HDPA (Greece) - 12/2021
From GDPRhub
| HDPA (Greece) - 12/2021 | |
|---|---|
 | |
| Authority: | HDPA (Greece) |
| Jurisdiction: | Greece |
| Relevant Law: | Article 5(1)(c) GDPR Article 6(1)(f) GDPR Article 58(2)(g) GDPR Article 83(2) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 17.02.2021 |
| Published: | 07.04.2021 |
| Fine: | 2000 EUR |
| Parties: | «Ιγνατιάδης Νικόλαος και ΣΙΑ Ε.Ε.» |
| National Case Number/Name: | 12/2021 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Greek |
| Original Source: | HDPA (in EL) |
| Initial Contributor: | n/a |
The Greek DPA fined a controller €2000 for violating employees' rights by using a surveillance camera at its premises without a legal basis, and in violation of the principle of data minimisation.
English Summary
Facts
The complainant made a complaint at the Greek DPA for the implementation of a security camera in his work place. The complainant stated that the camera was focused at his office and was used for surveillance purposes and not for security reasons. The company stated that the camera wasn't focused on the employee's office but was watching the all space especially the entrance of the premises. The DPA requested from the company to provide the documentation that could prove that the camera was not focuses on the complainant's office.
Dispute
Was the use of the camera lawful under articles 5 and 6 GDPR?
Holding
The DPA held that the use of the camera by the Company cannot be justified in the light of the principle of proportionality. The camera was not focused only on the entrance of the premises but instead it was watching as well the employee's offices, violating the principle of data minimization of the GDPR. Additionally the fact that the director of the company was able to watch in real time at any time the images taken form the camera, could not justify the necessity and emergence of having a surveillance camera for security reasons. based on these facts the DPA imposed a fine of 2000€ to the company for violating articles 5(1)(c) and 6(1) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Athens, 07-04-2021
No. Prot.1023
DECISION 12/2021
(Department)
The Personal Data Protection Authority met at
Composition of the Department via video conference on 17-02-2021 at 10:00, after
invitation of its President to consider the case
refers to the history hereof. Presented by George Batzalexis,
Deputy Chairman, disabled by the President of the Authority Konstantinos
Menoudakou, and the alternate members Grigorios Tsolias and Evangelos
Papakonstantinou, as rapporteur, replacing the regular members
Charalambou Anthopoulos and Konstantinos Lambrinoudakis respectively, who,
although they were legally summoned in writing, they did not attend due to obstruction. The regular
member Spyridon Vlachopoulos, although legally summoned in writing, did not attend
due to obstruction. The meeting was attended by George, chaired by the President
Roussopoulos, Specialist Scientist-Auditor as Assistant Rapporteur and Irini
Papageorgopoulou, employee of the Administrative Affairs Department of the Authority,
as secretary.
The Authority took into account the following:
With the number prot. Γ / ΕΙΣ / 4943 / 12-07-2019the complaint of Support
to the Authority that from July 2018, "Ignatiadis Nikolaos and SIAEE." (hereinafter
and "Editor") installed a camera inside its offices
1
1-3 Kifissias Ave., 11523 Athens
T: 210 6475 600 • E: contact@dpa.gr • www.dpa.gr business, which focused on his workplace. He even reports an incident
from which it appears that said camera was used to control ki
not for security purposes. The complainant claims that he objected
first after installing the camera orally and then
in writing with his out-of-court letter dated 22/02/2019.
The complaining company was informed about the complaint with the no.
prot. C / EX / 4943-1 / 09-08-2019 document of the Authority, with which it was exposed
summarize the applicable institutional framework. With this document the company
was invited to submit to the Authority its views on both its legitimacy
operation of the video surveillance system as well as for the exercise of
rights of the complainant as a data subject.
The company responded with the document number G / EIS / 6706 / 04-10-2019
stating, among other things, that the camera has been positioned so that it has
general view of the space focusing on the entrance of its offices so that it has
knowledge of who enters its premises. He states that the camera has
placed for safety reasons and not for employee surveillance, as in
accounting work, payments of money and securities, while the
area is burdened with property offenses. Its owner
company is located in an office from which it has no visual contact with the entrance
of the office. He also mentions that, in the past, he had an office associate
fall victim to theft, but without providing evidence to that effect. As for him
complainant, claims that he had not complained about the camera, which
he knew, while he did so only after his appeals to the Labor Inspectorate for
other issues did not work for him.
The Authority with its latest document (with reference number C / EX / 6706-1 / 14-10-2019)
asked the company to clarify its answer on the basics
technical characteristics related to the operation of the system
video surveillance. Specifically, it was requested: a) to determine in which space it has
the control unit is installed, b) if there is a possibility of remote
internet access and surveillance and for which users, c) and with whom
thus ensuring that access to camera images is restricted only
2suitable for authorized persons. Finally, to clarify the scope
of the camera, it was requested to provide a sample image, in electronic form and
at the highest possible resolution based on the characteristics of the device, so that
the supervised space emerges.
The complaining company replied to the Authority with reference number.
Γ / ΕΙΣ / 7347 / 28-10-2019 its document, while following the reference number Γ / ΕΞ / 7347-
1 / 15-11-2019 document of the Authority provided a detailed sample image from
internal memory of the camera and from the mobile phone of its owner, meto
document no. G / EIS / 8057 / 21-11-2019. With these documents
states that the system does not have a logger, but transmits an image
exclusively on the cell phone of the company owner, who is the only one
can see the images via password. Access is also guaranteed due
of the fact that a legal representative of the company is connected to the internet by
separate internet supply line. The camera has minimal capability
not used in internal memory. From the
specifications of the equipment provided by the complainant company
It turns out that an innovator HD smart WiFi camera is used, while the
used memory card has a capacity of 16Gb. μο
submitted camera manual, can capture video in resolution
720p, has a built-in microphone and speaker, has control software
for both smartphones and PCs with Windows operating system.
Following the above, the Authority proceeded to call the company for
section meeting, initially with reference number C / EX / 1806 / 09-03-2020
its document for 18-03-2020 and after the postponement of the meeting, for 15-
07-2020, with its document no. G / EX / 4486 / 29-06-2020.
company was informed that during the examination of the case the
legality of the operation of the video surveillance system on the premises
and that it must provide any document documenting the
compliance with the principles governing the lawful processing of data
personal.
At the meeting of 15-07-2020, the complained company was present, through B.
3 and the attorney Konstantinos Vervesos, while after receiving
deadline for submission by prot.pr / EIS / 5313 / 29-07-2020 memorandum. With this,
the company confirms what it had stated in its previous documents.
Briefly, in relation to the video surveillance system, it states that the system
was placed for security reasons as in the area (Acharnes Attica) is
crime is high. The camera was mounted on a wardrobe
in order to control the entry of offices and not for the purpose of surveillance
staff, and was never used for the latter purpose. The signal
was transmitted on the mobile phone of the legal representative of the company for
facility safety. Due to a malfunction, the camera has also been removed
no longer works. The company considers that the complaint is false and was made to
revenge by the complainant after his departure and its dissolution
employment contract.
The Authority, after examining the data in the file, after hearing him
rapporteur and clarifications from the assistant rapporteur, who attended without
and withdrew after the discussion of the case and before
the conference and decision-making, after a thorough discussion,
THOUGHT ACCORDING TO THE LAW
1. According to art. 4 items 1 of the General Regulation of Protection
Data 2016/679 (hereinafter referred to as "GKPD"), the audio and video data, if
refer to persons, constitute personal data.
Further, the capture of a face image, which is collected by a system
video surveillance, operating permanently, continuously or at regular intervals
intervals, indoors or outdoors,
recommends the processing of personal data in accordance with art. 4
item 2 of the GCC.
2. Article 5 of the GPA sets out the processing principles governing
processing of personal data. Specifically, it is defined in
4paragraph 1 that personal data, including: '(a)
are processed lawfully and lawfully in a transparent manner in relation to
data subject ("legality, objectivity, transparency"), (…), c)
are appropriate, relevant and limited to what is necessary for their purposes
processed ("data minimization") (…), f)
processed in such a way as to guarantee adequate safety
of personal data, including their protection against non
authorized or illegal processing and accidental loss, destruction or
wear, using appropriate technical or organizational measures
("Integrity and Confidentiality"). "
3. Article 6 par. 1 GCP provides, inter alia, that: “H.
processing is only legal if and when at least one of the
the following conditions: (...) (f) processing is necessary for the purposes
of the legal interests pursued by the controller or a third party, except
if the interests or the fundamental ones prevail over these interests
rights and freedoms of the data subject enforcing the
protection of personal data (...) ". Further, according to
the reporting authority (Article 6 (2) GCC) the controller
responsibility and is able to demonstrate compliance with the above principles.
4. The Authority has issued on the issue of the use of systems
video surveillance for the purpose of protecting persons and property
No 1/2011 Directive of the Authority, the provisions of which shall apply to
in combination with the new provisions of GKPD and law 4624/2019, by which
measures for the implementation of the GPA are defined. It is pointed out in this case that in
specific case, Law 4624/2019 does not apply, as the under consideration
termination concerns a period before its implementation. The European
The Data Protection Council issued guidelines No. 3/2019
lines 1 on the processing of personal data via
video recorder.The text itself provides detailed guidance on how
the GCP applies in relation to the use of cameras for various purposes.Basic
1
https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32019-processing-
personal-data-through-video_el
5condition for the legality of processing through a system
Video surveillance is the observance of the principle of proportionality, as it is
specializes in articles 6 and 7 of the above Directive, but also in the Special Part
her. In particular, Article 7 of the Directive states that the system
video surveillance should not be used for surveillance
employees, except in special exceptional cases such as these
specified in the Directive. As an example it is mentioned that, in a typical space
business offices, video surveillance should be limited to areas
entry and exit, without supervising specific office rooms or
corridors. Exceptions may be specific sites, such as cash registers or
areas with safes, electromechanical equipment, etc., provided that
cameras focus on the good they protect and not on their premises
employees.
Furthermore, in accordance with Article 19 (2) of the aforementioned Directive, which
specifies the principle of proportionality in shopping malls and stores,
cameras may be placed at their entry and exit points
stores, cash registers and safes, warehouses
goods, while, according to article 19 par. 4 of the same Directive,
The operation of cameras in restaurants and leisure areas is prohibited
laboratories, toilets and places where employees work
store and are not accessible to the public. Furthermore, in Article 11 of
Directive 1/2011 of the Authority states that the controller must, between
among others, to take care to avoid irrational use of projection screens, and
avoid disseminating the material to illegal recipients.
5. In this case, the use of the camera by
Complained company can not be documented adheres to its principle
proportionality. In particular, from the documents of the case file and
especially photographs depicting the range of the camera
it is found that a picture of the whole space is taken, without taking it is limited
at the entrance. There is therefore a breach of the principle of minimization
of the data, including a picture of employees leaving, who they are
6 office spaces, in which, as a rule, no money is made
transactions, but accounting work. Further, it turned out to exist
Ability to monitor the camera in real time by its director
mobile company, even though he was absent from his facilities.
This surveillance is not an appropriate means of protecting persons and
goods, as it is practically impossible for the owner to intervene or preventively,
either repressive while increasing the risk of using the material for another purpose,
as for employee supervision. This processing, with the possibility
supervision of the site by the business owner, at all times, and
in fact without the existence of an incident that indicates an increased risk (e.g.
alarm), infringes excessively on the rights of supervised persons,
including "vulnerable" persons such as employees,
therefore it is carried out in violation of article 6 par. 1 f of the GKPD. From
the other components and specifications of the camera show that it does not
there was the possibility of receiving audio, as claimed in the complaint, while no
it turned out that there was recording, although there was the possibility of recording
a few hours to a day, depending on the type of video image compression.
6. The Authority shall, without prejudice to the fact that it is responsible for processing
did not submit evidence of the legality of the processing, while such
information requested. As a mitigation it takes into account that it is very small
company (as shown by the number of employees), that according to
company statement the camera is no longer working, that it turned out to exist
other kind of dispute which does not concern personal data, that
is the first violation for this company and finally, the unfavorable one
economic situation due to the Covid-19 pandemic.
7. Based on the above, the Authority unanimously agrees with Article
5 par. 1 c and article 6 par. 1f of the GCPD the conditions for enforcement are met
to the detriment of the controller, based on article 58 par
taking into account the criteria of article 83 par. 2 of the GCP, of the administrative
ratification, referred to in the operative part of this, which is deemed appropriate
with the gravity of the infringement.
7 FOR THESE REASONS
The Authority imposes on "Ignatiadis Nikolaos and Co. EE" the effective,
proportionate and dissuasive administrative fine appropriate to
specific case according to its more specific circumstances, amounting to two
thousands of euros (2,000.00) euros, for the above violations
Article 5 (1) (c) and Article 6 (1) (f) of Regulation (EU) 2016/679.
The Deputy Chairman The Secretary
George Batzalexis Irini Papageorgopoulou
8
