DSB (Austria) - 2021-0.024.862: Difference between revisions
From GDPRhub
mNo edit summary |
mNo edit summary |
||
| Line 78: | Line 78: | ||
=== Holding === | === Holding === | ||
==== Conditions for the | ==== Conditions for the Prior Consultation ==== | ||
The DPA first states that [[Article 36 GDPR#1|Article 36(1) GDPR]] provides for a duty to consult if two conditions are met. First, a data protection impact assessment under [[Article 35 GDPR|Article 35 GDPR]] must show that the processing operation entails a high risk. Second, the controller must not have taken appropriate measures to mitigate the risk. | The DPA first states that [[Article 36 GDPR#1|Article 36(1) GDPR]] provides for a duty to consult if two conditions are met. First, a data protection impact assessment under [[Article 35 GDPR|Article 35 GDPR]] must show that the processing operation entails a high risk. Second, the controller must not have taken appropriate measures to mitigate the risk. | ||
| Line 89: | Line 89: | ||
However, the DPO assumed that the measures proposed by the controller were sufficient to contain the risk. Taking together the measures set out in [[Article 35 GDPR#7d|Article 35(7)(d) GDPR]], the existing risk was sufficiently contained (see below). | However, the DPO assumed that the measures proposed by the controller were sufficient to contain the risk. Taking together the measures set out in [[Article 35 GDPR#7d|Article 35(7)(d) GDPR]], the existing risk was sufficiently contained (see below). | ||
==== Requirements for the | ==== Requirements for the Information Obligation in case of occasion-related Video Documentation ==== | ||
The information system proposed by the controller complies with the information requirements of Article 13 of the GDPR. | The information system proposed by the controller complies with the information requirements of Article 13 of the GDPR. | ||
Revision as of 14:38, 11 June 2021
| DSB (Austria) - DSB-D485.007 / 2021-0.024.862 | |
|---|---|
 | |
| Authority: | DSB (Austria) |
| Jurisdiction: | Austria |
| Relevant Law: | Article 6(1)(f) GDPR Article 13(1) GDPR Article 13(2) GDPR Article 35(1) GDPR Article 35(7)(d) GDPR Article 36(1) GDPR Article 36(3)(e) GDPR GDPR Recital 89 |
| Type: | Other |
| Outcome: | n/a |
| Started: | |
| Decided: | 02.02.2021 |
| Published: | 07.06.2021 |
| Fine: | None |
| Parties: | n/a |
| National Case Number/Name: | DSB-D485.007 / 2021-0.024.862 |
| European Case Law Identifier: | AT:DSB:2021:2021.0.024.862 |
| Appeal: | Unknown |
| Original Language(s): | German |
| Original Source: | Rechtsinformationssystem des Bundes (RIS) (in DE) |
| Initial Contributor: | n/a |
The Austrian DPA rejected a request for prior consultation under Article 36(1) GDPR. It held that the initially identified high risk was mitigated by measures proposed by the controller. The unsuccessful mitigation constitutes a prerequisite for the obligation to consult.
Further, the DPA specified the information requirements for processing of personal data through video devices.
English Summary
Facts
The controller is a transport operating company which, among other things, operates railway bridges. Bridges that run over public traffic areas are occasionally damaged during passage by vehicles that exceed the vehicle height permitted for the respective bridge. The company planned occasion-related video documentations on selected bridges.
For this purpose, the company conducted a data protection impact assessment. It came to the conclusion that there was a high residual risk and that the consultation procedure pursuant to Article 36 of the GDPR should be carried out. On the details of the data protection impact assessment:
The company assumed that there was a sufficient legal basis for the data processing. It assumed that the data processing was necessary for the fulfilment of its maintenance and traffic safety obligations as well as for the initiation of criminal and civil (damages) proceedings and could therefore be based on Article 6(1)(f) GDPR.
However, it concluded that there was a high risk for the data subjects because reliable information of the data subjects about the data processing was not ensured, although the data controller provided for measures to inform them: In the area of the bridges, the recording activity should be marked by appropriate signs. Information signs should contain references to height control, a pictogram for video surveillance, a reference to the controller as well as a link including a QR code with a reference to further information in the data protection declaration of the controller. A detailed description of the processing activity should be included in the data protection declaration. It would be available at any time on the website of the controller and could be requested at the company's headquarters.
Holding
Conditions for the Prior Consultation
The DPA first states that Article 36(1) GDPR provides for a duty to consult if two conditions are met. First, a data protection impact assessment under Article 35 GDPR must show that the processing operation entails a high risk. Second, the controller must not have taken appropriate measures to mitigate the risk.
With regard to the definition of "high risk", which is not provided for in the GDPR, the data protection authority refers to recital 89 and states in summary that, in addition to "technical" risks, basically all provisions of the GDPR that serve to protect the data subjects must be examined.
For the mitigation of the risk, the GDPR gives three examples of remedial measures. According to the DPA, if the controller takes appropriate measures, the identified risk must be reassessed. If it is then no longer classified as "high", no obligation to consultation is established. The determination of a possible remaining high residual risk has to be made taking into account all mitigation measures foreseen for the desired processing. When assessing the remaining residual risk, all planned measures to ensure GDPR-compliant processing must be taken into account. This is justified by a reference to the wording of Article 35 GDPR, which refers the risk "to the rights and freedoms of the data subject". Accordingly, an overall view of all measures and precautions taken - in the sense of an all-encompassing balancing of interests in the sense of Article 5 in conjunction with Article 6 of the GDPR - must be carried out for the assessment of the remaining risk.
In the specific case, the DPO assumed that the first condition is met, so to speak, on the basis of the data controller's submission. In this respect, an abstract potential breach of the duty to inform under Article 13 GDPR constitutes a "high risk".
However, the DPO assumed that the measures proposed by the controller were sufficient to contain the risk. Taking together the measures set out in Article 35(7)(d) GDPR, the existing risk was sufficiently contained (see below).
The information system proposed by the controller complies with the information requirements of Article 13 of the GDPR.
In order to determine the scale of image processing operations, the DPA uses the two-layer information model established in the European Data Protection Board's Guidelines 3/2019 on processing of personal data through video devices.
The first-layer information should be provided by a warning sign. This shall be placed in such a way that the data subject can easily recognise the circumstances of the surveillance before entering the monitored area (e.g. at eye level). The data subject must be able to assess which area is being covered by a camera so that he or she can avoid the surveillance or adjust his or her behaviour if necessary. The first level information should normally contain the most relevant information (e.g. purposes of the processing, identity of the controller, rights of the data subject and other information of high importance). They must also refer to the more detailed second level of information as well as where and how to find it.
The second stage information must also be made available in a location that is easily accessible to the data subject, e.g. as a complete information sheet in a central location (e.g. information desk, reception or checkout) or on an easily accessible poster. It is best if the first level information links to the second level digital source (e.g. QR code or web address). However, the information must also be easily available by non-digital means. It should be possible to access the second level information without going into the monitored area. Another suitable means could be a telephone number that can be called. The information must contain all the details that are mandatory under Article 13 GDPR.
The DPA decided that the controller’s planned actions met these requirements. The controller provided for "marking of the application". The monitored area would be marked in a clearly visible manner near the secured bridges by appropriate signs. In addition to a pictogram depicting a video camera, the sign contains a QR code that refers to the website - also indicated on the sign - where the data protection declaration of the controller can be accessed. If there is a corresponding reason on the part of the controller, the sign should be clearly visible to approaching traffic in front of the bridge.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
GZ: 2021-0.024.862 of February 2, 2021 (case number: DSB-D485.007)
[Note processor: names and companies, legal forms and product names,
Addresses (including URLs, IP and e-mail addresses), file numbers (and the like), etc., as well as
their initials and abbreviations can be abbreviated for reasons of pseudonymisation
and / or changed. Obvious spelling, grammar, and punctuation errors
have been corrected.]
B E S C H E I D
S P R U C H
The data protection authority decides on the basis of the A ** Verkehrsbetriebe GmbH
(Responsible), represented by N ** Rechtsanwälte GmbH, on December 10, 2020
initiated procedure according to Art. 36 GDPR concerning an intended
Data processing ("test mode impact detection on bridges") as follows:
- The request for prior consultation in accordance with Art. 36 GDPR is rejected.
Legal basis: Articles 5, 6, 13, 14, 35 and 36 of Regulation (EU) 2016/679 (data protection
Basic Regulation, hereinafter: GDPR), OJ No. L 119 of 4.5.2016 p. 1;
REASON
A. Submissions of those responsible:
1. In a letter dated December 10, 2020, the controller initiated a procedure in accordance with
Art. 36 GDPR and stated as follows:
The person in charge intends to use "impact detection on bridges" for detection and
Video documentation of damage cases - those caused by the collision of a vehicle
to be caused with a bridge of those responsible - to build. The data protection
Impact assessment came to the conclusion that with regard to the assessed
Processing activity remains a high (residual) risk or cannot be ruled out
could. The application was the "data protection impact assessment test operation impact detection
in the case of bridges ”of the responsible persons.
2. The person responsible specified - at the request of the data protection authority - with
Opinion of January 7, 2021 their application to the effect that they are at high risk for
recognize the data protection rights of the data subjects in the fact that due to the specific
Circumstances of processing although a viable legal basis for data processing
exists, however, reliable information of the persons concerned about the
Data processing is not guaranteed. Because the person responsible has no direct one
Contact with the drivers and passengers of approaching vehicles, which can provide information. There is also no empirical evidence that the attached
Information signs can also be perceived by persons concerned “in passing”.
In addition, the person responsible is not the maintainer of the motorways concerned, but only
the overpassing railway bridges, which the available space for
Could restrict information signs.
The specific circumstances of the processing therefore result in the risk that the
data subjects affected by data processing in the form of video surveillance in their
private or professional life can be recorded without going beyond the fact of
Processing and / or the identity of the person responsible to be informed. Manifest therein
pose a high risk to the data subjects' data protection rights, especially for
the right, protected by Art. 5 Para. 1 lit. a GDPR, that personal data is only available in
processed in a way that is understandable for the data subjects.
The present data protection impact assessment therefore comes to the conclusion that the
planned technical and organizational measures alone cannot be sufficient,
to completely exclude these risks.
B. Factual Findings
The person responsible intends a video-based "impact detection in bridges", their
Conservation is their area of responsibility. The planned application is as
Test setup consisting of a sensor and video recording system designed in
Area of railway bridges of the responsible person is attached over public
Traffic areas run. The system is used for recognition and video documentation of
Damage caused by the collision of a vehicle with a bridge of the
Responsible.
Excerpts from the data protection declaration are as follows (formatting not
1: 1 reproduced):
"1. SECTION: DESCRIPTION AND LIMITATION OF THE
PROCESSING OPERATIONS
[...]
1.2 Functional description of the application
[...]
Detailed presentation of the planned processing operations
In the area of selected railway bridges the responsible persons, which over
public traffic areas become digital, permanently adjusted video cameras
Installed. In addition, laser light barriers are installed in the area of the railway bridges
installed as so-called "start-up triggers", which strike (trigger) as soon as a vehicle is reached
happens that exceeds the permissible total height (cause of impact). Two different camera perspectives are provided for the camera system
each fulfill different recording purposes:
(i) Recording of the structure's bottom view for the identification and documentation of
any optical changes to the structure as well as more precise
Analysis of the impact (nature of the vehicle part that is in contact with
the bridge structure, speed at impact, etc.).
The camera lens is aligned in such a way that no public
Traffic areas (e.g. street, footpath, bike path) are recorded.
(ii) Recording of the lane of the approaching road traffic in
close proximity to the secured railway bridge for the purpose of
Detection of impacting vehicles as well as their license plates and
possibly the handlebars from the front.
Depending on the local conditions, the application is either as
"Cause recording system" or implemented as a "Cause storage system",
whereby, in terms of data minimization (Art 5 Para 1 lit c GDPR), priority is given to
The event recording system is to be implemented:
(i) Event recording system: If the local conditions in the individual case
a corresponding positioning of the laser light barriers on the bottom of the
Responsible persons (not on third-party land) in the run-up to the secured bridge
allow, no continuous recordings are made by the installed
Cameras, but are only activated when an impact event is registered
put into operation, thus when a vehicle which is permitted
Exceeds the total height, one of the installed laser light barriers passes
(Event recording).
(ii) Occurrence memory system: In all other cases - ie where none
suitable reason for those responsible for installing the laser light barriers
is available in the run-up to the bridge - the laser light barriers are switched on
the bridge installed itself. In this case it would be without a certain lead time
Camera recording not possible, possible damaging parties and their vehicles
to be identified through mere event recordings (the technically necessary
Otherwise, the “lead time” for activating the camera system cannot be guaranteed
become). It is therefore a permanent operation of the installed video cameras
required.
However, the continuously recorded image data are only temporary
backed up in a ring memory and regularly overwritten. The
specific storage duration depends on the maximum expected
Approach speed and the concretely visible approach line
from. The maximum storage period is 10 seconds. A
Any additional storage of captured image data takes place only with
Registration of a crash event, thus when a vehicle which
exceeds the total allowable height, one of the installed
Laser light barriers passed. In this case, the overwriting of image data
suspended in the ring buffer until a corresponding
Preservation of evidence has taken place (event storage).
[...]
The image data saved as part of the recording or storage of the event
will be sent from there immediately - but in any case within 96 hours
authorized persons of the responsible person analyzed and evaluated. These operations
are logged. The further use and storage period of the image data in the
Individual cases are then derived from the documentation purposes shown below
Consideration of the principles of data minimization (Art 5 Para 1 lit c GDPR) and
Storage limitation (Art 5 Para 1 lit e GDPR). [...]
The pursued legitimate interests (if Art 6 para 1 lit f GDPR as
Legal basis is used)
The legitimate interests pursued by the person responsible through the application
can be summarized as follows:
• Detection and analysis of crash incidents to ensure safety and security
To be able to guarantee the functionality of the protected infrastructure and
if necessary to take suitable remedial measures (e.g. necessary
Repair work on parts of the bridge or barrier affected by an impact
of tracks);
• Gathering information on the ongoing fulfillment of maintenance
and traffic safety obligations of those responsible with regard to their
Railway bridges, in particular due to the better detection and
Assessment of dangerous situations and their proactive elimination or
Defusing;
• Investigation of crash incidents including the identification of the
Causer and appropriate evidence preservation, whereby in particular the
Initiation of any (administrative) criminal proceedings enables and effective
Enforcement of civil law claims of those responsible ensured
shall be.
That the video documentation of damage cases in public road traffic via
se corresponds to a legitimate interest of the person responsible is undisputed (cf.
VwGH Ro 2015/04/0011).
The processing is also necessary to safeguard this legitimate interest,
because there is no more lenient means of avoiding the handlebars of a crashing vehicle
to identify or the license plate number and thus a conclusion about the
To determine the authorization holder. The capture by video recording is about this
Purpose therefore required, whereby the person responsible (as described overleaf)
Extensive measures are taken to reduce the level of processing on a
to limit the necessary minimum.
Finally, the processing does not have any overriding interests
affected persons against. Because initially the processing is limited to
a sequence lasting a few seconds in which affected persons as
Participants in public road traffic can be captured visually.
In particular, no highly personal areas of life are recorded or sensitive
Data processed within the meaning of Art 9 GDPR. Processing therefore takes place in the
Compared to other image processing systems, the intervention intensity is relatively low. The
Image recording captures a publicly perceptible behavior of those affected
People.
Above all, however, within the scope of this balancing of interests according to recital 47
GDPR based on the reasonable expectations of the data subjects (cf.
DSB-D550.084 / 0002-DSB / 2018). In this sense is for the representational
Application assume that the road users concerned
can reasonably foresee that in the area of critical infrastructures such as
image recordings may also be made to railway bridges. So are
Video surveillance in Austria already at dangerous intersections, in tunnels,
on motorways and open roads as well as rest areas, train stations, airports, etc.
widespread.
[…] According to the DSB, dashcams can therefore be permitted in particular if
the following parameters are observed:
• The data processing takes place for the exclusive purpose of
Documentation of the course of the accident. The application in question is fulfilled
this criterion is flawless, since only those shown
Documentation purposes are pursued.
• The recording of the public space (= street) is based on the
required extent limited. The ones described overleaf
Data minimization measures taken by those responsible also ensure compliance
this criterion for sure.
• In the case of storage, data will only be unconditional
required amount of time stored (the specific storage period
depends on the maximum expected approach speed and the
concretely visible approach line. The maximum storage period is 10
seconds before the accident occurrence until a few seconds afterwards, cf.
Sketch1). Data is continuously overwritten as far as there is none
Accident happened. The combination envisaged by the person responsible
from ring memory and start trigger by laser light barriers also fulfilled
this requirement.
• If the permanent storage of image data (= stop of the
Overwriting in the ring buffer) by a deliberate act of the
Is dependent on the person responsible (e.g. push of a button), in case of doubt the
Inadmissibility of the processing must be assumed. On the other hand, the
only automatic storage of image data (= stop of the
Overwriting process) by predefined impulses, without possibility
manual storage. In the context of the present application
the overwrite process is only started by pressing the
Exposed to the laser light barrier or, in the case of the event recording, the
Video recording started in the first place.
• Ensuring integrity and confidentiality through the use of
Encryption techniques and access restrictions. Also this one
Requirement is the objective application of those responsible
fair (see point 5 below for the implemented measures).
Also taking into account those criteria that the DSB at least in the case of
Has considered image processing by dashcams to be decisive, is the permissibility of the
applicable application in accordance with Art 6 Paragraph 1 lit f GDPR must therefore be affirmed. There
It should also be taken into account that the use of dashcams is a
comparatively even has higher intervention intensity. Because in contrast to the
It just does not correspond to objective monitoring of critical infrastructure
the reasonable expectations of the data subjects that they will be able to do so using the Dashcam
be filmed by other road users (cf. in this sense DSB-
D550.084 / 0002-DSB / 2018). In addition, it is the representational
Processing activity around a stationary image recording, which is always the same
Area of a potential danger point in road traffic recorded and also in the
In contrast to a "movable" dashcam located in a vehicle, it is visible
can be marked.
[...]
SECTION 3: EVALUATION OF THE NEED AND
PROPORTIONALITY OF THE PROCESSING OPERATIONS IN RELATION TO
THE PURPOSE
[…] 3.2 Information on the measures taken or planned to comply with
GDPR, in particular those to ensure the necessity and
Proportionality
Purpose limitation principle (Art 5 Paragraph 1 lit b: Collection for specified, unambiguous and
legitimate purposes; Re-use?)
The data processing takes place exclusively for the designated
Documentation purposes. There is no data processing for other purposes
instead of. This is ensured through internal training courses and guidelines. Furthermore were
all employees of
Responsible by means of a separate declaration of compliance with the
Data secrecy according to § 6 DSG and the applicable internal regulations for
Committed to data protection and information security.
Principle of data minimization (Art 5 para 1 lit c: How is it ensured that only the
required data are processed?)
In order to minimize data, the camera is aligned with the
Road perspective such that only the vehicles on the lane of the
approaching traffic and also only the relevant areas of the approaching
Vehicles (driver and passenger seat and license plate number) are recorded.
The duration of the recorded sequence and camera angle is chosen so that at
average speed a crashing truck fills the picture and therefore
If possible, no other road users are recorded.
The orientation of the structure underside is carried out in such a way that through it
Camera recordings, no personal data are processed at all.
In particular, cycle or footpaths below the structure are not recorded.
In addition, recording areas that are not relevant for achieving the purpose are included
static blackening (digital masking) (e.g. the edge areas where
Pedestrians could be detected or the one moving away from the bridge
Two-way traffic). The blackening is fixed in the camera views
programmed so that the area covered by the mask is not recorded at all
is, ie no image pixels are processed in the relevant areas.
Through the use of laser light barriers, which, depending on the implementation, either the
The camera only starts up (event recording) or the continuous overwriting
suspends existing recordings in the ring memory (initial storage)
the period of inclusion becomes necessary to achieve the purpose
Reduced minimum size. Where the local conditions allow, this will always be the case
Event recording system implemented.
When an impact occurs, only those cameras are put into operation that are on
that lane on which the impacting vehicle is located are directed.
Principle of storage limitation (Art 5 Para 1 lit e: storage period only as long
than necessary for the purpose)
As part of the event recording system, data will only be used in the event of a
Impact event recorded and saved.
As part of the event storage system, the
Image data are temporarily saved in a ring buffer and already after expiry
overwritten by a few seconds and thus irreversibly deleted (the specific
Storage duration depends on the maximum expected approach speed
and the concretely visible approach line. The maximum storage period is
10 seconds provided). Any additional storage of recorded
Image data is only generated when a collision event is registered. The data storage following a collision event takes place as long as
how this is necessary for the stated processing purposes in individual cases (Art
5 para 1 lit e GDPR). There is no legitimate storage purpose - in particular
if there has not been a negative impact for those responsible - will
the data immediately, but in any case after 96 hours after the
Recording deleted. The same applies to irrelevant image sequences of a
stored recording (e.g. the recording of uninvolved road users).
Information on compliance with the requirements for data transfer to third countries (or
international organizations)
The image recordings are stored on a server in Germany. There is none
Transmission to third countries or international organizations.
[...]
3.3 Information on the measures taken or planned for
Consideration of the rights of the data subjects
Guarantee of transparency and information obligations (Art 12-14)
The recording activity is clearly visible in the area of the secured bridges
corresponding signs are marked. Where the local conditions this
allow, i.e. if the responsible person has a corresponding reason (not an external reason)
is present, the marking is clearly visible in the oncoming traffic
Attached to the apron of the bridge.
The information sign contains information on the height control, a pictogram for
Video surveillance, a reference to the person responsible and a link including QR
Code with reference to further information in the data protection declaration of
Responsible person. The marking essentially corresponds to sketch 2.
A detailed description is given in the data protection declaration of the person responsible
started processing activities in accordance with Art 13 GDPR. The
The data protection declaration can be accessed at any time on the website of the controller
can be requested at the company headquarters.
[...]
SECTION 4: IDENTIFICATION AND ASSESSMENT OF THE RISKS FOR THE
RIGHTS AND FREEDOMS OF AFFECTED PERSONS
[...]
[...]
SECTION 5: IDENTIFICATION OF CORRECTIVE MEASURES 5.1 Control 1: Technical and organizational measures
[...]
Appropriate labeling of the application
The recording activity is clearly visible in the area of the secured bridges
corresponding signs are marked. Where the local conditions this
allow, i.e. if the responsible person has a corresponding reason (not an external reason)
is present, the marking is clearly visible in the oncoming traffic
Attached to the apron of the bridge.
Depending on the local conditions, this cannot be done in every case
ensure that the information is communicated through these markings
takes place in such a way that the persons potentially affected by the application can still use the
Choose another route to avoid. But as a rule they still can
stop in front of the bridge.
However, this is not a mandatory legal requirement (cf.
DSB-D550.084 / 0002-DSB / 2018, according to which the possibility of evading "if possible"
should exist). For example, dashcams are also qualified as not per se inadmissible,
although with these the possibilities of information sharing are even stronger resp.
are restricted at least in a comparable way (see VwGH Ro 2015/04/0011
or newsletter 1/2020 of the DSB).
In addition, a detailed statement is made in the data protection declaration of the person responsible
Description of the processing activity in accordance with Art 13 GDPR added. The
The data protection declaration can be accessed at any time on the website of the person responsible.
This control reduces the risk described, but cannot completely
remove. There remains a residual risk.
[...]
SECTION 6: DOCUMENTATION OF THE SOLUTION AND THE RESIDUAL RISK
[...]
"
The sketch in Appendix 4 (SKETCH 2) is as follows (formatting not 1: 1
accepted):
[Editor's note: the one reproduced here as a graphic file (screenshot)
Figure cannot be pseudonymized with justifiable effort.] Evidence assessment: The determinations made result from the
procedural application, its attachment and supplementary statement.
C. From a legal point of view, it follows:
C.1. General
According to Art. 36 Para. 1 GDPR, the person responsible consults the
Supervisory authority, if from a data protection impact assessment according to Art. 35 leg. Cit.
it is clear that the processing would result in a high risk, provided that the controller
does not take any measures to contain the risk.
A final definition of the "high risk" cannot be found in the GDPR.
However, it follows from Recital 89 that processing operations that involve “high risks”
bring themselves, especially those that use new technologies
or that are new and for which the person responsible has not yet
Has carried out an impact assessment (König in Gantschacher † / Jelinek / Schmidl / Spanberger,
Comment on GDPR [2017], Art. 36 Note 1).
Both internal and external, potential and actual sources of risk come as sources of risk
Risks in question. When identifying all potential risks is no less than one type
"Foray through the requirements of data protection law" required (Trieb in Knyrim,
DatKomm Art 35 GDPR, margin no.113). In the course of the
In addition to purely “technical” risks, risk analysis includes all those risks
To pick up data processing, which may have negative effects on a
affected person and they are thus provided for in their by the GDPR
Impair the protection area. This also includes the lawfulness of the processing
within the meaning of Art. 6 GDPR as well as compliance with all principles according to Art. 5 GDPR.
To contain the risk, the GDPR names three different types of
Remedial measures, namely guarantees, safeguards, and procedures by which
the protection of personal data is ensured and proof of this is provided,
that the GDPR is complied with. Thus, technical, organizational such as
legal, in particular contractual measures intended to remedy the situation (instinct in
Knyrim, DatKomm Art 35 GDPR, margin no.116).
C.2. In the matter
1. The person in charge states that there is a high risk in relation to the issuance of the
reliable information to the data subjects about the data processing
is given to the effect that the data subjects affected by the data processing in the form
recorded by video surveillance in their private or professional life,
without being informed of the fact of the processing and / or the identity of the person responsible. Specifically, the person responsible defines the risk as part of their data protection
Impact assessment as a “risk [o] for the effectiveness of the fulfillment of the information obligations
by marking ". It is here - with regard to the previously recorded
Considerations - about a "risk" within the meaning of Art. 35 GDPR.
Since only those processing - which even after provision of the data protection
Impact assessment defined remedial measures remain high risks for natural
Rescue people - are to be subjected to the consultation mechanism (instinct in
Knyrim, Art 35, Rz 28 ff; Trieb in Knyrim, Art. 36 Rz 1), is to be checked in a next step,
whether the person responsible takes appropriate measures to contain the identified risk
has met.
2. As stated, the person responsible foresees a "marking of the application". The
The monitored area should be clearly visible in the vicinity of the secured bridges
appropriate signs (SKETCH 2) are marked. The information sign
contains a pictogram representing a video camera, a QR code,
which on the website - also listed on the sign - on which the
Data protection declaration of the person responsible is to be accessed, refers. If more appropriate
Reason the responsible person is present, the marking should be for the approaching
Traffic must be clearly visible in the apron of the bridge.
For image processing, see the guidelines 3/2019 of the European
Data protection committee for the processing of personal data by video devices
a two-stage model with regard to the information to be provided.
Accordingly, the information on the first level should be provided by a meaningful sign.
This information should be appropriate so that the data subject understands the circumstances of the
Surveillance can easily detect before it enters the monitored area (e.g. in
Eye level). The position of the camera itself does not have to be disclosed as long as no
There are doubts as to which areas are covered and the circumstances of the surveillance
clearly described. The person concerned must be able to assess
which area is covered by a camera so that they evade surveillance or
can adjust their behavior if necessary (see margin no. 113).
The information on the first level (sign) should usually be the most important
Contain information, e.g. B. Information on the purposes of processing, the identity of the
Responsible persons and the existence of the rights of the data subject as well as others
Information of great importance. For example, the legitimate interests
of the person responsible (or a third party) and (if applicable) the contact details of the
Data protection officers belong. They must also refer to the more detailed second level of information and point out where and how it can be found (ibid.
114).
Second level information also needs to be made easy for the data subject
be made available in an accessible location, e.g. B. as a complete information sheet
a central point (e.g. information desk, reception or cash register) or on an easy
accessible poster. As mentioned earlier, the first level warning must be clear
refer to the information on the second level. In addition, it is best when
the information of the first level on a digital source (e.g. QR code or
Internet address) of the second level. However, the information also needs to be on
not be readily available digitally. It should be possible to access the information of the
to access the second level without entering the monitored area, in particular
if the information is provided digitally (for example via a link). A
another suitable means could be a telephone number that can be called. The
However, information must contain all information that is mandatory according to Art. 13 GDPR
are (ibid. Rz 117).
3. The marking provided by the person responsible is both different from the one planned
local positioning as well as the content is a suitable measure to
to minimize identified risk. It corresponds to the model mentioned in the above
Guidelines is recommended. The argument of those responsible that it is not in every case -
due to local conditions - the selected measure is possible in the same way
implement and minimize the identified risk in the same way and therefore a high one
Residual risk remains, it must be countered that not only the - in the by the
Responsible in the course of the data protection impact assessment specifically the identified
Risk assigned - measure that also has to sufficiently minimize the specific risk.
Rather, the determination of a possibly remaining high residual risk has under
Consideration of all intended for the desired processing
Containment measures to be taken. When assessing the remaining residual risk
are therefore all planned measures to ensure GDPR-compliant
Include processing.
This can be justified by a reference to the wording of Art. 35 GDPR, which
refers to “the rights and freedoms of the data subject” in relation to risk.
Accordingly, there is also one for assessing the remaining risk
Overall view of all measures and precautions taken - in the sense of a
comprehensive weighing of interests within the meaning of Art. 5 in conjunction with Art. 6 GDPR - to
4. Based on the data controller in the data protection impact assessment
The assessment made is the admissibility of the data processing in question
and the data protection authority has weighed the interests of those responsible
nothing to oppose.
The “high residual risk” raised by the person responsible is in any case caused by the
planned recording, evaluation and deletion modalities so greatly reduced that in
Result no high residual risk for those affected can be recognized.
Contrary to the view of those responsible, it has therefore overall under review
of the measures set out in accordance with Article 35 (7) (d) GDPR, the existing risk
adequately contained.
The requirements for prior consultation in accordance with Art. 36 GDPR are therefore
not given due to the lack of high risk and the decision had to be made according to the ruling.
