IP (Slovenia) - 0603-44-2023-5: Difference between revisions
No edit summary |
No edit summary |
||
(2 intermediate revisions by 2 users not shown) | |||
Line 65: | Line 65: | ||
}} | }} | ||
The Slovenian DPA fined a company €4,000 for installing two video surveillance cameras | The Slovenian DPA fined a company €4,000 for installing two video surveillance cameras in lack of a proper legal basis and without displaying the appropriate information. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The DPA decided to begin its proceedings due to the presence of two cameras on the premises of the company that the controller used to carry out video surveillance in the work areas on the basis of [http://www.pisrs.si/Pis.web/pregledPredpisa?id=ZAKO7959 Article 78(1) of the Slovenian Data Protection Law (ZVOP-2)]. The article allows for video surveillance within work premises where it is strictly necessary for the safety of persons or property. One of the cameras was located inside the premises of the company and recorded the office area, such as the work area and workstations. The second camera was installed at the entrance of the premises. | |||
The | The proceeding concerned both the company (the controller) and its director, as the latter is considered the "responsible person" under Slovenian law. | ||
=== Holding === | === Holding === | ||
Firstly, the Slovenian DPA found the controller’s breach to fall within the scope of [http://www.pisrs.si/Pis.web/pregledPredpisa?id=ZAKO7959 Article 100(3) ZVOP-2] in relation to [http://www.pisrs.si/Pis.web/pregledPredpisa?id=ZAKO7959 Article 100(1)(2) ZVOP-2] for infringing general provisions on video surveillance. The DPA noted that on the day of the inspection, the responsible person failed to comply with the Articles due to its video surveillance system. Specifically, there was no prominent information notice of the system before entering the surveilled system, which allowed an individual to become aware of the video surveillance and to refuse to enter the monitored area, as provided in [http://www.pisrs.si/Pis.web/pregledPredpisa?id=ZAKO7959 Article 76(3) ZVOP-2]. | Firstly, the Slovenian DPA found the controller’s breach to fall within the scope of [http://www.pisrs.si/Pis.web/pregledPredpisa?id=ZAKO7959 Article 100(3) ZVOP-2] in relation to [http://www.pisrs.si/Pis.web/pregledPredpisa?id=ZAKO7959 Article 100(1)(2) ZVOP-2] for infringing general provisions on video surveillance. The DPA noted that on the day of the inspection, the responsible person failed to comply with the Articles due to its video surveillance system. Specifically, there was no prominent information notice of the system before entering the surveilled system, which would have allowed an individual to become aware of the video surveillance and to refuse to enter the monitored area, as provided in [http://www.pisrs.si/Pis.web/pregledPredpisa?id=ZAKO7959 Article 76(3) ZVOP-2]. | ||
Secondly, the DPA found the controller’s breach to fall within the scope of [http://www.pisrs.si/Pis.web/pregledPredpisa?id=ZAKO7959 Article 103(3) ZVOP-2] in connection with [http://www.pisrs.si/Pis.web/pregledPredpisa?id=ZAKO7959 Article 103(1)(2) ZVOP-2], as well, for infringing general provisions on video surveillance specifically within work premises. The DPA stated that the video surveillance in this specific workplace was not necessary for the security of persons or property or the prevention of breaches of business secrecy, as that purpose could have also been achieved with less intrusive and more effective means than video surveillance | Secondly, the DPA found the controller’s breach to fall within the scope of [http://www.pisrs.si/Pis.web/pregledPredpisa?id=ZAKO7959 Article 103(3) ZVOP-2] in connection with [http://www.pisrs.si/Pis.web/pregledPredpisa?id=ZAKO7959 Article 103(1)(2) ZVOP-2], as well, for infringing general provisions on video surveillance specifically within work premises. The DPA stated that the video surveillance in this specific workplace was not necessary for the security of persons or property or the prevention of breaches of business secrecy, as that purpose could have also been achieved with less intrusive and more effective means than video surveillance, as provided by [http://www.pisrs.si/Pis.web/pregledPredpisa?id=ZAKO7959 Article 78(2) ZVOP-2]. | ||
In light of these infringements, the DPA fined the controller €4,000. It further fined the director €500 since he committed the offences in the course of his business and on behalf of and with the funds of the legal person, for which he was authorised to perform the works and duties of a director and was obliged to ensure that the video surveillance was carried out in accordance with the provisions of the ZVOP-2. The DPA found him liable on the basis of [http://pisrs.si/Pis.web/pregledPredpisa?id=ZAKO2537 Article 15(1) and Article 15a(1) of the Law on the Provision of Information and Communication on Video Surveillance (ZP-1)], which provides that a responsible person shall be liable for an offence committed in the course of the business of a legal person. | In light of these infringements, the DPA fined the controller €4,000. It further fined the director €500 since he committed the offences in the course of his business and on behalf of and with the funds of the legal person, for which he was authorised to perform the works and duties of a director and was obliged to ensure that the video surveillance was carried out in accordance with the provisions of the ZVOP-2. The DPA found him liable on the basis of [http://pisrs.si/Pis.web/pregledPredpisa?id=ZAKO2537 Article 15(1) and Article 15a(1) of the Law on the Provision of Information and Communication on Video Surveillance (ZP-1)], which provides that a responsible person shall be liable for an offence committed in the course of the business of a legal person. | ||
Line 83: | Line 83: | ||
== Comment == | == Comment == | ||
It is necessary to point out that the fine was imposed on the director of the company not in light of the GDPR or of the Slovenian Data Protection Law (ZVOP-2). Instead, the €500 fine was issued on the basis of another Slovenian law, namely the Law on the Provision of Information and Communication on Video Surveillance (ZP-1). | It is necessary to point out that the fine was imposed on the director of the company not in light of the GDPR or of the Slovenian Data Protection Law (ZVOP-2). Instead, the €500 fine was issued on the basis of another Slovenian law, namely the Law on the Provision of Information and Communication on Video Surveillance (ZP-1). | ||
Seemingly, the DPA's reasoning is based on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]], as well as [[Article 13 GDPR]], snice [http://www.pisrs.si/Pis.web/pregledPredpisa?id=ZAKO7959 Article 76(3) ZVOP-2] regulates video surveillance information notice, in line with [[Article 13 GDPR]]. | |||
== Further Resources == | == Further Resources == |
Latest revision as of 10:59, 31 January 2024
IP - 0603-44-2023-5 | |
---|---|
Authority: | IP (Slovenia) |
Jurisdiction: | Slovenia |
Relevant Law: | Article 100 ZVOP-2 Article 103 ZVOP-2 Article 76(3) ZVOP-2 Article 78(1) ZVOP-2 |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | 03.01.2024 |
Fine: | 4,500 EUR |
Parties: | n/a |
National Case Number/Name: | 0603-44-2023-5 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Slovenian |
Original Source: | Informacijski pooblaščenec (in SL) |
Initial Contributor: | ar |
The Slovenian DPA fined a company €4,000 for installing two video surveillance cameras in lack of a proper legal basis and without displaying the appropriate information.
English Summary
Facts
The DPA decided to begin its proceedings due to the presence of two cameras on the premises of the company that the controller used to carry out video surveillance in the work areas on the basis of Article 78(1) of the Slovenian Data Protection Law (ZVOP-2). The article allows for video surveillance within work premises where it is strictly necessary for the safety of persons or property. One of the cameras was located inside the premises of the company and recorded the office area, such as the work area and workstations. The second camera was installed at the entrance of the premises.
The proceeding concerned both the company (the controller) and its director, as the latter is considered the "responsible person" under Slovenian law.
Holding
Firstly, the Slovenian DPA found the controller’s breach to fall within the scope of Article 100(3) ZVOP-2 in relation to Article 100(1)(2) ZVOP-2 for infringing general provisions on video surveillance. The DPA noted that on the day of the inspection, the responsible person failed to comply with the Articles due to its video surveillance system. Specifically, there was no prominent information notice of the system before entering the surveilled system, which would have allowed an individual to become aware of the video surveillance and to refuse to enter the monitored area, as provided in Article 76(3) ZVOP-2.
Secondly, the DPA found the controller’s breach to fall within the scope of Article 103(3) ZVOP-2 in connection with Article 103(1)(2) ZVOP-2, as well, for infringing general provisions on video surveillance specifically within work premises. The DPA stated that the video surveillance in this specific workplace was not necessary for the security of persons or property or the prevention of breaches of business secrecy, as that purpose could have also been achieved with less intrusive and more effective means than video surveillance, as provided by Article 78(2) ZVOP-2.
In light of these infringements, the DPA fined the controller €4,000. It further fined the director €500 since he committed the offences in the course of his business and on behalf of and with the funds of the legal person, for which he was authorised to perform the works and duties of a director and was obliged to ensure that the video surveillance was carried out in accordance with the provisions of the ZVOP-2. The DPA found him liable on the basis of Article 15(1) and Article 15a(1) of the Law on the Provision of Information and Communication on Video Surveillance (ZP-1), which provides that a responsible person shall be liable for an offence committed in the course of the business of a legal person.
Comment
It is necessary to point out that the fine was imposed on the director of the company not in light of the GDPR or of the Slovenian Data Protection Law (ZVOP-2). Instead, the €500 fine was issued on the basis of another Slovenian law, namely the Law on the Provision of Information and Communication on Video Surveillance (ZP-1).
Seemingly, the DPA's reasoning is based on Article 6(1)(f) GDPR, as well as Article 13 GDPR, snice Article 76(3) ZVOP-2 regulates video surveillance information notice, in line with Article 13 GDPR.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.
File history Click on a date/time to view the file as it appeared at that time. Date/TimeDimensionsUserComment current16:06, 30 January 2024 (379 KB)Ar (talk | contribs) You cannot overwrite this file.File usage There are no pages that use this file.