DPC (Ireland) - DPC Case Reference: 03/SIU/2018: Difference between revisions

From GDPRhub
(changed punctuation)
(Moved the issues that the DPC found from the "Facts" section to the "Holding" section)
 
(2 intermediate revisions by 2 users not shown)
Line 11: Line 11:


|Original_Source_Name_1=Irish DPC
|Original_Source_Name_1=Irish DPC
|Original_Source_Link_1=https://www.dataprotection.ie/sites/default/files/uploads/2022-01/REDACTED_091221_Final%2520DecisionLimerick_03-SIU-2018%2520PDF%2520FINAL.pdf
|Original_Source_Link_1=https://www.dataprotection.ie/sites/default/files/uploads/2022-01/REDACTED_091221_Final%20DecisionLimerick_03-SIU-2018%20PDF%20FINAL.pdf
|Original_Source_Language_1=English
|Original_Source_Language_1=English
|Original_Source_Language__Code_1=EN
|Original_Source_Language__Code_1=EN
Line 19: Line 19:
|Date_Started=
|Date_Started=
|Date_Decided=09.12.2021
|Date_Decided=09.12.2021
|Date_Published=
|Date_Published=12.01.2022
|Year=2021
|Year=2021
|Fine=None
|Fine=€110,000
|Currency=
|Currency=


Line 34: Line 34:




|National_Law_Name_1=38(3) of the Garda Síochána Act 2005
|National_Law_Name_1=Section 38(3) Garda Síochána Act 2005
|National_Law_Link_1=
|National_Law_Link_1=https://www.irishstatutebook.ie/eli/2005/act/20/enacted/en/html


|Party_Name_1=
|Party_Name_1=
Line 57: Line 57:
}}
}}


The Irish DPC imposed an administrative fine of €110,000, against Limerick City and County Council (Council). The fine was imposed for Council’s numerous failings in meeting the data protection obligations in some of the Limerick smart city initiatives, such as data collection using innovative technologies and smart CCTV. The decision was announced on Linkedin on the 12th of January 2022.
The Irish DPC imposed an administrative fine of €110,000 against a city council due to numerous failings in meeting data protection obligations in some of its smart city initiatives.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
In June 2018, the DPC initiated a connected series of own-volition inquiries under sections 110 and 123 of the 2018 Irish Data Protection Act. Their subject was around surveillance technologies deployed by state and local authorities and An Garda Síochána  (the Irish Police) for law enforcement purposes. The DPC inquiries were to establish whether any data processing was in compliance with the data protection laws and to ensure that sufficient accountability measures were in place before further investment into new technologies.
In June 2018, the DPC initiated a connected series of own-volition inquiries under sections 110 and 123 of the 2018 Irish Data Protection Act. They concerned surveillance technologies deployed by state and local authorities and An Garda Síochána  (the Irish Police) for law enforcement purposes. The DPC inquiries were to establish whether any data processing was in compliance with the data protection laws and to ensure that sufficient accountability measures were in place before further investment into new technologies.


The DPC investigation unveiled the inventory of 401 CCTV cameras that were deployed in various locations across Limerick City and County, including bicycle and walkway routes, housing estates, traveller accommodation sites and public spaces. The cameras were subject to constant real time surveillance Separately, Limerick City and County Council had two drones in operation. The DPC identified a total of 48 issues in the course of the inquiry. The most important issues determined that the Council:
The DPC investigation unveiled the inventory of 401 CCTV cameras that were deployed in various locations across Limerick City and County, including bicycle and walkway routes, housing estates, traveller accommodation sites and public spaces. The cameras were subject to constant real time surveillance. Separately, the Limerick City and County Council (Council) had two drones in operation.  


a) had no lawful basis for the processing of personal data by CCTV cameras for traffic management purposes
=== Holding ===
The DPC identified a total of 48 issues in the course of the inquiry. The most important issues determined that the Council:


b) lacked a lawful basis for a number of CCTV cameras used for the purposes of countering crime
a) had no lawful basis for the processing of personal data by CCTV cameras for traffic management purposes;


c) lacked a lawful basis to carry out surveillance with CCTV cameras which employed Automatic Number Plate Recognition technology
b) lacked a lawful basis for a number of CCTV cameras used for the purposes of countering crime;


d) infringed Article 15 of the GDPR by rejecting subject access requests in respect of CCTV cameras used for traffic management purposes
c) lacked a lawful basis to carry out surveillance with CCTV cameras which employed Automatic Number Plate Recognition technology;


e) did not fulfil its transparency obligations under Article 13 by failing to erect signage in respect of its CCTV processing operations
d) infringed Article 15 GDPR by rejecting subject access requests in respect of CCTV cameras used for traffic management purposes;


f) infringed Article 12 of the GDPR by failing to make its CCTV Policy more easily accessible and transparent.
e) did not fulfil its transparency obligations under Article 13 GDPR by failing to erect signage in respect of its CCTV processing operations;
 
f) infringed Article 12 GDPR by failing to make its CCTV Policy more easily accessible and transparent.


=== Holding ===
The DPC exercised the following corrective powers:
The DPC exercised the following corrective powers:


Line 85: Line 87:
b) A temporary ban on the processing of personal data with CCTV cameras used for traffic management purposes until a legal basis can be identified.
b) A temporary ban on the processing of personal data with CCTV cameras used for traffic management purposes until a legal basis can be identified.


c) An order to Limerick City and County Council to bring its processing of personal data into compliance taking certain actions specified in the decision.
c) An order to the Council to bring its processing of personal data into compliance taking certain actions specified in the decision.


d) A reprimand in respect of a number of Limerick City and County Council’s infringements.
d) A reprimand in respect of a number the Council’s infringements.


e) An administrative fine of €110,000.
e) An administrative fine of €110,000.

Latest revision as of 16:13, 2 March 2022

DPC (Ireland) - DPC Case Reference: 03/SIU/2018
LogoIE.png
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 6 GDPR
Article 12 GDPR
Article 13 GDPR
Article 15 GDPR
Section 38(3) Garda Síochána Act 2005
Type: Investigation
Outcome: Violation Found
Started:
Decided: 09.12.2021
Published: 12.01.2022
Fine: €110,000
Parties: n/a
National Case Number/Name: DPC Case Reference: 03/SIU/2018
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: Irish DPC (in EN)
Initial Contributor: czapla

The Irish DPC imposed an administrative fine of €110,000 against a city council due to numerous failings in meeting data protection obligations in some of its smart city initiatives.

English Summary

Facts

In June 2018, the DPC initiated a connected series of own-volition inquiries under sections 110 and 123 of the 2018 Irish Data Protection Act. They concerned surveillance technologies deployed by state and local authorities and An Garda Síochána (the Irish Police) for law enforcement purposes. The DPC inquiries were to establish whether any data processing was in compliance with the data protection laws and to ensure that sufficient accountability measures were in place before further investment into new technologies.

The DPC investigation unveiled the inventory of 401 CCTV cameras that were deployed in various locations across Limerick City and County, including bicycle and walkway routes, housing estates, traveller accommodation sites and public spaces. The cameras were subject to constant real time surveillance. Separately, the Limerick City and County Council (Council) had two drones in operation.

Holding

The DPC identified a total of 48 issues in the course of the inquiry. The most important issues determined that the Council:

a) had no lawful basis for the processing of personal data by CCTV cameras for traffic management purposes;

b) lacked a lawful basis for a number of CCTV cameras used for the purposes of countering crime;

c) lacked a lawful basis to carry out surveillance with CCTV cameras which employed Automatic Number Plate Recognition technology;

d) infringed Article 15 GDPR by rejecting subject access requests in respect of CCTV cameras used for traffic management purposes;

e) did not fulfil its transparency obligations under Article 13 GDPR by failing to erect signage in respect of its CCTV processing operations;

f) infringed Article 12 GDPR by failing to make its CCTV Policy more easily accessible and transparent.

The DPC exercised the following corrective powers:

a) A temporary ban on the processing of personal data with CCTV cameras at a number of locations used for the purposes of criminal law enforcement until a legal basis can be identified.

b) A temporary ban on the processing of personal data with CCTV cameras used for traffic management purposes until a legal basis can be identified.

c) An order to the Council to bring its processing of personal data into compliance taking certain actions specified in the decision.

d) A reprimand in respect of a number the Council’s infringements.

e) An administrative fine of €110,000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.