AEPD (Spain) - PS/00377/2021: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD (Spain) |DPA_With_Country=AEPD (Spain) |Case_Number_Na...") |
mNo edit summary |
||
(7 intermediate revisions by 3 users not shown) | |||
Line 55: | Line 55: | ||
=== Facts === | === Facts === | ||
The | The data subject, an employee of the Municipality, filed a complaint with the AEPD because of a video surveillance system that recorded employees and citizens actions within the Municipality's premises, even though no proper authorisation was requested and granted. Moreover, since the cameras could also record audio, personal conversations of employees and visitors could be recorded. Lastly, although there was a sign that informed visitors and employees of the presence video surveillance cameras, it was unclear for which purpose these cameras were installed. The AEPD informed the Municipality (hereafter: respondent) regarding the complaint but never got a reply. Hence, it agreed to process the complaint. | ||
=== Holding === | |||
The AEPD upheld the complaint. | |||
First, the recording of personal conversations is an invasion of privacy. This is therefore strictly forbidden and can lead to a violation of [[Article 5 GDPR|Article 5(1)(c) GDPR]]. | |||
Second, the cameras must be limited to the purpose for which they are intended. Also, the way of capturing and processing this data must be proportionate in relation to this purpose (surveillance/security). | |||
Third, the AEPD recalls that, in order to comply with [[Article 12 GDPR]], a clear sign must be placed in a visible area (e.g. access door) indicating that it is a video-surveilled area, and it must indicate: | |||
- | |||
* the existence of the processing. | |||
* the identity of the data controller. | |||
* the possibility of exercising the rights provided for in Articles 15 to 22 GDPR. | |||
If there is not a clear sign informing employees of the video-surveillance area, which provides this information, this leads to a violation of [[Article 13 GDPR]]. Respondent had failed to install and show a clear sign that provided this information. Moreover, the purpose of security had not been known to the legal representatives of all the public employees of the aforementioned entity, although they must be aware of the purpose(s) of the images obtained. Hence, this constituted an infringement, attributable to the respondent, for violation of Articles 5(1)(c) and 13 GDPR. | |||
Therefore, the AEPD (1) imposed a warning on the Municipality and (2) ordered respondent to: | |||
* Place information signs duly approved to the current GDPR at the main entrances to the Town Hall within one month of the decision. | |||
* Inform all public employees of the measures adopted, in particular those related to the purpose(s) of the processing. | |||
* To place the entrance camera so that it is used for the security function of the Town Hall, but avoids capturing the work area of the employees exclusively, disabling the audio option if necessary. | |||
== Comment == | == Comment == | ||
'' | 1. In its decision, the AEPD mentioned ''"exception of prior judicial authorisation and recordings made by persons competent to do so in "exceptional" situations"'' as grounds for exception to the prohibition of the recording of personal conversations. However, this was not further explained. | ||
2. It is likely, however, that the AEPD referred to Article 5 [https://boe.es/buscar/doc.php?id=BOE-A-1997-17574 Ley Orgánica 4/1997, de 4 de agosto, por la que se regula la utilización de videocámaras por las Fuerzas y Cuerpos de Seguridad en lugares públicos]. | |||
== Further Resources == | == Further Resources == |
Latest revision as of 12:44, 20 October 2021
AEPD (Spain) - PS/00377/2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(c) GDPR Article 13 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 18.10.2021 |
Fine: | None |
Parties: | Municipality of [Redacted Location] |
National Case Number/Name: | PS/00377/2021 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | aepd.es (in ES) |
Initial Contributor: | Giel Ritzen |
The Spanish DPA (AEPD) warned a Municipality for failing to meet its information obligations to its employees regarding the placement of video surveillance cameras that also record audio.
English Summary
Facts
The data subject, an employee of the Municipality, filed a complaint with the AEPD because of a video surveillance system that recorded employees and citizens actions within the Municipality's premises, even though no proper authorisation was requested and granted. Moreover, since the cameras could also record audio, personal conversations of employees and visitors could be recorded. Lastly, although there was a sign that informed visitors and employees of the presence video surveillance cameras, it was unclear for which purpose these cameras were installed. The AEPD informed the Municipality (hereafter: respondent) regarding the complaint but never got a reply. Hence, it agreed to process the complaint.
Holding
The AEPD upheld the complaint.
First, the recording of personal conversations is an invasion of privacy. This is therefore strictly forbidden and can lead to a violation of Article 5(1)(c) GDPR.
Second, the cameras must be limited to the purpose for which they are intended. Also, the way of capturing and processing this data must be proportionate in relation to this purpose (surveillance/security).
Third, the AEPD recalls that, in order to comply with Article 12 GDPR, a clear sign must be placed in a visible area (e.g. access door) indicating that it is a video-surveilled area, and it must indicate:
- the existence of the processing.
- the identity of the data controller.
- the possibility of exercising the rights provided for in Articles 15 to 22 GDPR.
If there is not a clear sign informing employees of the video-surveillance area, which provides this information, this leads to a violation of Article 13 GDPR. Respondent had failed to install and show a clear sign that provided this information. Moreover, the purpose of security had not been known to the legal representatives of all the public employees of the aforementioned entity, although they must be aware of the purpose(s) of the images obtained. Hence, this constituted an infringement, attributable to the respondent, for violation of Articles 5(1)(c) and 13 GDPR.
Therefore, the AEPD (1) imposed a warning on the Municipality and (2) ordered respondent to:
- Place information signs duly approved to the current GDPR at the main entrances to the Town Hall within one month of the decision.
- Inform all public employees of the measures adopted, in particular those related to the purpose(s) of the processing.
- To place the entrance camera so that it is used for the security function of the Town Hall, but avoids capturing the work area of the employees exclusively, disabling the audio option if necessary.
Comment
1. In its decision, the AEPD mentioned "exception of prior judicial authorisation and recordings made by persons competent to do so in "exceptional" situations" as grounds for exception to the prohibition of the recording of personal conversations. However, this was not further explained.
2. It is likely, however, that the AEPD referred to Article 5 Ley Orgánica 4/1997, de 4 de agosto, por la que se regula la utilización de videocámaras por las Fuerzas y Cuerpos de Seguridad en lugares públicos.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/9 Procedure No.: PS / 00377/2021 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following FACTS FIRST: Mrs. A.A.A. (* hereinafter, the complaining party) dated April 17, 2021 filed a claim with the Spanish Data Protection Agency. The claim is directed against CITY COUNCIL OF *** LOCALIDAD.1 with CIF P4626100D (hereinafter, the claimed part). The reasons on which the claim are the following, as collected in your writing, “On March 12, video surveillance cameras were installed in the City Hall. location of *** LOCALIDAD.1 (Valencia). These cameras were installed at the entrance to the Town Hall and at the counter, from where they record employees and citizens damages that enter the municipal offices (...) On several occasions I showed my disagreement to the mayor and the secretary on these aspects. I called the Government Delegation to check if there was granted authorization for its installation in accordance with the provisions of the Decree 596/1999 and Organic Law 4/1997, and there was no such authorization, but it is that neither if- want it had been requested ”. “I have not been informed about the installation of the system (…) I can only think that I have been recorded without prior notice of the camera's start-up, that's why They are knowledgeable about my private conversations held in these dependencies (…) ”. Together with the claim, it provides documentary evidence (photograph No. 1) that It accredits the presence of the poster even though it is not filled in in its essential aspects. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), said claim was transmitted to the claimed party in fe- cha *** DATE.1, so that it could proceed with its analysis and inform this Agency in the period of one month, of the actions carried out to adapt to the prerequisites seen in the data protection regulations. No response to this letter has been received to date from this Agency, nor no explanation has been given to that effect. THIRD: On July 19, 2021, the Director of the Spanish Agency for Pro- Data protection agreed to admit for processing the claim presented by the complaining party. keep. FOURTH: On September 7, 2021, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure for the complained party, by the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/9 alleged violation of Article 5.1.c) of the RGPD, typified in Article 83.5 of the GDPR. FIFTH: In accordance with article 73.1 of the LPCAP, the term to formulate allegations to the Initiation Agreement is ten days computed from the following of the notification. Article 64.2. LPACAP, indicates that the accused will be informed of the right to formulate allegations, the "right to a hearing in the procedure and the deadlines for its exercise, as well as the indication that in case of not making allegations in The term foreseen on the content of the initiation agreement may be considered a resolution proposal when it contains a precise pronouncement about the imputed responsibility ”. (The underlining is from the AEPD) The agreement to initiate the disciplinary proceedings at hand contained a precise statement on the responsibility of the claimed entity: in the aforementioned agreement was specified what was the offending conduct, the type of sanction in which it was subsumable, the circumstances of the responsibility described and the sanction that in judgment of the AEPD proceeded to impose. In consideration of the foregoing and in accordance with the provisions of article 64.2.f) of the LPACAP, the agreement to initiate PS / 00375/2021 is considered Resolution Proposal: Notified the initiation agreement, the one claimed at the time of the This resolution has not submitted a brief of allegations, so it is application of what is stated in article 64 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations, which in its section f) establishes that in case of not making allegations within the established period on the content of the initiation agreement, it may be considered a proposal for resolution when it contains a precise pronouncement about the responsibility imputed, for which a Resolution is issued. In view of all the actions, by the Spanish Agency for Data Protection In this proceeding, the following are considered proven facts: First. The facts bring cause of the claim dated 04/17/21 through the which is transferred to this AEPD the following: “On March 12, video surveillance cameras were installed in the City Hall. location of *** LOCALIDAD.1 (Valencia). These cameras were installed at the entrance to the Town Hall and at the counter, from where they record employees and citizens damage that enters the municipal offices (...) On several occasions I showed my disagreement to the mayor and the secretary on these aspects. I called the Government Delegation to check if there was granted authorization for its installation in accordance with the provisions of the Decree 596/1999 and Organic Law 4/1997, and there was no such authorization, but it is that neither if- want it had been requested ”. “I have not been informed about the installation of the system (…) I can only think that I have been recorded without prior notice of the camera's start-up, that's why C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/9 They are knowledgeable about my private conversations held in these dependencies (…) ”- folio nº 1--. Second. The entity City Council of *** LOCALITY. 1. Third. It is proven that the installed video surveillance system is not duly reporting, suffering from irregularities, such as the fact of mentioning a repealed regulation or failure to indicate the person responsible for data processing. Room. The presence of a video surveillance device in the area of entrance to the property, without claiming whether it can obtain audio of the area where it is installed. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and to re- solve this procedure. II On 04/17/21 the claim of the epigraph is received at this Agency by means of from which the following is transferred as the main fact: “On March 12, video surveillance cameras were installed in the City Hall. location of *** LOCALIDAD.1 (Valencia). These cameras were installed at the entrance to the City Hall and at the counter, from where employees and citizens are taxed. damages that enter the municipal offices (...) On several occasions I showed my disagreement to the mayor and the secretary on these aspects. I called the Government Delegation to check if there was granted authorization for its installation in accordance with the provisions of the Decree 596/1999 and Organic Law 4/1997, and there was no such authorization, but it is that neither if- want it had been requested ”. The initial events took place in the presence of video-visual devices gilancia that could record conversations (audio / video) inside the municipal pendencies, without the system being duly informed for this purpose. The recording of personal conversations both in the company and in community owners' entities, supposes an invasion of the privacy of the user, therefore which is strictly prohibited, with the exception of an authorization judicial review and the recordings are made by the competent persons to make- it in "exceptional" situations. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/9 The cameras installed must be limited to the purpose pursued with the same moreover, the legal representatives of public employees must be informed of such aspects, as well as having the corresponding signage that informs that it is a video-monitored area. The Spanish Agency for Data Protection refers to how they should treat take and capture the images from the security cameras in your guide to video surveillance. lance, emphasizing that there must be a relationship of proportionality between the purpose pursued (in this case security) and the way in which the data. Access to security camera recordings is only allowed to the owner of the company, the contracted security company or the personnel in charge of such effect, as stipulated in the LOPDGDD. Surveillance teams at work and viewing and storage rooms of images should be located in rooms with access restricted to personnel authorized. Recording the conversations of public employees can lead to a violation of art. 5.1 c) RGPD, as the obtaining of conversations is excessive private rights of the same, without prejudice to the affectation to the privacy of these in their conversations whatever their nature or context. Cameras must adhere to their role protecting access security to municipal agencies, without them being able to be oriented in any way permanent connection to their workstations (eg computer monitor), nor allow the audio recording of the private conversations of the em- employed in auxiliary tasks of entry and documentary registration. The installed posters denote that they are incomplete in terms of the required information, which implies an affectation to art.-13 RGPD. Reporting on video surveillance according to RGPD is an obligation included in this legislative framework. An information device must be available in a visible area (eg. access) indicating that it is a video-monitored area, it must indicate car: the existence of the treatment. the identity of the person in charge. possibility of exercising the rights provided for in articles 15 to 22 of Regulation (EU) 2016/679. The image of a person insofar as it identifies or can identify the person It constitutes a personal data, which can be processed for various purposes. Article 22 section 4 of the LOPDGDD provides the following: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/9 "The duty of information provided for in article 12 of the Regulation (EU) 2016/679 will be understood as fulfilled by placing an information device in a sufficiently visible place identifying, at least, the existence of the treatment, the identity of the person in charge and the possibility of exercising the rights provided in the Articles 15 to 22 of Regulation (EU) 2016/679. It may also be included in the device informative site a connection code or internet address to this information (…) ”. III In accordance with the evidence available in this proceeding sanctioner, it is considered that the complained party has proceeded to install a system of video surveillance cameras, which are provided with "audio", lacking the same of information badges duly homologated to the regulations in force. The documentary evidence provided makes it possible to verify the "irregularities" of the poster in the access area, as well as the presence of a web-cam confirms the presence of a device at the reception desk with the possibility of audio (video) without having been informed about the purpose (s) thereof. It is recalled that any labor control measure must be put into knowledge of the legal representatives of all public employees of the cited entity, having to be aware of the purpose (s) of the images that are obtain with it, considering in any case the preservation of the privacy of conversations that could take place during working hours without further ado Additional considerations. The known facts constitute an infringement, attributable to the party claimed, for violation of the content of articles 5.1 c) and 13 RGPD, above- mind described. IV The facts described suppose an administrative offense (s) typified in the Article 83.5 letters a) and b) RGPD. "Violations of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of of a company, of an amount equivalent to a maximum of 4% of the volume of total annual global business of the previous financial year, opting for the one with the highest amount: a) the basic principles for the treatment, including the conditions for the treatment consent in accordance with articles 5, 6, 7 and 9; b) the rights of the interested parties in accordance with articles 12 to 22; V C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/9 Without prejudice to the provisions of article 83 of the RGPD, the aforementioned Regulation provides ne in its art. 58.2 b) the following: “2 Each supervisory authority shall have all the following corrective powers in- listed below: (…) b) direct a warning to any person in charge or in charge of the treatment when the processing operations have infringed the provisions of this Regulation;" Likewise, article 77 of the LOPDGDD provides the following: “Regime applicable to certain categories of managers or persons in charge of the work treatment. 1. The regime established in this article will be applicable to the treatment of who are responsible or in charge: a) Constitutional or constitutionally relevant bodies and institutions of the autonomous communities analogous to them. b) The jurisdictional bodies. c) The General State Administration, the Administrations of the Autonomous Communities tonomas and the entities that make up the Local Administration. d) Public bodies and related or dependent public law entities of the Public Administrations. e) The independent administrative authorities. f) The Bank of Spain. g) Public law corporations when finalized from the treatment are related to the exercise of powers of public law. h) Public sector foundations. i) Public Universities. j) Consortia. k) The parliamentary groups of the Cortes Generales and the Legislative Assemblies autonomic, as well as the political groups of the Local Corporations. 2. When the managers or managers listed in section 1 commit any of the infractions referred to in articles 72 to 74 of this organic law. ca, the competent data protection authority will issue a sanction resolution advising them with warning. The resolution will also establish the measures to be taken to stop the conduct or correct the effects of the infraction that had been committed. The resolution will be notified to the person in charge of the treatment, the body of the that depends hierarchically, where appropriate, and those affected who had the condition interested party, if applicable. 3. Without prejudice to the provisions of the previous section, the protection authority of data will also propose the initiation of disciplinary actions when there are Enough sayings for it. In this case, the procedure and the penalties to be applied will be those established in the legislation on disciplinary or sanctioning regime that result of application. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/9 Likewise, when the infractions are attributable to authorities and managers, and certify the existence of technical reports or recommendations for the treatment that had not been duly attended to, in the resolution imposing the The sanction will include a reprimand with the name of the responsible position and will order the publication in the corresponding Official Gazette of the State or Autonomous Region. 4. The data protection authority must be notified of the resolutions that fall in relation to the measures and actions referred to in the sections previous. 5. They will be communicated to the Ombudsman or, where appropriate, to similar institutions of the autonomous communities the actions carried out and the resolutions issued under this article. 6. When the competent authority is the Spanish Agency for Data Protection, This will publish on its website with due separation the resolutions referring to the entities of section 1 of this article, with express indication of the identity of the person in charge or in charge of the treatment that had committed the infringement. When the competence corresponds to an autonomous data protection authority The publicity of these resolutions will be governed by what their specific regulations. " In accordance with art. 58.2 d) RGPD the complained party must clarify everything related to the installed system, as well as documentary proof (vgr. photograph date and time) that has an informative mark (s) homologated to the norm valid, without prejudice to the allegations that it deems necessary to make, such as measures taken to inform the legal representatives of the employees of the City Council or to them on the installed video-surveillance system. It is recalled that this body can travel to the scene of the events effects of carrying out the inquiries it deems necessary, being able to demand the fulfillment of implementation of the widely indicated measures for the sake of the protection of legality valid. The rest of the issues exceed the competence framework of this Agency, narrowly This Resolution is addressed to the accredited issues in the framework of the protection of data. Therefore, in accordance with the applicable legislation and the graduation criteria assessed tion of the sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE TO THE CITY COUNCIL OF *** LOCALIDAD.1, with CIF P4626100D, for a violation of Article 5.1.c) of the RGPD and 13 RGPD, typified in Article 83.5 a) and b) of the RGPD, a sanction of APPEARANCE. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/9 SECOND: ORDER the claimed entity *** LOCALITY CITY COUNCIL- DAD.1 so that within a period of one month from the notification of this act, the gives: -Place informational badge duly approved to the current RGPD in the main accesses to the Town Hall. -Inform all public employees of the measures adopted in particularly those related to the purpose (s) of the treatment. -Credit the reorientation of the inlet camera so that it is adheres to the security function of the Town Hall, avoiding capturing the traffic area low of the employees exclusively, deactivating the option audio of it. THIRD: NOTIFY this resolution to the entity denounced FAST- *** LOCALITY LIE. 1. FOURTH: COMMUNICATE this resolution to the Ombudsman, of in accordance with the provisions of article 77.5 of the LOPDGDD. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the inte- Residents may file, optionally, an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month from the day after notification of this resolution or directly contentious appeal administrative before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the additional provision Fourth nal of Law 29/1998, of July 13, regulating the Contentious Jurisdiction- administrative, within a period of two months from the day following the notification tion of this act, as provided in article 46.1 of the aforementioned Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party do manifests its intention to file a contentious-administrative appeal. Of being In this case, the interested party must formally communicate this fact in writing addressed to the Spanish Agency for Data Protection, presenting it through the Re- Electronic registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or to through any of the other records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also forward the documentation to the Agency that certifies the effective filing of the contentious-administrative appeal. If the Agency was not aware of the filing of the contentious-administrative appeal trative within two months from the day following notification of this resolution, would terminate the precautionary suspension. 938-131120 Mar Spain Martí C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/9 Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es