DPC (Ireland) - 07/SIU/2018
| DPC - 07/SIU/2018 | |
|---|---|
 | |
| Authority: | DPC (Ireland) |
| Jurisdiction: | Ireland |
| Relevant Law: | Article 5(1) GDPR Article 13 GDPR Article 24 GDPR Article 25 GDPR Article 30 GDPR Data Protection Act 2018 |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 15.06.2018 |
| Decided: | 13.11.2024 |
| Published: | 05.12.2024 |
| Fine: | 29,500 EUR |
| Parties: | Sligo County Council |
| National Case Number/Name: | 07/SIU/2018 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | English |
| Original Source: | DPC (in EN) |
| Initial Contributor: | ao |
The DPA issued a County Council with a 29,500 fine for the excessive processing of CCTV footage of public spaces as well as footage of speed cameras.
English Summary
Facts
On the 25 June 2018, the Irish DPA (Data Protection Commission - DPC) began an ex-officio investigation into the controller, a local County Council (Sligo).
CCTV cameras
The controller had installed CCTV cameras at bottle banks and in housing estates stating that they were to aid the enforcement of the Irish Litter Pollution Act 1997 and to help detect anti-social behaviour. The cameras therefore constantly filmed a public area and this video footage was then stored by the controller.
ANPR cameras
The controller processed data of Automated Number Plate Recognition (ANPR) cameras.
Holding
The DPC found that the use of the CCTV cameras at the bottle banks could not be justified under the Litter Pollution Act 1997 nor the Waste Management Act 1996. Article 8(2) of the Law Enforcement Directive does not provide for such a broad scope of CCTV footage to be processed.
The DPC found a total of 14 issues throughout the course of the inquiry ranging from unlawful processing to failing to conduct a Data Protection Impact Assessment. The DPC found violations of the GDPR as well as the Irish Data Protection Act 2018 which transposes the GDPR into national law.
The DPC found the following violations of the GDPR showing negligence on the part of the controller:
For failing to ensure the appropriate security of the CCTV monitoring screens, the controller had breached Article 5(1)(f) GDPR and Article 32(1) GDPR.
For excessively monitoring and processing footage of public spaces the DPC found violations of Article 5(1)(c) GDPR and Article 25 GDPR in relation to the purposes.
For retaining the data for longer than necessary the DPC found a violation of Article 5(1)(e) GDPR.
For failing to set up and maintain records of the processing, the DPC found a violation of Article 30 GDPR.
For failing to erect signage informing of the processing and failing to be able to explain a reason for this, the DPC found a violation of Article 13 GDPR.
The DPC issued a fine of €29,500 for the violations and ordered the controller to bring its data processing into compliance.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
