CNPD (Portugal) - Deliberação 2019/207: Difference between revisions

From GDPRhub
 
(8 intermediate revisions by 5 users not shown)

Latest revision as of 12:50, 18 September 2024

CNPD - Deliberação 2019/207
Authority: CNPD (Portugal)
Jurisdiction: Portugal
Relevant Law: Article 13(1) GDPR
Article 13(2) GDPR
Type: Complaint
Outcome: Other Outcome
Started:
Decided:
Published: 19.03.2019
Fine: 2000 EUR
Parties: n/a
National Case Number/Name: Deliberação 2019/207
European Case Law Identifier: Processo nº10212/2018
Appeal: n/a
Original Language(s): Portuguese
Original Source: CNPD (in PT)
Initial Contributor: Diana Oliveira

The DPA fined a controller €2,000 for failing to inform data subjects about the presence of video surveillance by installing signs in the monitored area. Thus, the controller violated Article 13 GDPR.

English Summary

Facts

On June 18, 2018, during a routine inspection by the Public Security Police at a commercial establishment, it was discovered that there was no visible informational notice about the operation of an active CCTV system.

The situation was reported to the Portuguese DPA (CNPD).

The CCTV system had been installed for the protection of people and property. The business owner, having recently acquired signage after a similar issue at another store, argued that an informative sign had always been present but was obscured by furniture. She also highlighted her financial hardships and ongoing negotiations with creditors.

Holding

The DPA emphasized that the controller should have been aware of its obligation to display the necessary CCTV signage, and that it thereby failed to meet its transparency and information obligations under Article 13 GDPR.

The controller was fined €2,000.

When determining the fine amount, the DPA noted that the controller promptly addressed the issue following the Public Security Police inspection. However, the DPA highlighted that the controller did not inform the CNPD directly; instead, the violation was discovered during an inspection by another authority.

English Machine Translation of the Decision

The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.

Case No. 10212/2018

DELIBERATION/2019/207

I - Report

The National Commission for Data Protection (hereafter CNPD) drafted on December 18, 2018, a deliberation project in which the accused was charged with committing an infraction as set forth and punishable under the combined provisions of nos. 1 and 2 of Article 13, along with paragraph b) of no. 5 of Article 83 of the General Data Protection Regulation (Regulation 679/2016, dated April 27, hereafter GDPR), punishable by a fine up to a maximum of €20,000,000.00 or up to 4% of the annual turnover, whichever amount is higher.

The accused was notified of the content of said project according to Article 50 of the General Regime of Misdemeanours and Fines to present her defence, subsequently arguing (see pages 65 to 80) that:

1. On June 18, 2018, two agents from the Public Security Police conducted an "informative action" regarding the regulations. In the absence of the manager, the employee responded as best she could since she had been at the store for only a few days, and made a phone call to the manager to obtain some answers. It was agreed during the call that the agents would visit on June 20 to inspect the recording system among other security-related issues. Following their action, and due to a visit to another store a few days earlier where it was found that the signage did not meet all requirements, the company acquired two signs.
2. The accused also claims that an informative sign had always been present in the commercial establishment at the time of the infraction, although it was not visible since a piece of furniture from the brand was obstructing the view of the said sign.
3. Furthermore, she stated that she is in a difficult economic situation, with several debts to suppliers, which are being renegotiated to allow the accused's operations and compliance with her tax obligations.
4. Lastly, the accused requests her acquittal, with the dismissal of the misdemeanour proceedings.

II - Assessment

The CNPD is competent as per letter i) of no. 2 of Article 58 of the GDPR, combined with no. 1 of Article 21 and no. 1 of Article 22, both from Law no. 67/98, dated October 26, amended by Law no. 103/2015, dated August 24 (hereafter LPDP). Given the written defence presented by the accused, an assessment of the factual arguments and their legal bases is required.

The accused conducted personal data processing through video surveillance for the purpose of protecting people and property, as per nos. 1 and 2 of Article 4 of the GDPR. Having carried it out under the factual circumstances that will be listed below, it is certain that she collected personal data directly from the subjects, which is evident.

As such, she should have fulfilled the information obligation towards the subjects, adhering to the requirements of nos. 1 and 2 of Article 13 of the GDPR. By failing to fulfill the information obligation, she significantly limited one of the most relevant rights in terms of personal data protection, which is the right to information of the subjects and which is instrumental to other rights such as access.

Moreover, the accused did not even challenge the notice of infraction, nor does she deny the facts stated therein. Additionally, the documentary evidence presented by the accused does not demonstrate that, at the date and time stated in the notice of infraction, the commercial establishment was equipped with an informative notice about the video surveillance system.

Lastly, the accused also claims to be in a purported precarious economic situation; however, she did not provide any proof to substantiate such a condition.

Thus, the defence's allegations do not challenge the framing of facts made in the deliberation project, nor is any fact that constitutes a ground for excluding guilt or unlawfulness invoked, so we understand to maintain the already assumed position.

With the elements from the files, which are of interest for the decision, we consider the following as proven:

Facts

1. The accused is the holder of the Tax Identification Number and has its headquarters at
2. The accused operates a commercial establishment named , located at:
3. On June 18, 2018, at 9:30 PM, following an inspection action by the Public Security Police at the aforementioned commercial establishment, the existence of a functioning video surveillance system was established.
4. It was observed during the inspection that no informative notice about the operation of the video surveillance system was visibly posted, nor was it posted anywhere else.
5. By failing to post an informative notice about the existence of cameras allowing for the viewing of images, the accused did not act with the care she was obligated to and capable of, foreseeing as possible that she was acting against the Law.

III - Motivation for the Fact-Finding Decision

The facts given as proven resulted from:
- The notice of infraction and the photographic report made by the police authority, included on pages 1 to 8 of the files.

It is apparent, based on the facts established, that the practice by the accused of an infraction as set forth and punishable under the combined provisions of

- nos. 1 and 2 of Article 13 and paragraph b) of no. 5 of Article 83 of the GDPR is sufficiently indicated, punishable by a fine up to €20,000,000.00 or up to 4% of the annual turnover, whichever is higher.

IV - Determination of the Sanction

According to Article 83, no. 1, letters a) to k) of the GDPR, in deciding on the application of a fine or another sanction and on the determination of its extent, the following criteria shall be considered:
- The nature, gravity, and duration of the infraction considering the nature, scope, or purpose of the data processing at issue, as well as the number of data subjects affected and the level of damage they suffered - we are dealing with an infraction punishable by the most severe framework provided by the GDPR, with the data being normal, or non-special, as they do not fall under the special data categories listed in Article 9 of the GDPR. The unlawfulness is moderate, given the circumstances of time, manner, and place in which the accused committed the infraction.
- The intentional or negligent character of the infraction - it is considered to be with conscious negligence, as the accused did not act with the care she was obligated to and capable of, foreseeing as possible that she was acting against the Law.
- The initiative taken by the data controller or processor to mitigate the damage suffered by the subjects - the conduct of the accused is valued, who adopted, after the inspection action, the appropriate measure to rectify the infraction observed, by posting the informative notices.
- The degree of responsibility of the data controller or processor considering the technical or organizational measures they implemented under Articles 25 and 32 - the responsibility of the accused regarding the infraction committed is considered moderate, as she had the cameras installed and did not take care to observe the legal requirements for using a video surveillance system.
- Any relevant infractions previously committed by the data controller or processor - which are not verified, the accused being primary.
- The degree of cooperation with the control authority to remedy the infraction and mitigate its potential negative effects - which is considered high, with voluntary and spontaneous compliance, by having posted the informative notices, without the CNPD having exercised any corrective power in this regard.
- The specific categories of personal data affected by the infraction - non-special personal data categories, according to Article 9, no. 1 of the GDPR, read a contrario sensu.
- The manner in which the control authority became aware of the infraction, especially whether the data controller or processor notified it, and if affirmative, to what extent they did - the infraction was known through the submission of the notice of infraction raised following the inspection action officiously conducted by the Public Security Police, so the accused did not notify the CNPD of such a fact.
- Compliance with the measures referred to in Article 58, no. 2, if they had previously been imposed on the data controller or processor in question regarding the same matter - this criterion does not apply, as there were no corrective measures previously determined.
- Compliance with codes of conduct approved under Article 40 or certification procedures approved under Article 42 - a criterion that also does not apply, as there is no code of conduct or certification procedure, in the terms indicated;
and
- Any other aggravating or mitigating factor applicable to the circumstances of the case, under letter k) of no. 2 of Article 83 of the GDPR, such as the financial benefits obtained or losses avoided, directly or indirectly, through the infraction - here, as a mitigating factor, the absence of any economic benefit with the practice of the infraction in question is relevant.

Concrete Framework of the Fine

As expressed in the deliberation project, the framework of the fine abstractly applicable to the accused for the infraction as set forth and punishable under the combined provisions of nos. 1 and 2 of Article 13 and paragraph b) of no. 5 of Article 83 of the GDPR, punishable, with a fine up to €20,000,000.00 or up to 4% of the annual turnover, whichever is higher.

Although the economic situation of the accused was not determined and considering the facts established in light of the criteria outlined above, the CNPD,

- under Article 58, no. 2, letter i) of the GDPR, considers it appropriate to apply to the accused a fine in the amount of €2,000.00 (two thousand euros) for violation of nos. 1 and 2 of the aforementioned Regulation.

V - Conclusion

In light of the above, the CNPD resolves to:
1. Impose on the accused a fine in the amount of €2,000.00 (two thousand euros).
2. Under the provisions of nos. 2 and 3 of Article 58 of the General Regime of Misdemeanours and Fines, inform the accused that:
   a) The conviction becomes definitive and enforceable if not judicially contested under Article 59.
   b) In the event of judicial contestation, the Court may decide by hearing or, if the accused and the Public Prosecutor do not oppose, by simple order.
   c) The accused must proceed with the payment of the fine within a maximum of 10 days after its definitive character, sending to the CNPD the respective payment guide. In case of impossibility of timely payment, the accused must communicate such fact, in writing, to the CNPD.

Lisbon, March 19, 2019

José Grazina Machado (rapporteur)

Luís Barroso

Maria Cândida Guedes de Oliveira

Maria Teresa Naia

Filipa Calvão (President)