DPC (Ireland) - 07/SIU/2018

From GDPRhub
Revision as of 06:43, 11 December 2024 by Ao (talk | contribs)
DPC - 07/SIU/2018
LogoIE.png
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 5(1) GDPR
Article 13 GDPR
Article 24 GDPR
Article 25 GDPR
Article 30 GDPR
Data Protection Act 2018
Type: Investigation
Outcome: Violation Found
Started: 15.06.2018
Decided: 13.11.2024
Published: 05.12.2024
Fine: 29,500 EUR
Parties: Sligo County Council
National Case Number/Name: 07/SIU/2018
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: DPC (in EN)
Initial Contributor: ao

The DPA issued a County Council with a 29,500 fine for the excessive processing of CCTV footage of public spaces as well as footage of speed cameras.

English Summary

Facts

On the 25 June 2018, the Irish DPA (Data Protection Commission - DPC) began an ex-officio investigation into the controller, a local County Council (Sligo).

The controller had installed CCTV cameras at bottle banks and in housing estates stating that they were to aid the enforcement of the Irish Litter Pollution Act 1997 and to help detect anti-social behaviour. The cameras therefore constantly filmed public and private areas This video footage was then stored by the controller. The controller could not demonstrate any records of logs regarding the data processing and it was unclear for how long the data was stored.

The cameras, as they were installed in public spaces filmed passers-by and individuals using nearby facilities such as a community centre. Some of the monitoring screens were in public spaces (such as the community centre) and could therefore be accessed by unauthorised persons. One CCTV footage store monitor was not password protected while another had the capability to log all access to the system but staff had not been trained to use this function.

Holding

The DPC found that the use of the CCTV cameras at the bottle banks could not be justified under the Litter Pollution Act 1997 nor the Waste Management Act 1996. Article 8(2) of the Law Enforcement Directive does not provide for such a broad scope of CCTV footage to be processed. Therefore, the Law Enforcement Directive only applied to some of the processing.

The DPC found a total of 14 issues throughout the course of the inquiry ranging from unlawful processing to failing to conduct a Data Protection Impact Assessment. The DPC found violations of the GDPR as well as the Irish Data Protection Act 2018 which transposes the GDPR into national law.

The DPC found the following violations of the GDPR showing negligence on the part of the controller:

For failing to ensure the appropriate security of the CCTV monitoring screens, the controller had breached Article 5(1)(f) GDPR and Article 32(1) GDPR. The DPC highlighted that passers-by could easily take pictures of what was being shown on the monitoring screens.

For excessively monitoring and processing footage of public spaces the DPC found violations of Article 5(1)(c) GDPR and Article 25 GDPR in relation to the purposes. The DPC highlighted that the controller could have implemented "privacy masking" so that private areas would not be recorded by the cameras.

For retaining the data for longer than necessary the DPC found a violation of Article 5(1)(e) GDPR.

For failing to set up and maintain records of the processing, the DPC found a violation of Article 30 GDPR.

For failing to erect signage informing of the processing and failing to be able to explain a reason for this, the DPC found a violation of Article 13 GDPR.

The DPC issued a fine of €29,500 for the violations and ordered the controller to bring its data processing into compliance.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.