording area of the facility in question during a very intimate moment and be recorded. Therefore, they could not assert their rights under Art 15-21 GDPR against the accused. The accused thus violated the transparency requirement under Article 5, paragraph one, litera a, GDPR and his duty to provide information under Articles 12 and 13 GDPR, by not informing the data subjects of the specific data processing when collecting their personal data within the meaning of Article 13, GDPR. In the absence of identification or signs, those affected did not have to expect that they would be in the recording area of the facility in question during a very intimate moment and be recorded. Therefore, they could not assert their rights under Article 15 -, 21, GDPR against the accused.

3.4.4. Against the background of the facts assumed to be proven, the accused in his role as the person responsible unlawfully processed personal data and violated his duty to provide information. The objective factual side of both claims is thus fulfilled.

3.5. On the subjective factual side

3.5.1. On the subjective side of the facts, it should be noted that the accused deliberately installed and commissioned the image processing system in question within a public toilet facility in order to meet his technical interests. The accused also made a conscious decision not to affix any markings at the crime scene in relation to the image processing system or to inform those affected about the specific data processing, as he wanted to operate the system secretly (hidden by a cover). The accused did not state anything to the contrary throughout the proceedings, but admitted the act and the conscious decision to install the image processing system hidden in a toilet facility.

3.5.2. As a result, the DSB assumes, both with regard to ruling points I. and II., that the accused is. and Roman II assumes that the accused acted with intent. In the course of the entire proceedings, there were no indications that the accused was not at fault for the violation of the provisions in question. The allegations made by the accused during his interrogation at the DSB, according to which he used the recordings exclusively for his own purposes and not to harm or blackmail a person or for economic interests, cannot change anything.

3.5.3. There is therefore fault on the subjective factual side in the form of intent within the meaning of Art. 83 (2) lit. b GDPR. within the meaning of Article 83, Paragraph 2, Letter b, GDPR.

4. The following must be noted for sentencing:

4.1. According to Art. 83 Para. 1 GDPR, the DPO has to ensure that the imposition of fines for violations according to paragraphs 5 and 6 in each individual case. According to Article 83, paragraph one, GDPR, the DPO has to ensure that the imposition of fines for violations according to paragraphs 5 and 6 is effective, proportionate and dissuasive in each individual case. In more detail, paragraph 2 provides that when deciding on the imposition of a fine and its amount, due account must be taken of the following in each individual case: More specifically, paragraph 2 provides that when deciding whether to impose a fine and its amount, due account shall be taken of the following in each individual case:

a) the nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing in question and the number of persons affected by the processing and the extent of the damage suffered by them;

b) intentional or negligent breach;

c) any measures taken by the controller or processor to mitigate the harm caused to data subjects;

d) level of responsibility of the controller or processor, taking into account the technical and organizational measures they have taken pursuant to Articles 25 and 32;

e) any relevant previous breaches by the controller or processor;

f) the extent of cooperation with the supervisory authority to remedy the breach and mitigate its possible adverse effects;

g) categories of personal data affected by the breach;

h) How the breach became known to the supervisory authority, in particular whether and, if so, to what extent the controller or the processor reported the breach;

i) compliance with measures previously ordered under Article 58(2) against the controller or processor concerned in relation to the same subject matter, where such measures have been ordered;

j)[…]

k) any other aggravating or mitigating circumstances in the case at hand, such as any financial benefit gained or loss avoided, directly or indirectly, as a result of the breach.

4.2. The assessment of punishment within a statutory penalty framework is a discretionary decision that is to be made according to the criteria specified by the legislator in § 19 VStG Paragraph 19, VStG (cf. VwGH 05.09.2013, 2013/09/0106). is to be carried out compare VwGH 05.09.2013, 2013/09/0106).

4.3. According to Section 19 (1) of the VStG, the bases for assessing the penalty are the importance of the legal interest protected under criminal law and the intensity of its impairment by the offence. In addition, depending on the purpose of the threat of punishment, the possible aggravating and mitigating reasons, insofar as they do not already determine the threat of punishment, must be weighed against each other. Particular attention should be paid to the degree of culpability. Sections 32 to 35 of the Criminal Code are to be applied mutatis mutandis, taking into account the specific nature of administrative criminal law. The accused's income and assets and any duties of care must be taken into account when assessing fines; However, this only to the extent that the directly applicable provisions of the GDPR do not supersede the provisions of the VStG and to the extent that Art. 83 (8) GDPR and Recital 148 stipulate with regard to the procedural guarantees to be guaranteed. Paragraphs 32 to 35 of the Criminal Code are to be applied analogously, taking into account the specific nature of administrative criminal law. The accused's income and assets and any duties of care must be taken into account when assessing fines; However, this only to the extent that the directly applicable provisions of the GDPR do not supersede the provisions of the VStG and to the extent that Article 83, paragraph 8, GDPR and Recital 148 stipulates with regard to the procedural guarantees to be guaranteed.

4.4. If a fine is imposed on a natural person, according to § 16 Para. 1 VStGparagraph 16, paragraph 1, VStG, a substitute imprisonment is to be determined at the same time in the event that it cannot be collected. The substitute imprisonment may not exceed the maximum imprisonment threatened for the administrative offense and, if no imprisonment is threatened and nothing else is stipulated, two weeks.

4.5. Article 83 (3) GDPR stipulates that, in deviation from the cumulation principle standardized in Section 22 (2) VStG, the total amount of the fine is to be paid in cases of the same or related processing operations which intentionally or negligently violate several provisions of the GDPR does not exceed the amount for the most serious violation. Thus, within the scope of the GDPR - as applied in the present case - Article 83, paragraph 3, GDPR, in deviation from the cumulation principle standardized with paragraph 22, paragraph 2, VStG, stipulates that in cases of the same or interconnected processing operations, who intentionally or negligently violates several provisions of the GDPR, the total amount of the fine does not exceed the amount for the most serious violation. Thus, the absorption principle of Art. 83 Para. 3 GDPR applies within the scope of the GDPR - as applied in the present case. The absorption principle of Article 83 Paragraph 3 GDPR.

4.6. According to Art. 83 Para. 5 GDPRArt. 83 Para. 5 GDPR, the range of penalties in the specific case extends up to an amount of EUR 20,000,000.00.

4.7. With regard to the facts at hand, the following was taken into account when determining the sentence:

 Type, duration and severity of the violation: The accused has unlawfully interfered with the fundamental right to secrecy of numerous data subjects through the processing in question. The accused used the image processing system in question a total of three times (each for a period of several hours spread over the respective day of installation) over a period of two months. The intensity of the encroachment was taken into account as particularly aggravating, since the accused carried out an extremely serious encroachment on the fundamental rights of those affected. The public toilet facilities at the scene of the crime were and are used by those affected to defecate and/or change their clothes. In any case, those affected did not have to expect that they would be secretly captured and recorded by an image processing system during a very intimate moment and that the recordings would subsequently be viewed by the accused. As a result, those affected became difficult in their right to secrecy according to § 1 Para. 1 DSG as well as respect for private and family life and the right to protection of personal data according to Art. 7 and 8 EU-GRC paragraph one, paragraph one, DSG and the Respect for private and family life and the right to protection of personal data under Articles 7 and 8 EU-GRC violated. (Art. 83 para. 2 lit. a and k GDPR). (Article 83, para. 2, lit. a and k GDPR).

 Categories of personal data affected by the breach: In the specific case, there was no sensitive data per se within the meaning of Art. 9 Para. 1 GDPR, In the specific case, there was no sensitive data per se within the meaning of Article 9, paragraph one , GDPR, but particularly intimate image data of data subjects affected by the violation (Art. 83 Para. 2 lit. g GDPR).(Article 83, Para. 2, Litera g, GDPR).

 The violation was intentionally committed by the accused. The fact that the accused knowingly and willingly made the decision several times to meet his technical interest by installing the camera in a public toilet facility was rated as particularly aggravating because it had a “certain allure of being illegal” (Art. 83 Paragraph 2 lit. b GDPR).(Article 83, paragraph 2, litera b, GDPR).

4.8. With regard to the present facts, the following was taken into account as a mitigating factor in the sentencing:

 To date, the DSB has not had any relevant previous convictions against the accused due to violations of the GDPR or the DSG.

 Participation in administrative penal proceedings: The accused responded to the DSB's requests in administrative penal proceedings in a timely manner and complied with the summons to be questioned by video conference. As a result, he took part in the preliminary investigations of the DSB and made a contribution to finding the truth. This was taken into account as a mitigating penalty.

 The accused admitted the secret recording within the toilet facilities (confession) to the DSB and also stated several times that he will fail to do such processing in the future ("It was a unique nonsense"). During his interrogation on June 14, 2022, the accused appeared repentant and gave the impression that he regretted his actions and wanted to close this chapter. These circumstances were also taken into account as a mitigating factor.

4.9. The DSB cannot understand the allegation of the accused, according to which there were no injured persons and that this should also be taken into account as a mitigating measure. As stated above, the accused's interference with the fundamental right to secrecy of the persons concerned was assessed as serious by the DSB and the persons concerned's interests in secrecy were severely violated by the accused. In addition, according to the case law of the VwGH, a lack of damage in the case of a disobedience offense within the meaning of Section 5 (1) second sentence of the VStG is not a reason for mitigation (cf. VwGH 03/31/2000, 99/02/0352; 12/16/1998, 98/03 /0222). In the opinion of the DSB, the allegation that the accused only saw the recordings personally and did not use them to harm or blackmail a person or for economic interests can also be evaluated for the accused and the confidentiality interests of the person concerned were seriously violated by the accused. In addition, according to the case law of the VwGH, a lack of damage in the case of a disobedience offense within the meaning of paragraph 5, paragraph one, second sentence of the VStG is not a reason for mitigation, compare VwGH 03/31/2000, 99/02/0352; 12/16/1998, 98/03/0222). In the opinion of the DSB, the allegation that the accused only saw the recordings personally and did not use them to harm or blackmail a person or for economic interests cannot result in a reduced sentence for the accused either.

4.10. With regard to the accused's income, the DSB assumed a monthly net income of EUR 3,979 (12 times a year). The accused's view that the reserves to be formed by him for the maintenance of the XXX should be deducted when determining his income and that a monthly net income of EUR 2,018 (12 times a year) should be used as the basis for calculating the fine, is not represented by the DSB. out of. The accused's view that when determining his income, the reserves to be formed by him for the maintenance of the Roman XXX should be deducted and thus a monthly net income of EUR 2,018 (12x per year) should be used as the basis for calculating the fine , is not represented by the DSB.

4.11. In this context, it should be pointed out at the outset that according to the case law of the VwGH, the concept of income used in Section 19 (2) VStG is not identical to the concept of taxable income under the Income Tax Act (EStG 1988) (cf. VwGH February 21, 1989 , 88/05/0222). Liabilities such as leasing installments for a motor vehicle (cf. Higher Regional Court Vienna June 28, 1988, 23 Bs 287/88) or loan installments for a condominium (cf. In this context, it should be pointed out at the outset that according to the case law of the Administrative Court in paragraph 19, paragraph 2, VStG, the concept of income used is not identical to the concept of taxable income according to the Income Tax Act (EStG 1988) compare VwGH 02/21/1989, 88/05/0222). Liabilities such as leasing installments for a motor vehicle compare OLG Vienna June 28, 1988, 23 Bs 287/88) or the loan installments for a condominium compare Wessely in Rauscher/Wessely, VStG2 § 19, Rz 21c with reference to OGH ZVR 1989/164) therefore have to be disregarded. Nothing else can apply to the reserves brought up by the accused for the repair work in relation to his rented XXX. At this point, for the sake of completeness, reference can also be made to the established case law of the VwGH on the imposition of fines, according to which fines can also be imposed on people who have little or no income. The fine is also permissible if the financial and income situation of the offender makes it likely that he will not be able to pay it (cf. VwGH January 30, 2014, paragraph 19, margin no. 21c with reference to OGH ZVR 1989/164) must therefore be disregarded. Nothing else can apply to the reserves brought by the accused for the repair work in relation to his rented Roman XXX. At this point, for the sake of completeness, reference can also be made to the established case law of the VwGH on the imposition of fines, according to which fines can also be imposed on people who have little or no income. The fine is also permissible if the financial and income situation of the offender makes it likely that he will not be able to pay it (compare VwGH January 30, 2014, 2013/03/0129). Furthermore, the existence of unfavorable income and financial circumstances does not mean that there is a right to the imposition of the minimum penalty (cf. VwGH October 1, 2014, ). Furthermore, the existence of unfavorable income and financial circumstances does not mean that there is a right to the imposition of the minimum penalty, compare VwGH October 1, 2014, Ra 2014/09/0022 with reference to VwGH September 16, 2009, 2009/09/0150).

4.12. According to the settled case law of the VwGH, considerations of special prevention and general prevention may also be included when assessing the penalty (cf. VwGH 15.5.1990, 89/02/0093, VwGH 22.4.1997, 96/04/0253, VwGH 29.1.1991, 89 /04/0061). According to Art. 83 Para. 1 GDPR, the supervisory authorities must also ensure that the fines are included in each individual case. 89/04/0061). According to Article 83, paragraph one, GDPR, the supervisory authorities must also ensure that the fines are effective, proportionate and dissuasive in each individual case.

4.13. According to Art. 1 Para. 2 GDPR, one of the main goals of the GDPR is the protection of fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data according to Art. 8 EU GRC. The accused has seriously violated the fundamental rights of those affected, as explained above. The imposition of the concrete fine is therefore in any case and in particular their right to the protection of personal data according to Article 8, EU-GRC. The accused has seriously violated the fundamental rights of those affected, as explained above. The imposition of the specific fine is therefore necessary in the general preventive sense in order to sensitize those responsible who operate an image processing system in this context, in particular to the effect that such processing for the purpose of guaranteeing technical interests is not covered by the justification under Art. 6 Para. 1 lit. f GDPR, in order to sensitize those responsible who operate an image processing system in this context, in particular to the effect that such processing for the purpose of guaranteeing technical interests does not cover the justification basis according to Article 6, paragraph one, Litera f, DSGVO finds.

4.14. The DSB assumes that the accused will refrain from making such records in the future. In any case, the accused stated several times to the DSB that he would refrain from such recordings in the future. Therefore, according to the DSB, there are no special preventive reasons.

4.15. The specifically imposed fine of EUR 25,000 therefore appears in the light of the above-mentioned reasons for assessing the penalty, above all the great degree of wrongfulness of the act, for general preventive reasons and the gross negligence of the accused, as well as taking into account the income and financial circumstances of the accused and the The available range of penalties of Art. 83 Para. 5 GDPR therefore appears in the light of the above-mentioned reasons for determining the penalty, above all the great unlawful content of the act, for general preventive reasons and the gross negligence of the accused as well as taking into account the income and financial circumstances of the accused and the available penal framework of Article 83, paragraph 5, GDPR (here up to EUR 20,000,000) in the result appropriate to the crime and to blame.