HDPA (Greece) - 50/2022: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Greece |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoGR.jpg |DPA_Abbrevation=HDPA |DPA_With_Country=HDPA (Greece) |Case_Number_Name=Dec...")
 
(Short summary: • When a fine is imposed, mention it in the short summary • Otherwise well written short summary that mentions the most important takeaways from the decision, however I made it focus more on the specific GDPR violations in this case. d Facts: • Added more details to the facts, such as what was the purpose of the surveillance system, what were the arguments submitted by the controller • Assign GDPR roles to the parties involved – who was the data subject/complainant and who is the)
Line 79: Line 79:
}}
}}


The Authority held that surveillance systems should be before installation be based on documented legitimacy of the processing decisions and that the controller should always considers the necessity and the proportionality of the purpose.
The Greek DPA imposed a €15,000 fine on a private school for installing a video surveillance system which, among others, did not respect the purpose limitation and accountability principles.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The Authority examined the legality of the operation of a video surveillance system in a private educational establishment, following a complaint by a former employee. The evidence submitted showed that the video surveillance system did not fulfil the conditions of legality. In particular, violations of Articles 5(5)(a) and (b) were found. 1(a), 5 par. 1(b) and 5 par. 2, and Articles 6, 12, 13 and 30 of the GDPR, since the controller should always carefully consider whether this measure is, in the first place,
A former teacher (the data subject) at a private primaryschool (the controller) submitted a complaint to the Greek DPA regarding a video surveillance system in the classrooms, which had been recording them without knowledge or consent. The DPA started proceedings to examine the legality of the operation of the system.
appropriate to achieve the desired objective and, secondly, adequate and necessary to achieve its purposes. The Authority imposed an administrative fine of EUR 15 000 on the controller and ordered it to uninstall the cameras and to inform the Authority in writing.
 
The controller submitted that the video surveillance system had been operating since 2007 in order to provide direct visual contact with dangerous places for students (courtyard, balconies) and to discourage possible intruders. According to the controller, persons with access to the transmitted video were the principal, owner and president of the school, via a computer located in their office. Moreover, persons entering the site were informed by signs and verbally about the existence of the video cameras. Similarly, teachers were informed about it verbally, allegedly with no objections. The controller stated that the legal basis for the processing of personal data related to the video cameras was legitimate interest.
 
In its decision, the DPA considered the legal basis for processing as well as compliance with general data processing principles and data subject rights.  


=== Holding ===
=== Holding ===
The Authority instruct the private school  as controller to within one (1) month of the receipt of this notice, to uninstall the cameras and to inform the Authority in writing. Moreover, the Authority order the complainant company to pay the effective, proportionate and dissuasive administrative fine appropriate in the particular case, in accordance with the specific circumstances of the case, amounting to fifteen thousand (EUR 15 000,00).
First, the DPA held that information to parents and employees on the operation of the system was incomplete because, according to the controller, it was given orally, in violation of [[Article 5 GDPR|Articles 5(1)(a) and (b)]] as well as [[Article 12 GDPR|Articles 12]] and [[Article 13 GDPR|13 GDPR]]. The controller was not able to prove that such information was given nor which categories of persons were informed. In particular, the DPA noted that children were not appropriately protected in this regard.
 
Second, the DPA stated that the principle of purpose limitation ([[Article 5 GDPR|Article 5(1)(b) GDPR]]) was not respected, since the access to the transmitted image by the manager and employees, that is officially unauthorised parties, did not ensure that the purpose of the processing was exclusively the protection of persons and property.
 
Thrid, the principle of accountability ([[Article 5 GDPR|Article 5(2) GDPR]]) was not respected because the controller did not keep activity records for the processing of personal data through the video surveillance system, but only provided them after the hearing.
 
Fourth, with regards to the legal basis for processing, the DPA held that the controller had not ensured that there was an overriding legitimate interest for the installation of cameras to justify the interference with fundamental rights and freedoms of persons, as required by [[Article 6 GDPR|Article 6(1)(f) GDPR]]. The DPA reasoned that the controller's educational establishment was not so large as to justify the need to monitor remote points of the premises by using surveillance cameras instead of milder means. Hence, there was no valid legal basis for the operation of the system.
 
Considering the above-mentioned violations, the DPA ordered the controller to uninstall the cameras within one month of the receipt of the notice. Furthemore, the DPA used its powers under [[Article 58 GDPR|Article 58(2)(i) GDPR]] and imposed a €15,000 fine on the controller.  


== Comment ==
== Comment ==

Revision as of 14:41, 4 November 2022

HDPA - Decision 50/2022
LogoGR.jpg
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(b) GDPR
Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 6(1)(f) GDPR
Article 12 GDPR
Article 13 GDPR
Article 30 GDPR
Guidelines 3/2019 on processing of personal data through video devices
Law 4624/2019
Type: Complaint
Outcome: Upheld
Started:
Decided: 09.09.2022
Published: 09.09.2022
Fine: 15.000 EUR
Parties: Private school
Individual-Ex-employee
National Case Number/Name: Decision 50/2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: Hellenic DPA (in EL)
Initial Contributor: Anastasia Tsermenidou

The Greek DPA imposed a €15,000 fine on a private school for installing a video surveillance system which, among others, did not respect the purpose limitation and accountability principles.

English Summary

Facts

A former teacher (the data subject) at a private primaryschool (the controller) submitted a complaint to the Greek DPA regarding a video surveillance system in the classrooms, which had been recording them without knowledge or consent. The DPA started proceedings to examine the legality of the operation of the system.

The controller submitted that the video surveillance system had been operating since 2007 in order to provide direct visual contact with dangerous places for students (courtyard, balconies) and to discourage possible intruders. According to the controller, persons with access to the transmitted video were the principal, owner and president of the school, via a computer located in their office. Moreover, persons entering the site were informed by signs and verbally about the existence of the video cameras. Similarly, teachers were informed about it verbally, allegedly with no objections. The controller stated that the legal basis for the processing of personal data related to the video cameras was legitimate interest.

In its decision, the DPA considered the legal basis for processing as well as compliance with general data processing principles and data subject rights.

Holding

First, the DPA held that information to parents and employees on the operation of the system was incomplete because, according to the controller, it was given orally, in violation of Articles 5(1)(a) and (b) as well as Articles 12 and 13 GDPR. The controller was not able to prove that such information was given nor which categories of persons were informed. In particular, the DPA noted that children were not appropriately protected in this regard.

Second, the DPA stated that the principle of purpose limitation (Article 5(1)(b) GDPR) was not respected, since the access to the transmitted image by the manager and employees, that is officially unauthorised parties, did not ensure that the purpose of the processing was exclusively the protection of persons and property.

Thrid, the principle of accountability (Article 5(2) GDPR) was not respected because the controller did not keep activity records for the processing of personal data through the video surveillance system, but only provided them after the hearing.

Fourth, with regards to the legal basis for processing, the DPA held that the controller had not ensured that there was an overriding legitimate interest for the installation of cameras to justify the interference with fundamental rights and freedoms of persons, as required by Article 6(1)(f) GDPR. The DPA reasoned that the controller's educational establishment was not so large as to justify the need to monitor remote points of the premises by using surveillance cameras instead of milder means. Hence, there was no valid legal basis for the operation of the system.

Considering the above-mentioned violations, the DPA ordered the controller to uninstall the cameras within one month of the receipt of the notice. Furthemore, the DPA used its powers under Article 58(2)(i) GDPR and imposed a €15,000 fine on the controller.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.