IMY (Sweden) - IMY-2022-1558: Difference between revisions

From GDPRhub
Revision as of 14:04, 3 December 2024

IMY - IMY-2022-1558
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 32(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 27.11.2024
Published:
Fine: n/a
Parties: Verisure
National Case Number/Name: IMY-2022-1558
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Swedish
Original Source: Integritetsskyddsmyndigheten (in SV)
Initial Contributor: elu

After a tip concerning employees sharing clients' images for amusement purposes, the Swedish DPA issued a reprimand against alarm management service Verisure for lack of appropriate technical and organisational measures.

English Summary

Facts

The Swedish DPA received a tip saying that employees of the home security company Verisure, the controller, unlawfully shared footage from cameras in private individuals' homes between themselves.

The controller started an internal investigation and found no indication of improper sharing of personal customer information as described by the tip to the DPA. Moreover, it considered that there is no evidence suggesting ongoing or current violations of the international regulations.

More specifically, the image material was available to authorised personnel in the company's system for a specific amount of time, and was subsequently archived for a certain period of time, to be able to share images with law enforcement authorities. The controller specified that the footage is stored for exactly the needed time to comply with the purposes of the processing. Additionally, all image views require logging in with specific credentials, making it impossible to export them outside of the controller's system.

Holding

First, as to the type of login information, the DPA found that there was no issue with the technical measures in place in the controller's systems.

Second, the DPA highlighted the gravity of processing data subjects' pictures for amusement purposes and its noncompliance with Article 6 GDPR. However, nothing emerged to indicate that the alleged unlawful handling of image material has taken place.

The DPA further ascertained the existence of appropriate measures as per Article 32(1) GDPR. Since the controller processes personal data of a large number of data subjects, and since such processing happens in the context of an alarm management service, the data processed is of a very privacy-sensitive nature. Moreover, data subjects expect a high degree of confidentiality and protection against unlawful or unauthorised processing. These elements indicate that the controller shall implement measures that counter this high risk to the rights and freedoms of data subjects through a high level of data protection.

In light of the above, the DPA considered whether such a high level of data protection was in place. The DPA found that the controller did not take the appropriate technical and organisational measures, as it did not store the log data on file names long enough to allow tracing of any mismanagement of the personal data related to the images from customers' cameras.

The DPA found that the controller violated Article 32(1) GDPR but that such violation was minor and thus that a reprimand was appropriate.
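
The retention gap behind this finding can be shown in code. The following Python sketch is an added example, not code from the decision or from Verisure: it models an image-view audit log with automatic pruning and shows that an empty query result only proves "no access" while the retention period still covers the alleged period. The `ViewEvent` and `AuditLog` names, operator IDs, file names and dates are constructed; the 100-day and five-year retention periods are the ones stated in the decision text below.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class ViewEvent:
    """One logged image view (hypothetical schema, not the controller's)."""
    day: date
    operator: str
    image_file: str


class AuditLog:
    """Image-view log whose entries are pruned after `retention_days`."""

    def __init__(self, retention_days):
        self.retention = timedelta(days=retention_days)
        self.events = []

    def record(self, event):
        self.events.append(event)

    def prune(self, today):
        """Drop entries older than the retention period; return the cutoff."""
        cutoff = today - self.retention
        self.events = [e for e in self.events if e.day >= cutoff]
        return cutoff


def investigate(log, today, start, end, repeat_threshold=3):
    """Answer 'who opened which image, how often' for an alleged period.

    The key output is `absence_is_conclusive`: a missing log entry only
    proves that no view happened if the whole period is still retained.
    """
    cutoff = log.prune(today)
    if cutoff <= start:
        coverage = "full"
    elif cutoff > end:
        coverage = "none"
    else:
        coverage = "partial"

    views = Counter(
        (e.operator, e.image_file)
        for e in log.events
        if start <= e.day <= end
    )
    return {
        "coverage": coverage,
        "evidence_from": None if coverage == "none" else max(cutoff, start),
        "views": dict(views),
        # Same operator opening the same image repeatedly: worth a manual review.
        "repeat_views": {k: n for k, n in views.items() if n >= repeat_threshold},
        "absence_is_conclusive": coverage == "full",
    }


# --- Constructed sample data (not taken from the case) ---
TODAY = date(2022, 6, 1)
SAMPLE_EVENTS = (
    [ViewEvent(date(2022, 1, 10), "op-17", "img_0001.jpg")] * 4
    + [ViewEvent(date(2022, 1, 10), "op-02", "img_0001.jpg")]
    + [ViewEvent(date(2022, 3, 5), "op-02", "img_0002.jpg")]
    + [ViewEvent(date(2022, 5, 2), "op-17", "img_0003.jpg")]
)


def build_log(retention_days):
    log = AuditLog(retention_days)
    for event in SAMPLE_EVENTS:
        log.record(event)
    return log


def demo(retention_days):
    """Investigate an allegation about January 2022, received on TODAY."""
    return investigate(build_log(retention_days), TODAY,
                       date(2022, 1, 1), date(2022, 1, 31))


if __name__ == "__main__":
    # 100 days as before August 2022; five years approximated as 5 * 365 days.
    for days in (100, 5 * 365):
        result = demo(days)
        print(days, result["coverage"], result["repeat_views"],
              "conclusive" if result["absence_is_conclusive"] else "inconclusive")
```

With the 100-day retention the January views are already pruned, so the query returns nothing and that absence proves nothing; with the longer retention the same query surfaces the repeated views by one operator.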


English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

Verisure Sweden AB

Diary number: IMY-2022-1558
Date: 2024-11-27

Postal address: Box 8114, 104 20 Stockholm
Website: www.imy.se
E-mail: imy@imy.se
Telephone: 08-657 61 00

Decision after supervision according to the Data Protection Regulation - Verisure Sweden AB

The Privacy Protection Authority's decision

The Swedish Privacy Agency (IMY) states that Verisure Sverige AB (556153-2176) during the period from 20 April 2022 to August 2022 has processed personal data in violation of Article 32.1 of the Data Protection Regulation [1] by not having taken appropriate measures to ensure an appropriate level of protection for personal data in the form of footage from cameras in private homes.

IMY gives Verisure Sverige AB a reprimand based on Article 58.2 b of the data protection regulation for the established violation.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Account of the supervisory matter

Background

The Swedish Privacy Protection Authority (IMY) has taken note of information in the media which, among other things, claims that employees of Verisure Sverige AB (hereinafter "Verisure" or "the company") in connection with incoming alarms have shared footage from cameras in private individuals' homes between themselves in different ways without it being justified. IMY has therefore initiated supervision of Verisure for the purpose of investigating the company's internal handling of image material from cameras installed in customers' homes.

After the start of the inspection, IMY has received tips regarding Verisure's technical and organizational security measures. Verisure has been given the opportunity to make a statement on account of this.

What emerged in the case

Verisure has, among other things, stated the following.

About the data in the media

The company has taken the information in the media reporting very seriously and has devoted great resources to investigating the claims in the newspaper article in question. However, Verisure distances itself from the information in the media in that nothing in the company's extensive internal investigation indicates that there would be scope for such processing of image material as described or that similar processing actually takes place. The internal investigation has among other things consisted of interviews with employees and former employees, a technical review of log data to check whether image material has been handled in a deviating way, a review of the alarm operators' chat groups and a review of the technical limitations in the company's system to identify any deficiencies which could enable incorrect processing of the image material. The company's internal investigation has also involved a review of the list of handled cases regarding requests for register extracts in accordance with the data protection regulation, and a review of compliance with the applicable data protection regulations and the internal regulatory framework. Furthermore, the internal investigation has included an examination of the data protection-related training initiatives that the company carries out for new employees and in the ongoing work.

The results of the internal investigation show that there is nothing to indicate that there has been improper sharing of personal customer information in the manner described in the media. In the internal investigation, Verisure was also unable to find any evidence or anything else that suggests ongoing or current violations of the internal regulations. The company also has an established whistleblower channel that has been used by employees in other contexts, but there are no reported events to suggest that improper handling of image material has been reported via that channel.

Had the claims in the media been true, however, there would have been no legal basis for such obviously unauthorized processing of personal data.

About Verisure's handling of personal data from customers' cameras in general

Verisure is an authorized alarm center, which imposes extensive regulatory requirements on the business. Verisure takes its responsibility as a personal data controller very seriously and works in a structured manner with privacy and data protection issues to safeguard the interests of data subjects. Customer privacy is an integral and crucial part of Verisure's business. The company has, among other things, an extensive internal regulatory framework in place consisting of guidelines and routines.

The company's internal policy clearly states how the alarm operators may handle image material and in which situations they may look at the images or ask a colleague to look. As a privacy-enhancing measure, Verisure has also implemented detailed instructions regarding how the cameras may be installed so as not to risk violating personal integrity. Verisure has also implemented technical limitations that ensure that image material is only processed if it is necessary to achieve the purpose of the processing.

The image material is available to authorized personnel in the company's system for a certain time; thereafter it is automatically deleted from the system but archived for a further time, among other things because of the need to be able to share images with law enforcement agencies. Verisure has made the assessment that the time the image material is saved is a sufficiently long period for the company to store the image files in order to, taking into account the clear privacy interest, still be able to fulfill the company's purposes with the processing. For example, there may be a need to be able to follow up on how a certain incident has been handled or to be able to respond to customers' questions about a particular incident that requires access to visual material.

All image views in the company's system are logged. It is technically impossible to gain access to the image material without it being logged. This means that if there is no log of the handling of images in the system, Verisure can state with certainty that no access occurred. That all handling of the image material is logged makes it possible to investigate unauthorized access to the material.

As a general rule, image material should not be exported from Verisure's system. However, there are exceptions where Verisure is entitled to share images, which is why there is an opportunity to export images in special cases. This feature is subject to access restrictions and actions are logged, so it is always possible to track how an image has been shared.

Verisure only has the ability to investigate misconduct of the type alleged in the media during a certain period backwards in time, as image material is deleted from the system in accordance with the company's automatic thinning routines. Log data in the form of image file names have, however, been saved for a slightly longer time, namely 100 days, before this data too was deleted. With this information, Verisure has been able to check how many times a particular operator has opened an image. Since August 2022, an adjustment of the storage time for log data has taken place. The adjustment means that all log data, except for images, is stored for five years. The adjustment regarding the storage time for the log data is partly a result of the need to be able to investigate image processing over a longer period back in time.

About the tips

Regarding the first tip received by IMY about the correct login information, the information largely disagrees with Verisure's view. There have been good reasons for the use in question of a certain type of login information and the procedure has been designed taking into account the relevant data protection legislation. The usage has also continued for a limited time and has now been discontinued. Regarding the two other tips, Verisure is not to be considered the personal data controller for the processing described. In the one tip, one of Verisure's franchisees, as personal data officer, has also clearly acted outside of its instructions and that company is therefore to be considered the personal data controller for the event in question. Although Verisure is not the personal data controller for the processing in question, the company has nevertheless taken the tip very seriously and acted accordingly. Among other things, Verisure has assisted the franchisee in question in the investigation of the incident described in the tip. The second tip concerns another company.


The extent of IMY's review of the case

The Data Protection Regulation contains a large number of rules that must be followed in conjunction with the processing of personal data. Within the framework of this supervisory matter, IMY does not review all rules and issues that can arise in Verisure's operations.

IMY's review of the case has been limited to the processing of personal data described in the media and to the extent to which the company has taken appropriate technical and organizational measures to protect the personal data of the company's customers in the internal handling of image material in accordance with Article 32 of the Data Protection Regulation.


Justification of the decision

Applicable regulations

According to Article 4.7 of the Data Protection Regulation, the personal data controller is a natural or legal person, public authority, institution or other body that alone or together with others determines the purposes and means of the processing of personal data.

According to the principle of accountability in Article 5.2 of the Data Protection Regulation, the personal data controller must be responsible for compliance with the principles described in the first paragraph of the article, including the security principle (Article 5.1 f of the data protection regulation). The accountability principle has been further developed in Article 24, where it appears that the personal data controller must take appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with the data protection regulation.

It follows from Article 28.10 of the data protection regulation that if a processor violates this regulation by establishing the purposes and means of the processing, the processor shall be considered a personal data controller with respect to that processing, without prejudice to the application of Articles 82, 83 and 84.

It follows from Article 32.1 of the data protection regulation that the personal data controller must take appropriate technical and organizational measures to ensure a level of security that is appropriate in relation to the risk of the processing. In the assessment of which technical and organizational measures are appropriate, the personal data controller must take into account the latest developments, implementation costs and the nature, scope, context and purpose of the processing as well as the risks for the rights and freedoms of natural persons.

According to Article 32(1), appropriate safeguards include, where appropriate,

a) pseudonymisation and encryption of personal data,
b) the ability to continuously ensure confidentiality, integrity, availability and resilience of processing systems and services,
c) the ability to restore the availability and access to personal data in reasonable time in the event of a physical or technical incident, and
d) a procedure for regularly testing, examining and evaluating the effectiveness of the technical and organizational measures that must ensure the security of the processing.

According to Article 32.2 of the data protection regulation, when assessing the appropriate security level, special consideration is given to the risks that the processing entails, in particular for accidental or unlawful destruction, loss or alteration or for unauthorized disclosure of or unauthorized access to the personal data transmitted, stored or otherwise processed.

Personal data responsibility

Personal data responsibility in the tips

Verisure has stated that the company is the personal data controller for the personal data processing that the first tip, about login details, concerns, which is supported by the investigation into the case. IMY assesses that Verisure is the personal data controller for that processing in the sense referred to in Article 4.7 of the data protection regulation.

As for the other two tips, Verisure has stated that the company is not the personal data controller for the processing described. Regarding the one tip, IMY assesses that in the light of the nature of the personal data processing in the tip in question, there is no reason to question that the processing has been carried out outside the instructions given to the data controller and that Verisure is therefore not to be considered the personal data controller. Regarding the second tip, IMY notes that there is no reason to question that another company is the personal data controller for the processing. IMY therefore assesses that Verisure is not the personal data controller for the processing that these two tips refer to, which is why this processing is not covered by the further examination in this decision.

Responsibility for personal data in general

Verisure has stated that the company is the controller for the processing of personal data in the form of images within the framework of the company's incident management. Verisure has also stated that the company is joint controller with the customer for the monitoring that the customer himself undertakes by using Verisure's monitoring function in their home, plot and other private buildings. According to Verisure, despite this, the company will however also be considered the sole controller of personal data regarding the processing if the so-called private exception in Article 2.2 c of the data protection regulation is applicable to the customer. This is because the customer's processing of personal data in that case falls outside the scope of the data protection regulation.

What Verisure stated is supported by other investigations in the case. IMY therefore assesses that Verisure is the personal data controller for the personal data processing in question in the meaning referred to in Article 4.7 of the Data Protection Regulation.


The tip about login details

In the tip, it has been claimed that Verisure used a certain type of login information in a way that could contravene the data protection regulation. Against the background of what Verisure stated about the use of the login details in question and what has otherwise emerged in the investigation, however, IMY cannot establish any deficiency in relation to the data protection regulation.


The handling of images alleged in the media

In the media reporting that IMY took part in before the supervision of Verisure began, it was alleged that employees at Verisure shared information about pictures of scantily clad women people between them and that several of the employees viewed the images through the company's alarm management system for entertainment purposes. The news article in question also said that pictures could be sent between employees, including in a chat program.

IMY states that the processing of image material that has been described in the media is very serious and could mean a major intrusion into the personal integrity of individuals. Such processing would, as Verisure has also stated, lack a legal basis in Article 6 of the Data Protection Regulation and thus be impermissible. To be able to establish a deficiency according to the data protection regulation, however, it must be clear that the processing of image material described in the media has taken place.

Verisure has reported on the internal investigation that the company undertook to investigate the information in the media and has stated that nothing emerged in the investigation which indicates that handling of image material has taken place in the way that has been described in the media.

IMY notes that Verisure has undertaken an extensive internal investigation to investigate the alleged handling of image material. The company's internal investigation has not shown that what has been claimed in the media has occurred. Nor has it, through IMY's investigation in the case in general, been possible to show that what was described in the media has happened. IMY therefore assesses that the investigation in the matter does not support that Verisure has failed to comply with the data protection regulation in the way that has been described in the media.


                                Verisure has not taken appropriate security measures


                                In light of what has emerged from the investigation in the case, IMY nevertheless finds reason
                                to examine whether Verisure has taken appropriate measures to ensure a level of protection that
                                is appropriate given the risks of the processing.


                                The processing involved major privacy risks and required a high level of protection
                                The controller must ensure security that is appropriate to
                                the risks of the processing. The assessment of the appropriate level of protection must take
                                into account, among other things, the nature, scope, context and purpose of the processing
                                as well as the risks, of varying likelihood and severity, to the rights and freedoms of
                                natural persons. In the assessment, special consideration must be given to the risks that
                                the processing entails, among other things from unauthorized disclosure of or unauthorized
                                access to the personal data.

                                IMY notes that Verisure processes personal data from a large number of data subjects
                                in its operations. [2] IMY further notes that the matter concerns an alarm management service
                                in which cameras installed in private individuals' homes are part of the service. The processing
                                of personal data that takes place through it therefore includes, among other things, the
                                collection and handling of image material of people who are in their home environment.
                                This is very privacy-sensitive processing. Furthermore, people
                                who are customers of Verisure have engaged the company for safety and security purposes and
                                rely on the cameras installed in the home being used by Verisure only
                                for this purpose. It is therefore a matter of processing personal data
                                for which data subjects have legitimate expectations of a high degree of
                                confidentiality and robust protection against unauthorized and unlawful processing. This type
                                of personal data processing also takes place within the framework of Verisure's
                                core business, which entails even higher requirements for the level of protection.


                                Considering, among other things, that the data processed by Verisure has been of a
                                privacy-sensitive nature and has affected a large number of people, the company's processing
                                of personal data has overall meant a high risk to the rights and freedoms of natural
                                persons. The nature, scope and context of the processing have thus entailed a
                                requirement for a high level of protection for the data. The measures must, among other things,
                                ensure that personal data is protected against unauthorized disclosure and unauthorized access.


                                The data has not been adequately protected
                                IMY must next assess whether Verisure has ensured the high level of protection that
                                was required. To be able to maintain the security of the personal data processed in
                                an organisation's system, it is fundamental to have control over what is happening,
                                and what has happened, to the data. The data subject also has a right to obtain
                                access to their personal data and information about how the data has been processed.
                                For the data subject to be able to exercise this right and thereby, among other things,
                                verify the lawfulness of the processing, it is fundamental that the
                                controller has control over how the data is processed or has been
                                processed. This can, for example, be done through logging.

                                [2] According to Verisure's website, the company has approximately 500,000 Swedish customers,
                                see Verisure, "About us". https://www.verisure.se/om-oss [2024-11-27]


                                The investigation in the case shows that the image material is stored for a certain
                                predetermined time and is subsequently deleted from the system. After this period it is not
                                possible to search operators' handling of individual images. In connection with the image
                                handling, however, other data closely related to the image handling is also logged for a
                                somewhat longer time. Before August 2022, log data in the form of the images' file names was
                                saved for a total of 100 days. This log data makes it possible to check how many
                                times a particular operator has opened an image.


                                Regarding the storage time for Verisure's log data, IMY makes the following assessment.
                                Image material from customers' cameras in the home is, as previously established, associated
                                with a weighty privacy interest. In light of this and the purposes
                                of the processing that Verisure has described and what the company has otherwise stated,
                                IMY considers that the time for which Verisure stores the image material is proportionate.


                                However, there is other, less privacy-sensitive log data that can be used to
                                check that image material is not handled in an inappropriate manner and thus ensure
                                that personal data is protected against unauthorized disclosure and unauthorized access.
                                Log data in the form of the images' file names is one such type of log data, with which it is
                                possible to search how many times a certain image has been opened in the system. According to
                                Verisure, however, this log data was stored for only 100 days, which meant that no search
                                for possible mishandling of image material could be done after this period.
                                Taking into account the high level of protection that has been required for the personal data,
                                IMY assesses that the storage time in question for log data about the images' file names has
                                been too short to protect the data against unauthorized disclosure or unauthorized access to a
                                sufficient degree and to ensure the confidentiality of the personal data processed in the
                                company's system.


                                IMY therefore assesses that Verisure has not taken appropriate technical and organizational
                                measures to ensure a level of security that was appropriate in relation to the risk
                                of the processing. The reason for this is that Verisure has not stored log data about
                                the images' file names long enough to be able to search for possible mishandling of
                                personal data in the form of images from customers' cameras. As a result, Verisure has
                                also lacked the ability to sufficiently ensure the protection of the data subjects'
                                rights.

                                Verisure has, however, within the framework of a general review of storage times during the
                                period of IMY's supervision, implemented a new retention time for the images' file names, which
                                means that log data about the file names has been saved for five years since August 2022.
                                Verisure has stated that the adjustment of the storage time for the file names is partly a
                                result of the need to be able to investigate image handling over a longer period back in time.
                                Through this adjustment, IMY considers that, since August 2022, Verisure no longer fails to
                                comply with the Data Protection Regulation in the manner described above.

                                Within the framework of this supervision, Verisure has also reported on other technical and
                                organizational security measures that the company has taken to protect customers'
                                personal data in the internal handling of image material. On the basis of what
                                Verisure has stated in this respect, IMY notes that nothing has emerged other than that
                                the other protective measures appear to be appropriate.

                                [3] Cf. the judgment of the European Court of Justice Pankki S, C-579/21, EU:C:2023:501,
                                paragraphs 37-83.


                                Overall, IMY assesses that Verisure has processed personal data in violation of
                                Article 32.1 of the Data Protection Regulation. It can be deduced from the investigation in the
                                case that the limited storage time for the log data in question has existed at least
                                since the time of the initiation of supervision on 20 April 2022 until August 2022. IMY
                                therefore assesses that Verisure has processed personal data in violation of the
                                Data Protection Regulation during the period from 20 April 2022 to August 2022.


                                Choice of intervention


                                It follows from Article 58.2 i and Article 83.2 of the Data Protection Regulation that IMY has
                                the power to impose administrative fines in accordance with Article 83.
                                Depending on the circumstances of the individual case, administrative
                                fines are to be imposed in addition to or instead of the other measures referred to in Article
                                58.2, such as injunctions and prohibitions. Furthermore, Article 83.2 sets out which
                                factors are to be taken into account when deciding whether administrative fines are to be
                                imposed and when determining the size of the fine. If the violation is minor,
                                IMY may, as set out in recital 148, issue a reprimand in accordance with Article 58.2 b
                                instead of imposing a fine. Consideration shall be given to aggravating and
                                mitigating circumstances of the case, such as the nature, severity
                                and duration of the violation as well as previous violations of relevance.


                                When assessing the choice of intervention, IMY considers the following. IMY has assessed that
                                Verisure has violated Article 32.1 of the Data Protection Regulation by, during the period from
                                20 April 2022 to August 2022, not having stored log data about the images' file names
                                long enough to be able to investigate possible mishandling of personal data and
                                in this way, among other things, be able to ensure that the personal data is protected against
                                unauthorized disclosure and unauthorized access. A violation of that provision may
                                result in a fine.


                                Images containing people in their home environment are very privacy-sensitive
                                personal data. Unauthorized disclosure of or access to such personal data entails
                                a high risk to the freedoms and rights of the data subjects. Verisure has lacked the ability to
                                search for possible mishandling of the personal data further back in time than 100
                                days, which means a risk that unauthorized disclosure or access could have taken place without
                                Verisure having the ability to check this and take any appropriate measures.

                                However, within the scope of an internal review, Verisure has, among other things in order to
                                make it possible to investigate image handling further back in time, changed the storage time
                                for the log data in question so that it is now stored for five years. This was admittedly done
                                after IMY started the current supervision, but means that Verisure has thereby remedied
                                the deficiency. Furthermore, the identified deficiency has not in itself meant that personal
                                data has been processed in an impermissible manner but rather concerns the possibility of being
                                able to check the processing of the data afterwards.






                                In an overall assessment of the circumstances of the case, IMY finds that it is a question
                                of such a minor infringement within the meaning of recital 148 that there is
                                reason to refrain from imposing a fine on Verisure for the violation found.
                                Verisure shall therefore, pursuant to Article 58.2 b of
                                the Data Protection Regulation, instead be given a reprimand for the violation found.


                               __________________________

                                This decision has been made by unit manager Jenny Bård after a presentation by
                                Department Counsel Sarah Bodlander. The departmental lawyer Andreas Persson and IT and
                                information security specialist Petter Flink also participated in the final processing
                                of the case.


                               Jenny Bård







                               Copy to
                                The Data Protection Officer






                                How to appeal


                                If you want to appeal the decision, you must write to IMY. State in the letter which decision
                                you are appealing and the change you request. The appeal must have been received by IMY
                                within three weeks from the day you received the decision. If you are a party representing
                                the public, however, the appeal must have been received within three weeks from the day
                                the decision was announced. If the appeal has been received in time, IMY forwards it
                                to the Administrative Court in Stockholm for review.

                                You can e-mail the appeal to IMY if it does not contain any privacy-sensitive
                                personal data or information that may be subject to confidentiality. The authority's
                                contact details appear on the first page of the decision.