DPC (Ireland) - 07/SIU/2018: Difference between revisions
m (→Facts) |
m (→Facts) |
||
Line 78: | Line 78: | ||
On the 25 June 2018, the Irish DPA (Data Protection Commission - DPC) began an ex-officio investigation into the controller, a local County Council (Sligo). | On the 25 June 2018, the Irish DPA (Data Protection Commission - DPC) began an ex-officio investigation into the controller, a local County Council (Sligo). | ||
CCTV cameras | The controller had installed CCTV cameras at bottle banks and in housing estates stating that they were to aid the enforcement of the Irish Litter Pollution Act 1997 and to help detect anti-social behaviour. The cameras therefore constantly filmed public and private areas This video footage was then stored by the controller. The controller could not demonstrate any records of logs regarding the data processing and it was unclear for how long the data was stored. | ||
The | The cameras, as they were installed in public spaces filmed passers-by and individuals using nearby facilities such as a community centre. Some of the monitoring screens were in public spaces (such as the community centre) and could therefore be accessed by unauthorised persons. One CCTV footage store monitor was not password protected while another had the capability to log all access to the system but staff had not been trained to use this function. | ||
=== Holding === | === Holding === | ||
Line 93: | Line 89: | ||
The DPC found the following violations of the GDPR showing negligence on the part of the controller: | The DPC found the following violations of the GDPR showing negligence on the part of the controller: | ||
For failing to ensure the appropriate security of the CCTV monitoring screens, the controller had breached [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]] and [[Article 32 GDPR#1|Article 32(1) GDPR]]. | For failing to ensure the appropriate security of the CCTV monitoring screens, the controller had breached [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]] and [[Article 32 GDPR#1|Article 32(1) GDPR]]. The DPC highlighted that passers-by could easily take pictures of what was being shown on the monitoring screens. | ||
For excessively monitoring and processing footage of public spaces the DPC found violations of [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]] and [[Article 25 GDPR|Article 25 GDPR]] in relation to the purposes. | For excessively monitoring and processing footage of public spaces the DPC found violations of [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]] and [[Article 25 GDPR|Article 25 GDPR]] in relation to the purposes. The DPC highlighted that the controller could have implemented "privacy masking" so that private areas would not be recorded by the cameras. | ||
For retaining the data for longer than necessary the DPC found a violation of [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]]. | For retaining the data for longer than necessary the DPC found a violation of [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]]. |
Revision as of 21:01, 10 December 2024
DPC - 07/SIU/2018 | |
---|---|
Authority: | DPC (Ireland) |
Jurisdiction: | Ireland |
Relevant Law: | Article 5(1) GDPR Article 13 GDPR Article 24 GDPR Article 25 GDPR Article 30 GDPR Data Protection Act 2018 |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 15.06.2018 |
Decided: | 13.11.2024 |
Published: | 05.12.2024 |
Fine: | 29,500 EUR |
Parties: | Sligo County Council |
National Case Number/Name: | 07/SIU/2018 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | DPC (in EN) |
Initial Contributor: | ao |
The DPA issued a County Council with a 29,500 fine for the excessive processing of CCTV footage of public spaces as well as footage of speed cameras.
English Summary
Facts
On the 25 June 2018, the Irish DPA (Data Protection Commission - DPC) began an ex-officio investigation into the controller, a local County Council (Sligo).
The controller had installed CCTV cameras at bottle banks and in housing estates stating that they were to aid the enforcement of the Irish Litter Pollution Act 1997 and to help detect anti-social behaviour. The cameras therefore constantly filmed public and private areas This video footage was then stored by the controller. The controller could not demonstrate any records of logs regarding the data processing and it was unclear for how long the data was stored.
The cameras, as they were installed in public spaces filmed passers-by and individuals using nearby facilities such as a community centre. Some of the monitoring screens were in public spaces (such as the community centre) and could therefore be accessed by unauthorised persons. One CCTV footage store monitor was not password protected while another had the capability to log all access to the system but staff had not been trained to use this function.
Holding
The DPC found that the use of the CCTV cameras at the bottle banks could not be justified under the Litter Pollution Act 1997 nor the Waste Management Act 1996. Article 8(2) of the Law Enforcement Directive does not provide for such a broad scope of CCTV footage to be processed.
The DPC found a total of 14 issues throughout the course of the inquiry ranging from unlawful processing to failing to conduct a Data Protection Impact Assessment. The DPC found violations of the GDPR as well as the Irish Data Protection Act 2018 which transposes the GDPR into national law.
The DPC found the following violations of the GDPR showing negligence on the part of the controller:
For failing to ensure the appropriate security of the CCTV monitoring screens, the controller had breached Article 5(1)(f) GDPR and Article 32(1) GDPR. The DPC highlighted that passers-by could easily take pictures of what was being shown on the monitoring screens.
For excessively monitoring and processing footage of public spaces the DPC found violations of Article 5(1)(c) GDPR and Article 25 GDPR in relation to the purposes. The DPC highlighted that the controller could have implemented "privacy masking" so that private areas would not be recorded by the cameras.
For retaining the data for longer than necessary the DPC found a violation of Article 5(1)(e) GDPR.
For failing to set up and maintain records of the processing, the DPC found a violation of Article 30 GDPR.
For failing to erect signage informing of the processing and failing to be able to explain a reason for this, the DPC found a violation of Article 13 GDPR.
The DPC issued a fine of €29,500 for the violations and ordered the controller to bring its data processing into compliance.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.