AKI (Estonia) - 2.1.-4/22/2585
Latest revision as of 09:40, 11 January 2023
AKI - 2.1.-4/22/2585 | |
---|---|
Authority: | AKI (Estonia) |
Jurisdiction: | Estonia |
Relevant Law: | Article 5 GDPR Article 6(1) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 28.10.2022 |
Decided: | 06.12.2022 |
Published: | 06.12.2022 |
Fine: | n/a |
Parties: | OÜ Laidoneri KV |
National Case Number/Name: | 2.1.-4/22/2585 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Estonian |
Original Source: | AKI (Estonia) (in ET) |
Initial Contributor: | Norman Aasma |
The Estonian DPA held that using CCTV cameras to monitor employees cannot be based on consent, but only on legitimate interest under Article 6(1)(f) GDPR provided that a valid interest assessment had been carried out.
English Summary
Facts
A hotel company, OÜ Laidoneri KV (the controller), installed CCTV cameras visible in three external corners of its Park Hotel Viljandi, the public spaces on the ground floor as well as in the kitchen and the basement floor. The cameras monitored the employees of the hotel (data subjects).
On its own initiative, the Estonian DPA started an investigation with the aim of finding out on what legal basis and for what purpose the CCTV cameras were used. During the proceedings, the controller explained that it used consent as a legal basis through the installation of information signs on the walls of the building, notifying data subjects that surveillance cameras were active.
Holding
First, the DPA recalled that according to Article 5(1)(a) GDPR, personal data processing must have a valid legal basis under Article 6(1) GDPR. As a general rule, the processing of personal data in an employment relationship can be lawful if it is related to the performance of a contractual obligation or a legal duty owed to the employer, or if it is in the legitimate interest of the employer or a third party. In the present case, the DPA stated that the fulfilment of contractual obligations can only be invoked for processing operations which are actually necessary for the employer to perform the employment contract, which the use of cameras certainly was not.
The DPA also rejected the argument of the controller that the processing of personal data could be based on Article 6(1)(a) GDPR. The investigation revealed that the signs informing about the usage of CCTV cameras were not suitable as they lacked necessary information about the aim of the video surveillance, no legal basis was mentioned, and no information was provided about the controller.
Therefore, the only possible legal basis would be legitimate interest under Article 6(1)(f) GDPR. However, in order to invoke this legal basis, an assessment must be carried out, showing that the interest of the controller outweighs the interests, fundamental rights and freedoms of the data subjects. For example, cameras cannot be used because of a hypothetical threat. Additionally, according to Article 5(2) GDPR, the controller must be able to prove the lawfulness of processing.
The DPA concluded that the controller had no valid legal basis for the monitoring of its employees via CCTV cameras and ordered the controller, under Article 58(2)(d) GDPR, to discontinue the use of video surveillance.
English Machine Translation of the Decision
The decision below is a machine translation of the Estonian original. Please refer to the Estonian original for more details.
PRIVACY PROTECTION AGAINST STATE TRANSPARENCY
PRESCRIPTION WARNING personal data protection case no. 2.1.-4/22/2585
Geili Keppi, a lawyer from the Data Protection Inspectorate, made the order
Time of prescription and place 06.12.2022 in Tallinn
OÜ Laidoner KV registry code 12955595 Addressee of the prescription - Viljandi county, Viljandi city, J. Laidoneri plats 8, 71020 e-mail address of the personal data processor: park@parkhotelviljandi.ee Personal data processor Member of the Board responsible official
RESOLUTION: § 56 subsection 1, subsection 2 clause 8, § 58 subsection 1 of the Personal Data Protection Act and personal data on the basis of Article 58(2)(d) of the General Regulation on Protection (IKÜM), considering the IKÜM with articles 5, 6 and 12-14, I make a mandatory prescription for compliance: Stop the use of cameras on the territory of OÜ Laidoner KV until it is fulfilled the following points:
1. a legitimate interest analysis has been prepared regarding the use of cameras accordingly The instructions prepared by the inspection and which meet the requirements of IKÜM Approved by the Data Protection Inspectorate;
2. data protection conditions have been drawn up, which meet the requirements of IKÜM Approved by the Data Protection Inspectorate.
I set the deadline for the execution of the order as 20.12.2022. Report compliance with the order to the Data Protection Inspectorate by this deadline at the latest.
DISPUTE REFERENCE: This order can be challenged within 30 days by submitting either:
- appeal to the Data Protection Inspectorate under the Administrative Procedure Act or
- a complaint to the Tallinn Administrative Court in accordance with the Code of Administrative Court Procedure (in this case it is not possible to review an argument on the same matter).
Challenging an injunction does not suspend the obligation to fulfill it or the measures necessary for its fulfillment implementation.
EXTORTION ALERT: If the injunction has not been fulfilled by the set deadline, the Data Protection Inspectorate will determine extortion money to the addressee of the injunction on the basis of § 40 (2) of the Personal Data Protection Act in points 1-2 for failure to fulfill each obligation in the amount of 2000 euros.
Tatari tn 39 / 10134 Tallinn / 627 4135 / info@aki.ee / www.aki.ee Registration code 70004235
The penalty may be imposed repeatedly - until the injunction is fulfilled. If the recipient does not pay extortion money, it is forwarded to the bailiff to start enforcement proceedings. In this case, they are added bailiff's fee and other enforcement costs for the enforcement money.
FACTUAL DISTRIBUTIONS: On 28.10.2022, AKI initiated a self-initiated supervision procedure, the purpose of which was to explain on what legal basis and purpose the legal entity uses OÜ Laidoner KV, cameras with registry code 12955595.
OÜ Laidoneri KV explained in the letter sent on 02.11.2022 that the cameras of Park Hotell Viljandi are visibly installed in the three outer corners of the house (the farmyard, the front door and the other side of the house), to the public spaces on the first floor (inner atrium and restaurant) and to the one on the basement floor to the kitchen.
Insofar as AKI was not provided with a legitimate interest analysis carried out prior to the use of the cameras, then on 18.11.2022 AKI made a proposal to Laidoneri KV OÜ in the matter of personal data protection, incl. explaining that, understandably, they relied on the General Regulation on Personal Data Protection in their response (hereinafter IKÜM) Article 6 paragraph 1 point a, according to which the processing of personal data (the use of video cameras) the legal basis is the consent of the persons.
Data Protection Inspectorate consequently proposed to OÜ Laidoner KV to stop using video surveillance and delete the existing recordings, as KV Laidoneri OÜ does not have a verified legal a basis for using video surveillance and send a confirmation of this to the inspection at the latest 24.11.2022. In the proposal, AKI explained, among other things, why consent given in employment relationships is not considered for voluntarily given consent and why cameras cannot be used on this legal basis rely on use.
OÜ Laidoneri KV responded to the proposal made by AKI on 21.11.2022 and continued to confirm that however, the use of cameras is based on the consent of employees;
As it became clear during the supervision procedure that the signs informing about the cameras do not correspond requirements, then in the proposal made on 18.11.2022, the inspection asked to create also those that meet the requirements notification signs, in case KV Laidoneri OÜ still wants to use video surveillance. For inspection images of notification signs were transmitted, but these signs did not indicate the purpose of video surveillance, to the legal basis and controller. There was also no indication of where and how the customer/employee can find the data protection conditions.
OÜ Laidoneri KV explained in its response to the inspection's proposal submitted on 21.11.2022 that their it is estimated that the existing notification signs are sufficient, as they are installed on the walls of the house and it is understood that they refer to the cameras in this house. However, KV Laidoneri forwarded OÜ 29.11.2022 pictures of notification labels prepared by the Data Protection Inspectorate developed with video surveillance tag generator.
PERSONAL DATA PROCESSOR EXPLANATION: In the response to AKI's proposal submitted on 21.11.2022, KV Laidoneri OÜ explained, among other things, the following:
"As I have explained many times, the people who work in our building have given verbal consent (you may be surprised, but completely voluntarily) that they understand which ones purposes, we have surveillance cameras in our house. The aim is to ensure that those staying in the territory the safety of people and the house. Notification signs have been installed and photos have been sent to you. Notification signs are installed on the walls of the house (indicating video surveillance) and you can get out of there read that they apply to this house, as they are installed on the walls, doors, fence and interior rooms. There has never been any indication in previous answers that notification labels should have the additional information mentioned in your last letter, and I have also not come across it in the cityscape of Viljandi video surveillance labels with additional information: purpose of processing, legal basis, person responsible the name and contact details of the processor and information where the data protection conditions can be found."
GROUNDS FOR DATA PROTECTION INSPECTION:
1. According to Article 5 of the General Regulation on the Protection of Personal Data (GPR), data processing must be legal. The processing of personal data is legal only if there is an IKÜM of the legal bases given in Article 6.
2. According to article 6 paragraph 1 of the IKYM, the processing of personal data is legal only if there is a legal basis provided for in the said article. As a rule, in an employment relationship the processing of personal data be lawful if it is related to contractual obligations or to the employer by fulfilling the obligations arising from the law or if it is an employer or with the legitimate interest of a third party.
We note here that contractual obligations compliance can only be relied upon for such processing operations as are real necessary for the employer to fulfill the employment contract, which must be the use of cameras can not. There is also no obligation arising from the law that would oblige KV in this case Laidoneri OÜ to use camera surveillance. So in this case there are cameras use is possible only in case of legitimate interest (IKÜM art. 6 paragraph 1 p f). Legitimate However, when relying on interest, a legitimate interest assessment must have been carried out in terms of use. Information about this was sent by AKI on 18.11.2022 in proposal No. 2.1.-4/22/2585. In addition, AKI also explained why not in the mentioned proposal can rely on the consent of employees when using cameras.
3. Because the monitoring of persons by means of a camera infringes the integrity of private life to a significant extent and theirs use is only possible if there is a legitimate interest, then it is important that it is over evaluation of the legitimate interest carried out, which shows that the interest of the data processor outweighs it interests or fundamental rights and freedoms of the data subject. In a situation where it is not, no the use of cameras is also not allowed. According to article 5 paragraph 2 of the IKYM, must data processor to prove the legality of data processing. How to assess legitimate interest, we have explained in the guide.
4. The assessment of legitimate interest is not just for filling out forms. It is aimed at everyone clearly explain why it is necessary to use just so much and in such cases cameras in locations. What purpose do cameras serve and why no other the measure is not sufficient. The objectives must be stated precisely, e.g. an abstract reference is not suitable "to monitor processes" or "to ensure security".
When the camera is used early for protection, then it is necessary to describe exactly what the threat to the property is and why it is a threat realistic (references to past events). Cameras cannot be used because of a hypothetical threat. You must write down all the purposes for which the cameras are actually used is used.
5. Then it is necessary to specifically justify why the cameras are installed in these places and which cameras are used. Caused by camera surveillance to reduce friction, they must be directed only to a specific problem area. Unnecessary part of the camera's field of view must be blurred or covered.
6. Once the above is done, it is necessary to explain what effect the cameras have on the employees. How long the recordings are kept and by whom also affects the extent of the encroachment on the rights of employees have access to them. Among other things, stress caused by constant stress must be taken into account being under surveillance.
7. AKI explained in the proposal, among other things, that consent cannot be relied upon in an employment relationship to the legal basis, insofar as it is a subordination relationship and in such a case it is it is unlikely that the person gave consent voluntarily. Europe too of the Data Protection Board in its directive on personal data via video devices processing ("Guidelines 3/2019 on processing of personal data through video devices") reached the same conclusion, and the Data Protection Inspectorate is based on Europe of the guidelines of the Data Protection Board.
In addition, we also explained that if a situation should arise (on the example of OÜ KV Laidoner), where one employee gives his own consent to the processing of his data does not give or withdraws it later (this right derives from Article 7, paragraph 3 of IKÜM), then theoretically, he should also not be in the field of view of the camera, which is why the employer has the obligation to close the camera at any moment when the employee is in front of the camera (which is impossible in reality). In addition, the use of consent is for cameras problematic also because persons who are not in the field of view of the cameras also remain employees and it is not vitally plausible that KV Laidoneri OÜ as a data processor from them obtains consent from individuals each time. In this case, cameras are used therefore, without a legal basis - illegally.
8. When using cameras, the appropriate ones must also be installed notice labels with a more detailed reference to the data processor's data protection conditions. KV Laidoneri OÜ explained in the initial response to AKI that the information labels were theirs considered suitable, because they were installed on the wall of the house, and therefore it was understood get that they are about this house. In addition, according to KV Laidoneri OÜ, there is no AKI before making the proposal referred to the information that must be on the information labels. At this point we note that AKI already referred to the video surveillance tag generator developed by AKI in the first inquiry. The information label must have information about who is responsible processor, what is the purpose of personal data processing and its legal basis, and also contact details of the data controller. 29.11.2022 transmitted by KV Laidoneri OÜ to the inspection, pictures of the new installed signs, which show that the signs have necessary information. However, it is confusing that the labels refer to it as a legal basis on the basis of legitimate interest.
At the same time, KV Laidoneri OÜ has been repeatedly involved in the proceedings referred as if the use of video surveillance was based on the consent of individuals.
9. Taking into account the above, personal data is currently being processed (filming) by OÜ KV Laidoner illegal because it does not comply with IKÜM 5, 6, 12 and 13 requirements.
10. According to IKS § 58 paragraph 1 and IKÜ Article 58 paragraph 2 points d and f, it is the inspectorate has the right to order the data processor to carry out the processing of personal data actions in a certain way and within a certain time to comply with the provisions of the IKÜM, right establish a temporary or permanent restriction on the processing of personal data, including a ban on processing.
11. At the end of the proposal, AKI pointed out that the Data Protection Inspectorate has right according to IKS § 56 (2) point 8, § 58 (1) and protection of personal data on the basis of Article 58 (2) of the General Regulation, issue an injunction to the processor of personal data if the personal data processor has violated the personal data protection processing requirements.
12. Taking into account the circumstances that personal data is currently being processed illegally and OÜ KV Laidoneri has not shown a willingness to harmonize data processing in IKÜM with the stated requirements, then the inspection considers that the mandatory injunction has been granted in the matter is necessary in order to end the offense as soon as possible and to ensure protection of privacy of individuals. Therefore, the inspection makes a mandatory prescription stop the use of surveillance cameras on the territory of OÜ KV Laidoner until the company fulfills the obligations imposed by IKÜM to perform such data processing.
(signed digitally)
Geili Kepp
lawyer
on the authority of the Director General