HDPA (Greece) - 50/2022: Difference between revisions
(Short summary: • When a fine is imposed, mention it in the short summary • Otherwise well written short summary that mentions the most important takeaways from the decision, however I made it focus more on the specific GDPR violations in this case. d Facts: • Added more details to the facts, such as what was the purpose of the surveillance system, what were the arguments submitted by the controller • Assign GDPR roles to the parties involved – who was the data subject/complainant and who is the) |
m (Ar moved page HDPA (Greece) - Decision 50/2022 to HDPA (Greece) - 50/2022) |
||
(4 intermediate revisions by 2 users not shown) | |||
Line 11: | Line 11: | ||
|Original_Source_Name_1=Hellenic DPA | |Original_Source_Name_1=Hellenic DPA | ||
|Original_Source_Link_1=https://www.dpa.gr/sites/default/files/2022-10/50_2022% | |Original_Source_Link_1=https://www.dpa.gr/sites/default/files/2022-10/50_2022%20anonym.pdf | ||
|Original_Source_Language_1=Greek | |Original_Source_Language_1=Greek | ||
|Original_Source_Language__Code_1=EL | |Original_Source_Language__Code_1=EL | ||
Line 40: | Line 40: | ||
|GDPR_Article_6=Article 13 GDPR | |GDPR_Article_6=Article 13 GDPR | ||
|GDPR_Article_Link_6=Article 13 GDPR | |GDPR_Article_Link_6=Article 13 GDPR | ||
|GDPR_Article_7=Article | |GDPR_Article_7=Article 58(2)(i) GDPR | ||
|GDPR_Article_Link_7=Article | |GDPR_Article_Link_7=Article 58 GDPR | ||
|GDPR_Article_8= | |GDPR_Article_8= | ||
|GDPR_Article_Link_8= | |GDPR_Article_Link_8= | ||
Line 84: | Line 84: | ||
=== Facts === | === Facts === | ||
A former teacher (the data subject) at a private | A former teacher (the data subject) at a private primary school (the controller) submitted a complaint to the Greek DPA regarding a video surveillance system in the classrooms, which had been recording them without knowledge or consent. The DPA started proceedings to examine the lawfulness of the processing. | ||
The controller submitted that the video surveillance system had been operating since 2007 in order to provide direct visual contact with dangerous places for students (courtyard, balconies) and to discourage possible intruders. According to the controller, persons with access to the transmitted video were the principal, owner and president of the school, via a computer located in their office. Moreover, persons entering the site were informed by signs and verbally about the existence of the video cameras. Similarly, teachers were informed about it verbally, allegedly with no objections. The controller stated that the legal basis for the processing of personal data related to the video cameras was legitimate interest. | The controller submitted that the video surveillance system had been operating since 2007 in order to provide direct visual contact with dangerous places for students (courtyard, balconies) and to discourage possible intruders. According to the controller, persons with access to the transmitted video were the principal, owner and president of the school, via a computer located in their office. Moreover, persons entering the site were informed by signs and verbally about the existence of the video cameras. Similarly, teachers were informed about it verbally, allegedly with no objections. The controller stated that the legal basis for the processing of personal data related to the video cameras was legitimate interest. | ||
Line 93: | Line 93: | ||
First, the DPA held that information to parents and employees on the operation of the system was incomplete because, according to the controller, it was given orally, in violation of [[Article 5 GDPR|Articles 5(1)(a) and (b)]] as well as [[Article 12 GDPR|Articles 12]] and [[Article 13 GDPR|13 GDPR]]. The controller was not able to prove that such information was given nor which categories of persons were informed. In particular, the DPA noted that children were not appropriately protected in this regard. | First, the DPA held that information to parents and employees on the operation of the system was incomplete because, according to the controller, it was given orally, in violation of [[Article 5 GDPR|Articles 5(1)(a) and (b)]] as well as [[Article 12 GDPR|Articles 12]] and [[Article 13 GDPR|13 GDPR]]. The controller was not able to prove that such information was given nor which categories of persons were informed. In particular, the DPA noted that children were not appropriately protected in this regard. | ||
Second, the DPA stated that the principle of purpose limitation ([[Article 5 GDPR|Article 5(1)(b) GDPR]]) was not respected, since the access to the transmitted image by the manager and employees, | Second, the DPA stated that the principle of purpose limitation ([[Article 5 GDPR|Article 5(1)(b) GDPR]]) was not respected, since the access to the transmitted image by the manager and employees, who were officially unauthorised parties, did not ensure that the purpose of the processing was exclusively the protection of persons and property. | ||
Third, the principle of accountability ([[Article 5 GDPR|Article 5(2) GDPR]]) was not respected because the controller did not keep activity records for the processing of personal data through the video surveillance system, but only provided them after the hearing. | |||
Fourth, with regards to the legal basis for processing, the DPA held that the controller had not ensured that there was an overriding legitimate interest for the installation of cameras to justify the interference with fundamental rights and freedoms of persons, as required by [[Article 6 GDPR|Article 6(1)(f) GDPR]]. The DPA reasoned that the controller's educational establishment was not so large as to justify the need to monitor remote points of the premises by using surveillance cameras instead of milder means. Hence, there was no valid legal basis for the operation of the system. | Fourth, with regards to the legal basis for processing, the DPA held that the controller had not ensured that there was an overriding legitimate interest for the installation of cameras to justify the interference with fundamental rights and freedoms of persons, as required by [[Article 6 GDPR|Article 6(1)(f) GDPR]]. The DPA reasoned that the controller's educational establishment was not so large as to justify the need to monitor remote points of the premises by using surveillance cameras instead of milder means. Hence, there was no valid legal basis for the operation of the system. | ||
Line 111: | Line 111: | ||
<pre> | <pre> | ||
Ave. Kifissias 1-3, 11523 Athens, Greece, T: 210 6475 600 - E: contact@dpa.gr - | |||
www.dpa.gr 2 | |||
"Iordanakeion Modern Schools SA" had surveillance cameras in the classrooms and | |||
was recorded repeatedly without having knowledge of the existence of the cameras | |||
and without its consent. | |||
The Directorate of Primary Education D' Athens by document No. | |||
G/EIS/8305/21-12-2021 also transmitted to the Authority a complaint of a ... teacher | |||
with the same content. | |||
The Authority sent a letter to the complainant company, No.G/EΞ/3/07-01- | |||
2022, informing it about the applicable legal framework, namely Regulation (EU) | |||
2016/679 on the protection of natural persons with regard to the processing of | |||
personal data (hereinafter "GDPR"), Law No. 4624/2019, Directive 1/2011, and | |||
Guideline 3/20191 of the EDPS on the processing of personal data through video | |||
capture devices. A specific questionnaire was included in the document in order to | |||
examine the accountability obligations of the GDPR with regard to the processing of | |||
personal data through the operation of a video surveillance system. | |||
The complainant company responded with the document No. G/EIS/1686/03- | |||
02-2022 in which it states, among other things, that the video surveillance system | |||
has been operating since 2007 in order to provide direct visual contact with | |||
dangerous places for students (courtyard, balconies) and to discourage would-be | |||
destroyers/intruders. These are fixed cameras, they do not transmit sound and the | |||
transmitted image is not recorded. The locations and fields of view of the cameras | |||
include the ground floor, exterior and courtyard areas and fields of the adjacent | |||
sports facilities, the exterior corridors on the balconies of the three floors, the | |||
exterior courtyard area of the 4ου floor, and the school auditorium. Access | |||
1 https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32019-processing- | |||
personal-data-through-video_el | |||
Ave. Kifissias 1-3, 11523 Athens, Greece, T: 210 6475 600 - E: contact@dpa.gr - | |||
www.dpa.gr 3 | |||
to the transmitted image has the principal, owner and president of the school, via a | |||
computer located in his office. The owner and president of the school made the | |||
decision to install the system. | |||
Natural persons entering the site are informed by signs and verbally about | |||
the existence of the video surveillance system. Teachers shall be informed at the | |||
time of their recruitment. Attached are teachers' affidavits, dated 21-1-2022, in | |||
which they certify that they are aware of and have no objection to the video | |||
surveillance system and that there are no cameras in the classrooms. He finally | |||
stated that he does not keep records of activities. | |||
Subsequently, in order to complete its examination of the case, the Authority | |||
invited the complainant company by letter No. C/EXE/434/15-02-2022 to the | |||
meeting of the Department on 2-3-2022. Present at this meeting were, Millas | |||
Dimitrios, with ID ..., A, ... ... and B, ... ... ... | |||
Following the meeting, the complainant company submitted a request for a | |||
hearing, ref. C/EIS/4348/15-3-2022, in which, in addition to the reference to the | |||
mode of operation of the video surveillance system, the following additional | |||
information was submitted: (a) a resolution of the Teachers' Association dated 04- | |||
03-2022, which shows that the elementary - high school grades concerned by the | |||
said system have been consulted with the owner, informed and accept the decision | |||
of the owner - the competent representative body of the Company to operate a | |||
video surveillance system without data recording; (b) a data protection impact | |||
assessment (DIA), which assesses the use of the video surveillance system on the | |||
legal basis of the overriding legitimate interest in the protection of property and | |||
health and which documents the lawfulness of each camera; c) activity records in | |||
accordance with the Authority's template, in electronic form; d) notification texts to | |||
staff on the principles of GDPR in general, on the type of data processed by the | |||
complainant company as a controller under the contract | |||
Ave. Kifissias 1-3, 11523 Athens, Greece, T: 210 6475 600 - E: contact@dpa.gr - | |||
www.dpa.gr 4 | |||
the specific legal basis for video surveillance without keeping an image file, the rights | |||
of workers and how to exercise them. | |||
The Authority, after considering the evidence on the file, after hearing the | |||
rapporteur and clarifications from the co-rapporteur, who was present without the | |||
right to vote, after an extensive discussion, | |||
THOUGHT IN ACCORDANCE WITH THE LAW | |||
1. The installation and operation of video surveillance systems with the capture | |||
and/or recording of images and/or sound through the collection, preservation, | |||
storage, access and transmission of personal data, constitute, as individual | |||
processing operations, interference with the individual rights to respect for | |||
privacy under Art. 9 S., 7 TFEU2 and 8 ECHR as well as the protection of personal | |||
data pursuant to Articles 5 S., 7 CPC and 8 ECHR. 9A CP, 8 ECHR and 8 TFEU3, as | |||
considered by the Authority in its Opinion No 3/2020. | |||
2. In accordance with the CPCS Guidelines 3/2019 on the processing of personal | |||
data through video devices4, in order to determine the lawfulness of the | |||
installation and operation of the video surveillance system, the cumulative | |||
requirements of Articles 5 and 6 para. 1 GDPR and the legality of the processing | |||
must be documented internally at an earlier stage of the installation and | |||
operation of the system and, in fact, when determining the purpose of the | |||
processing, a relevant assessment may be required for each camera separately, | |||
depending on its location. In particular, these Guidelines set out the following: "α | |||
(...) 5. Video surveillance is by definition not necessary if other means are | |||
available to achieve the | |||
2 CJEU Digital Rights Ireland para. 29. | |||
3 CJEU Digital Rights Ireland para. 38. | |||
4 https://edpb.europa.eu/our-worktools/ourdocuments/guidelines/guidelines-32019-processing- | |||
personal-data-through-video_el | |||
Ave. Kifissias 1-3, 11523 Athens, Greece, T: 210 6475 600 - E: contact@dpa.gr - | |||
www.dpa.gr 8 | |||
and 5 par. 2(b) of the GDPR, because the complainant is not able to prove that | |||
such oral information was given and even if it is accepted that oral information | |||
was given, it does not cover every category of subjects, in particular children, | |||
employees and visitors to the premises, not meeting the requirements of | |||
transparency and accountability. | |||
8. The principle of purpose limitation is not respected, since the access to the | |||
transmitted image by the manager and employer does not clearly show or | |||
technically ensure that the purpose of the processing is exclusively the protection | |||
of persons and property. | |||
9. The principle of accountability was not respected with regard to documentation | |||
through the keeping of activity records, in breach of Articles 5(5)(a) and (b) of the | |||
EC Treaty. The controller did not keep activity records for the processing of | |||
personal data through the video-surveillance system, but only provided them | |||
after the hearing. | |||
10. In the light of the above, the Authority considers that it is appropriate to exercise | |||
the remedies provided for in Article 58(1) of the EEA Agreement. 2 of the GDPR | |||
in relation to the infringements found. The Authority also considers that, in the | |||
light of the circumstances found, it is appropriate to impose, in application of the | |||
provision of Article 58(1) of the GGC, a fine in accordance with the provisions of | |||
Article 58(1) of the GGC. 2(i) of the GDPR, the effective, proportionate and | |||
dissuasive administrative fine provided for in Article 83 of the GDPR, both to | |||
remedy compliance and to punish the unlawful conduct. | |||
11. Furthermore, the Authority took into account the criteria for the calculation of | |||
the fine set out in Article 83(1)(a) of the EEA Agreement. 2 of the GDPR, | |||
paragraph 5(a) and (b) of the same article, which have | |||
applicable in present case and the Guidelines on the | |||
application and determination of administrative fines for the purposes of | |||
Regulation 2016/679 adopted on 03- 10-2017 by the Article 29 Working Party (WP | |||
253), as well as the facts of the case under consideration, in particular: | |||
(a) the nature, gravity and duration of the infringement, in view of the nature, | |||
gravity and duration of the infringement; | |||
Ave. Kifissias 1-3, 11523 Athens, Greece, T: 210 6475 600 - E: contact@dpa.gr - | |||
www.dpa.gr 9 | |||
the scope or purpose of the processing in question, as well as the number of data | |||
subjects affected by the breach and the degree of damage suffered by them, and in | |||
particular: | |||
i. the fact that the controller has infringed the obligations laid down in Article | |||
5(5)(a) and (b); 1(a) of the GDPR, the principles of legality, objectivity and | |||
transparency and, in addition, the principle of purpose limitation under Article | |||
5(1)(a) of the GDPR. 1(b) and the obligation (principle) of accountability under | |||
Article 5(1)(b). 2 of the GDPR, that is to say, it has infringed the fundamental | |||
principles of the GDPR on the protection of personal data, | |||
ii. the fact that compliance with the principles laid down by the provisions of | |||
Article 5(5)(a)(ii) of the Directive. 1(a) and (b). 2 of the GDPR are of fundamental | |||
importance, first and foremost the principle of lawfulness, objectivity and | |||
transparency, so that if that principle is lacking, the processing becomes unlawful | |||
in principle, even if the other processing principles have been complied with. | |||
Similarly, both the purpose limitation principle and the principle of accountability | |||
in the context of the new compliance model introduced by the GDPR, where the | |||
burden of compliance and responsibility lies with the controller, who has been | |||
provided by the GDPR with the necessary compliance tools, | |||
iii. the fact that the controller has failed to comply with the requirements of the | |||
processing principles in Article 5(5); 1(a) and (b) of the GDPR and, in addition, | |||
failed to document in the context of compliance the lawfulness of the video | |||
surveillance system, | |||
iv. the fact that the infringement of the above principles is subject to the | |||
provisions of Article 83 para. 5(a) of the GDPR to the highest category provided | |||
for in the system of graduated administrative fines, | |||
v. the fact that, from the information brought to the attention of the Authority, | |||
no material damage to the data subjects has occurred, | |||
vi. the fact that the infringement of the principles of Article 5(5)(b) of the ECHR is | |||
not justified. 1(a), (b) and (c). 2 of the GDPR did not apply, on the basis of the | |||
evidence brought to the Authority's attention, | |||
Ave. Kifissias 1-3, 11523 Athens, Greece, T: 210 6475 600 - E: contact@dpa.gr - | |||
www.dpa.gr 10 | |||
personal data under Articles 9 and 10 of the GDPR, but concerns children, who | |||
require specific protection with regard to personal data (recital 38 and Article | |||
6(1)(f) of the GDPR). | |||
vii. the fact that the system and the cameras in question had been installed and | |||
operated illegally since 2007, while even after the application of the GDPR no | |||
compliance action was found until the Authority's intervention; b) the degree of | |||
fault of the controller. The installation and operation of the video surveillance | |||
system in violation of the principles of legality, objectivity and transparency, | |||
purpose limitation as well as accountability was the result of insufficient | |||
knowledge and application of the provisions of the GDPR attributable to | |||
negligence and therefore mitigating circumstances are taken into account in | |||
relation to the possibility that it may have occurred fraudulently. | |||
(c) any actions taken by the controller to mitigate the damage suffered by data | |||
subjects and the extent of cooperation with the Authority to remedy the breach | |||
and mitigate its possible adverse effects. The complainant took steps to document | |||
the processing and comply with the GDPR after the hearing and its cooperation | |||
with the Authority has been satisfactory. | |||
(d) any relevant previous infringements by the controller. An audit shows that the | |||
complainant company has not yet been subject to an administrative sanction by | |||
the Authority. | |||
(e) the categories of personal data affected by the breach. It is not personal data | |||
within the meaning of Articles 9 and 10 of the GDPR, according to the information | |||
brought to the attention of the Authority, but it concerns children, who require | |||
specific protection with regard to personal data (recital 38 and Article 6(1)(f) of | |||
the GDPR). | |||
(f) the size of the company. | |||
In the light of the above, the Authority unanimously considers that the following | |||
should be imposed on | |||
Ave. Kifissias 1-3, 11523 Athens, Greece, T: 210 6475 600 - E: contact@dpa.gr - | |||
www.dpa.gr 11 | |||
the complainant company as controller, the administrative penalty referred to in the | |||
operative part of the decision, which shall be proportionate to the gravity of the | |||
infringement. | |||
FOR THESE REASONS | |||
The | |||
Authori | |||
ty | |||
Α. Instructs the complainant company named "Iordanakeion Modern Schools SA" as | |||
the controller, to uninstall the cameras within one (1) month from the receipt of this | |||
notice and to inform the Authority in writing. | |||
Β. Impose on the complainant company named "Iordanakion Modern Educational | |||
Schools SA" the effective, proportionate and deterrent administrative fine | |||
appropriate in this case, according to the specific circumstances of this, amounting to | |||
fifteen thousand (15.000,00) euros for the above violations of Articles 5 par. 1(a), 5 | |||
par. 1(b) and 5(1)(b) and 5(b). 2, and Articles 6, 12, 13 and 30 of the GDPR. | |||
</pre> | </pre> |
Latest revision as of 15:32, 6 December 2023
HDPA - Decision 50/2022 | |
---|---|
Authority: | HDPA (Greece) |
Jurisdiction: | Greece |
Relevant Law: | Article 5(1)(b) GDPR Article 5(1)(a) GDPR Article 5(2) GDPR Article 6(1)(f) GDPR Article 12 GDPR Article 13 GDPR Article 58(2)(i) GDPR Guidelines 3/2019 on processing of personal data through video devices Law 4624/2019 |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 09.09.2022 |
Published: | 09.09.2022 |
Fine: | 15.000 EUR |
Parties: | Private school Individual-Ex-employee |
National Case Number/Name: | Decision 50/2022 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Greek |
Original Source: | Hellenic DPA (in EL) |
Initial Contributor: | Anastasia Tsermenidou |
The Greek DPA imposed a €15,000 fine on a private school for installing a video surveillance system which, among others, did not respect the purpose limitation and accountability principles.
English Summary
Facts
A former teacher (the data subject) at a private primary school (the controller) submitted a complaint to the Greek DPA regarding a video surveillance system in the classrooms, which had been recording them without knowledge or consent. The DPA started proceedings to examine the lawfulness of the processing.
The controller submitted that the video surveillance system had been operating since 2007 in order to provide direct visual contact with dangerous places for students (courtyard, balconies) and to discourage possible intruders. According to the controller, persons with access to the transmitted video were the principal, owner and president of the school, via a computer located in their office. Moreover, persons entering the site were informed by signs and verbally about the existence of the video cameras. Similarly, teachers were informed about it verbally, allegedly with no objections. The controller stated that the legal basis for the processing of personal data related to the video cameras was legitimate interest.
In its decision, the DPA considered the legal basis for processing as well as compliance with general data processing principles and data subject rights.
Holding
First, the DPA held that information to parents and employees on the operation of the system was incomplete because, according to the controller, it was given orally, in violation of Articles 5(1)(a) and (b) as well as Articles 12 and 13 GDPR. The controller was not able to prove that such information was given nor which categories of persons were informed. In particular, the DPA noted that children were not appropriately protected in this regard.
Second, the DPA stated that the principle of purpose limitation (Article 5(1)(b) GDPR) was not respected, since the access to the transmitted image by the manager and employees, who were officially unauthorised parties, did not ensure that the purpose of the processing was exclusively the protection of persons and property.
Third, the principle of accountability (Article 5(2) GDPR) was not respected because the controller did not keep activity records for the processing of personal data through the video surveillance system, but only provided them after the hearing.
Fourth, with regards to the legal basis for processing, the DPA held that the controller had not ensured that there was an overriding legitimate interest for the installation of cameras to justify the interference with fundamental rights and freedoms of persons, as required by Article 6(1)(f) GDPR. The DPA reasoned that the controller's educational establishment was not so large as to justify the need to monitor remote points of the premises by using surveillance cameras instead of milder means. Hence, there was no valid legal basis for the operation of the system.
Considering the above-mentioned violations, the DPA ordered the controller to uninstall the cameras within one month of the receipt of the notice. Furthemore, the DPA used its powers under Article 58(2)(i) GDPR and imposed a €15,000 fine on the controller.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Ave. Kifissias 1-3, 11523 Athens, Greece, T: 210 6475 600 - E: contact@dpa.gr - www.dpa.gr 2 "Iordanakeion Modern Schools SA" had surveillance cameras in the classrooms and was recorded repeatedly without having knowledge of the existence of the cameras and without its consent. The Directorate of Primary Education D' Athens by document No. G/EIS/8305/21-12-2021 also transmitted to the Authority a complaint of a ... teacher with the same content. The Authority sent a letter to the complainant company, No.G/EΞ/3/07-01- 2022, informing it about the applicable legal framework, namely Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (hereinafter "GDPR"), Law No. 4624/2019, Directive 1/2011, and Guideline 3/20191 of the EDPS on the processing of personal data through video capture devices. A specific questionnaire was included in the document in order to examine the accountability obligations of the GDPR with regard to the processing of personal data through the operation of a video surveillance system. The complainant company responded with the document No. G/EIS/1686/03- 02-2022 in which it states, among other things, that the video surveillance system has been operating since 2007 in order to provide direct visual contact with dangerous places for students (courtyard, balconies) and to discourage would-be destroyers/intruders. These are fixed cameras, they do not transmit sound and the transmitted image is not recorded. The locations and fields of view of the cameras include the ground floor, exterior and courtyard areas and fields of the adjacent sports facilities, the exterior corridors on the balconies of the three floors, the exterior courtyard area of the 4ου floor, and the school auditorium. Access 1 https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32019-processing- personal-data-through-video_el Ave. Kifissias 1-3, 11523 Athens, Greece, T: 210 6475 600 - E: contact@dpa.gr - www.dpa.gr 3 to the transmitted image has the principal, owner and president of the school, via a computer located in his office. The owner and president of the school made the decision to install the system. Natural persons entering the site are informed by signs and verbally about the existence of the video surveillance system. Teachers shall be informed at the time of their recruitment. Attached are teachers' affidavits, dated 21-1-2022, in which they certify that they are aware of and have no objection to the video surveillance system and that there are no cameras in the classrooms. He finally stated that he does not keep records of activities. Subsequently, in order to complete its examination of the case, the Authority invited the complainant company by letter No. C/EXE/434/15-02-2022 to the meeting of the Department on 2-3-2022. Present at this meeting were, Millas Dimitrios, with ID ..., A, ... ... and B, ... ... ... Following the meeting, the complainant company submitted a request for a hearing, ref. C/EIS/4348/15-3-2022, in which, in addition to the reference to the mode of operation of the video surveillance system, the following additional information was submitted: (a) a resolution of the Teachers' Association dated 04- 03-2022, which shows that the elementary - high school grades concerned by the said system have been consulted with the owner, informed and accept the decision of the owner - the competent representative body of the Company to operate a video surveillance system without data recording; (b) a data protection impact assessment (DIA), which assesses the use of the video surveillance system on the legal basis of the overriding legitimate interest in the protection of property and health and which documents the lawfulness of each camera; c) activity records in accordance with the Authority's template, in electronic form; d) notification texts to staff on the principles of GDPR in general, on the type of data processed by the complainant company as a controller under the contract Ave. Kifissias 1-3, 11523 Athens, Greece, T: 210 6475 600 - E: contact@dpa.gr - www.dpa.gr 4 the specific legal basis for video surveillance without keeping an image file, the rights of workers and how to exercise them. The Authority, after considering the evidence on the file, after hearing the rapporteur and clarifications from the co-rapporteur, who was present without the right to vote, after an extensive discussion, THOUGHT IN ACCORDANCE WITH THE LAW 1. The installation and operation of video surveillance systems with the capture and/or recording of images and/or sound through the collection, preservation, storage, access and transmission of personal data, constitute, as individual processing operations, interference with the individual rights to respect for privacy under Art. 9 S., 7 TFEU2 and 8 ECHR as well as the protection of personal data pursuant to Articles 5 S., 7 CPC and 8 ECHR. 9A CP, 8 ECHR and 8 TFEU3, as considered by the Authority in its Opinion No 3/2020. 2. In accordance with the CPCS Guidelines 3/2019 on the processing of personal data through video devices4, in order to determine the lawfulness of the installation and operation of the video surveillance system, the cumulative requirements of Articles 5 and 6 para. 1 GDPR and the legality of the processing must be documented internally at an earlier stage of the installation and operation of the system and, in fact, when determining the purpose of the processing, a relevant assessment may be required for each camera separately, depending on its location. In particular, these Guidelines set out the following: "α (...) 5. Video surveillance is by definition not necessary if other means are available to achieve the 2 CJEU Digital Rights Ireland para. 29. 3 CJEU Digital Rights Ireland para. 38. 4 https://edpb.europa.eu/our-worktools/ourdocuments/guidelines/guidelines-32019-processing- personal-data-through-video_el Ave. Kifissias 1-3, 11523 Athens, Greece, T: 210 6475 600 - E: contact@dpa.gr - www.dpa.gr 8 and 5 par. 2(b) of the GDPR, because the complainant is not able to prove that such oral information was given and even if it is accepted that oral information was given, it does not cover every category of subjects, in particular children, employees and visitors to the premises, not meeting the requirements of transparency and accountability. 8. The principle of purpose limitation is not respected, since the access to the transmitted image by the manager and employer does not clearly show or technically ensure that the purpose of the processing is exclusively the protection of persons and property. 9. The principle of accountability was not respected with regard to documentation through the keeping of activity records, in breach of Articles 5(5)(a) and (b) of the EC Treaty. The controller did not keep activity records for the processing of personal data through the video-surveillance system, but only provided them after the hearing. 10. In the light of the above, the Authority considers that it is appropriate to exercise the remedies provided for in Article 58(1) of the EEA Agreement. 2 of the GDPR in relation to the infringements found. The Authority also considers that, in the light of the circumstances found, it is appropriate to impose, in application of the provision of Article 58(1) of the GGC, a fine in accordance with the provisions of Article 58(1) of the GGC. 2(i) of the GDPR, the effective, proportionate and dissuasive administrative fine provided for in Article 83 of the GDPR, both to remedy compliance and to punish the unlawful conduct. 11. Furthermore, the Authority took into account the criteria for the calculation of the fine set out in Article 83(1)(a) of the EEA Agreement. 2 of the GDPR, paragraph 5(a) and (b) of the same article, which have applicable in present case and the Guidelines on the application and determination of administrative fines for the purposes of Regulation 2016/679 adopted on 03- 10-2017 by the Article 29 Working Party (WP 253), as well as the facts of the case under consideration, in particular: (a) the nature, gravity and duration of the infringement, in view of the nature, gravity and duration of the infringement; Ave. Kifissias 1-3, 11523 Athens, Greece, T: 210 6475 600 - E: contact@dpa.gr - www.dpa.gr 9 the scope or purpose of the processing in question, as well as the number of data subjects affected by the breach and the degree of damage suffered by them, and in particular: i. the fact that the controller has infringed the obligations laid down in Article 5(5)(a) and (b); 1(a) of the GDPR, the principles of legality, objectivity and transparency and, in addition, the principle of purpose limitation under Article 5(1)(a) of the GDPR. 1(b) and the obligation (principle) of accountability under Article 5(1)(b). 2 of the GDPR, that is to say, it has infringed the fundamental principles of the GDPR on the protection of personal data, ii. the fact that compliance with the principles laid down by the provisions of Article 5(5)(a)(ii) of the Directive. 1(a) and (b). 2 of the GDPR are of fundamental importance, first and foremost the principle of lawfulness, objectivity and transparency, so that if that principle is lacking, the processing becomes unlawful in principle, even if the other processing principles have been complied with. Similarly, both the purpose limitation principle and the principle of accountability in the context of the new compliance model introduced by the GDPR, where the burden of compliance and responsibility lies with the controller, who has been provided by the GDPR with the necessary compliance tools, iii. the fact that the controller has failed to comply with the requirements of the processing principles in Article 5(5); 1(a) and (b) of the GDPR and, in addition, failed to document in the context of compliance the lawfulness of the video surveillance system, iv. the fact that the infringement of the above principles is subject to the provisions of Article 83 para. 5(a) of the GDPR to the highest category provided for in the system of graduated administrative fines, v. the fact that, from the information brought to the attention of the Authority, no material damage to the data subjects has occurred, vi. the fact that the infringement of the principles of Article 5(5)(b) of the ECHR is not justified. 1(a), (b) and (c). 2 of the GDPR did not apply, on the basis of the evidence brought to the Authority's attention, Ave. Kifissias 1-3, 11523 Athens, Greece, T: 210 6475 600 - E: contact@dpa.gr - www.dpa.gr 10 personal data under Articles 9 and 10 of the GDPR, but concerns children, who require specific protection with regard to personal data (recital 38 and Article 6(1)(f) of the GDPR). vii. the fact that the system and the cameras in question had been installed and operated illegally since 2007, while even after the application of the GDPR no compliance action was found until the Authority's intervention; b) the degree of fault of the controller. The installation and operation of the video surveillance system in violation of the principles of legality, objectivity and transparency, purpose limitation as well as accountability was the result of insufficient knowledge and application of the provisions of the GDPR attributable to negligence and therefore mitigating circumstances are taken into account in relation to the possibility that it may have occurred fraudulently. (c) any actions taken by the controller to mitigate the damage suffered by data subjects and the extent of cooperation with the Authority to remedy the breach and mitigate its possible adverse effects. The complainant took steps to document the processing and comply with the GDPR after the hearing and its cooperation with the Authority has been satisfactory. (d) any relevant previous infringements by the controller. An audit shows that the complainant company has not yet been subject to an administrative sanction by the Authority. (e) the categories of personal data affected by the breach. It is not personal data within the meaning of Articles 9 and 10 of the GDPR, according to the information brought to the attention of the Authority, but it concerns children, who require specific protection with regard to personal data (recital 38 and Article 6(1)(f) of the GDPR). (f) the size of the company. In the light of the above, the Authority unanimously considers that the following should be imposed on Ave. Kifissias 1-3, 11523 Athens, Greece, T: 210 6475 600 - E: contact@dpa.gr - www.dpa.gr 11 the complainant company as controller, the administrative penalty referred to in the operative part of the decision, which shall be proportionate to the gravity of the infringement. FOR THESE REASONS The Authori ty Α. Instructs the complainant company named "Iordanakeion Modern Schools SA" as the controller, to uninstall the cameras within one (1) month from the receipt of this notice and to inform the Authority in writing. Β. Impose on the complainant company named "Iordanakion Modern Educational Schools SA" the effective, proportionate and deterrent administrative fine appropriate in this case, according to the specific circumstances of this, amounting to fifteen thousand (15.000,00) euros for the above violations of Articles 5 par. 1(a), 5 par. 1(b) and 5(1)(b) and 5(b). 2, and Articles 6, 12, 13 and 30 of the GDPR.