AEPD (Spain) - EXP202205820: Difference between revisions
m (→Holding) |
mNo edit summary |
||
Line 66: | Line 66: | ||
=== Facts === | === Facts === | ||
The | The data subject worked in a commercial establishment and was aware that the place was monitored by security cameras. On a given day, the data subject received a call from the controller, their boss and owner of the establishment, complaining that background music had been replaced by the news. | ||
The | The data subject lodged a complaint with the Spanish DPA claiming that they were not aware that their conversations were being monitored. The DPA started an investigation and notified the controller. | ||
In response, the controller presented a contract signed with the security service company in charge of the installation, maintenance and management of the alarm system. In the contract, the parties agreed that a microphone would be installed to listen to the audio on site, but without recording. For this reason, the controller argued that there was no privacy violation. | |||
=== Holding === | === Holding === | ||
The DPA | The DPA started its analysis by stating that both athe image and the voice of a person constitute personal data under the terms defined by the GDPR, which is therefore applicable to the case. Then, it emphasized that the mere capture of the voice constitutes processing of personal data, regardless of whether or not there is a recording. | ||
The DPA recalled that [https://www.boe.es/boe/dias/2018/12/06/pdfs/BOE-A-2018-16673.pdf Article 22 of the LOPDGDD] authorizes the installation of video cameras to guarantee the security of people and goods provided that: a) the data will be suppressed within a maximum period of one month from its collection; and b) a visible notice is placed in the monitored area. It also pointed out that [https://www.boe.es/boe/dias/2018/12/06/pdfs/BOE-A-2018-16673.pdf Article 89] of the same law imposes compliance with the principle of proportionality and establishes some conditions for the cameras to be installed in the workplace. Among these conditions, the DPA highlighted the prohibition against the installation of cameras in dressing rooms, toilets, eating rooms or similar places. Moreover, it expressly states that sound recording in the workplace is only permitted when the activities carried out therein generate relevant risks to the security of the facilities, goods and people. | |||
In the specific case, the DPA found that the voice recording in the controller's commercial establishment represented a serious interference in the privacy of its employee and customers. Furthermore, ii held that the processing was not compliant light of the national case law, the DPA manifested that by collecting audio, the controller is not considering the limits above mentioned and it is considered not proportionate in relation to the intended security purposes for both the employees and the customers. The DPA mentioned that recording data subjects’ voices implies a higher interference in the individual's privacy, which was taken into account for the sanction. | |||
Finally, the DPA challenged the controller’s claims by stating that the mere collection of audio is a processing activity even when there is no actual recording or storage of the data in the system. Thus, the DPA concluded that the controller processed personal data without legal basis violating [[Article 6 GDPR|Articles 6]] and [[Article 83 GDPR|83(2)]] of the GDPR and imposed a € 5.000 fine on the controller. | Finally, the DPA challenged the controller’s claims by stating that the mere collection of audio is a processing activity even when there is no actual recording or storage of the data in the system. Thus, the DPA concluded that the controller processed personal data without legal basis violating [[Article 6 GDPR|Articles 6]] and [[Article 83 GDPR|83(2)]] of the GDPR and imposed a € 5.000 fine on the controller. |
Revision as of 12:00, 9 May 2023
AEPD - ps-00389-2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6 GDPR Article 83(2) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | |
Fine: | 5,000 EUR |
Parties: | n/a |
National Case Number/Name: | ps-00389-2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Michelle Ayora |
An employer installed a surveillance camera with sound capture for security reasons which was also used for monitoring purposes. Employees were not informed about it and the DPA considered it disproportionate to the purpose and imposed a € 5.000 fine for violation of Article 6 GDPR.
English Summary
Facts
The data subject worked in a commercial establishment and was aware that the place was monitored by security cameras. On a given day, the data subject received a call from the controller, their boss and owner of the establishment, complaining that background music had been replaced by the news.
The data subject lodged a complaint with the Spanish DPA claiming that they were not aware that their conversations were being monitored. The DPA started an investigation and notified the controller.
In response, the controller presented a contract signed with the security service company in charge of the installation, maintenance and management of the alarm system. In the contract, the parties agreed that a microphone would be installed to listen to the audio on site, but without recording. For this reason, the controller argued that there was no privacy violation.
Holding
The DPA started its analysis by stating that both athe image and the voice of a person constitute personal data under the terms defined by the GDPR, which is therefore applicable to the case. Then, it emphasized that the mere capture of the voice constitutes processing of personal data, regardless of whether or not there is a recording.
The DPA recalled that Article 22 of the LOPDGDD authorizes the installation of video cameras to guarantee the security of people and goods provided that: a) the data will be suppressed within a maximum period of one month from its collection; and b) a visible notice is placed in the monitored area. It also pointed out that Article 89 of the same law imposes compliance with the principle of proportionality and establishes some conditions for the cameras to be installed in the workplace. Among these conditions, the DPA highlighted the prohibition against the installation of cameras in dressing rooms, toilets, eating rooms or similar places. Moreover, it expressly states that sound recording in the workplace is only permitted when the activities carried out therein generate relevant risks to the security of the facilities, goods and people.
In the specific case, the DPA found that the voice recording in the controller's commercial establishment represented a serious interference in the privacy of its employee and customers. Furthermore, ii held that the processing was not compliant light of the national case law, the DPA manifested that by collecting audio, the controller is not considering the limits above mentioned and it is considered not proportionate in relation to the intended security purposes for both the employees and the customers. The DPA mentioned that recording data subjects’ voices implies a higher interference in the individual's privacy, which was taken into account for the sanction.
Finally, the DPA challenged the controller’s claims by stating that the mere collection of audio is a processing activity even when there is no actual recording or storage of the data in the system. Thus, the DPA concluded that the controller processed personal data without legal basis violating Articles 6 and 83(2) of the GDPR and imposed a € 5.000 fine on the controller.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/20 File no.: EXP202205820 RESOLUTION OF APPEAL FOR REPLACEMENT Examined the reversal appeal filed by A.A.A. (hereinafter, the part appellant) against the resolution issued by the Director of the Spanish Agency for Data Protection dated March 9, 2023, and based on the following FACTS FIRST: On 03/09/2023, a resolution was issued by the Director of the Agency Spanish Data Protection in file EXP202205820, by virtue of the which was imposed on A.A.A. a penalty of 5,000 euros (five thousand euros), for the violation of the provisions of article 6 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and the free circulation of these data and repealing Directive 95/46/EC (hereinafter GDPR); infringement typified in article 83.5.a) of the same Regulation and qualified as very serious for the purposes of prescription in article 72.1.b) of the Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of the digital rights (hereinafter LOPDPGDD). In the same resolution it was agreed to require A.A.A. so that, within a month, adapt its action to the personal data protection regulations, with the scope expressed in the Foundation of Law VIII of the resolution, and justify before this Spanish Agency for Data Protection the attention of this requirement. Said resolution, which was notified to the appellant on 03/13/2023, was dictated prior to the processing of the corresponding disciplinary procedure, according to in accordance with the provisions of the LOPDGDD, and additionally in Law 39/2015, of October 1, of the Common Administrative Procedure of the Administrations Public (hereinafter, LPACAP), in terms of processing procedures sanctioners. SECOND: As proven facts of the aforementioned sanctioning procedure, PS/00389/2022, the following was recorded: <<1. The claimed party carries out its economic activity as an entrepreneur individual, under the trademark "Grupo ***GRUPO.1", with professional domicile at "***ADDRESS 1". 2. The business premises located at "***ADDRESS.1" have a system of video surveillance, for which the claimed party is responsible. 3. The claimant has stated that he provides services as an employee of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/20 claimed party in the place located at the postal address indicated in the Facts Tested First and Second. 4. The complaining party stated that the video surveillance system described in the Fact Tested Second has sound pickup, in addition to voice pickup image. In this regard, the complainant contributed to the proceedings with screenshots of a mobile device in which you can see WhatsApp messages that were sent to you sent by the claimed party (“Group ***GROUP.1”). In these messages indicates: . “Group ***GROUP.1”: “What do you have in the background? Why is there no music? . You: "And this?" . “Group ***GROUP.1”: “Because I entered the camera and the news was being heard”>>. THIRD: On 04/12/2023, within the established period, a appeal for replacement by A.A.A. (hereinafter, the claimed party or the party appellant) against the resolution outlined in the First Antecedent, dated 03/09/2023, in which it literally reproduces the allegations made to the draft resolution prepared in the contested procedure and requests that remember your file. The appellant party provides a copy of the security service contract signed in date 11/12/2019 with the company to which the installation, maintenance and operation of the alarm center, noting that from the analysis of said contract It can be seen that the video surveillance system in question only has contracted, in relation to listening to audio, alarms or alert systems that incorporate microphones that allow listening to audio, but not recording or recording said audios. By this, he understands that he would not be committing the infringement charged. On the other hand, in the same writ of appeal the suspension of the resolution, in accordance with the provisions of article 117 of the LPACAP. FUNDAMENTALS OF LAW Yo Competence The Director of the Spanish Agency is competent to resolve this appeal of Data Protection, in accordance with the provisions of article 123 of the Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations (hereinafter LPACAP) and article 48.1 of the Law Organic 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD). II Response to the allegations presented C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/20 In relation to the statements made by the appellant, which literally reproduce the brief of allegations to the motion for a resolution that was presented by the appellant during the processing of the procedure disciplinary action, it should be noted that they were already analyzed and dismissed in the Fundamentals of Law II to VIII of the Appealed Resolution, dated 03/09/2023, in which is considered to have breached the provisions of article 6 of the GDPR and the evaluation of the tests that have allowed to determine said breach and the scope granted to it, as well as the circumstances taken into account for the graduation of the sanction imposed. In said Fundamentals of law states the following: <<II formal issues In advance, it is deemed appropriate to analyze the formal issues raised by the party claimed in their pleadings, both at the opening of the procedure and in relation to the motion for a resolution. It considers that the procedure is null and void since it was not notified evidence of the claim in which it originates, of which he was aware with the notification of the initiation agreement, violating what is established in the LPACAP, in relation to the essential procedures that must be substantiated in a procedure for prevent the interested party from suffering defenselessness; and the requirement to notify the act as necessary requirement for its effectiveness. The claimed party refers, specifically, to the procedure for transferring the claim which is outlined in the Second Antecedent, which was not addressed to "A.A.A.", but to "Group ***GROUP.1", which lacks legal capacity and cannot be interested in The procedure. In this regard, this Agency understands that the claimed party has been respected all the guarantees of the interested party that the procedural regulations provide and it cannot be said that the incidence indicated in relation to the process of transferring the claim supposes no reduction of said guarantees causing defenselessness. The indicated notification of transfer of the claim to the person in charge to whom refers to the party claimed in its allegations has to do with the process of admission to processing of the claims received, prior to the agreement of admission of such claims. In accordance with the provisions of article 55 of the GDPR, the Spanish Agency of Data Protection is competent to perform the functions assigned to it. assigned in its article 57, among them, that of enforcing the Regulation and promoting the sensitization of controllers and processors about the obligations incumbent upon them, as well as dealing with claims filed by a interested and investigate the reason for them. Correlatively, article 31 of the GDPR establishes the obligation of those responsible and those in charge of the treatment to cooperate with the control authority that requests it in C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/20 the performance of their duties. In the event that they have designated a data protection delegate, article 39 of the GDPR attributes to him the function of cooperate with said authority. In the same way, the internal legal system, in article 65.4 of the LOPDGDD, has provided for a mechanism prior to the admission for processing of the claims that are formulated before the Spanish Agency for Data Protection, which consists of giving transfer of the same to the data protection delegates designated by the responsible or in charge of the treatment, for the purposes provided in article 37 of the aforementioned norm, or to them when they have not designated them, so that they proceed to the analysis of said claims and to respond to them within a month. In this Article 65.4 of the LOPDGDD, which regulates the "Admission for processing of claims”, establishes the following: "4. Before deciding whether to admit the claim for processing, the Agency Española de Protección de Datos may send it to the data protection delegate data that would have, where appropriate, designated the person in charge or in charge of the treatment or to the supervisory body established for the application of the codes of conduct for the purposes set forth in articles 37 and 38.2 of this organic law. The Spanish Agency for Data Protection may also send the claim to the person in charge or in charge of the treatment when a data protection officer or adhered to resolution mechanisms extrajudicial conflict, in which case the person responsible or in charge must give response to the claim within a month. According to this regulation, prior to the admission for processing of the claim that gives rise to this procedure, it was transferred to the person in charge (the claimed party) to proceed with its analysis, respond to this Agency in within one month and certify having provided the complaining party with the response due. The result of said transfer was not satisfactory, therefore, for the purposes foreseen in its article 64.2 of the LOPDGDD, it was agreed to admit the claim for processing presented by means of an agreement that was duly notified to the complaining party, and not to the claimed party, in accordance with the provisions of article 65.5 of the LOPDGDD. This procedure prior to the admission of the claim, according to article 65.4 of the LOPDGDD previously transcribed, it is an optional procedure, so that formalized only if this Agency deems it so, without any legal consequence of the fact that this procedure is not carried out or in case of that, once attempted, could not have been carried out effectively; nor does it prevent that the claim can be admitted for processing and given the appropriate course. Neither these circumstances have no bearing on the validity of the possible procedure disciplinary action that could be initiated later. In this case, in addition, the notification of the transfer process, as detailed in the antecedents of this act, it occurred in a valid and reliable manner at the address in which the claimed party carries out its activity, the same indicated by said C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/20 party as address for notification purposes. The letter in question was delivered at that address by the Postal Service on 05/31/2022. It is true, as has been pointed out, that the notification was addressed to "Grupo GRUPO.1" and no to “A.A.A.” However, in the proceedings it has been proven that the party claimed operates under the trademark “Grupo ***GRUPO.1”. own part claimed is presented in their public profiles accessible on the websites "***URL.1" e “***URL.2” as “(…)” since September 2016. Also, in his pleadings brief at the opening of the proceeding, he points out the party claimed as contact information, in addition to the postal address to which the transfer process, the email address "***EMAIL.1". Both addresses, postal and electronic, also appear as contact information on the site website “***URL.3”. Despite this, the period of one month granted to the claimed party to inform on the issues raised by the claim and addressing it took place without that this Agency received any response. The defendant, in its allegations to the proposed resolution, reproduces its previous allegations on the nullity of actions for the sending of the notification of the transfer of the claim to "Group ***GROUP.1", without considering the arguments above, about which it does not mention. II The image and voice are personal data The physical image and voice of a person, according to article 4.1 of the GDPR, are a Personal data and its protection, therefore, is the subject of said Regulation. In the article 4.2 of the GDPR defines the concept of "processing" of personal data. The images and voice captured by a system of cameras or video cameras are data of a personal nature, so its treatment is subject to the regulations of Data Protection. It is, therefore, pertinent to analyze whether the processing of personal data (image and voice of the complaining party, who serves as an employee in the company of the party claimed, and of the natural persons who come as clients to the establishment of said company, open to the public) carried out through the system of denounced video surveillance is in accordance with the provisions of the GDPR. IV. Infringement The complaining party bases its claim on two grounds. First of all, questions that the complained party can access the computer he uses at work, using an application that allows remote access to the device. Without However, it is a company computer accessed by the party claimed in his status as head of the organization. Furthermore, the complaining party It only refers to access to a shared folder in which they are hosted C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/20 company jobs. Thus, from what was provided and stated by the claimant no indications of infringement are deduced. The second reason for the claim has to do with the audio capture by the video surveillance system installed in the workplace of the complaining party and the legality of the processing of personal data that it entails. Article 6.1 of the GDPR establishes the assumptions that allow the use of processing of personal data: "1. Processing will only be lawful if at least one of the following is fulfilled conditions: a) the interested party gave his consent for the processing of his personal data for one or more specific purposes; b) the treatment is necessary for the execution of a contract in which the interested party is part of or for the application at the request of the latter of pre-contractual measures; c) the processing is necessary for compliance with a legal obligation applicable to the responsible for the treatment; d) the processing is necessary to protect vital interests of the data subject or of another Physical person; e) the treatment is necessary for the fulfillment of a mission carried out in the interest public or in the exercise of public powers conferred on the data controller; f) the treatment is necessary for the satisfaction of legitimate interests pursued by the person in charge of the treatment or by a third party, provided that on said interests do not outweigh the interests or fundamental rights and freedoms of the interested party that require the protection of personal data, in particular when the interested is a child. The provisions of letter f) of the first paragraph shall not apply to the treatment carried out by public authorities in the exercise of their functions. The permanent implantation of a system of video cameras for reasons of security has a legitimate basis in the LOPDGDD, the explanatory statement of which indicates: “Together with these assumptions, others are included, such as video surveillance… in which the legality of the treatment comes from the existence of a public interest, in the terms established in article 6.1.e) of Regulation (EU) 2016/679”. Regarding treatment for video surveillance purposes, article 22 of the LOPDGDD establishes that natural or legal persons, public or private, may carry out carry out the treatment of images through systems of cameras or video cameras in order to preserve the safety of people and property, as well as their facilities. On the legitimacy for the implementation of video surveillance systems in the field labor, this same article 22, in its section 8, provides that "The treatment by the Employer data obtained through camera or video camera systems will be submits to the provisions of article 89 of this organic law”. Royal Legislative Decree 1/1995, of 03/24, is taken into account, which approves the text C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/20 Consolidated Law of the Workers' Statute (LET), whose article 20.3 states: "3. The employer may adopt the measures he deems most appropriate for surveillance and control to verify compliance by the worker with his obligations and duties labor, keeping in its adoption and application the consideration due to its dignity and taking into account, where appropriate, the real capacity of workers with disability". The permitted surveillance and control measures include the installation of security cameras, although these systems should always respond at first of proportionality, that is, the use of video cameras must be proportional to the purpose pursued, this is to guarantee the security and the fulfillment of the obligations and job duties. Article 89 of the LOPDPGDD, referring specifically to the "right to privacy against the use of video surveillance and sound recording devices in the place work" and the processing of personal data obtained with camera systems or video cameras for the exercise of control functions of the workers, allows that employers can process the images obtained through security systems cameras or camcorders for the exercise of the functions of control of the workers or public employees provided for, respectively, in article 20.3 of the Workers' Statute and in the civil service legislation, provided that These functions are exercised within its legal framework and with the limits inherent to the same. In relation to sound recording, the aforementioned article 89 of the LOPDGDD sets the following: "2. In no case will the installation of sound recording systems or of video surveillance in places destined to the rest or recreation of the workers or public employees, such as changing rooms, toilets, dining rooms and analogues. 3. The use of systems similar to those referred to in the previous sections to the recording of sounds in the workplace will be allowed only when they are relevant risks to the safety of facilities, goods and people derived from the activity carried out in the workplace and always respecting the principle of proportionality, the principle of minimum intervention and guarantees provided in the previous sections. The suppression of sounds preserved by These recording systems will be carried out in accordance with the provisions of section 3 of article 22 of this law”. On the other hand, it is interesting to note that, according to the doctrine of the Constitutional Court, the recording conversations between workers or between them and customers is not justified for the verification of compliance by the worker with his obligations or duties. In a Judgment dated 04/10/2000 (2000/98), issued in rec. num. 4015/1996, it declares the following: In this sense, it must be taken into account that the managerial power of the employer, essential for the smooth running of the productive organization and recognized expressly in art. 20 LET, attributes to the employer, among other faculties, that of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/20 adopt the surveillance and control measures it deems most appropriate to verify the compliance of the worker with his labor obligations (art. 20.3 LET). more that faculty must occur in any case, as is logical, with due respect for the dignity of the worker, as expressly reminds us of the labor regulations (arts. 4.2.e and 20.3 LET)… ... it should be remembered that the jurisprudence of this Court has repeatedly insisted in the full effectiveness of the fundamental rights of the worker within the framework of the employment relationship, since this cannot imply in any way the deprivation of such rights for those who serve in productive organizations... In Consequently, and as this Court has also affirmed, the exercise of such rights only admits limitations or sacrifices to the extent that they are develops within an organization that reflects other recognized rights constitutionally in the arts. 38 and 33 CE and which imposes, according to the assumptions, the necessary adaptability for the exercise of all of them... Therefore, the premise from which the Judgment under appeal is based must be rejected, consisting of affirming that the workplace is not by definition a space in which the right to privacy is exercised by workers, in such a way that so that the conversations that workers have with each other and with Clients in the performance of their work activity are not covered by art. 18.1 CE and there is no reason why the company cannot know the content of those, since the aforementioned right is exercised in the sphere of the private sphere of the worker, that in the workplace it must be understood limited to places of rest or recreation, changing rooms, toilets or the like, but not to those places in which the work activity takes place... …Such a statement is rejectable, since it cannot be ruled out that also in those places of the company where the work activity is carried out may illegitimate interference by the employer in the right to privacy of the workers, such as the recording of conversations between a worker and a client, or between the workers themselves, in which they are addressed issues unrelated to the employment relationship that are integrated into what we have called own sphere of development of the individual (SSTC 231/1988, of December 2, FJ 4 and 197/1991, of October 17, FJ 3, for all). In short, it will be necessary to attend only to the place of the work center where the systems are installed by the company control audiovisuals, but also to other elements of judgment (if the installation is does or not indiscriminately and massively, if the systems are visible or have been surreptitiously installed, the real purpose pursued with the installation of such systems, if there are security reasons, by the type of activity that takes place in the workplace in question, which justifies the implementation of such means of control, etc.) to elucidate in each specific case if these means of surveillance and control respect the right to privacy of workers. Certainly the installation of such means in places of rest or recreation, changing rooms, toilets, dining rooms and the like is, a fortiori, harmful in any case to the right to privacy of workers, without further consideration, for obvious reasons... But this does not mean that this injury cannot occur in those places where it is performed the work activity, if any of the exposed circumstances that allow classify business action as an illegitimate intrusion into the right to privacy from the workers. It will be necessary, then, to attend to the concurrent circumstances in the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/20 Specific assumption to determine whether or not there is a violation of art. 18.1 EC. …its limitation [of the fundamental rights of the worker] by the entrepreneurial powers can only derive well from the fact that the company itself nature of the contracted work implies the restriction of the right (SSTC 99/1994, FJ 7, and 106/1996, FJ 4), either of a proven need or business interest, without that its mere invocation is sufficient to sacrifice the fundamental right of the worker (SSTC 99/1994, FJ 7, 6/1995, FJ 3 and 136/1996, FJ 7)... These limitations or modulations must be the indispensable and strictly necessary to satisfy a business interest deserving of guardianship and protection, of so that if there are other less aggressive possibilities of satisfying said interest and affecting the right in question, it will be necessary to use the latter and not those others more aggressive and affecting. It is, ultimately, the application of the principle of proportionality… The question to be resolved is, therefore, whether the installation of microphones that allow recording the conversations of workers and clients in certain areas... it adjusts in the assumption that concerns us to the essential requirements of respect for the right to The intimacy. In this regard, we must begin by pointing out that it is indisputable that the installation of sound capture and recording devices in two specific areas… It is not without utility for the business organization, especially if one takes into account note that these are two areas where economic transactions take place of some importance. However, the mere utility or convenience for the company does not simply legitimizes the installation of listening and recording devices, taking into account that the company already had other security systems than the security system hearing is intended to complement… In short, the implementation of the listening and recording system has not been in this case in accordance with the principles of proportionality and minimum intervention that govern the modulation of fundamental rights by the requirements of the interest of the business organization, since the purpose pursued (to give a plus security, especially in the event of customer complaints) is disproportionate to the sacrifice that implies the right to privacy of the workers (and even customers...). This system allows for feedback private, both from clients and workers..., comments from others by completely to the corporate interest and therefore irrelevant from the perspective of control of labor obligations, and may, however, have negative consequences for the workers who, in any case, are going to feel constrained to carry out any type of personal comment before the conviction that they are going to be heard and recorded by the company. It is, in short, an intrusion illegitimate in the right to privacy enshrined in art. 18.1 CE, since there is no definitive argument that authorizes the company to listen and record the private conversations that workers… have with each other or with employees customers". In any case, employers must inform in advance, and in a express, clear and concise, to workers or public employees and, where appropriate, to their representatives, about this measure (article 89.1 of the LOPDGDD). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/20 V Video surveillance obligations In accordance with the foregoing, the processing of images through a system video surveillance, to comply with current regulations, must comply with the following requirements: 1.- Individuals or legal entities, public or private, can establish a system video surveillance in order to preserve the safety of people and property, as well as its facilities. It must be assessed whether the intended purpose can be achieved in another less intrusive to the rights and freedoms of citizens. Personal data only should be processed if the purpose of the processing cannot reasonably be achieved by other means, recital 39 of the GDPR. 2.- The images obtained cannot be used for a subsequent purpose incompatible with the one that motivated the installation of the video surveillance system. 3.- The duty to inform those affected provided for in articles 12 and 13 of the GDPR, and 22 of the LOPDGDD. In this sense, article 22 of the LOPDGDD provides in relation to video surveillance a “layered information” system. The first layer must refer, at least, to the existence of the treatment (video surveillance), the identity of the person responsible, the possibility of exercising the rights provided for in articles 15 to 22 of the GDPR and where to obtain more information about the processing of personal data. This information will be contained in a device placed in a sufficiently visible and must be provided in advance. Second layer information should be easily available in one place accessible to the affected person, whether it is an information sheet at a reception, cashier, etc…, placed in a visible public space or in a web address, and must refer to the other elements of article 13 of the GDPR. 4.- Images of the public thoroughfare cannot be captured, since the treatment of images in public places, unless there is government authorization, only It can be carried out by the Security Forces and Bodies. On some occasions, for the protection of private spaces, where cameras installed on facades or inside, may be necessary to ensure the security purpose the recording of a portion of the public thoroughfare. That is, cameras and camcorders installed for security purposes may not be obtain images of public roads unless it is essential for said purpose, or it is impossible to avoid it due to their location. And in such a case extraordinary, the cameras will only be able to capture the minimum portion necessary to C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/20 preserve the safety of people and property, as well as its facilities. Installed cameras cannot get images from third-party proprietary space and/or public space without duly accredited justified cause, nor can they affect the privacy of passers-by who move freely through the area. It is not allowed, therefore, the placement of cameras towards the private property of neighbors with the purpose of intimidating them or affecting their private sphere without cause justified. In no case will the use of surveillance practices beyond the environment be admitted. object of the installation and in particular, not being able to affect public spaces surroundings, adjoining buildings and vehicles other than those that access the space guarded. Images cannot be captured or recorded in spaces owned by third parties without the consent of their owners, or, where appropriate, of the people who are in them find. It is disproportionate to capture images in private spaces, such as changing rooms, lockers or rest areas for workers. 5.- The images may be kept for a maximum period of one month, except in those cases in which they must be kept to prove the commission of acts that threaten the integrity of people, property or facilities. In this second case, they must be made available to the authority competent authority within a maximum period of 72 hours from the knowledge of the recording existence. 6.- The controller must keep a record of processing activities carried out under his responsibility in which the information to which he makes reference article 30.1 of the GDPR. 7.- The person in charge must carry out a risk analysis or, where appropriate, an evaluation of impact on data protection, to detect those derived from the implementation of the video surveillance system, assess them and, where appropriate, adopt security measures. appropriate security. 8.- When a security breach occurs that affects the processing of cameras for security purposes, whenever there is a risk to the rights and freedoms of natural persons, you must notify the AEPD within a maximum period of 72 hours. A security breach is understood to be the destruction, loss or accidental alteration or unlawful transfer of personal data, stored or otherwise processed, or the communication or unauthorized access to said data. 9.- When the system is connected to an alarm center, it can only be installed by a qualified private security company C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/20 contemplated in article 5 of Law 5/2014 on Private Security, of April 4. The Spanish Data Protection Agency offers through its website [https://www.aepd.es] access to: . the legislation on the protection of personal data, including the GDPR and the LOPDGDD (section "Reports and resolutions" / "regulations"), . the Guide on the use of video cameras for security and other purposes, . the Guide for compliance with the duty to inform (both available at the section "Guides and tools"). It is also of interest, in case of carrying out low-risk data processing, the free tool Facilita (in the "Guides and tools" section), which, through specific questions, allows to assess the situation of the person in charge with respect to the processing of personal data that it carries out, and where appropriate, generate various documents, informative and contractual clauses, as well as an annex with measures indicative security considered minimum. SAW Administrative offense. Classification and qualification of the infraction. The claim is based on the alleged illegality of the installed video surveillance system by the claimed party in the premises where it carries out its business activity, in relation to sound capture. The claimed party is the owner and responsible for the video surveillance system denounced and, therefore, the person responsible for the data processing involved in the use of said system. The data processing carried out includes the collection of personal data related to the voice of employees and third parties that can access the premises, which appears to be an establishment open to the public, in view of the image provided by the claimant. In relation to said system, the complaining party has stated that the system is was installed when he began to serve as an employee of the part claimed, in 2019, "supposedly as a security measure for the premises"; and? has never been informed about the capture of sound or its use for purposes of labor control, which constitutes, in the opinion of the complaining party, a use "for a purpose other than that which is stated to have been installed." Therefore, the legality of the video surveillance system installed by the party is questioned. claimed in the premises where it carries out its business activity, in relation to the sound capture, which has been duly accredited by the claimant with the contribution of a WhatsApp conversation in which the claimed party refers to his access to the video surveillance system and the sound captured by the same. The claimed party has not provided any justification in relation to the issues raised by the complaining party, despite the fact that it was expressly required with occasion of the process of transfer of the claim, which was not answered by that one. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/20 It has limited itself to denying having received that request for information, according to been exposed in the Fundamentals of Law II. It has indicated that if it had received that communication it would have provided the required information. However, he has had occasion, twice, to formulate allegations at the opening of this disciplinary proceeding, and also in response to the motion for a resolution, and has not provided information and/or any documentation relating to the system installed in the establishment in question. It is interesting to note in this regard that the defendant was asked to prove have informed the workers that the video surveillance system is used for the labor control and to provide a technical report on said system. In arranging for sound pickup, the defendant disregards the limits provided for in article 20.3 of the Workers' Statute Law (LET); it established in article 89.3 of the LOPDGDD, which admits the collection and recording of sounds only when the risks are relevant and respecting the principles proportionality and minimal intervention; nor the doctrine of the Constitutional Court, already expressed, according to which the "implementation of listening and recording systems" does not is legitimized, without further ado, by the "mere utility or convenience of the company", which the "gathering private comments, both from customers and workers" is outside the business interest and is not justified by the verification of compliance by the worker from his obligations or duties. Consequently, it is understood disproportionate the capture of the voice of both the workers and clients of the claimed party for the video surveillance function intended. It is taken into account that the capture of voice supposes a greater intrusion in privacy. The defendant, in its allegations to the proposed resolution, has stated that it is false that the video surveillance system collects and stores personal data related to the voice of employees and customers, and considers that the screenshot provided by the claimed party does not prove the facts, thus invoking the principles of presumption of innocence and “indubio pro reo”. However, this Agency considers that the capture of sounds by the indicated security system is accredited by the content of the message sent by the claimed party to the claiming party through Whatsapp, which is outlined in the Fourth Proven Fact. In this message, the claimed party declares to have entered “into the camera” and accessed the sound captured by it (“they heard news"). Moreover, in the same allegations it expressly acknowledges that the system "that has contracted" incorporates microphones "that allow listening to audios". By not recording or recording audios, the claimed party considers that he is not committing the infraction that is imputed, without considering that the mere capture of audios, even without to proceed with its recording and conservation, constitutes data processing personal information that requires a legitimate basis to be able to carry it out, in order to in accordance with the provisions of article 6 of the GDPR. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/20 Article 4 of the same GDPR defines "processing" in the following terms: "2) "processing": any operation or set of operations carried out on personal data or sets of personal data, either by procedures automated or not, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, diffusion or any other form of authorization of access, collation or interconnection, limitation, deletion or destruction”. Therefore, it is considered that the claimed party performs data processing without have a legitimate basis, violating the provisions of article 6 of the GDPR, which supposes the commission of an infraction typified in article 83.5 of the GDPR, which provides the following: Violations of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of maximum EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the highest amount: a) the basic principles for the treatment, including the conditions for the consent in accordance with articles 5, 6, 7 and 9;”. For the purposes of the limitation period for infringements, the infringement indicated in the previous paragraph is considered very serious in accordance with article 72.1.b) of the LOPDGDD, which states that: "Based on what is established in article 83.5 of Regulation (EU) 2016/679, are considered very serious and will prescribe after three years the infractions that a substantial violation of the articles mentioned therein and, in particular, the following: b) The processing of personal data without the fulfillment of any of the conditions of legality of the treatment established in article 6 of Regulation (EU) 2016/679”. VII Sanction Article 58.2 of the GDPR establishes: "Each control authority will have all the following corrective powers indicated below: (...) d) order the person in charge or person in charge of treatment that the operations of treatment comply with the provisions of this Regulation, where appropriate, in a certain way and within a specified period; (...) i) impose an administrative fine in accordance with article 83, in addition to or instead of the measures mentioned in this paragraph, according to the circumstances of each C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/20 particular case". According to the provisions of article 83.2 of the GDPR, the measure provided for in article 58.2.d) of the aforementioned Regulation is compatible with the sanction consisting of a fine administrative. Regarding the infringement of article 6 of the GDPR, based on the facts exposed, it is considered that the sanction that would correspond to be imposed is a fine administrative. The fine imposed must be, in each individual case, effective, proportionate and dissuasive, in accordance with the provisions of article 83.1 of the GDPR. Thus considers, in advance, the microenterprise status of the claimed party, who develops economic activity as a natural person under the condition of autonomous entrepreneur. In order to determine the administrative fine to be imposed, the provisions of article 83.2 of the GDPR, which states the following: "2. Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or in lieu of the measures contemplated in Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administration and its amount in each individual case shall be duly taken into account: a) the nature, seriousness and duration of the offence, taking into account the nature, scope or purpose of the processing operation in question such as the number of interested parties affected and the level of damages that have suffered; b) intentionality or negligence in the infraction; c) any measure taken by the controller or processor to alleviate the damages and losses suffered by the interested parties; d) the degree of responsibility of the controller or processor, taking into account the technical or organizational measures that they have applied under of articles 25 and 32; e) any previous infringement committed by the controller or processor; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the potential adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particular whether the person in charge or the person in charge notified the infringement and, if so, in what extent; i) when the measures indicated in article 58, paragraph 2, have been ordered previously against the person in charge or the person in charge in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under article 40 or to mechanisms of certification approved in accordance with article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement”. For its part, article 76 "Sanctions and corrective measures" of the LOPDGDD, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 16/20 Regarding section k) of the aforementioned article 83.2 GDPR, it provides: "1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation (UE) 2016/679 will be applied taking into account the graduation criteria established in section 2 of said article. 2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 may also be taken into account: a) The continuing nature of the offence. b) The link between the activity of the offender and the performance of data processing. personal information. c) The benefits obtained as a consequence of the commission of the infraction. d) The possibility that the conduct of the affected party could have led to the commission of the offence. e) The existence of a merger by absorption process subsequent to the commission of the violation, which cannot be attributed to the absorbing entity. f) The affectation of the rights of minors. g) Have, when it is not mandatory, a data protection delegate. h) Submission by the person responsible or in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which there are controversies between those and any interested party”. In this case, the graduation criteria are considered concurrent as aggravating factors. following: . Article 83.2.a) of the GDPR: "a) the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the operation treatment in question as well as the number of interested parties affected and the level of damages they have suffered”. . The nature and seriousness of the infringement, taking into account that the party claimant and the rest of those affected (third parties who access the establishment of the claimed party) are unaware of the data processing that is being being carried out (sound capture by the video surveillance system) and the use that will be made of personal data, which affects the ability to data subjects to exercise real control over their personal data. . Article 83.2.b) of the GDPR: "b) intentionality or negligence in the infringement". The negligence appreciated in the installation of video surveillance cameras that allow the collection of audio in a work environment, without even informing employees and others affected, and even though these systems have a special and express regulation that imposes special care on those responsible in its use. . Article 83.2.d) of the GDPR: "d) the degree of responsibility of the controller or the processor, taking into account technical or organizational measures that they have applied by virtue of articles 25 and 32”. The claimed party does not have adequate action procedures in place C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 17/20 in the collection and processing of personal data, as regards to the collection and processing of personal data related to the voice of the person employee in your company, so that the infringement is not the result of a anomaly in the operation of said procedures but rather a defect in the personal data management system designed by the controller. . Article 83.2.g) of the GDPR: "the categories of personal data affected by the infringement”; Although "Special categories of personal data" have not been affected, as defined by the GDPR in article 9, the personal data to which they refer actions (voice of stakeholders) has a particularly sensitive and increases the risks to your privacy. Considering the exposed factors, the valuation reached by the fine for the violation of article 6 of the GDPR is 5,000 euros (five thousand euros). In view of what is stated in this Legal Basis, it is not true what indicated by the party claimed in its allegations, according to which the sanction imposed is not related to the objective and subjective circumstances concurrent, nor does it attend to the seriousness and transcendence of the fact. It also refers to the absence of antecedents of the offender and the absence of damages, but without providing any reasoning that justifies the consideration of these grading factors. None of the grading factors considered is mitigated by the fact that that the claimed entity has not been subject to a disciplinary procedure with above, this circumstance is alleged by the claimed party to be considered as a mitigation. In this regard, the Judgment of the AN, of 05/05/2021, rec. 1437/2020, indicates: "It considers, on the other hand, that the non-commission of a previous violation. Well, article 83.2 of the GDPR establishes that it must be into account for the imposition of the administrative fine, among others, the circumstance "e) any previous infringement committed by the person in charge or in charge treatment". This is an aggravating circumstance, the fact that he did not the budget for its application concurs entails that it cannot be taken into consideration, but it does not imply or allow, as the plaintiff claims, its application as mitigation." According to the aforementioned article 83.2 of the GDPR, when deciding to impose a fine administration and its amount must take into account "any previous infraction committed by the person responsible." It is a normative provision that does not include the inexistence of previous infractions as a factor for grading the fine, which must be be understood as a criterion close to recidivism, although broader. VIII possible measures C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 18/20 It is appropriate to impose on the controller the obligation to adopt appropriate measures to adjust its performance to the regulations mentioned in this act, in accordance with the established in the aforementioned article 58.2 d) of the GDPR, according to which each authority of control may “order the person in charge or person in charge of the treatment that the processing operations comply with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period…”. The text of this resolution establishes which have been the infractions allegedly committed and the facts that give rise to the violation of the regulations of data protection, from which it is clearly inferred what are the measures to adopt, notwithstanding that the type of procedures, mechanisms or instruments specific measures to implement them correspond to the sanctioned party, since it is the controller who fully knows his organization and has to decide, based on proactive responsibility and risk approach, how to comply with the GDPR and the LOPDGDD. However, in this case, regardless of the foregoing, this Agency estimates proceeding to require the person in charge so that within the period determined in the part device suppresses the capture of sounds by the video surveillance system object of the performances. It is noted that not meeting the requirements of this body may be considered as an administrative offense in accordance with the provisions of the GDPR, classified as an infraction in its article 83.5 and 83.6, being able to motivate such conduct the opening of a subsequent sanctioning administrative procedure>>. II Conclusion In its appeal, the appellant limits itself to reproducing some of the arguments set forth in the pleadings submitted during the processing of the procedure that gave rise to the contested resolution, without considering the facts verified and the grounds that determined the resolution adopted, in which, in addition, extensively analyze the circumstances revealed by said entity and the reasons that determined its dismissal are exposed. Therefore, the allegations contained in the appeal are amply refuted with the transcribed arguments, which are considered valid and sufficient to reject the file of the proceedings requested. It is considered opportune, however, to reiterate that the infraction results from the treatment of personal data that involves the collection of the voice of those affected through the video surveillance system installed object of the proceedings, which was recognized by the appellant itself in its statement of allegations to the resolution proposal and which is now ratified in the writ of reversal appeal, which is attached to the corresponding security service contract signed indicating that it includes alarms or alert systems that incorporate microphones that allow listening audio, as recognized by the appellant. The offense is consummated C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 19/20 with this audio capture, which constitutes in itself a data processing personal, regardless of whether or not the audio is recorded on the system. Regarding the request for suspension of the enforceability of the resolution, it is worth point out that in the case of a disciplinary procedure, the resolution issued is not until it becomes final, as established in article 98.1.b) of the the LPACAP: “Article 98. Enforceability. 1. The acts of the Public Administrations subject to Administrative Law will be immediately executive, unless: b) It is a resolution of a procedure of a punitive nature against which there is room for any appeal through administrative channels, including the optional replacement". Consequently, in this appeal for reversal, the appellant has not provided new facts or legal arguments that allow reconsidering the validity of the contested decision. Given the aforementioned precepts and others of general application, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: DISMISS the reversal appeal filed by A.A.A. against resolution of this Spanish Data Protection Agency issued on date 03/09/2023, in file EXP202205820. SECOND: NOTIFY this resolution to A.A.A.. THIRD: REQUEST A.A.A. so that, within a month, counted from the notification of this resolution, adapt its action to the regulations of protection of personal data, with the scope expressed in the Basis of Law VIII of the appealed resolution, and justify before this Spanish Agency of Protection of Data the attention of the present requirement in the same term. FOURTH: Warn the penalized party that the sanction imposed must be made effective by Once this resolution is enforceable, in accordance with the provisions of Article Article 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, within the voluntary payment period indicated in the Article 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17 December, by depositing it in the restricted account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency in the Bank CAIXABANK, S.A. or otherwise, it will proceed to its collection in period executive. Once the notification has been received and once executed, if the execution date is between the 1st and 15th of each month, both inclusive, the term to make the payment voluntary will be until the 20th day of the following or immediately following business month, and if C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 20/20 between the 16th and the last day of each month, both inclusive, the payment term It will be until the 5th of the second following or immediately following business month. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified. Against this resolution, which puts an end to the administrative process in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of Law 39/2015, of 1 October, of the Common Administrative Procedure of Public Administrations (LPACAP), interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provided in article 25 and in section 5 of the fourth additional provision of the Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following the notification of this act, according to the provisions of article 46.1 of the aforementioned Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) LPACAP, may be provisionally suspend the firm resolution in administrative proceedings if the interested party expresses its intention to file a contentious-administrative appeal. if this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Data Protection Agency, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other records provided for in art. 16.4 of the aforementioned LPACAP. You must also transfer to the Agency the documentation proving the effective filing of the contentious-administrative appeal. If the Agency did not have knowledge of the filing of the contentious-administrative appeal within the period of two months from the day following the notification of this resolution, it would consider the injunction has ended. 180-111122 Mar Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es