HDPA (Greece) - 50/2022

From GDPRhub
Revision as of 14:41, 4 November 2022 by Kk (talk | contribs) (Short summary: • When a fine is imposed, mention it in the short summary • Otherwise well written short summary that mentions the most important takeaways from the decision, however I made it focus more on the specific GDPR violations in this case. d Facts: • Added more details to the facts, such as what was the purpose of the surveillance system, what were the arguments submitted by the controller • Assign GDPR roles to the parties involved – who was the data subject/complainant and who is the)
HDPA - Decision 50/2022
LogoGR.jpg
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(b) GDPR
Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 6(1)(f) GDPR
Article 12 GDPR
Article 13 GDPR
Article 30 GDPR
Guidelines 3/2019 on processing of personal data through video devices
Law 4624/2019
Type: Complaint
Outcome: Upheld
Started:
Decided: 09.09.2022
Published: 09.09.2022
Fine: 15.000 EUR
Parties: Private school
Individual-Ex-employee
National Case Number/Name: Decision 50/2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: Hellenic DPA (in EL)
Initial Contributor: Anastasia Tsermenidou

The Greek DPA imposed a €15,000 fine on a private school for installing a video surveillance system which, among others, did not respect the purpose limitation and accountability principles.

English Summary

Facts

A former teacher (the data subject) at a private primaryschool (the controller) submitted a complaint to the Greek DPA regarding a video surveillance system in the classrooms, which had been recording them without knowledge or consent. The DPA started proceedings to examine the legality of the operation of the system.

The controller submitted that the video surveillance system had been operating since 2007 in order to provide direct visual contact with dangerous places for students (courtyard, balconies) and to discourage possible intruders. According to the controller, persons with access to the transmitted video were the principal, owner and president of the school, via a computer located in their office. Moreover, persons entering the site were informed by signs and verbally about the existence of the video cameras. Similarly, teachers were informed about it verbally, allegedly with no objections. The controller stated that the legal basis for the processing of personal data related to the video cameras was legitimate interest.

In its decision, the DPA considered the legal basis for processing as well as compliance with general data processing principles and data subject rights.

Holding

First, the DPA held that information to parents and employees on the operation of the system was incomplete because, according to the controller, it was given orally, in violation of Articles 5(1)(a) and (b) as well as Articles 12 and 13 GDPR. The controller was not able to prove that such information was given nor which categories of persons were informed. In particular, the DPA noted that children were not appropriately protected in this regard.

Second, the DPA stated that the principle of purpose limitation (Article 5(1)(b) GDPR) was not respected, since the access to the transmitted image by the manager and employees, that is officially unauthorised parties, did not ensure that the purpose of the processing was exclusively the protection of persons and property.

Thrid, the principle of accountability (Article 5(2) GDPR) was not respected because the controller did not keep activity records for the processing of personal data through the video surveillance system, but only provided them after the hearing.

Fourth, with regards to the legal basis for processing, the DPA held that the controller had not ensured that there was an overriding legitimate interest for the installation of cameras to justify the interference with fundamental rights and freedoms of persons, as required by Article 6(1)(f) GDPR. The DPA reasoned that the controller's educational establishment was not so large as to justify the need to monitor remote points of the premises by using surveillance cameras instead of milder means. Hence, there was no valid legal basis for the operation of the system.

Considering the above-mentioned violations, the DPA ordered the controller to uninstall the cameras within one month of the receipt of the notice. Furthemore, the DPA used its powers under Article 58(2)(i) GDPR and imposed a €15,000 fine on the controller.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.