AEPD (Spain) - PS/00151/2020: Difference between revisions
No edit summary |
No edit summary |
||
Line 50: | Line 50: | ||
}} | }} | ||
The Spanish DPA (AEPD) fined an organisation €3.000 for violating | The Spanish DPA (AEPD) fined an organisation €3.000 for violating Articles 5(1)(c) and 13 GDPR in relation to a video surveillance system in an apartment building. | ||
==English Summary== | ==English Summary== |
Revision as of 09:49, 21 April 2021
AEPD - PS/00151/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(c) GDPR Article 13 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 14.04.2021 |
Fine: | 3000 EUR |
Parties: | n/a |
National Case Number/Name: | PS/00151/2020 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
The Spanish DPA (AEPD) fined an organisation €3.000 for violating Articles 5(1)(c) and 13 GDPR in relation to a video surveillance system in an apartment building.
English Summary
Facts
The defendant has installed a video surveillance system composed of four cameras in the building where he/she owns three apartments (of which two used for tourism activity), without asking for permission of the other people living in the building. These four cameras have recorded data of personal character that have been incorporated into some type of computer file managed by the defendant. No information about the video surveillance has been displayed in the building, leaving therefore the data subjects without notice. The surveillance system recorded every person passing without limitations.
Dispute
Was the system put in place violating the principle of data minimization and the obligation to give information to the data subjects as per articles 5 and 13 GDPR?
Holding
The Spanish DPA considered that the surveillance system installed was violating the minimization principle: the fact that some of the apartments in the building are dedicated to tourist activities does not legitimize the recording of the common areas, unless by agreement of the board of owners. The DPA imposed therefore a fine of € 2.000 for violation of Article 5(1)(c) GDPR.
Regarding the obligation to provide information to the data subjects, as there is no informational poster that informs the people affected about the data processing, the identity of the controller and the possibility of exercising their rights, there is a clear breach of the duty of information as per article 13 GDPR. The DPA imposed thus a fine of € 1.000 for violating Article 13 GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/10 Procedure No.: PS / 00151/2020 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: URBAN GUÀRDIA OF THE CITY COUNCIL OF FIGUERES (hereinafter, the claimant) on October 2, 2019 filed a claim with the Agency Spanish Data Protection. The claim is directed against A.A.A. with NIF *** NIF. 1 (hereinafter, the claimed one). The reasons on which the claim is based, in its Spanish translation, are the following: “[…] On July 26, 2019 at 6:00 p.m., the agents of the Guardia Urbana de Figueres with *** TIP.1 and *** TIP.2 in non-uniformed service go to the *** ADDRESS. 1 to check what activity is carried out in this property due to complaints from various residents of the area regarding constant entrances and exits of different people and noises that disturb your rest. Agents identify three people who reside on the first floor for rent: a) A.A.A. calling himself B.B.B. […] The agents warned that both at the entrance door of the property on the interior as in each door of the floors 1º, 2º and 3º there were cameras of video recording in operation. There was no informational poster […]. […] […] It is clear that the property on the second and third floors is in the name of. A.A.A. […]. On 09/17/2019 […] Sergeant *** TIP.3 and agent *** TIP.4 went to the property and verified that Mr. A.A.A. Y They confirmed that it had the second and third floors on a tourist rental basis […]. […] Agents *** TIP.3 and *** TIP.4 in this inspection verified that indeed there was a security camera working just enter the door of the building and another on the doors of the 1st, 2nd and 3rd floors. When questioned, A.A.A. confirmed to the agents that she had a video recorder in her address and that he had them installed for security due to his rental activity bedrooms. […]. There is also no authorization from the community of owners in a board agreement that would allow this person to manage this system of safety. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/10 Considering the facts, it can be seen that these 4 cameras have recorded data from personal character (one or several elements of the physical, physiological identity) […] And they have been incorporated into some type of computer file of a video recorder that manages A.A.A. how are the faces of both different identified people and the 4 acting agents […]. " Along with the claim, provide the following documents: 1. Simple note of the property registry of the three floors that make up the property. 2. Contract model used by the person in charge of renting the 2nd and 3rd floors. 3. Photographs of the exterior of the property and of the 4 cameras installed inside the east (entrance, 1st, 2nd and 3 floors). 4. Model contract used by the claimed for tourist rental. SECOND: Prior to the admission for processing of this claim, the Subdirectorate General for Data Inspection sent the respondent a request for information on November 4, 2019, which was notified on November 12, 2019. In the absence of a reply, the request for information was reiterated on February 2020, the notification of which took place on February 27, 2020. No received reply THIRD: The Director of the Spanish Protection Agency agreed to admit process the claim on June 1, 2020. FOURTH: On November 3, 2020, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure to the claimed, by the alleged infringements of articles 5.1.c) and 13 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), typified in the Article 83.5 of the same rule. FIFTH: The commencement agreement was notified on November 13, 2020, the claimed has not submitted a brief of allegations, so what is indicated in the Article 64 of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, which in its section f) establishes that in case of not making allegations within the term provided on the content of the agreement of initiation, it may be considered a resolution proposal when it contains a precise pronouncement about the responsibility imputed, for which it proceeds to issue Resolution. In view of all the actions, by the Spanish Agency for Data Protection In the present proceeding, the following are considered proven facts, C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/10 FACTS FIRST: In accordance with the Act of complaint raised by the Guàrdia Urbana de Figueres on September 17, 2019 and the attached photographic report, the claimed has installed a video surveillance system in the property located in *** ADDRESS.1 composed of 4 cameras located in the portal and 1st, 2nd and 3rd floors. 1. The camera located in the portal is installed on top of a side wall focusing on the access door to the building. 2. The camera located on the first floor is installed on a wall of the landing. 3. The second floor camera is located above the door. 4. No photograph of the camera installed on the third floor is attached. According to Act complaint, would be located above the door as well. SECOND: There is no authorization from the community of owners for the installation of the system and it does not have an informational poster. THIRD: The defendant resides as a tenant on the 1st floor and in accordance with the Simple notes from the Property Registry attached to the complaint, is the owner of the flats located on the 2nd and 3rd floors of the property. FOURTH: The defendant develops an economic activity consisting of renting of the 2nd and 3rd floors of the building under the tourist accommodation regime. FIFTH: The defendant declares to the agents that he has installed the cameras for security reasons related to your room rental activity and that has a video recorder at home. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in arts. 47 and 48.1 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Agency for Data Protection is competent to solve this procedure. II The defendant is charged, on the one hand, with the commission of an offense for violation of article 5.1.c) of the RGPD that personal data will be “adequate, pertinent and limited to what is necessary in relation to the purposes for which they are processed ("Data minimization"). " C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/10 Likewise, the defendant is charged with committing another offense for violation of the Article 13 of the RGPD, which establishes that: "1. When personal data relating to him are obtained from an interested party, the responsible for the treatment, at the time these are obtained, will provide all the information indicated below: a) the identity and contact details of the person in charge and, where appropriate, of their representative; b) the contact details of the data protection officer, if applicable; c) the purposes of the treatment to which the personal data are destined and the legal basis of the treatment; d) when the treatment is based on article 6, paragraph 1, letter f), the interests legitimate rights of the person in charge or of a third party; e) the recipients or categories of recipients of personal data, in their case; f) where appropriate, the intention of the person responsible to transfer personal data to a third party country or international organization and the existence or absence of a decision of adequacy of the Commission, or, in the case of transfers indicated in the Articles 46 or 47 or Article 49, paragraph 1, second subparagraph, reference to the adequate or appropriate warranties and the means to obtain a copy of these or to the fact that they have been borrowed. 2. In addition to the information mentioned in section 1, the person responsible for the treatment will facilitate the interested party, at the time the data is obtained personal information, the following information necessary to guarantee data processing loyal and transparent: a) the period during which the personal data will be kept or, when it is not possible, the criteria used to determine this deadline; b) the existence of the right to request the data controller for access to the personal data relating to the interested party, and its rectification or deletion, or the limitation of its treatment, or to oppose the treatment, as well as the right to portability of the data; c) when the treatment is based on article 6, paragraph 1, letter a), or article 9, paragraph 2, letter a), the existence of the right to withdraw consent in at any time, without affecting the legality of the treatment based on the consent prior to its withdrawal; d) the right to file a claim with a supervisory authority; e) if the communication of personal data is a legal or contractual requirement, or a necessary requirement to sign a contract, and if the interested party is obliged to provide C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/10 personal data and is informed of the possible consequences of not provide such data; f) the existence of automated decisions, including profiling, to be referred to in article 22, paragraphs 1 and 4, and, at least in such cases, information significant on the applied logic, as well as the importance and consequences provided for said treatment for the interested party. 3.When the data controller plans the further processing of data personal data for a purpose other than that for which they were collected, will provide the interested party, prior to said further processing, information on that other purpose and any additional relevant information pursuant to section 2. 4.The provisions of paragraphs 1, 2 and 3 shall not apply when and in the to the extent that the interested party already has the information. " The aforementioned infractions are classified in article 83.5 of the RGPD, which provides the following: "Violations of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the highest amount: a) the basic principles for the treatment, including the conditions for the treatment consent in accordance with articles 5, 6, 7 and 9; b) the rights of the interested parties in accordance with articles 12 to 22 […] " For the purposes of the statute of limitations for offenses, both offenses are considered very serious and prescribe after three years, in accordance with article 72.1 of the LOPDGDD, which establishes that: "Based on what is established in article 83.5 of Regulation (EU) 2016/679, considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: a) The processing of personal data violating the principles and guarantees established in article 5 of Regulation (EU) 2016/679. […] h) The omission of the duty to inform the affected party about the processing of their data personal in accordance with the provisions of articles 13 and 14 of Regulation (EU) 2016/679 and 12 of this Organic Law. […] " III Article 22 of the LOPDGDD, relative to "Treatments for video surveillance purposes" establishes in section 1 that: “Individuals or legal entities, public or private, C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/10 may carry out image processing through camera systems or video cameras in order to preserve the safety of people and property, as well as its facilities ”. This treatment, which is legitimized in the cause of fulfillment of a mission public interest public interest included in the article 6.1.e) of the RGPD, must comply with the principles set forth in article 5 of the cited European standard. One of these principles is that of data minimization (article 5.1.c), which establishes the The need for the data to be processed to be the minimum necessary to carry out carry out the purpose pursued by the person in charge. In this way, the cameras installed will only be able to capture images of public roads to the extent that they are essential and will avoid affecting the legal sphere of rights of third parties people without just cause, so it will not be possible to obtain images of spaces public areas or areas for private use of third parties without the concurrence of the aforementioned just cause. On the other hand, individuals who use this type of device are responsible that these comply with current legislation, having to comply, when the property It is under the community of owners regime, with the requirements established in Law 49/1960, of July 21, on horizontal property (LPH). A) Yes, the installation of a video surveillance system by an individual will require authorization of the board of the community of owners both when its location in a common area such as when, even installed in an area of use private, orient yourself to surrounding common areas and capture - respecting in any case the principle of data minimization — tangentially common areas. As regards the joint assessment of factual elements in the sanctioning procedure, it is necessary to indicate in advance that, in accordance with with article 77.5 of the LPACAP, “The documents formalized by the civil servants to which the status of authority is recognized and in which, observing the corresponding legal requirements the facts verified by those they will make proof of these unless the opposite is accredited ”. Therefore, since there is no presented the claimed no evidence to the contrary, they must be fully understood proven, for the purposes of this proceeding, the facts established and documented by the agents of the Guàrdia Urbana de Figueres in their complaint report of September 17, 2019. Taking into account the above, the proven facts show that the The complainant has installed a video surveillance system - alleging reasons of security related to the tourist accommodation business that you run— in areas common areas of the building, such as the portal and the landings of the floors. The system like this installed violates the principle of data minimization in that the cameras in operation capture areas that exceed those that would be covered by the mentioned security purpose. The fact that some real estate in the building are dedicated to tourist rental does not legitimize that the common areas are captured, to Unless by agreement of the board of the community of owners the installation of a video surveillance system in order to guarantee the safety of the edifice. IV C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/10 The RGPD enshrines as another of its fundamental principles that of transparency in relationship with stakeholders. As one of its manifestations, Article 13 of the RGPD —in compliance with the duty of information contained in the preceding article 12 of the same legal text - regulates the information to be provided when the personal data is obtained from the interested party, a situation that occurs in cases in which images are captured by a video surveillance system. In this In this sense, article 22.4 of the LOPDGDD establishes that “The duty of information provided for in Article 12 of Regulation (EU) 2016/679 shall be deemed to have been fulfilled by placing an information device in a sufficiently visible place identifying, at least, the existence of the treatment, the identity of the person in charge and the possibility of exercising the rights provided in articles 15 to 22 of the Regulation (EU) 2016/679. An information code may also be included in the information device. connection or internet address to this information ”. Regarding this issue, the facts proven in the present proceeding also They allow to prove that the claimed person, as the person responsible for the treatment carried out through a video surveillance system, has breached the aforementioned duty of information, as there is no informational poster that informs those affected that the data processing of your image, the identity of the responsible or the possibility of exercising their rights in this regard. V The corrective powers available to the Spanish Agency for the Protection of Data, as a control authority, are established in article 58.2 of the RGPD. Between they have the power to sanction with warning -article 58.2 b) -, the Power to impose an administrative fine in accordance with article 83 of the RGPD -article 58.2 i) -, or the power to order the person in charge of the treatment that the processing operations comply with the provisions of the RGPD, when proceed, in a certain way and within a specified period - article 58. 2 d) -. According to the provisions of article 83.2 of the RGPD, the measure provided for in article 58.2 d) of the aforementioned Regulation is compatible with the sanction consisting of a fine administrative. SAW In accordance with the provisions of the RGPD in its art. 83.2, when deciding to impose a administrative fine and its amount in each individual case will take into account the aggravating and mitigating factors that are listed in the indicated article, as well as any other that may be applicable to the circumstances of the case. For the purposes of setting the sanction to be imposed on the claimed party, the aggravating circumstance of intent or negligence in the offense (article 83.2.b) of the RGPD), since the complainant has not shown the minimum diligence enforceable from the owner of a business in compliance with the applicable regulations in data protection matters. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/10 Likewise, mitigating circumstance has been taken into account that the claimed is a Physical person. Based on the foregoing, a fine of two thousand euros (€ 2,000.00) should be imposed for the violation of article 5.1.c) of the RGPD and one thousand euros (€ 1,000.00) for the violation of the Article 13 of the RGPD, resulting in a total of three thousand euros (€ 3,000.00). On the other hand, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to which each supervisory authority may 'order the person in charge or in charge of the treatment that the treatment operations conform to the provisions of the this Regulation, where appropriate, in a certain way and within a specified term […] ”, the person in charge must prove, within a period of (1) month, the following extremes: Having proceeded to remove the camera located in the portal of the building. Having proceeded to remove the cameras located on the 1st, 2nd and 3rd floors of the property or its reorientation towards private areas. In the event that the installation of a camera that complies with the principle of data minimization, having proceeded to the placement of the device informative in the video-monitored areas or to complete the information offered in the itself (at least the existence of a treatment, the identity of the responsible and the possibility of exercising the rights provided for in said precepts), placing this device in a sufficiently visible place. Likewise, you must prove that keeps at the disposal of those affected all the information referred to in the GDPR. It is noted that not meeting the requirements of this body may be considered as an administrative offense in accordance with the provisions of the RGPD, classified as an offense in its articles 83.5 and 83.6, being able to motivate such conduct the opening of a subsequent administrative sanctioning procedure. Therefore, in accordance with the applicable legislation and assessed the criteria of graduation of the sanctions whose existence has been accredited, the Director of the Spanish Agency for Data Protection RESOLVES: FIRST: IMPOSE A.A.A., with NIF *** NIF.1, For an infringement of article 5.1.c) of the RGPD, typified in article 83.5 of the mentioned rule, a fine of TWO THOUSAND EUROS (€ 2,000.00). For an infringement of article 13 of the RGPD, typified in article 83.5 of the aforementioned norm, a fine of THOUSAND EUROS (€ 1,000.00) The total of the fines amounts to THREE THOUSAND EUROS (€ 3,000.00) C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/10 SECOND: ORDER A.A.A., with NIF *** NIF.1, which certifies, within the maximum term of ONE MONTH from the notification of this resolution, the following points: Having proceeded to remove the camera located in the portal of the building. Having proceeded to remove the cameras located on the 1st, 2nd and 3rd floors of the property or its reorientation towards private areas. In the event that the installation of a camera that complies with the principle of data minimization, having proceeded to the placement of the device informative in the video-monitored areas or to complete the information offered in the itself (at least the existence of a treatment, the identity of the responsible and the possibility of exercising the rights provided for in said precepts), placing this device in a sufficiently visible place. Likewise, you must prove that keeps at the disposal of those affected all the information referred to in the GDPR. THIRD: NOTIFY this resolution to A.A.A. and inform the claimant. FOURTH: Warn the sanctioned person that the sanction imposed by a Once this resolution is enforceable, in accordance with the provisions of the art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations (hereinafter LPACAP), within the payment period voluntary established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by means of their entry, indicating the NIF of the sanctioned person and the number procedure that appears in the heading of this document, in the account restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Agency Spanish Data Protection in the banking entity CAIXABANK, S.A .. In case Otherwise, it will be collected in the executive period. Received the notification and once executive, if the date of execution is found Between the 1st and the 15th of each month, both inclusive, the deadline for making the payment volunteer will be until the 20th of the following or immediately subsequent business month, and if between the 16th and the last day of each month, both inclusive, the payment term It will be until the 5th of the second following or immediate business month. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month to counting from the day after the notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/10 Contentious-administrative jurisdiction, within two months from the day following notification of this act, as provided in article 46.1 of the referred Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses his intention to file contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through writing addressed to the Spanish Agency for Data Protection, presenting it through of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica- web /], or through any of the other records provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation that proves the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension. 938-131120 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es