IMY (Sweden) - DI-2018-22697
IMY (Sweden) - DI-2018-22697 | |
---|---|
Authority: | IMY (Sweden) |
Jurisdiction: | Sweden |
Relevant Law: | Article 5(1)(a) GDPR Article 5(1)(c) GDPR Article 6(1)(e) GDPR Article 32(1) GDPR Article 32(4) GDPR § 7 Camera Surveillance Act |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 09.06.2021 |
Published: | 09.06.2021 |
Fine: | 350000 SEK |
Parties: | Räddningstjänsten Östra Skaraborg |
National Case Number/Name: | DI-2018-22697 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Swedish |
Original Source: | Decision (in SV) |
Initial Contributor: | Kave Noori |
The Swedish DPA fined a fire department €34 555 (SEK 350 000) for installing CCTV cameras that monitored firefighters in a way that was more intrusive than necessary.
Facts
The firefighting Rescue Service of Eastern Skaraborg (Räddningstjänsten Östra Skaraborg) started CCTV monitoring of 8 fire stations in March-April 2015 until May 6, 2021. The CCTV cameras monitored the fire trucks' storage hall where employees change into firefighters' clothes when responding to an emergency.
The CCTV surveillance was in operation around the clock. The video stream was not recorded, but the operator in the command center could maneuver the camera and also activate the microphone to interact with the firefighters. Each time the microphone was activated, a light came on.
The Swedish DPA Integrietsskyddsmyndigheten (IMY) opened an investigation following a complaint it received. The complaint stated that it had happened that firefighters who had been called in at night time had only appeared in their nightgowns. Therefore, the complaint said, it had occurred that firefighters had changed clothes while naked or in their underwear under the surveillance of the camera.
The introduction of CCTV in 2015 was not without controversy. Firefighters placed a piece of cardboard in the camera's field of view, covering the area where equipment is stored. After someone broke into the fire station, the Rescue Service removed the piece of cardboard after negotiations with a local union representative. The Rescue Service claimed to have received no complaints since 2015 but decided to end CCTV surveillance on May 6, 2021, pending a decision from the regulator IMY.
Holding
Did the CCTV require a permit?
First, the DPA examined whether the CC -TV required a permit. The Swedish Camera Surveillance Act (kamerabevakningslagen), which contains supplementary rules to the GDPR, sometimes requires a permit for the use of CCTV. 7 § of the Camera Surveillance Act requires a permit if the surveillance is carried out by a public authority and if the surveillance is of a "place to which the public has access". The DPA concluded that a fire station is not a place to which the public has access and that the Rescue Service did not need a permit for CCTV.
Was there a legal basis?
The DPA considered whether there was a legal basis in Article 6(1)(e) GDPR for processing data for the performance of a task carried out in the public interest. On the one hand, the DPA found that the monitoring of the staff who are in a vulnerable position, in this case was constant, intimate, and intrusive. However, given the particular role that society has given to the Rescue Service and the need for the command center to be able to effectively manage and organize a response to an emergency, the DPA found that there was a legal basis for the processing
Fairness and data minimization
Next, the DPA considered whether the monitoring complied with the principle of lawfulness, fairness and transparency under Article 5(1)(a) GDPR. The DPA referred to the preparatory work of the Swedish GDPR Implementation Act when it noted that the legislator intended that the proportionality of the monitoring must be assessed by balancing the conflicting interests, even if a legal basis exists. The DPA recognised that the employer had very strong reasons justifying the surveillance. Nevertheless, the DPA considered that the surveillance was too wide-ranging. Firefighters were monitored in places where they changed, without censorship or demarcation.
The DPA also investigated whether the Rescue Service had practiced data minimisation under Article 5(1)(c) GDPR. The DPA found that the purposes of the monitoring were legitimate, but that the means chosen were too intrusive and breached the principle of data minimisation.
The DPA considered that the monitoring was unfair and breached Article 5(1)(a) GDPR, as well as the lack of data minimisation practice to breach Article 5(1)(c) GDPR. For these two violations, the DPA imposed a fine of SEK 300 000.
Was the data sufficiently protected?
Finally, the DPA assessed whether the monitoring data was adequately protected. The CCTV were monitored live from the command center. The command center had 29 staff, 6 of whom held the position of inner command and were authorized to view the camera stream. The Rescue Service stated that it was possible for any employee present in the command center to view the camera stream and witness what was going on at a particular fire station. The Rescue Service had also not issued any guidelines regarding the monitoring of the CCTV.
The DPA acknowledged that it is sometimes warranted to allow a wider range of command staff to view the CCTV. However, given the nature, scope, and intrusiveness of the monitoring of the CCTV, the DPA held that the Rescue Service was at fault for not issuing guidance. The DPA stated that the more sensitive the processing, the higher the data protection requirements. The lack of policies could have led the staff of command center to monitor firefighters more than was necessary and lawful. The DPA found that the Rescue Service had breached Article 32(1) GDPR and Article 32(4) GDPR by failing to take the necessary organizational measures. For this, the DPA imposed a fine of SEK 50 000.
Fines overview
Violation | Fine in SEK |
---|---|
Article 5(1)(a) GDPR – principle of lawfulness, fairness and transparency and Article 5(1)(c) GDPR – principle of data minimization | 300 000 |
Article 32(1) GDPR and Article 32(4) GDPR – organizational measures | 50 000 |
Total | 350 000 |
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
1 (17) The Executive Board of the Rescue Service Östra Skaraborg Majorsgatan 1 54141 Skövde By e-mail: raddningstjansten@rtos.se Record number: DI-2018-22697 Decision after supervision according to Your registration number: the Data Protection Regulation - 2019–000014 camera surveillance within Date: 2021-06-09 The rescue service Östra Skaraborg Content The Integrity Protection Authority's decision ................................................ ........................... 2 Report on the supervisory matter ............................................... ....................................... 2 Grounds for the decision ............................................... .................................................. ... 4 Personal data controller ................................................. ...................................... 4 The time of the trial ............................................... .............................................. 4 Rules for the Rescue Service's camera surveillance .............................................. 4 The Camera Surveillance Act ................................................. .......................... 4 Data Protection Ordinance ................................................. .......................... 5 Is the Rescue Service's camera surveillance allowed according to the Data Protection Regulation? ................................................ ..................................... 5 Legal basis for the processing of personal data (Article 6) ................... 5 Basic principles for the processing of personal data (Article 5) .... 7 Principles of legality and regularity (Article 5 (1) (a)) ............................. 8 The principle of data minimization (Article 5 (1) (c)) ...................................... 11 Safety in connection with the treatment (Article 32) ............................... 12 Choice of intervention ............................................... ........................................... 14 Legal regulation ................................................ ..................................... 14 Penalty fee ................................................. ...................................... 14 Postal address: How to appeal ............................................. .................................................. ....... 17 Box 8114 104 20 Stockholm Website: www.imy.se E-mail: imy@imy.se Phone: 08-657 61 00Integrittsskyddsmyndigheten Record number: DI-2018-22697 2 (17) Date: 2021-06-09 The decision of the Privacy Protection Authority The Privacy Protection Authority states that the Executive Board of the Eastern Rescue Service Skaraborg, with organization number 222000-1115, from 25 May 2018 until on May 6, 2021 by having camera surveillance in the car park at eight fire stations processed personal data in violation of 1 - Article 5 (1) (a) of the Data Protection Regulation by employing camera surveillance place for replacement in case of alarm in violation of the principle of correctness, Article 5 (1) (c) of the Data Protection Regulation by processing more personal data than has been necessary for the purposes contrary to the principle of task minimization, and Article 32 (1) and (4) of the Data Protection Regulation as instructions from it personal data controller has been missing for how the personal data has been received be used and the requirement for appropriate organizational measures, to ensure a level of safety that is appropriate in relation to the risk, thus is not fulfilled. The Privacy Protection Authority decides on the basis of ch. Section 2 of the Data Protection Act and 2 Articles 58 (2) and 83 of the Data Protection Ordinance to the Executive Board of the Emergency Services Östra Skaraborg must pay an administrative sanction fee of 350,000 (three hundred and fifty thousand) kronor, of which 300,000 (three hundred thousand) kronor refers infringements of Article 5 (1) (a) and 5.1 c and SEK 50,000 (fifty thousand) infringements of Article 32 (1) and Article 32 (4) of the Data Protection Regulation. Report on the supervisory matter The Privacy Protection Agency (IMY) has received complaints alleging that The Executive Board of the Rescue Service Östra Skaraborg (Rescue Service) conducts camera surveillance in the fire station's car park with space for replacement in the event of an alarm and has initiated supervision of the Rescue Service. The inspection has been initiated for the purpose of reviewing the Rescue Service's personal data processing in the form of camera surveillance has taken place in accordance with the principles of legality and regularity set out in Article 5 (1) (a) of the Data Protection Regulation; the principle of data minimization in Article 5 (1) (c), the legal basis requirement in Article 6 and the requirements for organizational security in Article 32. When reviewing the processing of personal data in the form of camera surveillance of the carriage halls have mainly emerged the following. Camera surveillance has been conducted from March – April 2015 until 6 May 2021 stations in Skövde, Mariestad, Hjo, Tibro, Karlsborg, Hova, Gullspång and Töreboda. A camera has been mounted on each station. All cameras have been placed in carriages at the fire stations and has guarded a space used as garage for rescue vehicles. The staff hall also stores the staff's emergency clothing, REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and on repeal of Directive 95/46 / EC (General Data Protection Regulation). 2 Act (2018: 218) with supplementary provisions to the EU Data Protection Regulation. Integrity Protection Authority Record number: DI-2018-22697 3 (17) Date: 2021-06-09 alarm stand, which must be able to be put on quickly before expression in the event of an alarm. For other types of exchanges there are special changing rooms that are not monitored by cameras. The camera surveillance of the car parks has been conducted around the clock in real time without image recording. The cameras have been movably mounted and have shown a number of views accordingly a predetermined movement pattern. The cameras have also been able to be controlled manually and have optics that can zoom. The film material has been examined in real time by internal officers from the command center in Skövde when alarm has been activated at a fire station. The control center that the cameras are connected to staff in emergency situations. Examination of what was captured by the camera's shooting range has only occurred in these situations. Sound has been able recorded in real time after the internal commander has activated a microphone to be able to talk with the intrusive force. A light has been lit in the car park when the microphone has been on activated. The camera-monitored fire stations are staffed by staff who are as well full-time employee (Skövde and Mariestad) as a part-time employee (all audited stations). When part-time staff move in, firefighters should normally be within five minutes from the alarm goes off, switch left the fire station in a vehicle. Then shall the firefighters have gone to the fire station, often in a private car, changed and ha placed in the correct vehicle. Full-time staff are usually at the fire station when alarms go and change from station uniform. Firefighters are on it guarded the place in the carriage hall for about a minute. The complaint has stated that it has happened to intruding staff in the event of an alarm in the middle of the night has arrived at the fire station in a bathrobe with underwear or nothing at all underneath, which has meant that staff have been camera-monitored naked or only in underwear when changing to an alarm stand. The rescue service has in an opinion received on 31 May 2021 stated that it does not occur at all that rescue personnel on standby arrive at the respective station in the event of an alarm only wearing bathrobe with only underwear or nothing at all underneath. Opinion received on 22 May 2019, it is stated that no employee will be staying in the Rescue Service's premises naked, except in changing rooms intended for this, as it can be experienced as troublesome and offensive to other employees. Furthermore, it has been stated that the alarm place is designed as such that its function is maintained regardless of whether the employee chooses to dress only in alarm stand or chooses to have undergarments under the alarm stand. The employees who choose to do not use e.g. underwear can choose to only wear underwear underneath the alarm place and will thus in such cases only wear underwear under one shorter time when dressing and undressing the alarm place. Furthermore, it has emerged that the employees at one of the fire stations protested against the camera surveillance in connection with the introduction in 2015 by covering for some of the surface where alarm places hang with a cardboard board. The rescue service has in the opinion which came in on May 22, 2019, with completion on May 28, 2019, stated that the cardboard board was removed after collaboration with a local union representative after a burglary. At collaboration with employee organizations in 2015, views emerged as among another argued that camera surveillance should not include a place where replacement takes place, that it would be an advantage to activate the camera only in the event of an alarm, that it was perceived as offensive to be monitored and that the information about the camera surveillance has been broken. Infront of collaboration in August 2015, it was stated that the employer's focus was that measures would taken so that areas where staff change could not be monitored by cameras. At the collaboration meeting was decided to ensure that each station would be adapted so that the Privacy Protection Agency Record number: DI-2018-22697 4 (17) Date: 2021-06-09 camera surveillance of changing rooms would not take place. The rescue service has stated that since August 2015 there have been no complaints against the camera surveillance or that the issue is raised on collaboration again. As for the information about the camera surveillance that is provided The rescue service stated that it is now on the checklist at the time of introduction that inform new employees about the camera surveillance, that a written information has been taken to ensure this information and that it is signposted on the premises camera surveillance. To its final opinion in May 2021, the rescue service attached a decision made on 6 May 2021 where it appears that the camera surveillance that is examined will end with immediate effect. Furthermore, the need for camera surveillance must be reassessed accordingly that the IMY has made a decision in the current case. Grounds for the decision Personal data manager The Executive Board of the Rescue Service Östra Skaraborg is stated to be personal data manager for the Rescue Service's personal data processing. IMY shares this view. The time for the trial The audited camera surveillance has been going on from March-April 2015 until 6 May 2021. When the Data Protection Ordinance first came into force on 25 May 2018, IMY's review, which takes place on the basis of the said regulation, limited to circumstances that have existed during the period thereafter. Circumstances in connection with the introduction of The camera surveillance in 2015 is thus outside the IMY's supervision. Rules for the Rescue Service's camera surveillance Camera surveillance is a form of personal data processing. How and in which to the extent that it is permitted to camera surveillance in the case in question is regulated in the Data Protection Ordinance and the Camera Surveillance Act (2018: 1200) which supplement the Data Protection Regulation. The Camera Surveillance Act Section 4 of the Camera Surveillance Act states that the Act applies to camera surveillance in accordance with section 3. takes place with equipment located in Sweden. Of § 3 point 1 of the Camera Surveillance Act It appears that camera surveillance includes a television camera, another optical-electronic instruments or comparable equipment, without being operated on site used in such a way as to involve permanent or regular repetition personal surveillance. The camera surveillance that the Rescue Service has conducted has not maneuvered on site and has involved a permanent monitoring of the employees as well other visitors. The Camera Surveillance Act therefore applies to the Rescue Service coverage. The Camera Surveillance Act contains provisions on when a permit is required to camera surveillance. It follows from section 7 of the Camera Surveillance Act that a permit is required for surveillance of a place to which the public has access if the surveillance is carried out by an authority or someone other than an authority when performing a task of general interest as the Privacy Protection Authority Record number: DI-2018-22697 5 (17) Date: 2021-06-09 follows from law or other statute, collective agreement or decision issued with support by law or other statute. The rescue service Östra Skaraborg is a municipal association and thus one authority, and is basically subject to a permit for camera surveillance. The question is then if the public is considered to have access to the place provided by the Rescue Service camera guards. Practice shows that the concept of "place to which the public has access" shall be interpreted broadly (see the Supreme Administrative Court's decision RÅ 2000 ref. 52). Many workplaces are, however, considered to be a place to which the public does not have access (Bill. 2017/18: 23 p.22). In the light of what has emerged about the location of the surveillance, IMY assesses that it is not a question of a place to which the public has access. Some requirement to apply permission does not exist. However, the fact that the camera surveillance is unlicensed does not mean that surveillance is allowed. In addition to the provision on permits, there are other rules in the Camera Surveillance Act, e.g. on the obligation of professional secrecy regarding the recorded material, obligation to negotiate with workers' organizations and information requirements, which may be relevant to follow during camera surveillance. In addition, the rules in the Data Protection Regulation. Data Protection Regulation According to Article 2 (1), the Data Protection Regulation shall apply, inter alia, to the processing of personal data in a completely automatic way. Of Article 4 (1) of the Data Protection Regulation it appears that any information relating to an identified or identifiable natural person is a personal information. According to Article 4 (2), "treatment" means a measure concerning: personal data, such as collection, registration, reading and deletion. About one surveillance camera captures an identifiable person or other personal data in image, the rules in the Data Protection Regulation must therefore be followed. Since The rescue service has filmed, and recorded sounds from, identifiable people with theirs cameras apply to the Data Protection Regulation. The Data Protection Regulation contains a large number of rules that must be followed Processing of personal data. Within the framework of this supervisory matter is the IMY's review limited to whether the Rescue Service has a legal basis under Article 6 i the Data Protection Ordinance to conduct the current camera surveillance, if The rescue service has lived up to the basic principles of treatment of personal data in Article 5 (1) (a) on legality and regularity and in Article 5 (1) (c) on data minimization, and whether the Rescue Service has met the requirements for security in Article 32 by taking appropriate organizational measures. Is the Rescue Service's camera surveillance allowed according to the Data Protection Regulation? Legal basis for the processing of personal data (Article 6) Article 6 of the Data Protection Regulation states that processing is only legal if at least one of the conditions set out in the article is met, that is, there is a legal basis for the treatment. The processing is necessary to perform a task of general interest, 6.1 e The rescue service has stated that the legal basis for the surveillance is that the surveillance is necessary to perform a task of general interest under Article 6.1 e in the Data Protection Ordinance. Integrity Protection Authority Record number: DI-2018-22697 6 (17) Date: 2021-06-09 Of the preparatory work for a law (2018: 218) with supplementary provisions to the EU The Data Protection Ordinance (hereinafter the Data Protection Act) states the following in Bill. 2017/18: 105 (p. 60). In order for the processing of personal data to be permitted according to the article 6.1 e of the Data Protection Regulation requires the purpose of the processing is necessary to perform the task. This is according to the government assessment is not interpreted as meaning that the task must be of general interest delimited so that it can only be performed in one way. The method as it personal data controller chooses to perform his task must, however - like all public administration - be efficient, effective and proportionate and must therefore not unnecessarily infringe individuals' privacy. The more detailed a particular task has been regulated, the more there should be less space for the person responsible for personal data to choose different approaches. This in turn leads to a larger predictability in terms of what personal data processing can updated. If an assignment has instead been settled on one more overall and results-oriented level, it can probably be performed at many different ways, which in relation to each other can be more or less necessary within the meaning of the Data Protection Regulation. In addition, pursuant to Article 6 (3), treatment pursuant to Article 6 (1) (e) shall be determined in accordance with with Union law or the national law of a Member State. The rescue service's activities are regulated nationally in the Act (2003: 778) on protection against accidents. By rescue service is meant according to ch. § 2 the rescue efforts by the state or the municipalities shall be responsible for in the event of accidents and imminent danger of accidents, for to prevent and limit damage to people, property or the environment. Of ch. § 3 states that the rescue service must be planned and organized so that the rescue efforts can be started within an acceptable time and implemented in an efficient manner. Although detailed provisions for how the Rescue Service is to process personal data missing, the regulation needs to be specific enough to be used as a basis for the assessment of legal basis in Article 6 of the Data Protection Regulation. That the legislation is overall can provide a greater opportunity for the Rescue Service to choose how their assignments must be carried out than if the regulation had been more specific. The rescue service has stated that the purposes that have been established for the surveillance are following. - To facilitate leadership and efficiency during a rescue operation - To facilitate the presence control of firefighters who step in after alarms - To facilitate vehicle selection - To make it possible to ensure that the force leader feels good and can handle the task To secure the shell protection and - To assess the correctness of any alarm connected to the key cabinets on the stations IMY assesses that the purposes can be divided into two categories. The initial four the purposes are intended to enable work management and efficiency in the event of an alarm situation. The the latter two purposes relate to physical security at the fire station.Integritetsskyddsmyndigheten Record number: DI-2018-22697 7 (17) Date: 2021-06-09 The rescue service has stated that the camera surveillance at all fire stations except at Tibro station with automatic has also taken place of the space there the expression clothes are stored. This means that at other fire stations have the surveillance includes the place where the staff changes to alarm stands. The reason for the camera at Tibro station has not monitored the place for replacement in case of alarm is one incorrect programming which has meant that the camera's movement pattern has not covered the location for replacement, if the camera has not been manually controlled to monitor it. According to However, the rescue service has intended to remedy this so that also the camera surveillance at Tibro station would include a place for replacement. Compared to those stations where the place for replacement has been guarded, the Rescue Service has stated that it is on Tibro station has been worse conditions for the management capacity and efficiency at emergency. It has been more difficult to ensure attendance control and to ensure that the force leader feels good in the event of an alarm. Through camera surveillance, the purposes can the surveillance relating to the alarm situation is achieved at the same time as the staff ready to go on alarm, that is, the working method is cost and execution efficient. IMY's assessment - legal basis IMY states that the camera surveillance conducted by the Rescue Service refers to monitoring of employees at their workplace where the staff must be under working hours. The registered are in a position of dependence and are guarded in their everyday environment. The monitoring has involved round-the-clock monitoring in real time and the catchment area has also included space for replacement. There is information that it has happened that employees for efficiency reasons during the change have stayed on the exchange site completely without clothes, which, however, has been rejected by the Rescue Service. Both the scope of surveillance and what is captured by the cameras has increased the intrusion of the individual. The camera surveillance, which among other things has included the employees in underwear, means that the Rescue Service has camera-monitored the employees in privacy-sensitive situations. The processing, however, has not included specific categories of personal data, so sensitive personal data, in accordance with Article 9 of the Data Protection Regulation. The national law which, in accordance with Article 6 (3), is to lay down the legal basis therefore need not be more precise than in the law on protection against accidents, but can be generally held. In the light of the above and with regard to the Rescue Service's special assignments and requirements for efficiency, IMY makes the assessment that the treatment has been necessary to perform a task of general interest and that the Rescue Service has had a legal basis in accordance with Article 6 (1) (e) of the Data Protection Regulation for the person in question the treatment. The question then becomes whether the current treatment has lived up to some of them basic principles for the processing of personal data in Article 5. Basic principles for the processing of personal data (Article 5) Article 5 of the Data Protection Regulation contains a number of basic principles such as that personal data controllers must take into account when processing personal data. It follows from Article 5 (1) (a), inter alia, that all personal data processing, in addition to being legal, must also be correct (the principles of legality and correctness). By article 5.1 c follows that personal data that is processed must be adequate, relevant and not the Privacy Protection Agency Record number: DI-2018-22697 8 (17) Date: 2021-06-09 too extensive in relation to the purposes for which they are dealt with (the principle of task minimization). Finally, it follows from Article 5 (2) that the personal data controller shall be responsible for and be able to demonstrate compliance with the principles set out in Article 5 (1) (the principle of liability). Principles of legality and regularity (Article 5 (1) (a)) The fact that the processing must be lawful means that there must be a legal basis in Article 6. IMY has assessed above that the Rescue Service fulfills the requirement of a legal basis in Article 6 (1) (e), task of general interest. The treatment is therefore judged to be compatible with the principle on legality in Article 5 (1) (a). With regard to the treatment being correct, the following is stated in the preparatory work for the Data Protection Act (Bill 2017/18: 105 p. 47). As far as the principle of correctness is concerned, in a comparison with other language versions are questioned about the Swedish term correctly corresponds to the purpose of the provision. In the Danish language version states instead that the data should be processed reasonably. On the equivalent way is used in the English language version the term fairly, which means fair, reasonable or reasonable. In the French language version the term loyale is used, which has the same meaning as English fairly. In the German language version, the term Treu is used und Glauben, which is usually translated as good faith or faith and honor. All these terms indicate, in the Government's opinion, more clearly than that Swedish term correctly, that a balance of interests must be struck. In it In the individual case, it can thus e.g. be incompatible with the principle of correctness to take a particular treatment measure, even if this in and for could be considered legally established under Article 6, namely if the processing is unreasonable in relation to the data subject. The legislator has stated here that even if there is a legal basis, it should at a assessment of whether the treatment lives up to the principle of correctness is still made one balancing of interests to determine whether the treatment is unreasonable in relation to it registered, in this case the employees. In the statement received on 22 May 2019, the rescue service stated that it did not there are some other, less privacy violating solutions to do the same thing without that the rescue effort is negatively affected. However, it has also been stated that it is not it is necessary for camera surveillance to take place around the clock to conduct rescue services, but that it only needs to happen in the event of an alarm to the current station. Furthermore, the Rescue Service has stated that the cameras are technically connected to the application they are shown on a daily basis around. To the balance of interests that the legislator believes should be made in an examination of the principle of correctness lacks further guidance. European Data Protection Board, EDPB, however, has in EU guidelines on built-in data protection and data protection as standard stated that, inter alia, the following circumstances shall be taken into account in the examination of whether 3 the principle of correctness is complied with. It states, for example, that the treatment should comply with the reasonable expectations of the data subjects. Furthermore, the balance of power should 3EDPB Guidelines 4/2019 on Article 25, Built-in data protection and data protection as standard, version 2.0, p. 18 et seq. Date: 2021-06-09 be a central goal for the relationship between the personal data controller and the registered. The data controller must also respect the data subjects fundamental rights and take appropriate measures and safeguards. The The person responsible for personal data must also ensure the impact of the processing on the individual rights and dignity. IMY's assessment - the principle of correctness Regarding the balance of interests to be made, IMY makes the following assessment of the different interests. IMY initially states that the Rescue Service through the law on protection against Accidents have a requirement for their business that it must be conducted efficiently with regard to both time and execution, to prevent and limit damage in the event of accidents and danger of accidents people, property or environment. The rescue service has stated that, among other things, they are prepared for people which end up in distress at sea and other life-threatening situations, toxic substances released into nature, traffic accidents, fires that occur in buildings and terrain as well as people and property threatened by extreme weather. It is not uncommon for life to be endangered by them events The rescue service is alerted and then both seconds and minutes can make a difference. The purpose of the Rescue Service's camera surveillance, which is now being examined, is described in detail above and can be summarized to enable workflow and alarm efficiency respectively to ensure the physical safety of the fire station. The rescue service has stated that there are no other less privacy-sensitive ways to achieve the same efficiency. At Tibro fire station, where surveillance of place for replacement has not taken place automatically, the conditions for conductivity and emergency response has been worse compared to other stations. The staff do not stay at the station for more than the time they put on the alarm stand, which means that if communication with them is to take place without delaying the rescue operation, it must it takes place at the same time as the exchange takes place. Overall, IMY assesses that the Rescue Service's need for camera surveillance is on the place weighs heavily, especially in case of alarms. One of the purposes of the surveillance is to check the presence of firefighters who enter after noise. IMY notes that camera surveillance to perform presence check on one workplace is in principle not allowed. In the current case, the interest in surveillance has been judged to weigh heavy, especially in case of alarm. IMY makes the assessment that the Rescue Service's surveillance is one such a case where camera surveillance as presence control can be considered permissible. At it In the assessment, special consideration has been given to the requirement for efficiency in the event of an alarm The rescue service, where seconds and minutes can make a difference for life and health. As regards the interests of the data subjects, it can be stated that the places as camera-monitored are workplaces where the employees, who are dependent on their employer, must be present during their working hours. The employees stay in the car park both in the event of an alarm but also in the performance of other tasks. The character of the place means that the employees are there in their everyday environment and can not opt out be monitored by cameras. The interest in integrity therefore weighs heavily as a starting point. The Privacy Protection Agency Record number: DI-2018-22697 10 (17) Date: 2021-06-09 When it comes to listening and recording sound in connection with camera surveillance is this is particularly sensitive to privacy and is only exceptionally allowed. As privacy enhancing action, however, a light comes on when the microphone enables oral communication between the control center and the car park is activated. IMY notes that audio listening is thus limited to situations that require communication and that the microphone has been used in sharp situations in case of alarm, when the need to monitor weighs particularly heavily. Furthermore, the sound that is listened to is mainly a conversation with them which is monitored. That the staff is part of the conversation in combination with lamp activation does that they are aware that eavesdropping is taking place. The measure reduces the intrusion somewhat applies to listening and recording of sound. IMY therefore makes the assessment that sound recording in the event of an alarm as it has been conducted is permitted. Furthermore, it appears that the surveillance area also includes a place for change during pick-up and undressing of alarm stands, where the camera surveillance in case of alarm for a short time has caught the employees in underwear or underwear when they change into expression clothing. If the staff in some cases has been monitored completely without clothing has not been clarified in the case. The rescue service believes that the employees are extremely used to handling privacy-sensitive situations both in the performance of their duties in rescue operations towards third parties, but also at the station work and internally in the organization then it exchanges take place in front of each other at each alarm situation, but also at regular practice and education. The rescue service believes that the internal commander who has access to real-time surveillance has a management responsibility regardless of whether it takes place in the physical space or via technical equipment, for the best possible management. According to the Rescue Service assessment, the exchange in front of colleagues and officers fits well in a proportionality perspective. IMY assesses that the interest in privacy at the place where the exchange takes place is significantly more prominent than in the rest of the carriage hall. However, it should be considered that the solution with replacement to the alarm stand in the car park and the camera surveillance of this is deemed necessary for the efficiency of the business, which reduces the intrusion somewhat. IMY does though overall assessment that the integrity interest in the site as a whole weighs very heavy, as the guarding has been conducted. This also applies if the staff in the change situation has underwear or underwear on. In assessing the two sides of the balance of interests, IMY has thus assessed that the need for surveillance weighs heavily, especially in the event of alarms, and that it was recorded, they employees, interests in terms of camera surveillance of the place of exchange weigh a lot heavy. When balancing between the needs of the Rescue Service and the interests of the employees do IMY further the following assessment. As for whether the data subjects can expect it current camera surveillance, the Rescue Service has stated that it currently has informed about the surveillance in several ways, including through signs in the premises. However, it has emerged that there are no guidelines for the situations in which the competent person staff have had the right to access real-time surveillance, which may mean that they employees have had difficulty assessing the extent to which the material has been used. In question on the balance of power between the Rescue Service and the employees, it has been established that the employees are in a dependent relationship with their employer, which means that the balance of power is uneven. As the monitoring of exchanges includes privacy-sensitive information, higher requirements are set than otherwise on protective measures to reduce the invasion of privacy. IMY thinks it is necessary with privacy-enhancing measures, such as a partial shielding of the place of exchange. The rescue service has stated as integrity-enhancing measures that the Privacy Protection Agency Record number: DI-2018-22697 11 (17) Date: 2021-06-09 in addition to the fact that a lamp is lit when the microphone is activated, the sound can only be heard from the car park in a headset in the control center and that there is access restriction to the control center. As for, for example, masking or demarcating parts of the site for replacement to minimize the collection of this data, have any such action not emerged during the IMY review. Regarding masking the place for replacement, the Rescue Service has in an opinion on 22 May 2019, stated the following (p.7). Given that most stations have alarm points hanging in the carriage hall, the purpose of the cameras on these surfaces completely disappeared was screened off, that is, the carriage hall would not be seen in the cameras. Of images from the camera surveillance that the Rescue Service has sent in an opinion on it January 16, 2019, however, it seems in the IMY's opinion that it is clear that without much difficulty should be able to partially delimit the uptake of the place of exchange from respective camera, so that no more than, for example, heads are captured by the surveillance. This can be done, for example, either by a mask on the camera views that show the place for replacement or through a physical screen in each carriage hall. With regard to the impact of camera surveillance on employees' rights and dignity, the IMY notes that it has not emerged that it has been possible to avoid that be camera-monitored during the change to alarm stand. To have camera surveillance when changing occurs in the event of an alarm, could have meant that the employees have repeatedly stayed in their underwear short periods in the guarded area. In an objective assessment, it can be considered go beyond what is proper treatment on the part of an employer. Overall, IMY states that the purposes of the Rescue Service are justified. The rescue service's interest in surveillance has been judged to weigh heavily, especially in the event of an alarm. However, the interests of the data subjects have been judged to weigh very heavily, especially as regards place for switching to alarm stands, which have been camera-monitored without masking or demarcation. Even when the special circumstances and requirements have been taken into account effectiveness that prevails in the Rescue Service's efforts, IMY states that they the interests of employees weigh more heavily in the question of the place of exchange in the event of an alarm and that the surveillance in this situation, as it has been carried out, is unreasonable in relation to employees. The monitoring of the exchange situation in the event of an alarm without delimitation has therefore contrary to the principle of correctness in Article 5 (1) (a) of the Data Protection Regulation. The principle of data minimization (Article 5 (1) (c)) Article 5 (1) (c) of the Data Protection Regulation states that personal data processed shall be adequate, relevant and not too extensive in relation to the purposes for which which they are processed, which is the principle of data minimization. The camera surveillance that is now being examined has been conducted around the clock in real time in the car hall at eight fire stations and has included space for replacement without any masking or demarcation. Internal officers at the command center have examined the camera surveillance at alarm. The rescue service has stated that it is not necessary to monitor the car park with cameras around the clock, without it only having to take place in the event of an alarm to the relevant station. The cameras have however, have been connected to the technical solution where the camera image is displayed around the clock around.Integritetsskyddsmyndigheten Record number: DI-2018-22697 12 (17) Date: 2021-06-09 As for the surveillance of the place for replacement, the Rescue Service has stated that it does not there are other less privacy-sensitive ways to achieve the same efficiency. The surveillance of the place for replacement is necessary as the staff does not stay at the station anymore than the time when they put on alarm racks. This means that communication with them must take place at the same time as they change, so that the rescue effort is not delayed. IMY's assessment - the principle of data minimization IMY has stated above that monitoring employees who change involves treatment of privacy-sensitive information that goes beyond what the individual should need accept. The surveillance of the fire stations has included employees, who are in dependency on their employer. It places special demands on the employer to take measures to reduce the invasion of privacy for employees. Any adaptation of the surveillance has not been carried out, in addition to access restriction, and place for replacement has been monitored by a camera without masking or delimitation. The monitoring has been ongoing around the clock in real time, even though it has been stated to be necessary only in the event of an alarm. Against this background, the IMY states that the Rescue Service's camera surveillance has entailed an excessive processing of personal data in relation to purposes. The treatment has thus taken place in violation of the principle of data minimization in Article 5 (1) (c) of the Data Protection Regulation. The purpose of the rescue service which has been intended for physical safety fire stations, ie to ensure shell protection and to assess the correctness of alarms connected to the key cabinets at the stations do not have, according to the Rescue Service including preventing and investigating crime. IMY states that the purposes are justified, but that camera surveillance around the clock is too far-reaching for specified purposes. It should be possible to achieve the said objectives with less far-reaching measures, to example through another access solution or an activated alarm in case of alarm from the key cabinet. This treatment has also taken place in violation of the principle of data minimization in Article 5 (1) (c) of the Data Protection Regulation. Security of processing (Article 32) As far as the rescue service's safety in connection with the camera surveillance is concerned, IMY has reviewed the organizational security in terms of authorization management and guidelines for the handling of the monitoring material. Article 32 of the Data Protection Regulation regulates security in connection with the processing. According to paragraph 1, the personal data controller and the personal data assistant shall among other taking into account recent developments, implementation costs and the nature, scope, context and purpose of the treatment and the risks, of varying degrees of probability and seriousness, for the rights and freedoms of natural persons take appropriate technical and organizational measures to ensure a level of safety appropriate to the risk. According to paragraph 2, special consideration shall be given to the assessment of the appropriate level of safety risks posed by the treatment, in particular accidental or unlawful destruction; loss or alteration or to unauthorized disclosure of or unauthorized access to the personal data that has been transferred, stored or otherwise processed.Integritetsskyddsmyndigheten Record number: DI-2018-22697 13 (17) Date: 2021-06-09 Point 4 states that the person responsible for personal data and the personal data assistant shall take measures to ensure that every natural person performing work under it oversight of the personal data controller or personal data assistant, and who may access to personal data, only processes these on instructions from it personal data controllers. Recital 39 of the Data Protection Ordinance states, among other things, that personal data should treated in a manner that ensures appropriate security and confidentiality for personal data and prevents unauthorized access to and unauthorized use of personal data and the equipment used for the processing. The rescue service has stated that 29 people have had access to the command center where the camera surveillance in the event of an alarm has been taken up to full screen view, of which 6 internal officers as has its workplace in the command center, 16 other officers and managers who have tasks in the control center in the event of an alarm or staff work and 7 operating technicians for maintenance of premises and technology. Not all employees stay there at the same time, but the employee who has taken note of the camera material is on-duty internal officer in case of alarm. Every however, employees who have access to the management center have had the opportunity to see the camera image and what is going on at a fire station in real time. In cases where the effort is complicated or several parallel operations in progress may be several internal commanders or others management functions are in the management center at the same time and have then been able to see the camera image. The rescue service has stated that there have been no guidelines for when a competent person has been allowed to look at the camera image. The approach, however, has been to the camera image manually recorded in full screen view in the event of an alarm at the current station. IMY's assessment - safety of treatment As for who has access to the footage from the camera surveillance IMY states that the Rescue Service has stated that a number of people have access to the room where the camera surveillance is displayed in real time, the control center. Even if it is not it is clear how the full screen view showing the camera surveillance is delimited, IMY states that at different times and situations there may be a need for more people have access to real-time surveillance in the event of an alarm, as the Rescue Service has described the handling. The business also runs around the clock, which means that more than otherwise need to have access to the material. IMY therefore finds that it may be justified to a larger number of employees are authorized to access information from the camera surveillance. However, it is central that the person responsible for personal data then has organizational measures in place to ensure the security of the data. Among otherwise clear guidelines are needed for who should have access to the material, under which conditions and whether the competence is surrounded by special restrictions for the handling of the image material. The IMY states that a data controller in accordance with Article 32 (1) shall take appropriate action technical and organizational measures to ensure a level of security that is appropriate in relation to the risk. When assessing the appropriate level of security, special account is taken of the risks posed by the treatment, including unauthorized access the personal data processed. The person responsible for personal data must, according to the article 32.4 of the Data Protection Regulation also take measures to ensure that a physical person only processes personal data according to instructions from it personal data controller.Integritetsskyddsmyndigheten Record number: DI-2018-22697 14 (17) Date: 2021-06-09 The more sensitive the information that is processed, the higher the security requirements for it it shall be considered appropriate in relation to the treatment carried out. That guidelines has been missing for when and how the camera surveillance may be used may mean that those who has handled the camera surveillance has gone beyond what is necessary and thus allowed. It also means that there may be uncertainty for those who have camera surveillance, in which situations the camera surveillance has been used and whether it has been limited to situations where surveillance has been necessary. As the monitoring has been conducted, it has included systematic monitoring of employees and privacy-sensitive processing of personal data with regard to surveillance of employees changing. The requirements for security are thus raised for it to be considered have an appropriate level. As guidelines are said to have been completely missing, IMY states that The rescue service has breached the requirement to ensure that personal data only handled according to instructions from the person responsible for personal data and that the requirement for appropriate organizational measures to ensure an appropriate level of security in relation to the risk is thus not met. IMY therefore notes that The civil protection service has processed personal data in violation of Article 32 (1) and (4) of the Data Protection Regulation. Choice of intervention Legal regulation If there has been a violation of the Data Protection Regulation, IMY has a number corrective powers under Article 58 (2) of the Data Protection Regulation. The supervisory authority may, among other things, order the person responsible for personal data to ensure this that the processing takes place in accordance with the Regulation and if required in a specific way and within a specific period. It follows from Article 58 (2) of the Data Protection Regulation that in accordance with Article 83, the IMY shall: impose penalty fees in addition to or instead of other corrective measures such as referred to in Article 58 (2), depending on the circumstances of each individual case. For authorities, Article 83 (7) of the Data Protection Regulation may specify national rules that authorities may be subject to administrative penalty fees. According to ch. 6 § 2 Under the Data Protection Act, penalty fees can be decided for authorities, but up to a maximum SEK 5,000,000 or SEK 10,000,000 depending on whether the violation relates articles covered by Article 83 (4) or 83 (5) of the Data Protection Regulation. Article 83 (2) sets out the factors to be taken into account when deciding on an administrative sanction fee shall be imposed, but also what shall affect the penalty fee size. Of central importance for the assessment of the seriousness of the infringement is its character, severity and duration. In the case of a minor infringement may, in accordance with recital 148 of the Data Protection Regulation, issue a reprimand instead of imposing a penalty fee. Penalty fee The inspections carried out by IMY have shown that the Rescue Service has processed personal data in violation of Article 5 (1) (a) and (c) and Article 32 (1) and (4) of the Data Protection Regulation. In assessing whether the violations are so serious that an administrative sanction fee is to be imposed, IMY has taken into account that the processing of personal data has been intended camera surveillance of employees in a position of dependence, in their everyday environment that has including privacy-sensitive situations. The monitoring has taken place systematically under the Integrity Protection Authority. Record number: DI-2018-22697 15 (17) Date: 2021-06-09 long time. The monitoring has meant that more information than necessary has been processed then on the other hand, it has taken place around the clock in real time, despite the fact that there is only a need for alarms, and partly without any masking or demarcation having taken place of the area where the employees changes. The scope of the surveillance has been relatively large as it has taken place around the clock around in real time in the car park at eight fire stations, which means a not insignificant number of registrants has been affected. Furthermore, it has not emerged that the Rescue Service, while the camera surveillance is in progress, in addition to a light indicating activated microphone as well as certain access restrictions, have taken some measures to reduce the intrusion on the employees. IMY's assessment is that the treatment did not involve one minor infringement. The violations must therefore lead to an administrative penalty fee. The provisions of the Data Protection Ordinance that the Rescue Service has violated covered by both Article 83 (4) of the Data Protection Regulation and Article 83 (5). The the maximum amount of the penalty fee is according to Article 83.4 and 83.5 and ch. 6 § 2 second paragraph of the Data Protection Act SEK 5 million regarding the violations of the article SEK 32 and 10 million in respect of the infringements of Article 5. The administrative penalty fee shall be effective, proportionate and deterrent. This means that the amount must be determined so that the administrative the penalty fee leads to correction, that it has a preventive effect and that it moreover, is proportionate in relation to both current infringements and to the supervisee's ability to pay. In determining an amount that is effective, proportionate and dissuasive can IMY note that the Rescue Service has camera-monitored employees who are in dependent relationship with their employer, in a privacy-sensitive situation when switching to alarm stand, which has meant that they have been systematically filmed in underwear or underwear at their workplace. Surveillance has been going on around the clock in real time despite that need has only existed in the event of an alarm. The rescue service has in these respects not have taken the necessary measures to limit the collection of data. The surveillance has taken place systematically for a long time and included eight fire stations. It has been the question of a relatively large number of people in the command center who have been able to take part of the surveillance. Although these have been authorized to take part in the surveillance has there was a complete lack of guidelines and instructions for the situations of competent persons had the right to access the camera surveillance. These circumstances are seen as aggravating. In its assessment, IMY has taken into account the Rescue Service's weighty need for the camera surveillance and the requirement for efficiency that is the responsibility of the Rescue Service, as well the socially important task of preventing and limiting accidents in the event of accidents and danger damage to people, property or the environment where seconds and minutes can be crucial. Account has also been taken of the fact that the current rules only began to be applied in May 2018. The trial has thus been limited to the time thereafter. It has also emerged that the camera surveillance has now ceased. It is clear that the decision in the case has dragged on not the Rescue Service to blame for the assessment of the violations. After an overall assessment, IMY finds that the Executive Board of the Rescue Service East Skaraborg must pay an administrative sanction fee of SEK 350,000, of which SEK 300,000 refers to the violations of Article 5 (1) (a) and 5.1 (c), respectively, and SEK 50,000 refers to infringements of Article 32 (1) and Article 32 (4) of the Data Protection Regulation. Integrity Protection Authority Record number: DI-2018-22697 16 (17) Date: 2021-06-09 This decision was made by the Director General Lena Lindgren Schelin after the presentation by lawyer Jenny Bård. At the final processing, the unit manager also has Charlotte Waller Dahlberg and lawyer Jeanette Bladh Gustafson participated. During David Törngren, Chief Justice, also participated in the proceedings. Lena Lindgren Schelin, 2021-06-09 (This is an electronic signature) Appendix Information on payment of penalty fee Copy to The Executive Board of the Rescue Service Östra Skaraborg's data protection representative: dataskyddsombud@skovde.seIntegritetsskyddsmyndigheten Record number: DI-2018-22697 17 (17) Date: 2021-06-09 How to appeal If you want to appeal the decision, you must write to the Privacy Protection Authority. Enter i the letter which decision you are appealing and the change you are requesting. The appeal shall have been received by the Privacy Protection Authority no later than three weeks from the date of the decision was announced. If the appeal has been received in time, send The Integrity Protection Authority forwards it to the Administrative Court in Stockholm examination. You can e-mail the appeal to the Privacy Protection Authority if it does not contain any privacy-sensitive personal data or data that may be covered by secrecy. The authority's contact information can be found on the first page of the decision.