AEPD (Spain) - EXP202205820

From GDPRhub
Revision as of 13:10, 9 May 2023 by Ba (talk | contribs)
AEPD - ps-00389-2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6 GDPR
Article 83(2) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 5,000 EUR
Parties: n/a
National Case Number/Name: ps-00389-2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Michelle Ayora

An employer installed a surveillance camera with sound capture for security reasons which was also used for monitoring purposes. Employees were not informed about it and the DPA considered it disproportionate to the purpose and imposed a € 5.000 fine for violation of Article 6 GDPR.

English Summary

Facts

The data subject worked in a commercial establishment and was aware that the place was monitored by security cameras. On a given day, the data subject received a call from the controller, their boss and owner of the establishment, complaining that background music had been replaced by the news.

The data subject lodged a complaint with the Spanish DPA claiming that they were not aware that their conversations were being monitored. The DPA started an investigation and notified the controller.

In response, the controller presented a contract signed with the security service company in charge of the installation, maintenance and management of the alarm system. In the contract, the parties agreed that a microphone would be installed to listen to the audio on site, but without recording. For this reason, the controller argued that there was no privacy violation.

Holding

The DPA started its analysis by stating that both athe image and the voice of a person constitute personal data under the terms defined by the GDPR, which is therefore applicable to the case. Then, it emphasized that the mere capture of the voice constitutes processing of personal data, regardless of whether or not there is a recording.

The DPA recalled that Article 22 LOPDGDD authorizes the installation of video cameras to guarantee the security of people and goods provided that: a) the data will be suppressed within a maximum period of one month from its collection; and b) a visible notice is placed in the monitored area.

It also pointed out that Article 89 LOPDGDD imposes compliance with the principle of proportionality and establishes some conditions for the cameras to be installed in the workplace. Among these conditions, the DPA highlighted the prohibition against the installation of cameras in dressing rooms, toilets, eating rooms or similar places.

Moreover, it expressly states that sound recording in the workplace is only permitted when the activities carried out therein generate relevant risks to the security of the facilities, goods and people.

In the specific case, the DPA found that the voice recording in the controller's commercial establishment represented a serious interference in the privacy of its employee and customers and that this interference was disproportionate in relation to the intended security purposes.

For these reasons, the DPA found a violation of Article 6 and imposed a €5,000 fine on the controller.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/20










     File no.: EXP202205820



                   RESOLUTION OF APPEAL FOR REPLACEMENT



Examined the reversal appeal filed by A.A.A. (hereinafter, the part
appellant) against the resolution issued by the Director of the Spanish Agency for
Data Protection dated March 9, 2023, and based on the following

                                      FACTS



FIRST: On 03/09/2023, a resolution was issued by the Director of the Agency
Spanish Data Protection in file EXP202205820, by virtue of the
which was imposed on A.A.A. a penalty of 5,000 euros (five thousand euros), for the
violation of the provisions of article 6 of Regulation (EU) 2016/679 of the

European Parliament and of the Council of April 27, 2016 on the protection of
natural persons with regard to the processing of personal data and the free
circulation of these data and repealing Directive 95/46/EC (hereinafter
GDPR); infringement typified in article 83.5.a) of the same Regulation and qualified
as very serious for the purposes of prescription in article 72.1.b) of the Organic Law

3/2018, of December 5, Protection of Personal Data and guarantee of the
digital rights (hereinafter LOPDPGDD).

In the same resolution it was agreed to require A.A.A. so that, within a month,
adapt its action to the personal data protection regulations, with the scope
expressed in the Foundation of Law VIII of the resolution, and justify before this

Spanish Agency for Data Protection the attention of this requirement.

Said resolution, which was notified to the appellant on 03/13/2023, was
dictated prior to the processing of the corresponding disciplinary procedure, according to
in accordance with the provisions of the LOPDGDD, and additionally in Law 39/2015,

of October 1, of the Common Administrative Procedure of the Administrations
Public (hereinafter, LPACAP), in terms of processing procedures
sanctioners.

SECOND: As proven facts of the aforementioned sanctioning procedure,

PS/00389/2022, the following was recorded:

<<1. The claimed party carries out its economic activity as an entrepreneur
individual, under the trademark "Grupo ***GRUPO.1", with professional domicile at
"***ADDRESS 1".


2. The business premises located at "***ADDRESS.1" have a system of
video surveillance, for which the claimed party is responsible.

3. The claimant has stated that he provides services as an employee of the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/20








claimed party in the place located at the postal address indicated in the Facts
Tested First and Second.


4. The complaining party stated that the video surveillance system described in the
Fact Tested Second has sound pickup, in addition to voice pickup
image.

In this regard, the complainant contributed to the proceedings with screenshots of
a mobile device in which you can see WhatsApp messages that were sent to you

sent by the claimed party (“Group ***GROUP.1”). In these messages
indicates:

. “Group ***GROUP.1”: “What do you have in the background? Why is there no music?
. You: "And this?"

. “Group ***GROUP.1”: “Because I entered the camera and the news was being heard”>>.

THIRD: On 04/12/2023, within the established period, a
appeal for replacement by A.A.A. (hereinafter, the claimed party or the party
appellant) against the resolution outlined in the First Antecedent, dated

03/09/2023, in which it literally reproduces the allegations made to the
draft resolution prepared in the contested procedure and requests that
remember your file.

The appellant party provides a copy of the security service contract signed in

date 11/12/2019 with the company to which the installation, maintenance and
operation of the alarm center, noting that from the analysis of said contract
It can be seen that the video surveillance system in question only has
contracted, in relation to listening to audio, alarms or alert systems that
incorporate microphones that allow listening to audio, but not recording or recording said
audios. By this, he understands that he would not be committing the infringement charged.


On the other hand, in the same writ of appeal the suspension of the
resolution, in accordance with the provisions of article 117 of the LPACAP.



                         FUNDAMENTALS OF LAW

                                        Yo
                                 Competence


The Director of the Spanish Agency is competent to resolve this appeal
of Data Protection, in accordance with the provisions of article 123 of the Law
39/2015, of October 1, of the Common Administrative Procedure of the
Public Administrations (hereinafter LPACAP) and article 48.1 of the Law
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of
digital rights (hereinafter, LOPDGDD).



                                       II
                     Response to the allegations presented

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/20









In relation to the statements made by the appellant, which
literally reproduce the brief of allegations to the motion for a resolution that was

presented by the appellant during the processing of the procedure
disciplinary action, it should be noted that they were already analyzed and dismissed in the
Fundamentals of Law II to VIII of the Appealed Resolution, dated 03/09/2023, in
which is considered to have breached the provisions of article 6 of the GDPR and
the evaluation of the tests that have allowed to determine
said breach and the scope granted to it, as well as the circumstances

taken into account for the graduation of the sanction imposed. In said Fundamentals
of law states the following:

                                          <<II
                                 formal issues


In advance, it is deemed appropriate to analyze the formal issues raised
by the party claimed in their pleadings, both at the opening of the
procedure and in relation to the motion for a resolution.

It considers that the procedure is null and void since it was not notified

evidence of the claim in which it originates, of which he was aware with
the notification of the initiation agreement, violating what is established in the LPACAP, in
relation to the essential procedures that must be substantiated in a procedure for
prevent the interested party from suffering defenselessness; and the requirement to notify the act as
necessary requirement for its effectiveness.


The claimed party refers, specifically, to the procedure for transferring the claim
which is outlined in the Second Antecedent, which was not addressed to "A.A.A.", but to
"Group ***GROUP.1", which lacks legal capacity and cannot be interested in
The procedure.


In this regard, this Agency understands that the claimed party has been respected
all the guarantees of the interested party that the procedural regulations provide and it cannot be said
that the incidence indicated in relation to the process of transferring the claim
supposes no reduction of said guarantees causing defenselessness.


The indicated notification of transfer of the claim to the person in charge to whom
refers to the party claimed in its allegations has to do with the process of
admission to processing of the claims received, prior to the agreement of admission of
such claims.


In accordance with the provisions of article 55 of the GDPR, the Spanish Agency
of Data Protection is competent to perform the functions assigned to it.
assigned in its article 57, among them, that of enforcing the Regulation and promoting the
sensitization of controllers and processors about the
obligations incumbent upon them, as well as dealing with claims filed by a

interested and investigate the reason for them.

Correlatively, article 31 of the GDPR establishes the obligation of those responsible
and those in charge of the treatment to cooperate with the control authority that requests it in

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/20








the performance of their duties. In the event that they have designated a
data protection delegate, article 39 of the GDPR attributes to him the function of
cooperate with said authority.


In the same way, the internal legal system, in article 65.4 of the LOPDGDD,
has provided for a mechanism prior to the admission for processing of the claims that are
formulated before the Spanish Agency for Data Protection, which consists of giving
transfer of the same to the data protection delegates designated by the
responsible or in charge of the treatment, for the purposes provided in article 37 of

the aforementioned norm, or to them when they have not designated them, so that they proceed to the
analysis of said claims and to respond to them within a month. In this
Article 65.4 of the LOPDGDD, which regulates the "Admission for processing of
claims”, establishes the following:


"4. Before deciding whether to admit the claim for processing, the Agency
Española de Protección de Datos may send it to the data protection delegate
data that would have, where appropriate, designated the person in charge or in charge of the treatment
or to the supervisory body established for the application of the codes of
conduct for the purposes set forth in articles 37 and 38.2 of this organic law.


The Spanish Agency for Data Protection may also send the claim
to the person in charge or in charge of the treatment when a
data protection officer or adhered to resolution mechanisms
extrajudicial conflict, in which case the person responsible or in charge must give
response to the claim within a month.


According to this regulation, prior to the admission for processing of the claim
that gives rise to this procedure, it was transferred to the person in charge (the
claimed party) to proceed with its analysis, respond to this Agency in
within one month and certify having provided the complaining party with the response

due.

The result of said transfer was not satisfactory, therefore, for the purposes foreseen
in its article 64.2 of the LOPDGDD, it was agreed to admit the claim for processing
presented by means of an agreement that was duly notified to the complaining party,
and not to the claimed party, in accordance with the provisions of article 65.5 of the

LOPDGDD.

This procedure prior to the admission of the claim, according to article 65.4 of the
LOPDGDD previously transcribed, it is an optional procedure, so that
formalized only if this Agency deems it so, without any

legal consequence of the fact that this procedure is not carried out or in case of
that, once attempted, could not have been carried out effectively; nor does it prevent
that the claim can be admitted for processing and given the appropriate course. Neither
these circumstances have no bearing on the validity of the possible procedure
disciplinary action that could be initiated later.


In this case, in addition, the notification of the transfer process, as detailed in the
antecedents of this act, it occurred in a valid and reliable manner at the address
in which the claimed party carries out its activity, the same indicated by said

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/20








party as address for notification purposes. The letter in question was delivered
at that address by the Postal Service on 05/31/2022.


It is true, as has been pointed out, that the notification was addressed to "Grupo GRUPO.1" and
no to “A.A.A.” However, in the proceedings it has been proven that the party
claimed operates under the trademark “Grupo ***GRUPO.1”. own part
claimed is presented in their public profiles accessible on the websites "***URL.1"
e “***URL.2” as “(…)” since September 2016.


Also, in his pleadings brief at the opening of the proceeding, he points out the party
claimed as contact information, in addition to the postal address to which the
transfer process, the email address "***EMAIL.1". Both
addresses, postal and electronic, also appear as contact information on the site
website “***URL.3”.


Despite this, the period of one month granted to the claimed party to inform
on the issues raised by the claim and addressing it took place without
that this Agency received any response.

The defendant, in its allegations to the proposed resolution, reproduces its

previous allegations on the nullity of actions for the sending of the notification
of the transfer of the claim to "Group ***GROUP.1", without considering the arguments
above, about which it does not mention.

                                           II

                       The image and voice are personal data

The physical image and voice of a person, according to article 4.1 of the GDPR, are a
Personal data and its protection, therefore, is the subject of said Regulation. In the article
4.2 of the GDPR defines the concept of "processing" of personal data.


The images and voice captured by a system of cameras or video cameras are data
of a personal nature, so its treatment is subject to the regulations of
Data Protection.

It is, therefore, pertinent to analyze whether the processing of personal data (image and voice

of the complaining party, who serves as an employee in the company of the party
claimed, and of the natural persons who come as clients to the establishment of
said company, open to the public) carried out through the system of
denounced video surveillance is in accordance with the provisions of the GDPR.


                                           IV.
                                       Infringement

The complaining party bases its claim on two grounds. First of all,
questions that the complained party can access the computer he uses at work,

using an application that allows remote access to the device. Without
However, it is a company computer accessed by the party claimed in
his status as head of the organization. Furthermore, the complaining party
It only refers to access to a shared folder in which they are hosted

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/20








company jobs. Thus, from what was provided and stated by the claimant
no indications of infringement are deduced.


The second reason for the claim has to do with the audio capture by the
video surveillance system installed in the workplace of the complaining party and the
legality of the processing of personal data that it entails.

Article 6.1 of the GDPR establishes the assumptions that allow the use of
processing of personal data:


"1. Processing will only be lawful if at least one of the following is fulfilled
conditions:

a) the interested party gave his consent for the processing of his personal data

for one or more specific purposes;
b) the treatment is necessary for the execution of a contract in which the interested party
is part of or for the application at the request of the latter of pre-contractual measures;
c) the processing is necessary for compliance with a legal obligation applicable to the
responsible for the treatment;
d) the processing is necessary to protect vital interests of the data subject or of another

Physical person;
e) the treatment is necessary for the fulfillment of a mission carried out in the interest
public or in the exercise of public powers conferred on the data controller;
f) the treatment is necessary for the satisfaction of legitimate interests pursued
by the person in charge of the treatment or by a third party, provided that on said

interests do not outweigh the interests or fundamental rights and freedoms of the
interested party that require the protection of personal data, in particular when the
interested is a child.
The provisions of letter f) of the first paragraph shall not apply to the treatment
carried out by public authorities in the exercise of their functions.


The permanent implantation of a system of video cameras for reasons of
security has a legitimate basis in the LOPDGDD, the explanatory statement of which indicates:

“Together with these assumptions, others are included, such as video surveillance… in which the
legality of the treatment comes from the existence of a public interest, in the terms

established in article 6.1.e) of Regulation (EU) 2016/679”.

Regarding treatment for video surveillance purposes, article 22 of the LOPDGDD
establishes that natural or legal persons, public or private, may carry out
carry out the treatment of images through systems of cameras or video cameras

in order to preserve the safety of people and property, as well as their
facilities.

On the legitimacy for the implementation of video surveillance systems in the field
labor, this same article 22, in its section 8, provides that "The treatment by the

Employer data obtained through camera or video camera systems will be
submits to the provisions of article 89 of this organic law”.

Royal Legislative Decree 1/1995, of 03/24, is taken into account, which approves the text

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/20








Consolidated Law of the Workers' Statute (LET), whose article 20.3 states:

"3. The employer may adopt the measures he deems most appropriate for surveillance and

control to verify compliance by the worker with his obligations and duties
labor, keeping in its adoption and application the consideration due to its
dignity and taking into account, where appropriate, the real capacity of workers with
disability".

The permitted surveillance and control measures include the installation of

security cameras, although these systems should always respond at first
of proportionality, that is, the use of video cameras must be proportional to the purpose
pursued, this is to guarantee the security and the fulfillment of the obligations and
job duties.


Article 89 of the LOPDPGDD, referring specifically to the "right to privacy
against the use of video surveillance and sound recording devices in the place
work" and the processing of personal data obtained with camera systems or
video cameras for the exercise of control functions of the workers, allows
that employers can process the images obtained through security systems
cameras or camcorders for the exercise of the functions of control of the

workers or public employees provided for, respectively, in article 20.3
of the Workers' Statute and in the civil service legislation, provided that
These functions are exercised within its legal framework and with the limits inherent to the
same.


In relation to sound recording, the aforementioned article 89 of the LOPDGDD
sets the following:

"2. In no case will the installation of sound recording systems or
of video surveillance in places destined to the rest or recreation of the

workers or public employees, such as changing rooms, toilets, dining rooms and
analogues.
3. The use of systems similar to those referred to in the previous sections to
the recording of sounds in the workplace will be allowed only when they are
relevant risks to the safety of facilities, goods and people
derived from the activity carried out in the workplace and always

respecting the principle of proportionality, the principle of minimum intervention and guarantees
provided in the previous sections. The suppression of sounds preserved by
These recording systems will be carried out in accordance with the provisions of section 3
of article 22 of this law”.


On the other hand, it is interesting to note that, according to the doctrine of the Constitutional Court, the
recording conversations between workers or between them and customers is not justified
for the verification of compliance by the worker with his obligations or duties.
In a Judgment dated 04/10/2000 (2000/98), issued in rec. num. 4015/1996, it
declares the following:


In this sense, it must be taken into account that the managerial power of the employer,
essential for the smooth running of the productive organization and recognized
expressly in art. 20 LET, attributes to the employer, among other faculties, that of

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/20








adopt the surveillance and control measures it deems most appropriate to verify the
compliance of the worker with his labor obligations (art. 20.3 LET). more that
faculty must occur in any case, as is logical, with due respect for the

dignity of the worker, as expressly reminds us of the labor regulations (arts.
4.2.e and 20.3 LET)…

... it should be remembered that the jurisprudence of this Court has repeatedly insisted
in the full effectiveness of the fundamental rights of the worker within the framework of the
employment relationship, since this cannot imply in any way the deprivation of such

rights for those who serve in productive organizations... In
Consequently, and as this Court has also affirmed, the exercise of such
rights only admits limitations or sacrifices to the extent that they are
develops within an organization that reflects other recognized rights
constitutionally in the arts. 38 and 33 CE and which imposes, according to the assumptions, the

necessary adaptability for the exercise of all of them...

Therefore, the premise from which the Judgment under appeal is based must be rejected,
consisting of affirming that the workplace is not by definition a space
in which the right to privacy is exercised by workers, in such a way that
so that the conversations that workers have with each other and with

Clients in the performance of their work activity are not covered by art. 18.1
CE and there is no reason why the company cannot know the content of
those, since the aforementioned right is exercised in the sphere of the private sphere of the
worker, that in the workplace it must be understood limited to places of
rest or recreation, changing rooms, toilets or the like, but not to those places

in which the work activity takes place...

…Such a statement is rejectable, since it cannot be ruled out that also in
those places of the company where the work activity is carried out may
illegitimate interference by the employer in the right to

privacy of the workers, such as the recording of conversations between
a worker and a client, or between the workers themselves, in which they are addressed
issues unrelated to the employment relationship that are integrated into what we have called
own sphere of development of the individual (SSTC 231/1988, of December 2,
FJ 4 and 197/1991, of October 17, FJ 3, for all). In short, it will be necessary to attend
only to the place of the work center where the systems are installed by the company

control audiovisuals, but also to other elements of judgment (if the installation is
does or not indiscriminately and massively, if the systems are visible or have been
surreptitiously installed, the real purpose pursued with the installation of such
systems, if there are security reasons, by the type of activity that takes place in
the workplace in question, which justifies the implementation of such means of

control, etc.) to elucidate in each specific case if these means of surveillance and
control respect the right to privacy of workers. Certainly the
installation of such means in places of rest or recreation, changing rooms,
toilets, dining rooms and the like is, a fortiori, harmful in any case to the right to
privacy of workers, without further consideration, for obvious reasons... But this

does not mean that this injury cannot occur in those places where it is performed
the work activity, if any of the exposed circumstances that allow
classify business action as an illegitimate intrusion into the right to privacy
from the workers. It will be necessary, then, to attend to the concurrent circumstances in the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/20








Specific assumption to determine whether or not there is a violation of art. 18.1 EC.

…its limitation [of the fundamental rights of the worker] by the

entrepreneurial powers can only derive well from the fact that the company itself
nature of the contracted work implies the restriction of the right (SSTC 99/1994,
FJ 7, and 106/1996, FJ 4), either of a proven need or business interest, without
that its mere invocation is sufficient to sacrifice the fundamental right of the
worker (SSTC 99/1994, FJ 7, 6/1995, FJ 3 and 136/1996, FJ 7)...


These limitations or modulations must be the indispensable and strictly
necessary to satisfy a business interest deserving of guardianship and protection, of
so that if there are other less aggressive possibilities of satisfying said interest
and affecting the right in question, it will be necessary to use the latter and not those
others more aggressive and affecting. It is, ultimately, the application of the principle

of proportionality…

The question to be resolved is, therefore, whether the installation of microphones that allow recording
the conversations of workers and clients in certain areas... it adjusts in
the assumption that concerns us to the essential requirements of respect for the right to
The intimacy. In this regard, we must begin by pointing out that it is indisputable that the

installation of sound capture and recording devices in two specific areas…
It is not without utility for the business organization, especially if one takes into account
note that these are two areas where economic transactions take place
of some importance. However, the mere utility or convenience for the company does not
simply legitimizes the installation of listening and recording devices, taking into account

that the company already had other security systems than the security system
hearing is intended to complement…

In short, the implementation of the listening and recording system has not been in this
case in accordance with the principles of proportionality and minimum intervention that govern

the modulation of fundamental rights by the requirements of the
interest of the business organization, since the purpose pursued (to give a plus
security, especially in the event of customer complaints) is
disproportionate to the sacrifice that implies the right to privacy of the
workers (and even customers...). This system allows for feedback
private, both from clients and workers..., comments from others by

completely to the corporate interest and therefore irrelevant from the perspective of control
of labor obligations, and may, however, have negative consequences
for the workers who, in any case, are going to feel constrained to carry out
any type of personal comment before the conviction that they are going to be
heard and recorded by the company. It is, in short, an intrusion

illegitimate in the right to privacy enshrined in art. 18.1 CE, since there is no
definitive argument that authorizes the company to listen and record the
private conversations that workers… have with each other or with employees
customers".


In any case, employers must inform in advance, and in a
express, clear and concise, to workers or public employees and, where appropriate, to
their representatives, about this measure (article 89.1 of the LOPDGDD).


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/20








                                            V
                       Video surveillance obligations


In accordance with the foregoing, the processing of images through a system
video surveillance, to comply with current regulations, must comply with the
following requirements:

1.- Individuals or legal entities, public or private, can establish a system
video surveillance in order to preserve the safety of people and property,

as well as its facilities.

It must be assessed whether the intended purpose can be achieved in another less
intrusive to the rights and freedoms of citizens. Personal data only
should be processed if the purpose of the processing cannot reasonably be achieved by

other means, recital 39 of the GDPR.

2.- The images obtained cannot be used for a subsequent purpose
incompatible with the one that motivated the installation of the video surveillance system.

3.- The duty to inform those affected provided for in articles

12 and 13 of the GDPR, and 22 of the LOPDGDD.

In this sense, article 22 of the LOPDGDD provides in relation to video surveillance
a “layered information” system.


The first layer must refer, at least, to the existence of the treatment
(video surveillance), the identity of the person responsible, the possibility of exercising the rights
provided for in articles 15 to 22 of the GDPR and where to obtain more information about the
processing of personal data.


This information will be contained in a device placed in a sufficiently
visible and must be provided in advance.

Second layer information should be easily available in one place
accessible to the affected person, whether it is an information sheet at a reception, cashier, etc…,
placed in a visible public space or in a web address, and must refer to the

other elements of article 13 of the GDPR.

4.- Images of the public thoroughfare cannot be captured, since the treatment of
images in public places, unless there is government authorization, only
It can be carried out by the Security Forces and Bodies.


On some occasions, for the protection of private spaces, where
cameras installed on facades or inside, may be necessary to ensure the
security purpose the recording of a portion of the public thoroughfare.


That is, cameras and camcorders installed for security purposes may not be
obtain images of public roads unless it is essential for said purpose, or
it is impossible to avoid it due to their location. And in such a case
extraordinary, the cameras will only be able to capture the minimum portion necessary to

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/20








preserve the safety of people and property, as well as its facilities.

Installed cameras cannot get images from third-party proprietary space

and/or public space without duly accredited justified cause, nor can they affect
the privacy of passers-by who move freely through the area.

It is not allowed, therefore, the placement of cameras towards the private property of
neighbors with the purpose of intimidating them or affecting their private sphere without cause
justified.


In no case will the use of surveillance practices beyond the environment be admitted.
object of the installation and in particular, not being able to affect public spaces
surroundings, adjoining buildings and vehicles other than those that access the space
guarded.


Images cannot be captured or recorded in spaces owned by third parties without the
consent of their owners, or, where appropriate, of the people who are in them
find.

It is disproportionate to capture images in private spaces, such as

changing rooms, lockers or rest areas for workers.

5.- The images may be kept for a maximum period of one month, except in
those cases in which they must be kept to prove the commission of acts
that threaten the integrity of people, property or facilities.


In this second case, they must be made available to the authority
competent authority within a maximum period of 72 hours from the knowledge of the
recording existence.


6.- The controller must keep a record of processing activities
carried out under his responsibility in which the information to which he makes
reference article 30.1 of the GDPR.

7.- The person in charge must carry out a risk analysis or, where appropriate, an evaluation
of impact on data protection, to detect those derived from the implementation

of the video surveillance system, assess them and, where appropriate, adopt security measures.
appropriate security.

8.- When a security breach occurs that affects the processing of
cameras for security purposes, whenever there is a risk to the rights and

freedoms of natural persons, you must notify the AEPD within a maximum period of
72 hours.

A security breach is understood to be the destruction, loss or accidental alteration or
unlawful transfer of personal data, stored or otherwise processed, or the

communication or unauthorized access to said data.

9.- When the system is connected to an alarm center, it can only be
installed by a qualified private security company

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/20








contemplated in article 5 of Law 5/2014 on Private Security, of April 4.

The Spanish Data Protection Agency offers through its website

[https://www.aepd.es] access to:

    . the legislation on the protection of personal data, including the GDPR
    and the LOPDGDD (section "Reports and resolutions" / "regulations"),
    . the Guide on the use of video cameras for security and other purposes,
    . the Guide for compliance with the duty to inform (both available at the

    section "Guides and tools").

It is also of interest, in case of carrying out low-risk data processing,
the free tool Facilita (in the "Guides and tools" section), which, through
specific questions, allows to assess the situation of the person in charge with respect to the

processing of personal data that it carries out, and where appropriate, generate various
documents, informative and contractual clauses, as well as an annex with measures
indicative security considered minimum.

                                           SAW
          Administrative offense. Classification and qualification of the infraction.


The claim is based on the alleged illegality of the installed video surveillance system
by the claimed party in the premises where it carries out its business activity, in
relation to sound capture.


The claimed party is the owner and responsible for the video surveillance system
denounced and, therefore, the person responsible for the data processing involved in the
use of said system. The data processing carried out includes
the collection of personal data related to the voice of employees and third parties that
can access the premises, which appears to be an establishment open to the public,

in view of the image provided by the claimant.

In relation to said system, the complaining party has stated that the system is
was installed when he began to serve as an employee of the part
claimed, in 2019, "supposedly as a security measure for the premises"; and?
has never been informed about the capture of sound or its use for purposes

of labor control, which constitutes, in the opinion of the complaining party, a use
"for a purpose other than that which is stated to have been installed."

Therefore, the legality of the video surveillance system installed by the party is questioned.
claimed in the premises where it carries out its business activity, in relation to the

sound capture, which has been duly accredited by the claimant
with the contribution of a WhatsApp conversation in which the claimed party
refers to his access to the video surveillance system and the sound captured by the
same.


The claimed party has not provided any justification in relation to the issues
raised by the complaining party, despite the fact that it was expressly required with
occasion of the process of transfer of the claim, which was not answered by that one.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/20








It has limited itself to denying having received that request for information, according to
been exposed in the Fundamentals of Law II.


It has indicated that if it had received that communication it would have provided the
required information. However, he has had occasion, twice, to formulate
allegations at the opening of this disciplinary proceeding, and also in
response to the motion for a resolution, and has not provided information and/or
any documentation relating to the system installed in the establishment in question.


It is interesting to note in this regard that the defendant was asked to prove
have informed the workers that the video surveillance system is used for the
labor control and to provide a technical report on said system.

In arranging for sound pickup, the defendant disregards the limits

provided for in article 20.3 of the Workers' Statute Law (LET); it
established in article 89.3 of the LOPDGDD, which admits the collection and recording of
sounds only when the risks are relevant and respecting the principles
proportionality and minimal intervention; nor the doctrine of the Constitutional Court,
already expressed, according to which the "implementation of listening and recording systems" does not
is legitimized, without further ado, by the "mere utility or convenience of the company", which the

"gathering private comments, both from customers and workers" is
outside the business interest and is not justified by the verification of compliance by the
worker from his obligations or duties.

Consequently, it is understood disproportionate the capture of the voice of both the

workers and clients of the claimed party for the video surveillance function
intended. It is taken into account that the capture of voice supposes a greater intrusion
in privacy.

The defendant, in its allegations to the proposed resolution, has stated

that it is false that the video surveillance system collects and stores personal data
related to the voice of employees and customers, and considers that the screenshot
provided by the claimed party does not prove the facts, thus invoking the
principles of presumption of innocence and “indubio pro reo”.

However, this Agency considers that the capture of sounds by the indicated

security system is accredited by the content of the message sent by the
claimed party to the claiming party through Whatsapp, which is outlined in
the Fourth Proven Fact. In this message, the claimed party declares to have
entered “into the camera” and accessed the sound captured by it (“they heard
news").


Moreover, in the same allegations it expressly acknowledges that the system "that has
contracted" incorporates microphones "that allow listening to audios".

By not recording or recording audios, the claimed party considers that he is not committing

the infraction that is imputed, without considering that the mere capture of audios, even without
to proceed with its recording and conservation, constitutes data processing
personal information that requires a legitimate basis to be able to carry it out, in order to
in accordance with the provisions of article 6 of the GDPR.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/20









Article 4 of the same GDPR defines "processing" in the following terms:


"2) "processing": any operation or set of operations carried out on
personal data or sets of personal data, either by procedures
automated or not, such as the collection, registration, organization, structuring,
conservation, adaptation or modification, extraction, consultation, use,
communication by transmission, diffusion or any other form of authorization of
access, collation or interconnection, limitation, deletion or destruction”.


Therefore, it is considered that the claimed party performs data processing without
have a legitimate basis, violating the provisions of article 6 of the GDPR, which
supposes the commission of an infraction typified in article 83.5 of the GDPR, which
provides the following:


Violations of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of maximum EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for
the highest amount:


a) the basic principles for the treatment, including the conditions for the
consent in accordance with articles 5, 6, 7 and 9;”.

For the purposes of the limitation period for infringements, the infringement indicated in the

previous paragraph is considered very serious in accordance with article 72.1.b) of the LOPDGDD,
which states that:

"Based on what is established in article 83.5 of Regulation (EU) 2016/679,
are considered very serious and will prescribe after three years the infractions that

a substantial violation of the articles mentioned therein and, in particular, the
following:

b) The processing of personal data without the fulfillment of any of the conditions of
legality of the treatment established in article 6 of Regulation (EU) 2016/679”.


                                          VII
                                        Sanction

Article 58.2 of the GDPR establishes:


"Each control authority will have all the following corrective powers
indicated below:
(...)
d) order the person in charge or person in charge of treatment that the operations of
treatment comply with the provisions of this Regulation, where appropriate,

in a certain way and within a specified period;
(...)
i) impose an administrative fine in accordance with article 83, in addition to or instead of
the measures mentioned in this paragraph, according to the circumstances of each

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/20








particular case".

According to the provisions of article 83.2 of the GDPR, the measure provided for in article

58.2.d) of the aforementioned Regulation is compatible with the sanction consisting of a fine
administrative.

Regarding the infringement of article 6 of the GDPR, based on the facts
exposed, it is considered that the sanction that would correspond to be imposed is a fine
administrative.


The fine imposed must be, in each individual case, effective, proportionate
and dissuasive, in accordance with the provisions of article 83.1 of the GDPR. Thus
considers, in advance, the microenterprise status of the claimed party,
who develops economic activity as a natural person under the condition of

autonomous entrepreneur.

In order to determine the administrative fine to be imposed, the
provisions of article 83.2 of the GDPR, which states the following:

"2. Administrative fines will be imposed, depending on the circumstances of each

individual case, in addition to or in lieu of the measures contemplated in
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administration and its amount in each individual case shall be duly taken into account:
a) the nature, seriousness and duration of the offence, taking into account the
nature, scope or purpose of the processing operation in question

such as the number of interested parties affected and the level of damages that
have suffered;
b) intentionality or negligence in the infraction;
c) any measure taken by the controller or processor to
alleviate the damages and losses suffered by the interested parties;

d) the degree of responsibility of the controller or processor,
taking into account the technical or organizational measures that they have applied under
of articles 25 and 32;
e) any previous infringement committed by the controller or processor;
 f) the degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the potential adverse effects of the infringement;

g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority became aware of the infringement, in
particular whether the person in charge or the person in charge notified the infringement and, if so, in what
extent;
i) when the measures indicated in article 58, paragraph 2, have been ordered

previously against the person in charge or the person in charge in relation to the
same matter, compliance with said measures;
j) adherence to codes of conduct under article 40 or to mechanisms of
certification approved in accordance with article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case,

such as financial benefits obtained or losses avoided, directly or
indirectly, through the infringement”.

For its part, article 76 "Sanctions and corrective measures" of the LOPDGDD,

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/20








Regarding section k) of the aforementioned article 83.2 GDPR, it provides:

"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation

(UE) 2016/679 will be applied taking into account the graduation criteria
established in section 2 of said article.
2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
may also be taken into account:

a) The continuing nature of the offence.

b) The link between the activity of the offender and the performance of data processing.
personal information.
c) The benefits obtained as a consequence of the commission of the infraction.
d) The possibility that the conduct of the affected party could have led to the commission
of the offence.

e) The existence of a merger by absorption process subsequent to the commission of the
violation, which cannot be attributed to the absorbing entity.
f) The affectation of the rights of minors.
g) Have, when it is not mandatory, a data protection delegate.
h) Submission by the person responsible or in charge, on a voluntary basis, to
alternative conflict resolution mechanisms, in those cases in which

there are controversies between those and any interested party”.

In this case, the graduation criteria are considered concurrent as aggravating factors.
following:


    . Article 83.2.a) of the GDPR: "a) the nature, seriousness and duration of the
    infringement, taking into account the nature, scope or purpose of the operation
    treatment in question as well as the number of interested parties affected and the
    level of damages they have suffered”.


         . The nature and seriousness of the infringement, taking into account that the party
         claimant and the rest of those affected (third parties who access the establishment
         of the claimed party) are unaware of the data processing that is being
         being carried out (sound capture by the video surveillance system) and the
         use that will be made of personal data, which affects the ability to
         data subjects to exercise real control over their personal data.


    . Article 83.2.b) of the GDPR: "b) intentionality or negligence in the infringement".

    The negligence appreciated in the installation of video surveillance cameras that
    allow the collection of audio in a work environment, without even informing

    employees and others affected, and even though these systems have a
    special and express regulation that imposes special care on those responsible
    in its use.

    . Article 83.2.d) of the GDPR: "d) the degree of responsibility of the controller or the

    processor, taking into account technical or organizational measures
    that they have applied by virtue of articles 25 and 32”.

    The claimed party does not have adequate action procedures in place

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/20








    in the collection and processing of personal data, as regards
    to the collection and processing of personal data related to the voice of the person
    employee in your company, so that the infringement is not the result of a

    anomaly in the operation of said procedures but rather a defect in the
    personal data management system designed by the controller.

    . Article 83.2.g) of the GDPR: "the categories of personal data
    affected by the infringement”;


    Although "Special categories of personal data" have not been affected,
    as defined by the GDPR in article 9, the personal data to which they refer
    actions (voice of stakeholders) has a particularly
    sensitive and increases the risks to your privacy.


Considering the exposed factors, the valuation reached by the fine for the
violation of article 6 of the GDPR is 5,000 euros (five thousand euros).

In view of what is stated in this Legal Basis, it is not true what
indicated by the party claimed in its allegations, according to which the sanction
imposed is not related to the objective and subjective circumstances

concurrent, nor does it attend to the seriousness and transcendence of the fact.

It also refers to the absence of antecedents of the offender and the absence of
damages, but without providing any reasoning that justifies the consideration of
these grading factors.


None of the grading factors considered is mitigated by the fact that
that the claimed entity has not been subject to a disciplinary procedure with
above, this circumstance is alleged by the claimed party to be
considered as a mitigation.


In this regard, the Judgment of the AN, of 05/05/2021, rec. 1437/2020, indicates:

"It considers, on the other hand, that the non-commission of a
previous violation. Well, article 83.2 of the GDPR establishes that it must be
into account for the imposition of the administrative fine, among others, the

circumstance "e) any previous infringement committed by the person in charge or in charge
treatment". This is an aggravating circumstance, the fact that he did not
the budget for its application concurs entails that it cannot be taken into
consideration, but it does not imply or allow, as the plaintiff claims, its application
as mitigation."


According to the aforementioned article 83.2 of the GDPR, when deciding to impose a fine
administration and its amount must take into account "any previous infraction committed
by the person responsible." It is a normative provision that does not include the inexistence of
previous infractions as a factor for grading the fine, which must be

be understood as a criterion close to recidivism, although broader.

                                         VIII
                                  possible measures

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/20









It is appropriate to impose on the controller the obligation to adopt appropriate measures to
adjust its performance to the regulations mentioned in this act, in accordance with the

established in the aforementioned article 58.2 d) of the GDPR, according to which each authority of
control may “order the person in charge or person in charge of the treatment that the
processing operations comply with the provisions of this Regulation,
where appropriate, in a specified manner and within a specified period…”.

The text of this resolution establishes which have been the infractions

allegedly committed and the facts that give rise to the violation of the regulations
of data protection, from which it is clearly inferred what are the measures to
adopt, notwithstanding that the type of procedures, mechanisms or instruments
specific measures to implement them correspond to the sanctioned party, since it is the
controller who fully knows his organization and has to decide,

based on proactive responsibility and risk approach, how to comply with the
GDPR and the LOPDGDD.

However, in this case, regardless of the foregoing, this Agency estimates
proceeding to require the person in charge so that within the period determined in the part
device suppresses the capture of sounds by the video surveillance system object of

the performances.

It is noted that not meeting the requirements of this body may be
considered as an administrative offense in accordance with the provisions of the GDPR,
classified as an infraction in its article 83.5 and 83.6, being able to motivate such conduct the

opening of a subsequent sanctioning administrative procedure>>.


                                        II
                                   Conclusion


In its appeal, the appellant limits itself to reproducing some of the
arguments set forth in the pleadings submitted during the
processing of the procedure that gave rise to the contested resolution, without considering
the facts verified and the grounds that determined the resolution adopted, in
which, in addition, extensively analyze the circumstances revealed

by said entity and the reasons that determined its dismissal are exposed.

Therefore, the allegations contained in the appeal are amply refuted with
the transcribed arguments, which are considered valid and sufficient to reject the
file of the proceedings requested.


It is considered opportune, however, to reiterate that the infraction results from the treatment
of personal data that involves the collection of the voice of those affected through the
video surveillance system installed object of the proceedings, which was recognized by
the appellant itself in its statement of allegations to the resolution proposal and

which is now ratified in the writ of reversal appeal, which is attached to the
corresponding security service contract signed indicating that it includes
alarms or alert systems that incorporate microphones that allow listening
audio, as recognized by the appellant. The offense is consummated

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/20








with this audio capture, which constitutes in itself a data processing
personal, regardless of whether or not the audio is recorded on the system.


Regarding the request for suspension of the enforceability of the resolution, it is worth
point out that in the case of a disciplinary procedure, the resolution issued is not
until it becomes final, as established in article 98.1.b) of the
the LPACAP:

“Article 98. Enforceability.

1. The acts of the Public Administrations subject to Administrative Law will be
immediately executive, unless:

b) It is a resolution of a procedure of a punitive nature against
which there is room for any appeal through administrative channels, including the optional

replacement".

Consequently, in this appeal for reversal, the appellant has not
provided new facts or legal arguments that allow reconsidering the validity
of the contested decision.



Given the aforementioned precepts and others of general application,
the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: DISMISS the reversal appeal filed by A.A.A. against

resolution of this Spanish Data Protection Agency issued on date
03/09/2023, in file EXP202205820.

SECOND: NOTIFY this resolution to A.A.A..


THIRD: REQUEST A.A.A. so that, within a month, counted from the
notification of this resolution, adapt its action to the regulations of
protection of personal data, with the scope expressed in the Basis of
Law VIII of the appealed resolution, and justify before this Spanish Agency of
Protection of Data the attention of the present requirement in the same term.


FOURTH: Warn the penalized party that the sanction imposed must be made effective by
Once this resolution is enforceable, in accordance with the provisions of Article
Article 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, within the voluntary payment period indicated in the
Article 68 of the General Collection Regulations, approved by Royal Decree

939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17
December, by depositing it in the restricted account number ES00 0000 0000 0000 0000
0000, opened in the name of the Spanish Data Protection Agency in the Bank
CAIXABANK, S.A. or otherwise, it will proceed to its collection in period
executive.


Once the notification has been received and once executed, if the execution date is
between the 1st and 15th of each month, both inclusive, the term to make the payment
voluntary will be until the 20th day of the following or immediately following business month, and if

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 20/20








between the 16th and the last day of each month, both inclusive, the payment term
It will be until the 5th of the second following or immediately following business month.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once the interested parties have been notified.


Against this resolution, which puts an end to the administrative process in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of Law 39/2015, of 1
October, of the Common Administrative Procedure of Public Administrations
(LPACAP), interested parties may file a contentious-administrative appeal before
the Contentious-Administrative Chamber of the National Court, in accordance with the

provided in article 25 and in section 5 of the fourth additional provision of the
Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction,
within two months from the day following the notification of this act,
according to the provisions of article 46.1 of the aforementioned Law.


Finally, it is noted that in accordance with the provisions of art. 90.3 a) LPACAP, may be
provisionally suspend the firm resolution in administrative proceedings if the interested party
expresses its intention to file a contentious-administrative appeal. if this is
the case, the interested party must formally communicate this fact in writing

addressed to the Spanish Data Protection Agency, presenting it through the
Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or
through any of the other records provided for in art. 16.4 of the aforementioned
LPACAP. You must also transfer to the Agency the documentation proving the
effective filing of the contentious-administrative appeal. If the Agency did not have

knowledge of the filing of the contentious-administrative appeal within the period of
two months from the day following the notification of this resolution, it would consider
the injunction has ended.

                                                                                  180-111122
Mar Spain Marti

Director of the Spanish Data Protection Agency























C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es