DSB (Austria) - 2020-0.550.322: Difference between revisions
Isabel Hahn (talk | contribs) No edit summary |
m (Mg moved page DSB - 2020-0.550.322 to DSB (Austria) - 2020-0.550.322: consistency) |
Latest revision as of 13:51, 12 May 2023
DSB - 2020-0.550.322 | |
---|---|
Authority: | DSB (Austria) |
Jurisdiction: | Austria |
Relevant Law: | Article 4(2) GDPR Article 5(1)(a) GDPR Article 6(1) GDPR Article 83(5)(a) GDPR § 19 Austrian Administrative Penal Act (Verwaltungsstrafgesetz 1991 - VStG) |
Type: | Other |
Outcome: | n/a |
Started: | |
Decided: | 19.10.2020 |
Published: | 01.12.2020 |
Fine: | 150 EUR |
Parties: | unknown natural person (fined controller) |
National Case Number/Name: | 2020-0.550.322 |
European Case Law Identifier: | ECLI:AT:DSB:2020:2020.0.550.322 |
Appeal: | Not appealed |
Original Language(s): | German |
Original Source: | Rechtsinformationssystem des Bundes (RIS) (in DE) |
Initial Contributor: | n/a |
The Austrian DPA imposed a fine of €150 on a person for secretly filming a woman with his smartphone while she was using a public restroom.
English Summary
Facts
On 02.11.2019, the controller (male natural person, name redacted) filmed a woman while she was using a public restroom by pushing his smartphone under a cubicle partition. The screen of the phone was pointing upwards and the front camera was active during the entire process.
After the woman realised that she was being filmed, she confronted the controller and called the police.
Holding
As the controller had not obtained the consent of the woman he filmed and there was no other legal basis for processing under Article 6 GDPR, the controller had violated Article 5(1)(a) and Article 6(1) GDPR.
Taking into account the low income of the controller, the Austrian Data Protection Authority (DSB) imposed a fine of only EUR 150 under Article 83(5)(a) GDPR.
Comment
It must be noted that the DSB did not apply § 12 and § 13 of the Austrian Data Protection Act (Datenschutzgesetz - DSG) that specifically deal with the processing of pictures (including videos). That is because the Austrian Federal Administrative Court (Bundesverwaltungsgericht - BVwG) had declared these provisions inapplicable in lack of an opening clause under the GDPR (see W211 2210458-1 and here). Hence the DSB only assesed the lawfulness of processing under Article 5 and 6 GDPR only.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Decisive authority Data protection authority Decision date October 19, 2020 Business number 2020-0.550.322 Appeal at the BVwG / VwGH / VfGH This penalty decision is final. text GZ: 2020-0.550.322 of October 19, 2020 (case number: DSB-D550.249) [Note processor: names and companies, legal forms and product names, addresses (incl. URLs, IP and e-mail addresses), file numbers (and the like), etc., as well as their initials and abbreviations can be shortened and / or changed for reasons of pseudonymisation his. Obvious spelling, grammar, and punctuation errors have been corrected.] Penalty judgment Accused: A *** F *** (born DD.MM.YYYY), [ZIP] [City], [Street] [HNr.] Time of the offense: DD.MM.2019, 7:35 p.m. Crime scene: [ZIP] [city], [street, ONr.] (WC facilities on the upper floor next to the police station ***) As the person responsible within the meaning of Art 4 Z 7 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), ABl. No. L 119 of 4.5.2016 S 1, at the above-mentioned time of the offense at the above-mentioned crime scene, the following administrative offense (s) were committed: You captured a female person while she was using one of the toilet cubicles as part of image data processing by pushing a mobile phone (smartphone with camera function) under a toilet cubicle partition, with the mobile phone screen pointing upwards and the front camera of the mobile phone was active during the entire process and thus image data was processed by the person concerned. By carrying out image data processing without legal grounds, you have objected to the principles for processing personal data in accordance with Art. 5 Para. 1 lit. a GDPR, specifically - against the principles of "legality, processing in good faith, transparency", as - against the permissions finally standardized in Art. 6 Para. 1 GDPR violated. This is because the image data processing carried out can neither be based on the consent of the person concerned, nor on one of the other permissions of Art. 6 Para. 1 GDPR. You have thereby violated the following legal provision (s): Art. 5 para. 1 lit. a, Art. 6 Para. 1 in conjunction with Art. 83 Para. 5 lit. a of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data, on the free movement of data and on the repeal of Directive 95/46 / EC (General Data Protection Regulation), ABl L 2016/119, 1 as amended L 2016/314, 72 and L 2018/127, 2 Because of these administrative offense (s) you will be subject to the following penalty: Fine of euros if this is irrecoverable, a substitute imprisonment of according to € 150.00 9 hours Art. 83 para. 5 lit a GDPR in conjunction with § 16 VStG, Federal Law Gazette No. 52/1991 Any further statements (e.g. about the crediting of the preliminary detention, about the forfeiture or about claims under private law): Furthermore, you have to pay according to § 64 of the Administrative Penal Act 1991 - VStG: 15.00 Euro as contribution to the costs of the criminal proceedings, that is 10% of the penalty, but at least 10 Euro (one day imprisonment equals 100 Euro); Euros to replace cash outlays for The total amount to be paid (penalty / costs / cash outlays) is therefore 165.00 Euro Payment term: If no complaint is made, this penalty decision is immediately enforceable. In this case, the total amount is to be paid into the account BAWAG P.S.K., Georg-Coch-Platz 2, 1018 Vienna, IBAN: AT460100000005490031, BIC: BAWAATWW, according to the data protection authority, within two weeks after it becomes legally binding. The transaction number and the completion date should be given as the intended use. If no payment is made within this period, the total amount can be dunned. In this case, a flat fee of five euros has to be paid. If, however, no payment is made, the outstanding amount will be enforced and, in the event that it is uncollectible, the corresponding imprisonment penalty will be enforced. Reason: I. The following facts relevant to the decision have been established based on the evidence procedure carried out: 1. The accused used the public toilet facilities on November 2, 2019 at around 7:35 pm on the upper floor next to the police station *** in [ZIP] [city], [street, ONr]. There he first went to the men's toilet, but left it because two of the three toilet cubicles there were occupied and the third existing toilet cubicle was very dirty. Subsequently, due to the urgency of the bowel movement, he went to the premises of the women's toilet there and entered one of the toilet cubicles to use it. A short time later, several women entered the ladies' toilet and conversed with one another, clearly audible for the accused. One of the female persons then entered the toilet cubicle, which was located immediately next to the toilet cubicle used by the suspect. 2. The accused then started the camera application on his mobile phone and also activated the front camera of the device in order to hold it under the partition wall of the toilet cubicle in order to use the camera of the mobile phone to see in real time on the display who is in the side cabin and to be able to look at the female person - similar to a mirror function. This process was noticed by the female person who used the adjacent toilet cubicle; She saw the mobile phone with the display switched on and the camera activated as the suspect held it through under the cabin partition, while the female person recognized herself on the device's screen. 3. The female person then immediately left the toilet cubicle and asked the suspect to also leave the toilet cubicle and hand over the mobile phone. The accused then handed the used mobile phone out of the cabin, the female took the device and tried to use the photo application to find out whether there were any image data of her as she was in the toilet cubicle. At this point in time, there were image data of other naked women on the memory of the accused's cell phone, which the accused had received from work colleagues in the course of time before the incident in question. 4. Subsequently, the female person affected by the incident went to the women's toilet, where several other people were already waiting to use the toilets, and described the incident to those present. A few minutes later the accused also came out of the rooms of the ladies' room and was prevented from leaving the premises by the waiting people until the police officers who had been called by telephone arrived. 5. The police officers who intervened then transferred the questioning of the accused about the incident to the PI ***. The cell phone was given to the police voluntarily by the accused. The police could not find any pictures or videos of the incident in the picture gallery. The cell phone used by the accused at the time of the crime has not been in his possession since around the end of January 2020 because he lost the device on public transport. 6. According to the confirmation of benefits presented by the accused, the latter receives minimum income benefits (social assistance) in the total amount of € 995.04 per month, a significant part of which is required for housing costs. [Proof: display of LPD *** from TT. November 2019, GZ PAD / ***, minutes of the interrogation of the accused before the data protection authority from TT. August 2020, GZ ***] II. The findings are made on the basis of the following evidence: 1. The findings with regard to the offense of the accused, according to which he pushed his mobile phone with camera function, with an activated front camera, under the toilet cubicle partition with the intention of observing the female person in the neighboring cubicle using the screen of the device as this one Wanted to use the toilet can be found on the basis of the relevant information in the advertisement of the LPD *** and the corresponding statements of the accused during his interrogation before the data protection authority. 2. As to the question of whether the accused had saved image data from the incident on his mobile phone at any time, no conclusions could be made. As part of the reporting by the LPD ***, it is stated that a corresponding image material could not be seen when the officers looked through the device - the accused voluntarily gave the cell phone to the officers for this purpose; the accused himself states to the data protection authority that he has never saved any photo or video recordings of the incident. However, it cannot be completely ruled out that the accused may have deleted any stored image material. The question of whether image data was also saved, however - which will have to be dealt with in the context of the legal assessment - with regard to the behavior punished in the verdict. III. Legally it follows from this: 1. Art. 83 para. 5 lit. a GDPR stipulates that violations of the provisions of Articles 5 and 6 GDPR can result in fines of up to 20,000,000 euros or, in the case of a company, up to 4% of its total worldwide annual turnover in the previous financial year, depending on which of the amounts is higher. According to Section 22 (5) DSG, responsibility for imposing fines on natural and legal persons for Austria as the national supervisory authority lies with the data protection authority. To the saying: 2. The GDPR defines the term processing in Art. 4 Z 2 GDPR by listing a number of possible usage processes. This includes the collection, recording, organization, ordering, storage, adaptation or modification, reading, querying, use, disclosure by transmission, distribution or any other form of provision, comparison or linking , restriction, deletion or destruction. The use of the camera application of the cell phone by the accused in the context of the proceedings in order to observe a female person in a toilet cubicle - similar to a (digital) mirror - constitutes the processing of personal data within the meaning of Art. 4 Z 2 GDPR and the material scope of application of Art. 2 GDPR is thereby opened. This legal classification results from a consideration of the technical process of digital image data processing with the aid of a commercially available mobile phone with camera function. In such a process, light rays fall on the light sensor of the camera, these are then converted by an image processor into digital image data and held ready in the main memory of the device for access by the camera application; The latter displays the live image created on the device's screen; the user can then permanently save the image data by pressing a hardware or software button on the device. Thus, regardless of whether the user activates a button (the trigger), digital image data processing takes place on the mobile phone. In the given context, the data protection authority assumes that the production of live images using a smartphone camera is to be subsumed under the term “collection”. "Collecting" is the gathering of data about the person concerned. As long as the procurement is targeted, the method does not matter. The processor can access data electronically, request documents or interview people. Consultation with an Internet search engine to obtain information on a specific person is also covered by the term (cf. Ernst in Paal / Pauly, General Data Protection Regulation, Art. 4 Rn. 23). Apart from that, every operation that uses personal data is to be regarded as processing, regardless of whether it is carried out with or without automated procedures. Even the collection of data is to be understood as processing (see Klabunde in Ehmann / Selmayr, General Data Protection Regulation, Art. 4 Rn. 19). Thus, the recording of data subjects by means of optical-technical devices (such as video cameras) is in any case to be qualified as processing within the meaning of the GDPR. 3. There is no clear distinction between raising and grasping; the collection relates more to the targeted acquisition of individual data, while the acquisition is more aimed at the continuous recording of a data stream. The collection and the recording can be connected with a storage; However, such a connection is not necessary (see Herbst in Kühling / Buchner, General Data Protection Regulation, Art. 4 marginal number 22). 4. Since in the demonstrative (arg. "How") list of Art. 4 Z 2 GDPR, the word "storage" is also explicitly mentioned, it can also be assumed that this is only one of the processing applications , and not about their basic requirement. The fact that the Union legislature would have forgotten about a regulation regarding live image monitoring, which can massively intervene in the rights of data subjects, or deliberately wanted to exclude such monitoring from the scope of the GDPR, can in any case, in view of the express goal of increased protection of the interests of data subjects in the GDPR, the European legislator not be assumed. 5. As a result, the processing of personal data within the meaning of the GDPR is the subject of the proceedings and the accused must be qualified as the person responsible for this image data processing within the meaning of Art. 4 Z 7 GDPR; Finally, he made the decision to use his smartphone to observe a female person in the toilet cubicle, thereby defining both the purpose and the means for data processing. 6. On the legality of image data processing: Art. 5 GDPR defines the principles for the processing of personal data and determines its Paragraph 1 lit. a that personal data must be processed in a lawful manner, in good faith and in a manner that is understandable for the data subject ("lawfulness, processing in good faith, transparency"). The acquisition of image data in the toilet cubicle, as stated above, was of course not foreseeable for the person concerned and thereby already constitutes a violation of the principle of Art. 5 Para. 1 lit. a GDPR. According to Art. 6 GDPR, processing is only lawful if at least one of the following conditions is met: a) The data subject has given their consent to the processing of their personal data for one or more specific purposes; b) The processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures that are carried out at the request of the data subject; c) the processing is necessary to fulfill a legal obligation to which the controller is subject; d) the processing is necessary to protect the vital interests of the data subject or another natural person; e) the processing is necessary for the performance of a task that is in the public interest or is carried out in the exercise of official authority that has been assigned to the person responsible; f) Processing is necessary to safeguard the legitimate interests of the person responsible or a third party, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, outweigh them, in particular if the data subject is a Child acts. On the legality of processing operations with regard to Art. 6 Para. 1 lit. f GDPR explains recital 47, among other things, that this can be justified by the legitimate interests of a person responsible, provided that the interests or the fundamental rights and freedoms of the data subject do not prevail; the reasonable expectations of the data subject based on their relationship with the controller must be taken into account. In any case, the existence of a legitimate interest must be weighed up particularly carefully, whereby it must also be checked whether a data subject can reasonably foresee at the time the personal data is collected and in view of the circumstances under which it is carried out that processing may be carried out for this person Purpose will be done. In particular, when personal data are processed in situations in which a data subject does not reasonably have to expect further processing, the interests and fundamental rights of the data subject will outweigh the interests of the person responsible. The European Court of Justice (ECJ) has already ruled in the context of video surveillance that three cumulative conditions must be met in order for (image data) processing to be qualified as permissible (see the ECJ judgment of December 11, 2019, C-708 / 18, margin no. 40): On the one hand, this is the perception of a legitimate interest by the person responsible for data processing, then the necessity of data processing to realize this legitimate interest and, ultimately, in the course of a weighing up of interests, the fundamental rights and freedoms of the person affected by data protection must not outweigh the perceived legitimate interest his. 7. In the present case, the legality check with regard to the established image data processing fails because of the first of three conditions. The suspect's interest of whatever kind in observing a female person using a toilet cubicle can under no circumstances be assessed as a legitimate interest within the meaning of Art. 6 Para. 1 lit f GDPR. This eliminates the need for any further examination of the suitability or the weighing of any conflicting interests. The only suitable legal basis for the present image data processing would be the consent of the data subject, although this is of course not available here and the data processing was therefore to be classified as impermissible in any case. 8. In application of the requirements and obligations according to Art. 5 Para. 1 lit. a and lit. b in connection with Art. 6 Para. 1 GDPR as well as § 12 Para. 4 Z 1 DSG on the facts at hand, the investigating authority comes to the conclusion that the accused should not have carried out the image processing under any circumstances without the consent of the person concerned. Against the background of the established facts, the accused, as the person responsible according to Art. 4 Z 7 GDPR, has the objective fact of the administrative violation of Art. 83 Par. 5 lit. a GDPR. IV. The following is to be noted for the determination of the sentence: 1. According to Art. 83 Para. 1 GDPR, the data protection authority must ensure that the imposition of fines for violations in accordance with Paragraphs 5 and 6 is effective, proportionate and dissuasive in each individual case. More specifically, Paragraph 2 leg cit states that when deciding on the imposition of a fine and its amount in each individual case, due consideration must be given to the following: a) the type, gravity and duration of the breach, taking into account the type, scope or purpose of the processing concerned, as well as the number of persons affected by the processing and the extent of the damage suffered by them; b) Willfulness or negligence of the violation; c) any measures taken by the controller or the processor to reduce the damage suffered by the data subjects; d) the degree of responsibility of the controller or processor, taking into account the technical and organizational measures taken by them in accordance with Articles 25 and 32; e) any relevant previous violations by the controller or the processor; f) Extent of working with the regulator to remedy the breach and mitigate its possible adverse effects; g) categories of personal data affected by the breach; h) the manner in which the supervisory authority became aware of the violation, in particular whether and, if so, to what extent the controller or the processor notified the violation; i) [...] j) [...] k) any other aggravating or mitigating circumstances in the respective case, such as financial benefits gained directly or indirectly as a result of the violation or avoided losses. 2. According to Section 19 (1) VStG, the basis for the assessment of the penalty is the significance of the legal interest protected by criminal law and the intensity of its impairment by the act. In addition, according to the purpose of the threat of punishment, the possible aggravating and mitigating reasons must be weighed against each other, unless they already determine the threat of punishment. Particular care must be taken with the extent of the fault. Sections 32 to 35 of the Criminal Code apply mutatis mutandis, taking into account the nature of administrative criminal law. The accused's income and financial circumstances and any duties of care of the accused must be taken into account when assessing fines; However, this is only to the extent that the provisions of the GDPR that are directly applicable do not supersede the provisions of the VStG and to the extent that Art. 83 (8) GDPR and recital 148 are ordered with regard to the procedural guarantees to be guaranteed. 3. In deviation from the accumulation principle standardized in Section 22 (2) VStG, Art. 83 (3) GDPR stipulates that the total amount should be paid in cases of identical or interrelated processing operations that intentionally or negligently violate several provisions of the GDPR the fine does not exceed the amount for the most serious infringement. Thus, in the area of application of the GDPR - as applied in the present case - the absorption principle of Art. 83 (3) GDPR applies. 4. In relation to the facts at hand, the following was taken into account to aggravate the sentencing: - Observing a female person with the help of a smartphone camera while she wants to use a toilet cubicle seriously encroaches on the legal interests of the privacy of those concerned, protected by Art. 8 ECHR and Art. 7 EuGRC. On the part of the accused, the execution of the image data processing with the intention of observing a female person in the adjacent toilet cubicle was granted and is therefore on the subjective side of fault in the form of intent within the meaning of Art. 83 Para. 2 lit. b GDPR. 5. The following was mitigated when determining the sentence: - The accused took part in the administrative criminal proceedings before the data protection authority and admitted to having carried out the image data processing, thereby helping to establish the truth; - To date, the data protection authority has not had any relevant criminal record against the accused. 6. The specifically imposed penalty therefore appears to be appropriate for the act and guilty, taking into account the determined income situation of the accused with regard to the actual inconvenience measured against the available range of penalties under Art. 83 (5) GDPR of up to € 20,000,000 and its imposition is necessary to prevent the accused and third parties from committing the same or similar criminal acts. European Case Law Identifier ECLI: AT: DSB: 2020: 2020.0.550.322