AKI (Estonia) - 2.1.-5/24/2203-8: Difference between revisions

From GDPRhub
mNo edit summary
Line 74: Line 74:


=== Facts ===
=== Facts ===
The DPA received an alert that Simtan Kaubandus OÜ, a retail company (the controller) used on-site security cameras on its territory with the purpose of monitoring its employees in real-time. The DPA decided to launch an investigation into the use of cameras in order to find out the the legal basis on which and the purposes for which the controller used the security cameras, and to verify compliance with [[Article 13 GDPR]].  
The DPA received a notification that Simtan Kaubandus OÜ, a retail company (the controller) used on-site security cameras on its territory with the purpose of monitoring its employees in real-time. The DPA decided to launch an investigation into the use of cameras in order to find out the the legal basis on which and the purposes for which the controller used the security cameras, and to verify compliance with [[Article 13 GDPR]].  


The controller notified the DPA that the legal basis used for the security cameras is [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]], i.e. legitimate interest (fraud or abuse of services). However, the controller did not submit to the DPA a legitimate interest analysis demonstrating that   
The controller notified the DPA that the legal basis used for the security cameras is [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]], i.e. legitimate interest (fraud or abuse of services). However, the controller did not submit to the DPA a legitimate interest analysis demonstrating that   
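Review bot: the replacement Facts sentence still carries the doubled article in "in order to find out the the legal basis"; since that line is being rewritten anyway, drop the extra "the" in the same edit. The "alert" to "notification" wording change itself reads fine.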
Line 85: Line 85:


=== Holding ===
=== Holding ===
To begin with, the DPA noted that it is forbidden to monitor employees with cameras throughout working hours and across the room. Cameras must be directed only at specific security risks to ensure appropriate security of personal data processing under Article 5(1)(f) GDPR.  
To begin with, the DPA noted that it is forbidden to monitor employees with cameras throughout working hours. Cameras must be directed only at specific security risks to ensure appropriate security of personal data processing under Article 5(1)(f) GDPR.  


The DPA was of the opinion that in order to rely on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]], i.e. the legitimate interest, there shall be legitimate interest analysis conducted. More specifically, the controller is obliged to compare its own legitimate interests with the interests and fundamental rights of the data subject to see whether [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] can be invoked as a legal basis for the processing.  
The DPA was of the opinion that in order to rely on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]], i.e. the legitimate interest, there shall be legitimate interest analysis conducted. More specifically, the controller is obliged to compare its own legitimate interests with the interests and fundamental rights of the data subject to see whether [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] can be invoked as a legal basis for the processing.  
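Review bot: removing "and across the room" from the first Holding sentence narrows what the summary says the DPA prohibited, yet the revision is marked minor with no edit summary. Add an edit summary stating why the phrase was dropped, ideally naming the passage of the decision it was checked against.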
Line 91: Line 91:
Moreover, the DPA highlighted that the data processing must be transparent. The principle of transparency of the GDPR requires that all information and messages related to the processing of personal data must be easily accessible and easy to understand, and that clear and plain language is used. In order to comply with the principle of transparency the privacy notice must be put in place. The content of privacy notice is governed by [[Article 12 GDPR|Articles 12]] to [[Article 14 GDPR|14 GDPR]].
Moreover, the DPA highlighted that the data processing must be transparent. The principle of transparency of the GDPR requires that all information and messages related to the processing of personal data must be easily accessible and easy to understand, and that clear and plain language is used. In order to comply with the principle of transparency the privacy notice must be put in place. The content of privacy notice is governed by [[Article 12 GDPR|Articles 12]] to [[Article 14 GDPR|14 GDPR]].


In addition, the DPA noted that a compliant sign must be created to notify data subjects about the use of security cameras as per [[Article 13 GDPR]], The appropriate sign must therefore contain purpose of the processing, legal basis, name/contact details of the controller and information on where to consult the data protection conditions.  
In addition, the DPA noted that a compliant sign must be created to notify data subjects about the use of security cameras as per [[Article 13 GDPR]]. The appropriate sign must therefore contain purpose of the processing, legal basis, name/contact details of the controller and information on where to consult the data protection conditions.  


As a result, the DPA found a violation of [[Article 5 GDPR|Articles 5]], [[Article 6 GDPR|6,]] [[Article 12 GDPR|12]] and [[Article 13 GDPR|13 GDPR]] in relation to the use of security cameras.  More specifically, the DPA found that the retail company did not have a proper legal basis for the use of security cameras and thus such surveillance should be suspended, until the controller has submitted a legitimate interest analysis to the DPA.  
As a result, the DPA found a violation of [[Article 5 GDPR|Articles 5]], [[Article 6 GDPR|6,]] [[Article 12 GDPR|12]] and [[Article 13 GDPR|13 GDPR]] in relation to the use of security cameras.  More specifically, the DPA found that the retail company did not have a proper legal basis for the use of security cameras and thus such surveillance should be suspended, until the controller has submitted a legitimate interest analysis to the DPA.  
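Review bot: in the last paragraph of this hunk the link label "[[Article 6 GDPR|6,]]" still has the comma inside the link, and there is a double space before "More specifically"; move the comma outside the brackets and collapse the space in the same pass as the punctuation fix after "[[Article 13 GDPR]]".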

Revision as of 16:14, 4 June 2024

AKI - 2.1.-5/24/2203-8
Authority: AKI (Estonia)
Jurisdiction: Estonia
Relevant Law: Article 5(1) GDPR
Article 6(1)(f) GDPR
Article 12 GDPR
Article 13 GDPR
Type: Other
Outcome: n/a
Started: 21.09.2023
Decided: 02.01.2024
Published: 02.01.2024
Fine: n/a
Parties: Simtan Kaubandus OÜ
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
National Case Number/Name: 2.1.-5/24/2203-8
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Estonian
Original Source: Ettekirjutused (in ET)
Initial Contributor: Norman Aasma

The DPA issued an injunction to a retail company for the use of on-site security cameras to monitor its employees in real-time.

English Summary

Facts

The DPA received a notification that Simtan Kaubandus OÜ, a retail company (the controller), used on-site security cameras on its territory with the purpose of monitoring its employees in real-time. The DPA decided to launch an investigation into the use of cameras in order to find out the legal basis on which and the purposes for which the controller used the security cameras, and to verify compliance with Article 13 GDPR.

The controller notified the DPA that the legal basis used for the security cameras is Article 6(1)(f) GDPR, i.e. legitimate interest (fraud or abuse of services). However, the controller did not submit to the DPA a legitimate interest analysis demonstrating that

1) the processing of personal data by means of security cameras is actually necessary for the purposes of the legitimate interest pursued by the controller, and

2) the legitimate interests of the controller outweigh the interests or fundamental rights or freedoms of the data subject.

In addition, the controller provided the DPA with photos of the information labels only showing the camera symbol and the text 'video surveillance'.

Holding

To begin with, the DPA noted that it is forbidden to monitor employees with cameras throughout working hours. Cameras must be directed only at specific security risks to ensure appropriate security of personal data processing under Article 5(1)(f) GDPR.

The DPA was of the opinion that in order to rely on Article 6(1)(f) GDPR, i.e. legitimate interest, a legitimate interest analysis must be conducted. More specifically, the controller is obliged to compare its own legitimate interests with the interests and fundamental rights of the data subject to see whether Article 6(1)(f) GDPR can be invoked as a legal basis for the processing.

Moreover, the DPA highlighted that the data processing must be transparent. The principle of transparency of the GDPR requires that all information and messages related to the processing of personal data must be easily accessible and easy to understand, and that clear and plain language is used. In order to comply with the principle of transparency, a privacy notice must be put in place. The content of the privacy notice is governed by Articles 12 to 14 GDPR.

In addition, the DPA noted that a compliant sign must be created to notify data subjects about the use of security cameras as per Article 13 GDPR. The appropriate sign must therefore contain the purpose of the processing, the legal basis, the name/contact details of the controller and information on where to consult the data protection conditions.

As a result, the DPA found a violation of Articles 5, 6, 12 and 13 GDPR in relation to the use of security cameras. More specifically, the DPA found that the retail company did not have a proper legal basis for the use of security cameras and thus such surveillance should be suspended until the controller has submitted a legitimate interest analysis to the DPA.

English Machine Translation of the Decision

The decision below is a machine translation of the Estonian original. Please refer to the Estonian original for more details.

Send a letter

Please digitally sign electronic appeals and send them to info[at]aki.ee. Please post paper appeals to:

Data Protection Inspectorate Tatari 39, 10134 Tallinn

Request for clarification

With a request for clarification, you can ask the inspectorate for the institution's views, interpretations or practical information. The request for clarification will be answered within 30 days on the basis of the Act on responding to a memo and a request for clarification and submitting a collective appeal.

Information request

You can submit a request for information to us if you want to receive a document that is already available in the Data Protection Inspectorate. With a request for information, you can request, for example, an earlier letter or a decision that has already been made.

Filing a complaint

You can submit an objection to the inspection's own actions if you want a review of the inspection's decision or action that affects your rights. The appeal must be filed within 30 days of learning about the contested decision or action. You cannot file an appeal if you have gone to court on the same matter.