IP (Slovenia) - 0603-47/2023/5: Difference between revisions
m (→Facts) |
No edit summary |
||
Line 63: | Line 63: | ||
}} | }} | ||
The | The DPA fined a company €30 for video surveillance of work premises, as the monitored area was too large for the processing to be based on a legitimate interest of the controller. | ||
== English Summary == | == English Summary == | ||
Line 75: | Line 75: | ||
=== Holding === | === Holding === | ||
Firstly, the DPA noted that carrying out a video surveillance in working premises of such an excessive part of the space is incompatible with the purposes listed in [http://www.pisrs.si/Pis.web/pregledPredpisa?id=ZAKO7959 Article 78(1) ZVOP-2]. The DPA observed that it was unnecessary for the controller to conduct such surveillance for security reasons or protection of business secrets. In working premises of this type, these purposes can be achieved with milder and more effective means than video surveillance. As a result, the DPA considered this case an invasive intrusion into the privacy of employees | Firstly, the DPA noted that carrying out a video surveillance in working premises of such an excessive part of the space is incompatible with the purposes listed in [http://www.pisrs.si/Pis.web/pregledPredpisa?id=ZAKO7959 Article 78(1) ZVOP-2]. The DPA observed that it was unnecessary for the controller to conduct such surveillance for security reasons or protection of business secrets. In working premises of this type, these purposes can be achieved with milder and more effective means than video surveillance. As a result, the DPA considered this case an invasive intrusion into the privacy of employees. Even though the controller has legitimate interest for video surveillance of premises of the legal entity he represents under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]], it is overridden by the data protection of the employees. | ||
Secondly, the DPA found the controller in breach of [http://www.pisrs.si/Pis.web/pregledPredpisa?id=ZAKO7959 Article 76(4) ZVOP-2], mirroring transparency and information obligations set out in [[Article 12 GDPR]] for failing to include all the required information on the video surveillance notice, such as purpose, impact and unusual type of processing. | Secondly, the DPA found the controller in breach of [http://www.pisrs.si/Pis.web/pregledPredpisa?id=ZAKO7959 Article 76(4) ZVOP-2], mirroring transparency and information obligations set out in [[Article 12 GDPR]] for failing to include all the required information on the video surveillance notice, such as purpose, impact and unusual type of processing. |
Revision as of 10:48, 28 February 2024
IP - 0603-47/2023/5 | |
---|---|
Authority: | IP (Slovenia) |
Jurisdiction: | Slovenia |
Relevant Law: | Article 78(1) ZVOP-2 Article 76(4) ZVOP-2 Article 80(3) ZVOP-2 |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 24.10.2023 |
Published: | |
Fine: | 30 EUR |
Parties: | n/a |
National Case Number/Name: | 0603-47/2023/5 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Slovenian |
Original Source: | Slovenian DPA (in SL) |
Initial Contributor: | im |
The DPA fined a company €30 for video surveillance of work premises, as the monitored area was too large for the processing to be based on a legitimate interest of the controller.
English Summary
Facts
The DPA decided to bring legal proceedings against a legal entity, the controller, which carried out video surveillance at working premises.
The controller claimed they processed data on the basis of legitimate interest as per Article 6(1)(f) GDPR and Article 78(1) of the Slovenian Personal Data Protection Act (hereinafter referred to as ‘ZVOP-2’). The latter provision allows for video surveillance under specific circumstances, such as safety reasons or protection of business secret which must be specified.
In this case, the controller conducted the video surveillance without publishing a notice containing all the information referred to in Article 76(4) ZVOP-2, as the published notice contained only a picture of the camera, the word ‘video surveillance’ and a contact telephone number. According to Article 76(5) ZVOP-2, the controller also had an option to publish this information on its website instead of publishing the notice pursuant to Article 76(4) ZVOP-2, yet he opted not to do so.
Holding
Firstly, the DPA noted that carrying out a video surveillance in working premises of such an excessive part of the space is incompatible with the purposes listed in Article 78(1) ZVOP-2. The DPA observed that it was unnecessary for the controller to conduct such surveillance for security reasons or protection of business secrets. In working premises of this type, these purposes can be achieved with milder and more effective means than video surveillance. As a result, the DPA considered this case an invasive intrusion into the privacy of employees. Even though the controller has legitimate interest for video surveillance of premises of the legal entity he represents under Article 6(1)(f) GDPR, it is overridden by the data protection of the employees.
Secondly, the DPA found the controller in breach of Article 76(4) ZVOP-2, mirroring transparency and information obligations set out in Article 12 GDPR for failing to include all the required information on the video surveillance notice, such as purpose, impact and unusual type of processing.
The DPA’s investigation also revealed that the camera in question recorded public road and meadow areas. According to Article 80(3) ZVOP-2 video surveillance of a public area is only permissible to those who are authorized. Since the controller does not manage the location in question nor uses it to conduct any legal activities, the DPA found the controller in breach of Article 80(3) ZVOP-2
The DPA, therefore, fined the controller €30 for violations of Article 76(4) ZVOP-2, Article 78(1) ZVOP-2 and Article 80(3) ZVOP-2.
Comment
'The notification referred to in the preceding paragraph shall contain, in addition to the information referred to in Article 13(1) of the General Regulation, the following information:
1. a written or unambiguous graphic description of the fact that video surveillance is being carried out;
2. the purposes of the processing, the name of the controller of the video surveillance system, a telephone number or an e-mail address or a website address for the purposes of exercising the data subject's rights relating to the protection of personal data;
3. information on the specific impact of the processing, in particular further processing;
4. the contact details of the authorized person (telephone number or e-mail address);
5. unusual further processing, such as transfers to third country entities, live monitoring, possibility of audio intervention in case of live monitoring.'
'Video surveillance may be carried out within work premises only where it is strictly necessary for the security of persons or property or for the prevention or detection of gambling offenses or for the protection of classified information or business secrets and these purposes cannot be achieved by less intrusive means.'
'Video surveillance in public areas may be carried out by a public or private sector person who manages or lawfully carries out an activity in a public area. Video surveillance may only be carried out by officials or authorized security personnel in the public sector and by authorized security personnel in the private sector. The persons or personnel referred to in the preceding sentence must be expressly authorized to carry out video surveillance.'
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.
Number: 0603-47/2023/5 Date: 24/10/2023 The Information Commissioner (hereinafter: the misdemeanor authority) issues the issue through the authorized official ...., the State Supervisor for the Protection of Personal Data, ex officio on the basis of the second paragraph of Article 51 and Article 46 of the Act on Misdemeanors (Official Gazette of the Republic of Slovenia, No. 29 /11 - Official Consolidation Text, 21/13, 111/13, 74/14 - US Sec, 92/14 - US Sec, 32/16, 15/17 - US Sec, 73/19 - US Sec . A; hereinafter: ZInfP), in the misdemeanor proceedings against the legal entity ….. (registration number: ….., hereinafter: …..) and its responsible person, the director …, for misdemeanors under point 2 of the first paragraph of 100. of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 163/22, hereinafter: ZVOP-2), according to point 2 of the first paragraph of Article 103 of ZVOP-2 and according to point 3 of the first paragraph of Article 105 of ZVOP-2 , the next one DECISION ON OFFENSE Violator: 1. responsible person: …., address of residence: …., EMŠO: …., citizen of the Republic of Slovenia, employed at ….. as a director at the time the offense was committed, is responsible 1. for a misdemeanor according to the third paragraph of Article 100 of ZVOP-2 in relation to point 3 of the first paragraph of Article 100 of ZVOP-2, which he did by being the responsible person of the legal entity ...., in ...., in the period from 26/01/2023 (when ZVOP-2 came into force) to 14/03/2023, in the premises of at the address ...., carried out video surveillance without publishing an announcement about it, which would contain all the information from the fourth paragraph of Article 76 of ZVOP-2, since the published announcements contained only the image of the camera, the inscription video surveillance and the contact telephone number, but not the others the information required by the fourth paragraph of Article 76 of ZVOP-2, and he also did not publish in these notices the web address at which this information would be accessible, as follows from the fifth paragraph of Article 76 of ZVOP-2, which violated the provision of the fourth paragraph of Article 76 ZVOP-2; 2. for a misdemeanor according to the third paragraph of Article 103 of ZVOP-2 in relation to point 2 of the first paragraph of Article 103 of ZVOP-2, which he did by being the responsible person of the legal entity...., in..., in the period from 26/01/2023 (when ZVOP-2 came into effect) to 28/02/2023, on the premises of the legal entity …, at the address …., carried out video surveillance in the workplaces of the legal entity …., in such a way that with one camera (camera 16), installed inside the company ….., it recorded an excessive part of the space - the area of the occasional workplace (workspace and workplaces where workers work) and thus used this camera to carry out video surveillance in workplaces in which there is no need to protect the interests from the first paragraph of Article 78 ZVOP-2, since video surveillance to such an extent in these workplaces where employees work on of their workplaces, was not absolutely necessary for the safety of people or property or the prevention of violations in the field of trade secrets, since the purpose for which you implemented video surveillance, i.e. the protection of people and property, could also be achieved in these workplaces with milder and more effective means as with video surveillance within these workplaces and with the recording of workplaces and without such an invasive interference with the expected privacy of employees at the workplace (e.g. with a video surveillance system that would be targeted and would only monitor what was happening at the entrances to the workplaces, locking the premises when there are no employees in them, etc.), whereby video surveillance with the mentioned camera was carried out in workplaces where there is no need to protect interests from the first paragraph of Article 78 of ZVOP-2 and thereby violated the provision of the second paragraph of Article 78 of ZVOP-2; 3. for a misdemeanor according to the third paragraph of Article 105 in relation to point 3 of the first paragraph of Article 105 of ZVOP-2, which he did by being the responsible person of a legal entity...., in..., in the period from 26/01/2023 (when ZVOP-2 came into force) to 28/02/2023 in the premises of a legal entity... ., at the address at the address ..., carried out video surveillance in such a way that with one camera (camera 6) he recorded the road and meadow areas, which are public areas that the company did not manage and did not legally carry out activities on, thereby violating the provision of the third paragraph of Article 80 of ZVOP-2. The aforementioned offenses were committed by ... in the performance of activities and in the name and with the means of a legal entity ..., where he was authorized to perform the duties and tasks of a director and, as a director, was obliged to ensure the implementation of video surveillance in accordance with the provisions of ZVOP-2, as a result of which, on the basis of the first paragraph of Article 15 and the first paragraph of Article 15.a of ZP-1 shall be liable for misdemeanors as a responsible person of a legal entity. 2. responsible legal entity: ….. (registration number: …) is responsible 1. for a misdemeanor according to point 3 of the first paragraph of Article 100 of ZVOP-2, which he committed... by being the responsible person of the legal entity..., who at the time of the commission of the offense was authorized to perform the work of the director of the said legal entity, in the period from 26 January 2023 (when ZVOP came into force- 2) until 21/03/2023, in the premises at the address ..., implemented video surveillance without publishing a notification containing all the information from the fourth paragraph of Article 76 of ZVOP-2, as the published notifications only contained a camera image , the inscription video surveillance and the contact telephone number, but not the other information required by the fourth paragraph of Article 76 ZVOP-2, and he also did not publish in these notices the web address where this information would be accessible, as follows from of the fifth paragraph of Article 76 of ZVOP-2, thereby violating the provisions of the fourth paragraph of Article 76 of ZVOP-2. 2. for a misdemeanor according to point 2 of the first paragraph of Article 103 of ZVOP-2, which he did... by being the responsible person of the legal entity..., in the period from 26/01/2023 (when ZVOP-2 came into force) to 28/02/2023 in the premises of the legal entity..., at the address at the address ..., carried out video surveillance in the workplaces of the legal entity ...., in such a way that with one camera (camera 16), installed inside the company ...., he recorded an excessive part of the space - the area of the temporary workplace (work space and workplace places where workers work) and thus used this camera to carry out video surveillance in workplaces in which there is no need to protect interests from the first paragraph of Article 78 ZVOP-2, since video surveillance to such an extent in these workplaces where employees work at their workplaces places, was not absolutely necessary for the safety of people or property or the prevention of violations in the field of trade secrets, since the purpose for which he implemented video surveillance, i.e. the protection of people and property, could also be achieved in these workplaces with gentler and more effective means than with by video surveillance within these workplaces and by recording workplaces and without such an invasive interference with the expected privacy of employees at the workplace (e.g. with a video surveillance system, which would be directed and would only monitor what was happening at the entrances to the workplaces, locking the premises when there are no employees in them, etc.), whereby video surveillance with the mentioned camera was carried out in workplaces in which there is no need to protect interests from the first paragraph of Article 78 of ZVOP-2 and thus violated the provision of the second paragraph of Article 78 of ZVOP-2; 3. for a misdemeanor according to point 3 of the first paragraph of Article 105 of ZVOP-2 which he did…. with the fact that, as the responsible person of the legal entity..., in the period from 26/01/2023 (when ZVOP-2 came into effect) to 28/02/2023, he is on the premises of the legal entity..., at the address at the address..., carried out video surveillance in such a way that with one camera (camera 6) he recorded the road and meadow areas, which are public areas, which the company did not manage and did not legally perform activities on, thereby violating the provision of the third paragraph of Article 80 of the ZVOP- 2; ... committed the described offenses in the performance of activities and in the name and with the means of a legal entity ...., where he was authorized to perform the duties and tasks of a director and, as a director, was obliged to ensure the implementation of video surveillance in accordance with the provisions of ZVOP-2, as a result of which legal the person ... is liable as a responsible legal entity for the listed offenses in accordance with the first paragraph of Article 14 of the ZP-1. Therefore, on the basis of the third paragraph of Article 100 of ZVOP-2 in relation to point 3 of the first paragraph of Article 100 of ZVOP-2, the third provision of Article 103 in relation to point 2 of the first paragraph of Article 103 of ZVOP-2 and the third paragraph of Article 105 in relation to point 3 of the first paragraph of Article 105 of ZVOP-2; to the responsible legal entity on the basis of point 3 of the first paragraph of Article 100 of ZVOP-2, point 2 of the first paragraph of Article 103 of ZVOP-2 and point 3 of the first paragraph of Article 105 of ZVOP-2 and when applying the first paragraph of Article 21, the first and second paragraphs of Article 26 and the first paragraph of Article 27 of ZP-1 clause 1. to the responsible person of the legal entity...: – for an offense under point 1.1. of this saying: REMINDER – for an offense under point 1.2. of this statement: REMINDER, – for an offense under point 1.3. of this saying: REMINDER. 2. to a legal entity...: for an offense under point 2.1. of this saying: REMINDER for an offense under point 2.2. of this statement: REMINDER, for an offense under point 2.3. of this saying: REMINDER. Then, on the basis of the second paragraph of Article 27 of the ZP-1 and with words single sanction: 1. to the responsible person...: REMINDER; 2. to the responsible legal entity....: REMINDER. Based on the first paragraph of Article 143, in relation to the first paragraph of Article 144 and the second paragraph of Article 58 of the ZP-1, the violator responsible person must pay a court fee in the amount of EUR 30.00. The court fee, which is assessed to the violator for the reprimand in accordance with tariff number 8112 of the Court Fees Act (Official Gazette of the RS, No. 37/08, with amendments, hereinafter: ZST-1), must be paid by the violator as the responsible person to the recipient's account : Information Commissioner, IBAN of recipient: SI56 0110 0845 0162 502, BIC code of recipient bank: BSLJSI2X, purpose code: GOVT, purpose of payment: 0603-47/2023/5 court fee, reference: SI11 12157-7120087- 2023135. Violator responsible legal entity... based on the first paragraph of Article 143 in connection with the first paragraph of Article 144 and the second paragraph of Article 58 ZP-1, he must pay a court fee in the amount of EUR 30.00. The court fee, which is assessed to the violator for the issued warning under tariff number 8112 ZST-1, must be paid by the violator as a responsible legal entity to the account of the recipient: Information Commissioner, IBAN of the recipient: SI56 0110 0845 0162 502, BIC code of the recipient's bank: BSLJSI2X, purpose code: GOVT, purpose of payment: 0603-47/2023/5 court fee, reference: SI11 12157-7120087- 2023134. Violators must pay the court fee within fifteen (15) days after the decision on the offense becomes final. If the violator, the legal entity and the responsible person, do not pay the costs of the procedure (court fees) within the specified period, the unpaid costs of the procedure (court fees) will be forcibly recovered. LEGAL LESSON: A request for judicial protection is allowed against a decision on a misdemeanor. The request must be announced in writing within eight (8) days of receipt of this decision to the Information Commissioner, Dunajska cesta 22, 1000 Ljubljana, otherwise it is considered that the beneficiary of the request (infringer, legal representative or defender) has waived the right to request judicial protection. The notice of request is sent by mail or delivered directly in two copies and is considered timely if submitted on the last day of the deadline for filing the notice of request by registered mail or directly to the authority that issued the decision. The announced filing of a request for judicial protection may be withdrawn until the deadline for filing the announcement of this request expires. If the beneficiary of the request for judicial protection does not announce or withdraws the announcement within the legal deadline for filing this request, it is considered that he has waived the right to request for judicial protection. If none of the beneficiaries of the request for judicial protection announces this request, the misdemeanor authority does not make a decision on the offense with reasons, but it is considered that a final decision has been served on the date of service of the decision without reasons, which with the expiration of the deadline for announcing the request for judicial protection becomes final. When at least one of the beneficiaries of the request for judicial protection announces the filing of this request, a written decision on the offense with reasons is drawn up and sent no later than 30 days after the announcement of the filing of the request for judicial protection is received. In this case, the decision with reasons is served on all beneficiaries of the request for judicial protection. Under the conditions and in accordance with the regulations governing the financial operations of the offense authority, the violator can also pay the costs of the procedure with a non-cash means of payment.