IMY (Sweden) - IMY-2022-1558
From GDPRhub
| IMY - IMY-2022-1558 | |
|---|---|
 | |
| Authority: | IMY (Sweden) |
| Jurisdiction: | Sweden |
| Relevant Law: | Article 32(1) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 27.11.2024 |
| Published: | |
| Fine: | n/a |
| Parties: | Verisure |
| National Case Number/Name: | IMY-2022-1558 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Swedish |
| Original Source: | Integritetsskydds myndigheten (in SV) |
| Initial Contributor: | elu |
After a tip cocerning employees sharing clients´ images for amusement purposes, the Swedish DPA issued a reprimand against alarm management service Verisure for lack of appropriate technical and organisational measures.
English Summary
Facts
The Swedish DPA received a tip saying that the home security company Verisure, the controller, shared, unlawfully, image materials from private individuals´ homes. The controller started an internal investigation and found no indication of improper sharing of personal customer information as described by the tip to the DPA. Moreover, it considered that there is no evidence suggesting ongoing or current violations of the international regulations. More specifically, the image material is available to authorised personnel in the company´s system for a specific amount of time, and is subsequently archived for a certain period of time, to be able to share images with law enforcement authorities. The controller specified that the storing of images is exactly the needed time to comply with the purposes of the processing. Additionally, all image views require logging in with specific credentials, making it impossible to export them outside of the controller´s system.
Holding
First, as to type of log in information, the DPA found that there was no issue with the technical measures in place in the controller´s systems. Second, the DPA highlighted the gravity of processing data subjects´ pictures for amusement purposes and its noncompliance with Article 6 GDPR. However, nothing emerged to indicate that the handling of image material has taken place. The DPA further ascertained the existence appropriate measures as per Article 32(1) GDPR. Since the controller processes personal data of a large number of data subjects and that such processing happens in the context of an alarm management service, the data processed is of a very privacy-sensitive treatment. Moreover, data subjects expect a high degree of confidentiality and protection against unlawful or unauthorised processing. These elements point out that the controller shall implement measures that counter face this high risk to the rights and freedoms of data subjects through a high level of data protection. In light of the above, the DPA considered whether such high level of data protection was in place. The DPA found that the controller did not take the appropriate technical and organisational measures as it did not store the log data on file names long enough to allow tracing of any mismanagement of the personal data related to the images from customers´ cameras. The DPA found that the controller violated Article 32(1) GDPR but that such violation was minor and thus that a reprimand was appropriate.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
1(10)
Verisure Sweden AB
Diary number:
IMY-2022-1558 Decision after supervision according to
Date: Data Protection Regulation - Verisure
2024-11-27
Sweden AB
The Privacy Protection Authority's decision
The Swedish Privacy Agency (IMY) states that Verisure Sverige AB (556153-
2176) during the period from 20 April 2022 to August 2022 has processed personal data in
1
violation of Article 32.1 of the Data Protection Regulation by not having taken appropriate measures
measures to ensure an appropriate level of protection for personal data in the form of
footage from cameras in private homes.
IMY gives Verisure Sverige AB a reprimand based on Article 58.2 b i
the data protection regulation for the established violation.
Account of the supervisory matter
Background
The Swedish Privacy Protection Authority (IMY) has taken note of information in the media such as, among other things
claims that employees of Verisure Sverige AB (hereinafter "Verisure" or the company") i
in connection with incoming alarms have shared footage from cameras in private individuals' homes
between themselves in different ways without it being justified. IMY has therefore initiated supervision of
Verisure for the purpose of investigating the company's internal handling of image material from cameras
installed in customers' homes.
After the start of the inspection, IMY has received tips regarding Verisure's technical and
organizational security measures. Verisure has been given the opportunity to make a statement with reason
hence.
What emerged in the case
Postal address: Verisure has, among other things, stated the following.
Box 8114
104 20 Stockholm
About the data in the media
Website: The company has taken the information in the media reporting very seriously and has added
www.imy.se great resources to investigate the claims in the current newspaper article. However, Verisure takes
E-mail:
imy@imy.se
1Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with
Telephone: regarding the processing of personal data and on the free flow of such data and on the cancellation of
08-657 61 00 directive 95/46/EC (general data protection regulation). Data Protection Agency Diary number: IMY-2022-1558 2(10)
Date: 2024-11-27
distance from the information in the media in that nothing in the company's extensive internal
investigation indicates that there would be scope for such processing of image material
as described or that similar treatment actually takes place. The internal investigation has
among other things consisted of interviews with employees and former employees, a technical
review of log data to check whether image material has been handled on a
deviating ways, review of the alarm operators' chat groups and a review
of the technical limitations in the company's system to identify any deficiencies
which could enable incorrect processing of the image material. The company's
internal investigation has also involved a review of the list of handled cases
regarding the request for register extracts in accordance with the data protection regulation, and a
review of compliance with the applicable data protection regulations and the internal
the regulatory framework. Furthermore, the internal investigation has included an examination of the
data protection-related training initiatives that the company carries out for new employees and i
the ongoing work.
The results of the internal investigation show that there is nothing to indicate that
there has been improper sharing of personal customer information in the manner described
in the media. In the internal investigation, Verisure was also unable to find any evidence or otherwise
something that suggests ongoing or current violations of the internal regulations.
The company also has an established whistleblower channel that has been used by employees in
other contexts but there are no reported events to suggest that
improper handling of image material has been reported via that channel.
Had the claims in the media been true, however, there would have been no legal basis
for such obviously unauthorized processing of personal data.
About Verisure's handling of personal data from customers' cameras in general
Verisure is an authorized alarm center which imposes extensive regulatory requirements
the business. Verisure takes its responsibility as a personal data controller very seriously
and works in a structured manner with privacy and data protection issues to safeguard them
registered interests. Customer privacy is an integral and crucial part of
Verisure's business. The company has, among other things, an extensive internal regulatory framework in place
of guidelines and routines.
The company's internal policy clearly states how the alarm operators may handle image material
and in which situations they may look at the images or ask a colleague to look. As one
As a privacy-enhancing measure, Verisure has also implemented detailed instructions
regarding how the cameras may be installed so as not to risk violating the personal
integrity. Verisure has also implemented technical limitations that ensure
that image material is only processed if it is necessary to achieve the purpose of
the treatment.
The image material is available to authorized personnel in the company's system for a certain time, thereafter
it is automatically deleted from the system but archived for a further time, among other things
the need to be able to share images with law enforcement agencies. Verisure has
made the assessment that the time the image material is saved is a sufficiently long period for
the company to store the image files in order to, taking into account the clear privacy interest
still be able to fulfill the company's purposes with the processing. For example, there may be
need to be able to follow up on how a certain incident has been handled or to be able to respond
customers' questions about a particular incident that requires access to visual material.
All image views in the company's system are logged. It is technically impossible to gain access
to the image material without it being logged. This means that if there is no log of the Privacy Protection Agency Diary number: IMY-2022-1558 3(10)
Date: 2024-11-27
handling of images in the system, Verisure can state with certainty that it does not
no access occurred. That all handling of the image material is logged makes it possible
investigation of unauthorized access to the material.
As a general rule, image material should not be exported from Verisure's system. However, there is
exceptions where Veirsure is entitled to share images why there is an opportunity to
export images in special cases. This feature is subject to access restrictions and
actions are logged, so it is always possible to track how an image has been shared.
Verisure only has the ability to investigate misconduct of the type alleged in
media during a certain period backwards in time when image material is deleted from the system i
in accordance with the company's automatic thinning routines. Log data in the form of images
filenames have, however, been saved for a slightly longer time, namely 100 days, before these too
data was deleted. With this information, Verisure has been able to check how many
times a particular operator has opened an image. Since August 2022 has an adjustment of
the storage time for log data has taken place. The adjustment means that all log data,
except for images, stored for five years. The adjustment regarding the storage time for the log data
is partly a result of the need to be able to investigate image processing over a longer period of time
period back in time.
About the tips
Regarding the first tip received by IMY about the correct login information
the information largely disagrees with Verisure's view. There have been good ones
reasons for the current use of a certain type of login information and the procedure
has been designed taking into account the relevant data protection legislation. The usage has
also continued for a limited time and has now been discontinued. Regarding the two
other tips, Verisure is not to be considered the personal data controller for those described
the treatments. In the one tip, one of Verisure's franchisees also has
personal data officer has clearly acted outside of his instructions and the company is therefore
to be considered the personal data controller for the event in question. Although Verisure
is not responsible for personal data for the current processing, the company has, however, taken
tip very seriously and acted accordingly. Among other things, Verisure has assisted the person in question
the franchisee in the investigation of the incident described in the tip. The second tip concerns
another company.
The extent of IMY's review of the case
The Data Protection Regulation contains a large number of rules that must be followed in conjunction
with the processing of personal data. Within the framework of this supervisory matter, IMY reviews
not all rules and issues that can be actualized in Verisure's operations.
IMY's review of the case has been limited to include what is described in the media
the processing of personal data and to intend to the extent that the company has taken appropriate technical measures
and organizational measures to protect the personal data of the company's customers at it
the internal handling of image material in accordance with Article 32 of the Data Protection Regulation.
Justification of the decision
Applicable regulations
According to Article 4.7 of the Data Protection Regulation, the person in charge of personal data is a physical or
legal person, public authority, institution or other body that alone or the Swedish Data Protection Agency Diary number: IMY-2022-1558 4(10)
Date: 2024-11-27
together with others determines the purposes and means of the processing of
personal data.
According to the principle of responsibility in Article 5.2 of the Data Protection Regulation, it must
personal data controller responsible for compliance with the principles described in
first paragraph of the article, including the security principle (article 5.1 f i
data protection regulation). The liability principle has been further developed in Article 24
where it appears that the person in charge of personal data must take appropriate technical and
organizational measures to ensure and be able to demonstrate that the processing is carried out in
in accordance with the data protection regulation.
It follows from Article 28.10 of the data protection regulation that about a personal data assistant
violates this regulation by establishing the purposes and means of
the processing, the personal data assistant shall be considered a personal data controller with
with respect to that treatment, without prejudice to the application of Articles 82,
83 and 84.
It follows from Article 32.1 of the data protection regulation that the person in charge of personal data must
take appropriate technical and organizational measures to ensure a
safety level that is appropriate in relation to the risk of the treatment. At
the assessment of which technical and organizational measures are appropriate must
data controller take into account the latest developments, implementation costs
and the nature, scope, context and purpose of the treatment as well as the risks for
rights and freedoms of natural persons.
According to Article 32(1), appropriate safeguards include, where appropriate,
a) pseudonymisation and encryption of personal data,
b) the ability to continuously ensure confidentiality, integrity, availability
and resilience of treatment systems and services,
c) the ability to restore the availability and access to personal data i
reasonable time in the event of a physical or technical incident, and
d) a procedure for regularly testing, examining and evaluating effectiveness
in the technical and organizational measures that must ensure
the safety of the treatment.
According to article 32.2 of the data protection regulation, when assessing the appropriate
security level special consideration is given to the risks that the treatment entails, in particular
for accidental or unlawful destruction, loss or alteration or for unauthorized disclosure of
or unauthorized access to the personal data transmitted, stored or otherwise
treated.
Personal data responsibility
Personal data responsibility in the tips
Verisure has stated that the company is the personal data controller for it
personal data processing as the first hint about login details has intended,
which is supported by the investigation into the case. IMY assesses that Verisure is
personal data controller for that processing in the sense referred to in Article 4.7 i
data protection regulation.
As for the other two tips, Verisure has stated that the company is not
personal data controller for the described treatments. Regarding the one tip, the Swedish Privacy Protection Agency Diary number: IMY-2022-1558 5(10)
Date: 2024-11-27
IMY assesses that in the light of the current tip
the nature of the personal data processing, there is no reason to question that the processing has been completed
outside the instructions given to the data controller and that Verisure is therefore not
to be considered the personal data controller. Regarding the second tip, IMY notes that
there is no reason to question that another company is responsible for personal data for it
the treatment. IMY therefore assesses that Verisure is not responsible for personal data
the treatments that these two tips refer to why these treatments are not covered
the further examination in this decision.
Responsibility for personal data in general
Verisure has stated that the company is responsible for the processing of personal data
personal data in the form of images within the framework of the company's incident management.
Verisure has also stated that the company is jointly responsible for personal data with
the customer for the monitoring that the customer himself undertakes by using Verisures
monitoring function in their home, plot and other private buildings. According to Verisure
despite this, however, the company will also be considered the sole controller of personal data
regarding the treatment of the so-called private exception in Article 2.2 c i
the data protection regulation is applicable to the customer. This when the customer's treatment of
personal data in that case falls outside the scope of the data protection regulation.
What Verisure stated is supported by other investigations in the case. IMY therefore assesses that
Verisure is the personal data controller for the current personal data processing in it
meaning referred to in Article 4.7 of the Data Protection Regulation.
The tip about login details
In the tip, it has been claimed that Verisure used a certain type of login information
a way that could contravene the data protection regulation. Against the background of what
Verisure stated about the use of the current login details and what i
other findings in the investigation, however, IMY cannot establish any deficiency in relation
to the data protection regulation.
The handling of images alleged in the media
In the media reporting that IMY took part in before the supervision of Verisure began
it was alleged that employees at Verisure shared information about pictures of scantily clad women
people between them and that several of the employees took part in the images through the company's
alarm management system for entertainment purposes. The current news article did too
concerning that pictures could be sent between employees, including in a chat program.
IMY states that the treatment of image material that has been described in the media is
very serious and could mean a major intrusion into the personal privacy of individuals
integrity. Such processing would, as Verisure has also stated, lack legal validity
basis in Article 6 of the Data Protection Regulation and thus be impermissible. To be able to
establish a deficiency according to the data protection regulation, however, it must be clear that the
processing of image material described in the media has taken place.
Verisure has reported on the internal investigation that the company undertook to investigate
the information in the media and has stated that nothing emerged in the investigation which
indicates that handling of image material has taken place in the way that has been described in the media.
IMY notes that Verisure has undertaken an extensive internal investigation to investigate
the alleged handling of image material. The company's internal investigation has not shown that the Swedish Privacy Agency Diary number: IMY-2022-1558 6(10)
Date: 2024-11-27
what has been claimed in the media has occurred. Nor has it through IMY's investigation i
the case in general could be shown that what was described in the media has happened. IMY assesses
because the investigation in the matter does not support that Verisure has failed to comply
of the data protection regulation in the way that has been described in the media.
Verisure has not taken appropriate security measures
Against the background of what emerged from the investigation in the case, IMY finds reason, however
to test whether Verisure has taken appropriate measures to ensure a level of protection which
is appropriate based on the risks of the treatment.
The treatment involved major privacy risks and required a high level of protection
The person in charge of personal data must provide security that is suitable from the outside
the risks of the treatment. The assessment of the appropriate level of protection must be done with
consideration of, among other things, the nature, scope, context and purpose of the processing
as well as the risks, of varying degrees of probability and seriousness, for natural persons
rights and freedoms. During the assessment, special consideration must be given to the risks that
the processing entails, among other things, unauthorized disclosure of or unauthorized access to
the personal data.
IMY states that Verisure handles personal data from a large company in its operations
2
number of registrants. IMY further states that it is an alarm management service
where cameras installed in private individuals' homes are part of that service. The treatment
of personal data that takes place through this is therefore, among other things, collection and
handling of image material consists of people who are in their home environment.
This is a very privacy-sensitive treatment. Furthermore, it can be stated that people
who are customers of Verisure have hired the company for safety and security purposes and
relies on the cameras installed in the home being used only by Verisure
to ensure this purpose. It is therefore a matter of processing personal data
for which data subjects have legitimate expectations of a high degree of
confidentiality and robust protection against unauthorized and unauthorized processing. This type
of personal data processing also takes place within the framework of Verisures
core business, which entails even higher requirements for the level of protection.
Considering, among other things, that the data processed by Verisure has been deleted
privacy-sensitive nature and affected a large number of people has the company's treatment
of personal data in total meant a high risk for the rights of natural persons
and freedoms. The nature, extent and context of the treatment have thus resulted in a
requirements for a high level of data protection. The measures must, among other things, ensure that
personal data is protected against unauthorized disclosure and unauthorized access.
The data has not been adequately protected
The IMY shall then assess whether Verisure has ensured the high level of protection which
required. In order to be able to maintain the security of the personal data processed in
a business's system, it is fundamental to be able to have control over what is happening,
and what has happened to the data. For the registered person, there is also a right to receive
access to their personal data and information about how the data has been processed.
So that the data subject can exercise this right and thereby, among other things
being able to check the legality of the processing is fundamental to it
2According to Verisure's website, the company has approximately 500,000 Swedish customers, see Verisure, "About us".
https://www.verisure.se/om-oss [2024-11-27]The Swedish Data Protection Agency Diary number: IMY-2022-1558 7(10)
Date: 2024-11-27
personal data controller has control over how the data is processed or has
treated. This can, for example, be done through logging.
From the investigation into the matter, it appears that the image material is stored in a certain predetermined location
time and is subsequently deleted from the system. After this period it is not possible to search
operators' handling of individual images. In the context of image management, however, logging is done
also other tasks closely related to the image management for a slightly longer time
time. Before August 2022, log data was saved in the form of the images' file names in
a total of 100 days. This log entry makes it possible to check how many
times a particular operator has opened an image.
Regarding the storage time for Verisure's log data, IMY makes the following assessment.
Image material from customers' cameras in the home are, as previously established, associated
with a weighty privacy interest. In light of this and the purposes
with the treatment that Verisure has described and what the company otherwise stated believes
IMY that the time Verisure stores the image material is proportional.
However, there are other less privacy-sensitive log data that can be used to
check that image material is not handled in an inappropriate manner and thus ensure
that personal data is protected against unauthorized disclosure and unauthorized access.
Log information in the form of the file names of the images is one such log information with which you can
search how many times a certain image has been opened in the system. According to Verisure has
however, these log data were only stored for 100 days, which resulted in no search
of possible mishandling of image material could not be done after this period. With
taking into account the high level of protection that has been required for the personal data assesses
IMY that the current storage time for log information about the file names of the images has been for
card to protect the data against unauthorized disclosure or unauthorized access in sufficient
degree and to ensure the confidentiality of the personal data processed in their
system.
IMY therefore assesses that Verisure has not taken appropriate technical and organizational measures
measures to ensure a level of security that was appropriate in relation to the risk
with the treatment. The reason for this is that Verisure has not stored log information about
the images' file names long enough to be able to search for possible mishandling of
personal data in the form of images from customers' cameras. Through this, Verisure has
also lacked the ability to sufficiently ensure the protection of those registered
rights.
Verisure has, however, within the framework of a general review of storage times during the period of
IMY's supervision, implemented a new retention time for the images' file names which means that
log information about the file names since August 2022 is saved for five years. Verisure has stated
that the adjustment of the storage time of the file names is partly a result of the need to be able
investigate image processing over a longer period back in time. Through this adjustment
IMY considers that, since August 2022, Verisure no longer fails to comply with
the data protection regulation in the manner described above.
Within the framework of this supervision, Verisure has also reported on other technical and
organizational security measures that the company has taken to protect customers
personal data in the internal handling of image material. On account of what
3 Cf. the judgment of the European Court of Justice Pankki S, C-579/21, EU:C:2023:501, paragraphs 37-83. The Swedish Privacy Agency Diary number: IMY-2022-1558 8(10)
Date: 2024-11-27
Verisure stated in this part, IMY notes that it has not emerged other than that they
the other protective measures appear to be appropriate.
Overall, IMY assesses that Verisure has processed personal data in violation of
article 32.1 of the data protection regulation. It can be deduced from the investigation in the case that it
limited storage time for the current log data has existed at least
since the time of the initiation of supervision on 20 April 2022 until August 2022. IMY
therefore assesses that Verisure has processed personal data in violation of
data protection regulation during the period from 20 April 2022 to August 2022.
Choice of intervention
From article 58.2 i and article 83.2 of the data protection regulation it appears that IMY has
power to impose administrative penalty charges in accordance with Article 83.
Depending on the circumstances of the individual case, administrative
penalty fees are imposed in addition to or instead of the other measures referred to in article
58.2, such as injunctions and prohibitions. Furthermore, it is clear from article 83.2 which
factors to be taken into account when deciding whether administrative penalty charges are to be imposed
and when determining the size of the fee. If it is a minor violation
receives IMY as set out in recital 148 in lieu of imposing a penalty charge
issue a reprimand in accordance with Article 58.2 b. Consideration shall be given to aggravating and
mitigating circumstances of the case, such as the nature of the violation, degree of severity
and duration as well as previous violations of relevance.
When assessing the choice of intervention, IMY considers the following. IMY has assessed that
Verisure has violated Article 32.1 of the Data Protection Regulation by, in the meantime,
April 20, 2022 to August 2022 have not stored log information about the file names of the images
long enough to be able to investigate possible mishandling of personal data and
in this way, among other things, be able to ensure that the personal data is protected against
unauthorized disclosure and unauthorized access. A violation of that provision may
incur a penalty charge.
Images containing people in their home environment are very sensitive to privacy
personal data. Unauthorized disclosure or access to such personal data entails
a high risk to the freedoms and rights of the data subjects. Verisure has lacked the ability to
search for possible mishandling of the personal data further back in time than 100
days, which means a risk that unauthorized disclosure or access could have taken place without
that Verisure had the ability to control this and take any appropriate measures.
However, Verisure has within the scope of an internal review, among other things, to do so
possible to investigate image processing further back in time, changed the storage time for them
the current log data in such a way that they are now stored for five years. This was indeed done
after IMY started the current supervision, but means that Verisure has thereby taken action
the lack. Furthermore, the identified deficiency has not in itself meant that personal data has
processed in an impermissible manner but does not concern the possibility of being able to check afterwards
the processing of the data. The Swedish Privacy Agency Diary number: IMY-2022-1558 9(10)
Date: 2024-11-27
In an overall assessment of the circumstances of the case, IMY finds that there is a question
if such a minor infringement within the meaning of recital 148 exists
reason to refrain from imposing a penalty fee on Verisure for the found
the violation. Verisure shall therefore, with the support of Article 58.2 b i
the data protection regulation, instead a reprimand is given for the found
the violation.
__________________________
This decision has been made by unit manager Jenny Bård after a presentation by
Department Counsel Sarah Bodlander. At the final processing of the case has
also the departmental lawyer Andreas Persson and IT- and
information security specialist Petter Flink participated.
Jenny Bård
Copy to
The Data Protection Officer The Privacy Protection Agency Diary number: IMY-2022-1558 10(10)
Date: 2024-11-27
How to appeal
If you want to appeal the decision, you must write to IMY. State in the letter which decision you made
appeals and the change you request. The appeal must have been received by IMY
within three weeks from the day you received the decision. If you are a representing party
however, the general appeal must have been received within three weeks from that day
the decision was announced. If the appeal has been received in time, IMY forwards it on
to the Administrative Court in Stockholm for review.
You can e-mail the appeal to IMY if it does not contain any privacy-sensitive information
personal data or information that may be subject to confidentiality. The authority's
contact details appear on the first page of the decision.
