AKI (Estonia) - 2.1.-4/22/2585: Difference between revisions

From GDPRhub
Latest revision as of 09:40, 11 January 2023

AKI - 2.1.-4/22/2585
Authority: AKI (Estonia)
Jurisdiction: Estonia
Relevant Law: Article 5 GDPR
Article 6(1) GDPR
Type: Investigation
Outcome: Violation Found
Started: 28.10.2022
Decided: 06.12.2022
Published: 06.12.2022
Fine: n/a
Parties: OÜ Laidoneri KV
National Case Number/Name: 2.1.-4/22/2585
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Estonian
Original Source: AKI (Estonia) (in ET)
Initial Contributor: Norman Aasma

The Estonian DPA held that using CCTV cameras to monitor employees cannot be based on consent, but only on legitimate interest under Article 6(1)(f) GDPR provided that a valid interest assessment had been carried out.

English Summary

Facts

A hotel company, OÜ Laidoneri KV (the controller), installed CCTV cameras visible in three external corners of its Park Hotel Viljandi, the public spaces on the ground floor as well as in the kitchen and the basement floor. The cameras monitored the employees of the hotel (data subjects).

On its own initiative, the Estonian DPA started an investigation with the aim of finding out on what legal basis and for what purpose the CCTV cameras were used. During the proceedings, the controller explained that it used consent as a legal basis through the installation of information signs on the walls of the building, notifying data subjects that surveillance cameras were active.

Holding

First, the DPA recalled that according to Article 5(1)(a) GDPR, personal data processing must have a valid legal basis under Article 6(1) GDPR. As a general rule, the processing of personal data in an employment relationship can be lawful if it is related to the performance of a contractual obligation or a legal duty owed to the employer, or if it is in the legitimate interest of the employer or a third party. In the present case, the DPA stated that the fulfilment of contractual obligations can only be invoked for processing operations which are actually necessary for the employer to perform the employment contract, which the use of cameras certainly was not.

The DPA also rejected the argument of the controller that the processing of personal data could be based on Article 6(1)(a) GDPR. The investigation revealed that the signs informing about the usage of CCTV cameras were not suitable as they lacked necessary information about the aim of the video surveillance, no legal basis was mentioned, and no information was provided about the controller.

Therefore, the only possible legal basis would be legitimate interest under Article 6(1)(f) GDPR. However, in order to invoke this legal basis, an assessment must be carried out, showing that the interest of the controller outweighs the interests, fundamental rights and freedoms of the data subjects. For example, cameras cannot be used because of a hypothetical threat. Additionally, according to Article 5(2) GDPR, the controller must be able to prove the lawfulness of processing.

The DPA concluded that the controller had no valid legal basis for the monitoring of its employees via CCTV cameras and ordered the controller, under Article 58(2)(d) GDPR, to discontinue the use of video surveillance.


English Machine Translation of the Decision

The decision below is a machine translation of the Estonian original. Please refer to the Estonian original for more details.

PRIVACY PROTECTION AGAINST STATE TRANSPARENCY








                              PRESCRIPTION WARNING
                       personal data protection case no. 2.1.-4/22/2585




Geili Keppi, a lawyer from the Data Protection Inspectorate, made the order

Time and place of prescription: 06.12.2022 in Tallinn
Addressee of the prescription - personal data processor: OÜ Laidoner KV, registry code 12955595, Viljandi county, Viljandi city, J. Laidoneri plats 8, 71020, e-mail address: park@parkhotelviljandi.ee
Personal data processor responsible official: Member of the Board



RESOLUTION:
§ 56 subsection 1, subsection 2 clause 8, § 58 subsection 1 of the Personal Data Protection Act and personal data
on the basis of Article 58(2)(d) of the General Regulation on Protection (IKÜM), considering the IKÜM
with articles 5, 6 and 12-14, I make a mandatory prescription for compliance:

Stop the use of cameras on the territory of OÜ Laidoner KV until it is fulfilled
the following points:

    1. a legitimate interest analysis has been prepared regarding the use of cameras accordingly
       The instructions prepared by the inspection and which meet the requirements of IKÜM
       Approved by the Data Protection Inspectorate;
    2. data protection conditions have been drawn up, which meet the requirements of IKÜM
       Approved by the Data Protection Inspectorate.

I set the deadline for the execution of the order as 20.12.2022.


Report compliance with the order to the Data Protection Inspectorate by this deadline at the latest.

DISPUTE REFERENCE:
This order can be challenged within 30 days by submitting either:
- appeal to the Data Protection Inspectorate under the Administrative Procedure Act or
- a complaint to the Tallinn Administrative Court in accordance with the Code of Administrative Court Procedure (in this case it is not possible
  to review an argument on the same matter).

Challenging an injunction does not suspend the obligation to fulfill it or the measures necessary for its fulfillment
implementation.

EXTORTION ALERT:
If the injunction has not been fulfilled by the set deadline, the Data Protection Inspectorate will determine
extortion money to the addressee of the injunction on the basis of § 40 (2) of the Personal Data Protection Act
in points 1-2 for failure to fulfill each obligation in the amount of 2000 euros.
The penalty may be imposed repeatedly - until the injunction is fulfilled. If the recipient does not pay
extortion money, it is forwarded to the bailiff to start enforcement proceedings. In this case, they are added
bailiff's fee and other enforcement costs for the enforcement money.

Tatari tn 39 / 10134 Tallinn / 627 4135 / info@aki.ee / www.aki.ee
Registration code 70004235


FACTUAL DISTRIBUTIONS:

On 28.10.2022, AKI initiated a self-initiated supervision procedure, the purpose of which was to
explain on what legal basis and purpose the legal entity uses OÜ Laidoner
KV, cameras with registry code 12955595.

OÜ Laidoneri KV explained in the letter sent on 02.11.2022 that the cameras of Park Hotell Viljandi are
visibly installed in the three outer corners of the house (the farmyard, the front door and the other side of the house),
to the public spaces on the first floor (inner atrium and restaurant) and to the one on the basement floor
to the kitchen.

Insofar as AKI was not provided with a legitimate interest analysis carried out prior to the use of the cameras,
then on 18.11.2022 AKI made a proposal to Laidoneri KV OÜ in the matter of personal data protection, incl.
explaining that, understandably, they relied on the General Regulation on Personal Data Protection in their response
(hereinafter IKÜM) Article 6 paragraph 1 point a, according to which the processing of personal data
(the use of video cameras) the legal basis is the consent of the persons. Data Protection Inspectorate
consequently proposed to OÜ Laidoner KV to stop using video surveillance and
delete the existing recordings, as KV Laidoneri OÜ does not have a verified legal
a basis for using video surveillance and send a confirmation of this to the inspection at the latest
24.11.2022.


In the proposal, AKI explained, among other things, why consent given in employment relationships is not considered
for voluntarily given consent and why cameras cannot be used on this legal basis
rely on use.

OÜ Laidoneri KV responded to the proposal made by AKI on 21.11.2022 and continued to confirm that
however, the use of cameras is based on the consent of employees;

As it became clear during the supervision procedure that the signs informing about the cameras do not correspond
requirements, then in the proposal made on 18.11.2022, the inspection asked to create also those that meet the requirements
notification signs, in case KV Laidoneri OÜ still wants to use video surveillance. For inspection
images of notification signs were transmitted, but these signs did not indicate the purpose of video surveillance,
to the legal basis and controller. There was also no indication of where and how
the customer/employee can find the data protection conditions.

OÜ Laidoneri KV explained in its response to the inspection's proposal submitted on 21.11.2022 that their
it is estimated that the existing notification signs are sufficient, as they are installed on the walls of the house and
it is understood that they refer to the cameras in this house. However, KV Laidoneri forwarded
OÜ 29.11.2022 pictures of notification labels prepared by the Data Protection Inspectorate
developed with video surveillance tag generator.


PERSONAL DATA PROCESSOR EXPLANATION:
In the response to AKI's proposal submitted on 21.11.2022, KV Laidoneri OÜ explained, among other things,
the following: "As I have explained many times, the people who work in our building have given
verbal consent (you may be surprised, but completely voluntarily) that they understand which ones
purposes, we have surveillance cameras in our house. The aim is to ensure that those staying in the territory
the safety of people and the house. Notification signs have been installed and photos have been sent to you.
Notification signs are installed on the walls of the house (indicating video surveillance) and you can get out of there
read that they apply to this house, as they are installed on the walls, doors, fence and
interior rooms. There has never been any indication in previous answers that notification labels should have
the additional information mentioned in your last letter, and I have also not come across it in the cityscape of Viljandi
video surveillance labels with additional information: purpose of processing, legal basis, person responsible
the name and contact details of the processor and information where the data protection conditions can be found."


GROUNDS FOR DATA PROTECTION INSPECTION:

    1. According to Article 5 of the General Regulation on the Protection of Personal Data (GPR), data processing must be
       legal. The processing of personal data is legal only if there is an IKÜM
       of the legal bases given in Article 6.

    2. According to article 6 paragraph 1 of the IKÜM, the processing of personal data is legal only if
       there is a legal basis provided for in the said article. As a rule, in an employment relationship
       the processing of personal data be lawful if it is related to contractual obligations or
       to the employer by fulfilling the obligations arising from the law or if it is an employer or
       with the legitimate interest of a third party. We note here that contractual obligations
       compliance can only be relied upon for such processing operations as are real
       necessary for the employer to fulfill the employment contract, which must be the use of cameras
       can not. There is also no obligation arising from the law that would oblige KV in this case
       Laidoneri OÜ to use camera surveillance. So in this case there are cameras
       use is possible only in case of legitimate interest (IKÜM art. 6 paragraph 1 p f). Legitimate
       However, when relying on interest, a legitimate interest assessment must have been carried out
       in terms of use. Information about this was sent by AKI on 18.11.2022
       in proposal No. 2.1.-4/22/2585. In addition, AKI also explained why not in the mentioned proposal
       can rely on the consent of employees when using cameras.
    3. Because the monitoring of persons by means of a camera infringes the integrity of private life to a significant extent and theirs
       use is only possible if there is a legitimate interest, then it is important that it is over
       evaluation of the legitimate interest carried out, which shows that the interest of the data processor outweighs it
       interests or fundamental rights and freedoms of the data subject. In a situation where it is not, no
       the use of cameras is also not allowed. According to article 5 paragraph 2 of the IKÜM, must
       data processor to prove the legality of data processing. How to assess legitimate interest,
       we have explained in the guide.

    4. The assessment of legitimate interest is not just for filling out forms. It is aimed at everyone
       clearly explain why it is necessary to use just so much and in such cases
       cameras in locations. What purpose do cameras serve and why no other
       the measure is not sufficient. The objectives must be stated precisely, e.g. an abstract reference is not suitable
       "to monitor processes" or "to ensure security". When the camera is used early
       for protection, then it is necessary to describe exactly what the threat to the property is and why it is a threat
       realistic (references to past events). Cameras cannot be used
       because of a hypothetical threat. You must write down all the purposes for which the cameras are actually used
       is used.

    5. Then it is necessary to specifically justify why the cameras are installed in these
       places and which cameras are used. Caused by camera surveillance
       to reduce friction, they must be directed only to a specific problem area.
       Unnecessary part of the camera's field of view must be blurred or covered.

    6. Once the above is done, it is necessary to explain what effect the cameras have on the employees.
       How long the recordings are kept and by whom also affects the extent of the encroachment on the rights of employees
       have access to them. Among other things, stress caused by constant stress must be taken into account
       being under surveillance.

    7. AKI explained in the proposal, among other things, that consent cannot be relied upon in an employment relationship
       to the legal basis, insofar as it is a subordination relationship and in such a case it is
       it is unlikely that the person gave consent voluntarily. Europe too
       of the Data Protection Board in its directive on personal data via video devices
       processing ("Guidelines 3/2019 on processing of personal data through video devices")
       reached the same conclusion, and the Data Protection Inspectorate is based on Europe
       of the guidelines of the Data Protection Board. In addition, we also explained that if a situation should arise
       (on the example of OÜ KV Laidoner), where one employee gives his own consent to the processing of his data
       does not give or withdraws it later (this right derives from Article 7, paragraph 3 of IKÜM), then
       theoretically, he should also not be in the field of view of the camera, which is why the employer has
       the obligation to close the camera at any moment when the employee is in front of the camera (which is
       impossible in reality). In addition, the use of consent is for cameras
       problematic also because persons who are not in the field of view of the cameras also remain
       employees and it is not vitally plausible that KV Laidoneri OÜ as a data processor from them
       obtains consent from individuals each time. In this case, cameras are used
       therefore, without a legal basis - illegally.

    8. When using cameras, the appropriate ones must also be installed
       notice labels with a more detailed reference to the data processor's data protection conditions.
       KV Laidoneri OÜ explained in the initial response to AKI that the information labels were theirs
       considered suitable, because they were installed on the wall of the house, and therefore it was understood
       get that they are about this house. In addition, according to KV Laidoneri OÜ, there is no AKI before
       making the proposal referred to the information that must be on the information labels. At this point
       we note that AKI already referred to the video surveillance tag generator developed by AKI
       in the first inquiry. The information label must have information about who is responsible
       processor, what is the purpose of personal data processing and its legal basis, and also
       contact details of the data controller. 29.11.2022 transmitted by KV Laidoneri OÜ
       to the inspection, pictures of the new installed signs, which show that the signs have
       necessary information. However, it is confusing that the labels refer to it as a legal basis
       on the basis of legitimate interest. At the same time, KV Laidoneri OÜ has been repeatedly involved in the proceedings
       referred as if the use of video surveillance was based on the consent of individuals.

    9. Taking into account the above, personal data is currently being processed
       (filming) by OÜ KV Laidoner illegal because it does not comply with IKÜM 5, 6, 12 and 13
       requirements.

    10. According to IKS § 58 paragraph 1 and IKÜ Article 58 paragraph 2 points d and f, it is
       the inspectorate has the right to order the data processor to carry out the processing of personal data
       actions in a certain way and within a certain time to comply with the provisions of the IKÜM, right
       establish a temporary or permanent restriction on the processing of personal data, including a ban on processing.

    11. At the end of the proposal, AKI pointed out that the Data Protection Inspectorate has
       right according to IKS § 56 (2) point 8, § 58 (1) and protection of personal data
       on the basis of Article 58 (2) of the General Regulation, issue an injunction to the processor of personal data if
       the personal data processor has violated the personal data protection processing requirements.

    12. Taking into account the circumstances that personal data is currently being processed illegally and OÜ
       KV Laidoneri has not shown a willingness to harmonize data processing in IKÜM
       with the stated requirements, then the inspection considers that the mandatory injunction has been granted
       in the matter is necessary in order to end the offense as soon as possible and to ensure
       protection of privacy of individuals. Therefore, the inspection makes a mandatory prescription
       stop the use of surveillance cameras on the territory of OÜ KV Laidoner until the company
       fulfills the obligations imposed by IKÜM to perform such data processing.


(signed digitally)
Geili Kepp
lawyer
on the authority of the Director General


