DVI (Latvia) - SIA "QUANTRUM"
DVI - SIA "QUANTRUM" | |
---|---|
Authority: | DVI (Latvia) |
Jurisdiction: | Latvia |
Relevant Law: | Article 5(1)(a) GDPR; Article 5(1)(c) GDPR; Article 6(1) GDPR; Article 25(1) GDPR; § 4.24 Ministru kabineta noteikumi Nr. 369 |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | 08.02.2023 |
Decided: | 08.02.2024 |
Published: | 28.06.2024 |
Fine: | n/a |
Parties: | SIA Quantrum |
National Case Number/Name: | SIA "QUANTRUM" |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Lithuanian |
Original Source: | DVI (in LT) |
Initial Contributor: | fb |
The DPA found that a controller cannot be held liable for the actions of an employee who deliberately disregarded the controller’s instructions.
English Summary
Facts
The controller is a company which provides security services. In its premises, it uses a CCTV system which records both video and audio.
The data subject filed a complaint with the DPA and argued that, after they were recorded by the CCTV system, the footage was sent to them by an employee of the controller on WhatsApp and Telegram.
On 8 February 2023, the DPA opened an investigation.
The controller argued that none of its instructions to employees include copying video material onto any kind of private devices. Therefore, in the present case, the video footage was sent to the data subject by an employee without any instruction or order by the controller.
Moreover, the controller informed the DPA that the footage had been deleted and the employment relationship with the employee had been terminated.
Holding
Firstly, the DPA noted that the controller has established procedures for managing access authorisations, for access control, for organising video surveillance, for viewing the archive of video surveillance recordings, and for creating, issuing and storing a copy of recordings. The DPA held that these technical and organisational measures adopted by the controller comply with the requirements of Article 25(1) GDPR.
Moreover, the DPA found that the controller cannot be held liable for the actions of employees who deliberately disregarded the rules set by the controller and obtained CCTV footage without the appropriate authorisation.
On these grounds, the DPA did not find an infringement and dismissed the complaint.
However, the DPA decided ex officio to extend the scope of the investigation with regard to the fact that the CCTV was equipped with an audio recording function. The DPA noted that this audio recording had been conducted on the basis of the Cabinet of Ministers Regulation of 21 June 2022 No. 369. Sub-paragraph 4.24 of this regulation states that the conversations between security personnel that take place by means of remote communication must be recorded and stored for three months.
The DPA, after requesting an opinion from the Ministry of the Interior, stated that the audio recording through CCTV cameras does not fall into the scope of sub-paragraph 4.24, as it only recorded the voice of one of the two people having the conversation.
Therefore, the DPA found that this processing activity was not compliant with Articles 5(1)(a) and (c) and 6(1) GDPR.
On these grounds, the DPA ordered the controller to cease the recording of audio in connection with the video surveillance.
English Machine Translation of the Decision
The decision below is a machine translation of the Lithuanian original. Please refer to the Lithuanian original for more details.
Elijas iela 17, Riga, LV-1050, tel. 67223131, e-mail pasts@dvi.gov.lv, www.dvi.gov.lv
In case no. [..]
SIA "QUANTRUM"
in e-Address
The decision
Riga, February 8, 2024 No. [..]
On the application of the corrective measure
[1.] The Data State Inspectorate (hereinafter - the Inspectorate) has received a submission from [..] (hereinafter - the Data Subject), in which the Data Subject reported the actions of [..]: downloading, without a corresponding order, a video surveillance camera recording from the video surveillance system of SIA "QUANTRUM" (hereinafter - SIA), sending it to the Data Subject in WhatsApp, an online networking application for smartphones, and uploading it to Telegram, an online networking application for smartphones.
[2.] In order to verify the compliance of the technical and organizational measures introduced by SIA with the requirements of the General Data Protection Regulation (footnote 1) (hereinafter - the Data Regulation), and in accordance with Article 4, Part 1, Clause 1 and Article 5, Part 1, Clause 1 of the Personal Data Processing Law (hereinafter - the Data Law) and Article 57(1)(a) and (h) of the Data Regulation, the Inspectorate carried out the following actions and established the following circumstances.
[2.1.] On February 8, 2023, examination case no. [..] was initiated regarding the compliance of technical and organizational measures with the requirements of the Data Regulation.
[2.2.] In its letters of February 8, 2023, June 29, 2023 and September 11, 2023 (footnote 2), the Inspectorate invited SIA to provide information about the technical and organizational measures introduced by SIA to ensure the integrity of the video surveillance system.
[2.3.] SIA provided its explanations in letters of March 7, 2023 and September 14, 2023 (footnote 3).
[3.] As a result of the actions indicated in points [1-2] of this decision, the following has been clarified.
[3.1.] The video surveillance carried out by SIA in the security control center did not provide for employee actions such as re-filming or copying video material onto any kind of private data media, including mobile phones. In the specific case, [..], acting without the order or instruction of SIA, obtained the video material arbitrarily. Upon receiving information about a possible data protection violation, SIA took steps to end it, that is, to have the obtained video material deleted from private data carriers. At the same time, SIA informed that the employment relationship between [..] and SIA was terminated.
[3.2.] In view of the data protection violation that occurred, SIA reviewed the technical and organizational measures, as well as the rules of the personal data processing system.
[3.3.] At the same time, from the information provided by SIA, it can be established that the video surveillance system of SIA's security control center is equipped with an audio recording function. SIA carries out audio recording on the basis of sub-paragraphs 4.21 and 4.24 of the Regulation of the Cabinet of Ministers of June 21, 2022 No. 369 "Rules on the activity register of security guards, registration of security operations and requirements for the security control center" (hereinafter - Regulation No. 369).
[4.] In accordance with points [1-3] of this decision, the Inspectorate concludes the following.
[4.1.] In accordance with Article 4(7) of the Data Regulation, the controller (footnote 4) is responsible for the compliance of personal data processing.
[4.2.] Article 24(1) of the Data Regulation stipulates that, taking into account the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller implements appropriate technical and organizational measures to ensure and be able to demonstrate that processing takes place in accordance with this regulation. If necessary, the mentioned measures are reviewed and updated. Article 25(1) of the Data Regulation states that, taking into account the state of the art, implementation costs and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, the controller implements appropriate technical and organizational measures, such as pseudonymization, which are designed to effectively implement data protection principles such as data minimization and to integrate the necessary safeguards into the processing in order to fulfill the requirements of this regulation and to protect the rights of data subjects.
[4.3.] In accordance with the basic principles of data processing referred to in Article 5(1) of the Data Regulation (footnote 5), including subparagraph (f), the controller must ensure the security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (integrity and confidentiality). Recital 39 of the Data Regulation explains that [...] personal data should be processed in a way that ensures adequate security and confidentiality of personal data, including preventing unauthorized access to personal data or its unauthorized use and unauthorized access to equipment used for processing. In addition, in accordance with the principle of accountability established in Article 5(2) of the Data Regulation, it is the controller who is obliged to ensure a personal data processing process that makes it possible to prove that the processing of personal data performed by the controller complies with the requirements of the data protection regulatory framework. In turn, in accordance with Article 32(4) of the Data Regulation, the controller and the processor take measures to ensure that any natural person acting under the authority of the controller or processor who has access to personal data does not process them without the controller's instructions, except when the said person is required to do so in accordance with Union or Member State law.
[4.4.] The Inspectorate, after evaluating the personal data processing rules submitted by SIA, finds that SIA has established procedures for the management of access permits, access control, the organization of video surveillance, the viewing of the archive of video surveillance records, and the making, issuance and storage of copies of records. Thus, it can be concluded that SIA has introduced and is implementing technical and organizational measures that meet the requirements of Article 25(1) of the Data Regulation. At the same time, the Inspectorate takes into account that SIA cannot be responsible for the actions of employees who deliberately disregard the rules of SIA and obtain video surveillance footage without proper authorization.
In view of the aforementioned, the part of the examination case concerning the technical and organizational measures ensuring the integrity of the video surveillance system is concluded without finding a violation.
[5.] At the same time, having regard to the personal data processing by SIA established in sub-paragraph 3.3 of this decision (audio recording with video surveillance in the security control center), the Inspectorate, on its own initiative, expanded the scope of the examination and concluded the following.
[5.1.] Pursuant to Article 5(2) of the Data Regulation, the controller is obliged to perform data processing in accordance with the basic principles of data processing referred to in Article 5 of the Data Regulation and on a legal basis established in Article 6 of the Data Regulation. Article 5(1)(a) of the Data Regulation provides that personal data is processed lawfully, in good faith and in a manner transparent to the data subject ("lawfulness", "integrity" and "transparency"), while subparagraph (c) requires that the data are adequate, relevant and include only what is necessary for the purposes of their processing ("data minimization"). Therefore, every processing of personal data carried out by the controller must correspond to a legal basis specified in Article 6 of the Data Regulation. Only in that case can it be considered that personal data is being processed lawfully.
[5.2.] Sub-paragraph 4.24 of Regulation No. 369 stipulates that the security control center must have means of communication with other security personnel, the security merchant's mobile groups, security service recipients, other persons and institutions. Communication information is recorded and stored for at least three months. According to the information provided by SIA, SIA implements sub-paragraph 4.24 of Regulation No. 369 with video surveillance cameras installed in the security control center, which are equipped with an audio recording function.
[5.3.] Considering that the wording of sub-paragraph 4.24 of Regulation No. 369 does not make it possible to conclude unambiguously that a video surveillance camera equipped with an audio recording function is sufficient (footnote 6) for the implementation of sub-paragraph 4.24 of Regulation No. 369, the Inspectorate asked the Ministry of the Interior for its opinion on whether the security merchant must make an audio recording in the security control center of conversations that take place between persons in the security control center, or whether, in order to implement this sub-paragraph, the security merchant must record only the communication that took place through means of communication (such as a telephone or radio). (footnote 7)
[5.4.] According to the opinion of the Ministry of the Interior, the security merchant is obliged to ensure the existence of means of communication (for example, a radio station, telephone) through which communication takes place between employees of the security merchant and other employees located outside the control center, the security merchant's mobile groups, security service recipients, other persons and institutions, and is also obliged to ensure the recording and storage of the mentioned communication information.
[5.5.] Thus, it can be concluded that the security merchant, which SIA also is, in order to ensure the implementation of sub-paragraph 4.24 of Regulation No. 369, must record the conversations that are carried out through means of communication. The Inspectorate takes into account that, when guarding an object, it is essential in the event of an incident to have available as large a body of evidence as possible to help reveal both the circumstances of the incident and the actions of the security guards; therefore it is essential that the information conveyed during communication is recorded so that, if necessary, it is possible to listen to what both participants of the conversation said. When making an audio recording with video surveillance, SIA does not ensure the full implementation of sub-paragraph 4.24 of Regulation No. 369, because the audio recording made by the video surveillance camera records only what the security control center employee says, while what the other participant in the conversation says is not recorded. In addition, during audio recording with video surveillance, SIA processes (obtains, stores) conversations between persons who are in the security control center, and these conversations may be unrelated to any security incident.
Taking into account the above, it can be established that the data processing carried out by SIA, when making an audio recording, does not meet the requirements of Article 5(1)(a) and (c) and Article 6(1) of the Data Regulation.
[6.] We inform you that the Inspectorate implements the "Consult first" principle in its activities, which provides that the primary tasks of the Inspectorate are the effective protection of the data of natural persons (pointing out to the controller the deficiencies identified in the personal data processing and providing suggestions for their elimination) and, in the case of illegal processing of personal data, performing the necessary actions with the aim of stopping it as soon as possible, thereby reducing the damage caused to the data subject.
[7.] Article 58(2)(d) of the Data Regulation provides for the authority of the Inspectorate to order the controller or processor to bring processing activities into compliance with the provisions of the Data Regulation, if necessary in a specific way and within a specific period of time. Article 23 of the Data Regulation stipulates that the Inspectorate, when making decisions regarding the imposition of a legal obligation, applies the Administrative Procedure Law (hereinafter - APL).
According to the first part of Article 66 of the APL, it is necessary to decide on the usefulness of issuing an administrative act. Namely, when making a decision on the prevention of unlawful processing of personal data, the Inspectorate should evaluate the possibility of deciding on a smaller limitation of the person's rights.
Evaluating the necessity of the administrative act, the Inspectorate concludes that the adoption of the decision is necessary to achieve the goal of preventing violations of the provisions of the Data Regulation in the personal data processing carried out by SIA when making an audio recording with video surveillance. The administrative act is a suitable means to achieve the goal, as it creates a legal obligation for SIA to remedy the detected violations within a specific procedural term, as well as to prevent the occurrence of similar violations in the future. The administrative act can be considered the most proportionate means for achieving the goal, because in comparison with a decision imposing an administrative penalty it is considered more lenient. At the same time, the imposition of the legal obligation is aimed at ensuring the data subject's fundamental right to personal data protection provided for in the Data Regulation, the Data Law and other regulatory acts.
In compliance with the above, the Inspectorate, on the basis of Article 58(1)(e) and (2)(d) of the Data Regulation, Article 23 of the Data Regulation, Article 5 of the first part 3 of the Data Law and Clause 6 and Clause 2) of the first part of Article 63 of the APL, decides:
to oblige SIA to stop audio recording with video surveillance and to report on the execution of the decision in writing by March 12, 2024 (footnote 8), by submitting information to the Inspectorate about the measures taken by SIA.
According to the first and second parts of Article 70 of the APL, the decision enters into force from the moment it is announced to the addressee, while the decision is notified to the addressee in accordance with the Notification Law. The second part of Article 4 of the Notification Law provides that a legal entity is notified of the document at its legal address. The third and fourth parts of Article 8 of the Notification Law stipulate that a document notified as registered mail shall be considered notified on the seventh day after its delivery to the post office, and that a statement received from the post office about the delivery of a shipment or a returned document does not in itself affect the fact of notification of the document.
This decision, in accordance with the first and second parts of Article 76 and the first part of Article 79 of the Administrative Procedure Law and the first part of Article 24 of the Data Law, can be appealed to the Director of the Data State Inspectorate within one month from the day of its entry into force.
[8.] The Inspectorate informs that Article 83(5) of the Data Regulation provides for the application of administrative fines of up to EUR 20,000,000 or, in the case of a company, up to 4% of its total worldwide annual turnover of the previous financial year, whichever amount is greater, in accordance with paragraph 2, for violations of the following rules: the basic principles of processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9; the data subjects' rights pursuant to Articles 12 - 22 of the Data Regulation; if an order of the supervisory authority or a temporary or final restriction of processing or of data circulation in accordance with Article 58(2) of the Data Regulation is not followed, or access has not been granted, in violation of Article 58(1) of the Data Regulation.
In compliance with the above, the Inspectorate informs that, in the event that the order in this decision is not complied with, the Inspectorate will exercise other powers granted to the Inspectorate in the Data Regulation.
Deputy Director L. Dilba [..]
Footnotes:
1 Regulation of the European Parliament and the Council of April 27, 2016 No. 2016/679 on the protection of natural persons in relation to processing of personal data and free circulation of such data and repealing Directive 95/46/EC
2 Inspectorate's letter of February 8, 2023 [...] "On the initiation of the inspection and request for information", letter of June 29, 2023 No[..] "Regarding additional information request", letter of September 11, 2023 No[..] "Regarding repeated request for additional information"
3 SIA letter b/n of March 7, 2023 (registered in the Inspectorate on March 7, 2023 a[..), letter b/n of September 14, 2023 (registered in the Inspectorate on September 14, 2023 [..)
4 a natural or legal person, public institution, agency or other body that alone or jointly with others determines the purposes and means of personal data processing [..]
5 a) legality, integrity and transparency; b) purpose limitations; c) data minimization; d) accuracy; e) storage restriction; f) integrity and confidentiality
6 Inspectorate's letter of September 29, 2023 [.. "Regarding the request for an opinion"
7 The letter of the Ministry of the Interior dated October 30, 2023 [..] "About giving an opinion" (registered in the Inspectorate on October 31, 2023 with [..)
8 the last day for submitting a written answer by post or sending it electronically with a secure electronic signature