IMY (Sweden) - 2023-15373
IMY - 2023-15373 | |
---|---|
Authority: | IMY (Sweden) |
Jurisdiction: | Sweden |
Relevant Law: | Article 6(1)(f) GDPR Article 13(1) GDPR Article 13(2) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 12.11.2024 |
Published: | |
Fine: | 200,000 SEK |
Parties: | Granit Bostad Beritsholm |
National Case Number/Name: | 2023-15373 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Swedish |
Original Source: | Integritetsskyddsmyndigheten (in SV) |
Initial Contributor: | elu |
The DPA fined a landlord SEK 200,000 (EUR 17,366) for placings eighteen cameras in the common areas of a residential and for failing to respond to access requests.
English Summary
Facts
After a complaint by some tenants of apartments in a building, the data subjects, concerning unauthorized camera surveillance in apartment building in Malmo and impairment of data subjects´ right of access, the Swedish DPA started an investigation.
The investigation revealed eighteen cameras in all entrances to the buildings, garage, shared wet rooms, with some pointing towards some apartment doors. The data subjects unsuccessfully requested information about the data processed to the controller, as the information on the controller´s website was not exhaustive.
When the DPA requested the same information, the controller replied that they took over the camera system from the previous owner of the building and that, given that the neighborhood had precedents with bicycle thefts, attempted burglaries, storage break-ins, car break-ins and vandalism, the cameras were installed for safety reasons. It was specified that the recording activated through motion detection and that no real time surveillance or audio recording took place. Moreover, the data was stored for 14 days and only three people had access to the footage.
Holding
The DPA considered two main issues: the legal basis for the presence of the eighteen cameras under Article 6(1)(f) GDPR, and the possible violations of the right of access under Article 13 GDPR.
Violation of Article 6(1)(f) GDPR
First, the DPA considered that interest required was legitimate, as protecting property, health and life falls within the scope of Article 6(1)(f) GDPR. Second, the DPA conceded that alternative and less invasive measures were taken previously and that these measures did not have the same efficacy as camera surveillance. Third, the DPA considered that CCTV surveillance in residential environments is, as a starting point, very sensitive from a privacy point of view.
However, this privacy interest varies on the basis of the specific areas of surveillance. The DPA considered each of the surveilled areas and found:
- in relation to entrances and stairwells: the interest of residents in not being monitored outweighs the controller´s interest when surveilling he entrances and stairwells.
- in relation to basements, bicycles storage rooms, laundry rooms, corridors, garbage rooms and storage rooms: the risk of privacy invasion is reduced in these areas. However, there should have been actual incidents at these sites for an actual interest in camera surveillance. Here, the controller´s interest in camera surveillance of these areas does not outweigh the residents' interest in not being monitored.
- in relation to the garage: camera surveillance in the garage is less sensitive. Moreover, considering that the burglaries took place in the garage with cars being stolen, the company has a legal basis under Article 6(1)(f) GDPR.
Therefore, overall the DPA found that the controller only has a legal basis for the data camera surveillance that ongoing in the garage, and thus, that a violation of Article 6(1)(f) GDPR occurred in relation to the other cameras.
Violation of Article 13 GDPR
The DPA found that the controller failed to provide the data subjects with the information required both under Article 13(1) and (2) GDPR.
In relation to the controller´s argument that data subjects already were in possession of the information about the processing as they were available in the website, the DPA considered that, while at the beginning information on the presence of cameras was provided to the data subjects, the lack of updating of some information (for example: who was the data controller, the contact details) entailed a violation of Article 13 GDPR.
Fine
In light of these considerations, the DPA found a violation of Article 6(1) and 13 GDPR and deemed it appropriate to fine the controller SEK 200,000 (EUR 17,366).
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
1(16) THE APPELLANT See Appendix 1 SUPERVISION OBJECTS Granit Bostad Beritsholm AB Diary number: IMY-2023-15373 Decision after supervision according to Date: data protection regulation - Granit 2024-12-11 Bostad Beritsholm AB's camera surveillance Table of contents 1. The Privacy Protection Authority's decision............................................... ..........................2 2. Statement of the supervisory matter ............................................... .....................................2 2.1 Background................................................... ................................................ ......2 2.2 What emerged in the case............................................. ..........................2 2.3 The extent of IMY's review of the matter............................................. ........3 3. Justification of the decision................................... ................................................ ..4 3.1 Which legislation applies to current camera surveillance?.................................4 3.1.1 The Data Protection Regulation .............................................. ...................4 3.1.2 The Camera Surveillance Act............................................ ...................4 3.2 Is the company responsible for personal data? ................................................ ............4 3.3 Has the camera surveillance had a legal basis in the data protection regulation?..........5 3.3.1 Is there a legitimate interest?............................................ .............5 3.3.2 Is the camera surveillance necessary to achieve what is justified the interest?................................................ ................................................ .5 3.3.3 Does the security interest outweigh the privacy interest the place?................................................ ................................................ ...6 3.4 Has the company fulfilled the requirement for information and its obligation to inform? .9 3.4.1 The requirement for information according to the Camera Surveillance Act......................9 Mailing address: 3.4.2 The obligation to provide information in the data protection regulation..........................9 Box 8114 104 20 Stockholm 3.5 Choice of intervention............................................ ..............................................11 3.5.1 Penalty fee to be imposed ............................................. ...............12 Website: www.imy.se 3.5.2 Size of the penalty fee ......................................... .....................13 E-mail: imy@imy.se 3.5.3 Injunction.......................................... ........................................15 Telephone: 4. How to appeal ........................................... ................................................ .....16 08-657 61 00 The Swedish Privacy Agency Diary number: IMY-2023-15373 2(16) Date: 2024-12-11 1. The Data Protection Authority's decision The Privacy Protection Authority states that Granit Bostad Beritsholm AB (556529–2215) during the period 1 November 2022 up to and including 11 December 2024 has processed personal data in violation of Article 6.1 and Article 13 i 1 the data protection regulation by conducting camera surveillance without a legal basis i the company's property at Limhamnsvägen 22a in Malmö. Granit Bostad Beritsholm AB also does not meet the requirement for information to the registered regarding the camera surveillance. Administrative penalty fee IMY decides with the support of articles 58.2 and 83 of the data protection regulation that Granit Bostad Beritsholm AB must pay an administrative sanction fee of 200,000 (two hundred thousand) kroner for the violations of the articles noted above 6.1 and 13 of the data protection regulation. Order The Privacy Protection Authority orders Granit Bostad Beritsholm AB according to article 58.2 d of the data protection regulation that no later than four weeks after this decision has been made force take steps to ensure that 1. the company ceases the camera surveillance of all places in the property except the garage. 2. the camera surveillance signs contain information about the company's identity and and contact information for the company, in the form of an email address or telephone number. 2. Statement of the supervisory matter 2.1 Background IMY has initiated supervision of Granit Bostad Beritsholm AB (the company) with the aim of investigating a complaint that the company conducts unauthorized camera surveillance in apartment buildings on Limhamnsvägen 22a in Malmö as well as shortcomings in its obligation to provide information. 2.2 What emerged in the case The appellant has essentially stated the following. The appellant lives in the rental property at Limhamnsvägen 22a in Malmö where extensive camera surveillance is carried out. There is cameras at three main entrances, at elevators and at apartment doors on the ground floor as well several cameras in the basement corridor next to the entrance to the storage room, laundry room and sauna. There are also several cameras in the garage, bicycle storage, garbage room, recycling room and indoors at the entrance at the rear of the property. The complainant has contacted the landlord regarding the extent of camera surveillance and the lack of information. There is no physical information on site, or otherwise, such as visitors and tenants can take part in. The complainant believes that there should be information in general about treatment of personal data to the tenants, such as logging the use of tags for 1 regarding the processing of personal data and on the free flow of such data and on the cancellation of aver med directive 95/46/EC (general data protection regulation). The Swedish Privacy Agency Diary number: IMY-2023-15373 3(16) Date: 2024-12-11 entry. The area where the property is located is generally very quiet without further ado problem, therefore the scope of the camera surveillance should be done in a way that minimizes the uptake in relation to the problems. In December 2022, the appellant received response from the landlord that they should review the need for information regarding the camera surveillance. The complainant has not received any concrete information about measures and therefore do not feel safe about personal data, which is collected through camera surveillance, is processed correctly and securely and in accordance with the data protection regulation. The company has essentially stated the following. In connection with the company taking over the property on November 1, 2022, they also took over the operation of the camera surveillance system. It is unknown when the surveillance began, an extensive one system reconstruction took place in 2013. The area has historically had problems with incidents in the form of e.g. bicycle thefts, attempted burglaries, warehouse burglaries, car burglaries, vandalism and graffiti in public areas. Most incidents have been investigated successfully. The company operates camera surveillance at Limhamnsvägen 22a in Malmö and is personal data controller for the processing of personal data. The camera surveillance takes place with 18 cameras that are mounted in the garage, basement, storage room, operation, laundry room and garbage room. The cameras are aimed at the garage, basement entrance to the gym, bicycle storage, central heating, outside office, corridor to laundry room and garage, stairwell A-C, basement on staircase C, storage room and garbage room. The camera surveillance takes place around the clock because incidents and crimes occur at all hours of the day, on weekdays and weekends. Recording takes place when motion is detected with all cameras. None happens real-time monitoring and no audio recording. There have been burglaries and vandalism during varying times of the day, hence the choice of time for the surveillance. Image material saved for 14 days due to the fact that there is only one trustee and the office does not have fixed staffing hours. It can also take time to detect an incident. Three people have access to recorded footage. The purpose of the surveillance is to counter and prevent crime, create a safe living environment, document documentation in the event of incidents and counteract large costs in the event of extensive missorting and nuisance due to vermin. Furthermore, the camera surveillance takes place in deterrent purpose. The cameras are appreciated by the tenants and they have one deterrent function in terms of burglary and attempted fraud. The company has generally received a positive impression from the residents regarding the camera surveillance. The company has received, among other things, a documented balancing of interests, a blueprint which shows where cameras are mounted, screenshots from all cameras, copy of older ones signs and new signs, map image, group structure that the company is part of, a compilation of incidents and police reports taken from the police and a copy on privacy policy. 2.3 The extent of IMY's review of the matter IMY's review of the case is limited to the questions about it personal data processing that the camera surveillance entails, since 1 November 2022, has had a legal basis according to the data protection regulation and if the company has fulfilled the requirement on information according to § 15 of the Camera Surveillance Act (2018:1200) and the obligation to provide information in accordance with Article 13 of the Data Protection Regulation. IMY's review in this supervisory matters do not include whether the company's camera surveillance is carried out in accordance with the others current regulations in the data protection regulation. The Swedish Privacy Agency Diary number: IMY-2023-15373 4(16) Date: 2024-12-11 3. Justification of the decision 3.1 Which legislation applies to current camera surveillance? Camera surveillance typically means that personal data is processed. If and to what extent it is permissible for camera surveillance to be regulated in the data protection regulation and the camera surveillance act. 3.1.1 The Data Protection Regulation According to Article 2.1, the Data Protection Regulation shall be applied to the processing of personal data that is fully or partially processed automatically. Of Article 4.1 i the data protection regulation states that any information relating to an identified or identifiable natural person is a personal data. According to Article 4.2, treatment is intended an action or combination of actions concerning personal data, for example collection, registration, storage, reading and deletion. If a surveillance camera films an identifiable person, or someone else personal data, personal data is processed and the rules in the data protection regulation must be followed. IMY states that the company's surveillance cameras films identifiable persons and that the provisions of the Data Protection Regulation thereby applies to current personal data processing. The personal data controller must identify the legal basis in Article 6 i the data protection regulation before the camera surveillance begins, and is responsible - both towards the registered and in relation to the supervisory authority - because the principles 2 if the processing of personal data in Article 5 of the data protection regulation is complied with. The principle of liability in Article 5.2 of the Data Protection Regulation means that it personal data controller must be able to demonstrate that Article 5.1 has been complied with, which means that the application of the data protection regulation often needs to be documented. 3.1.2 The Camera Surveillance Act The Camera Surveillance Act (2018:1200), is a supplementary law in relation to data protection regulation. It appears from § 3 § 1 of the Camera Surveillance Act that with camera surveillance means a television camera, another optical-electronic instrument or a comparable equipment which, without being operated on site, is used in a in such a way as to involve permanent or regularly repeated personal surveillance. The current camera surveillance is not operated on site and involves a permanent surveillance of residents and other visitors to the property. IMY assesses that also the camera surveillance act is therefore applicable to the surveillance in question. 3.2 Is the company responsible for personal data? According to Article 4.7 of the Data Protection Ordinance, personal data controller means the natural or legal person who, alone or together with others, decides the purposes and means for the processing of personal data. Crucial to the question of who is responsible for personal data is who or who have decided why and how the processing takes place, and exerts an influence on which personal data is collected and processed, how long they are stored and who has access. The assessment of who 2 Prop. 2017/18:105, New Data Protection Act, p. 47 f. Privacy Protection Agency Diary number: IMY-2023-15373 5(16) Date: 2024-12-11 or who is responsible for personal data for certain processing must always be based on them the actual circumstances of the specific case. 3 Granit Bostad Beritsholm AB has stated that the company is responsible for personal data the processing of personal data that takes place through current camera surveillance on Limhamnsvägen 22a in Malmö. IMY believes that this is supported in the investigation and assesses because the company is responsible for personal data for the person in question the processing of personal data in the sense referred to in Article 4.7 i data protection regulation. 3.3 Has the camera surveillance had a legal basis in data protection regulation? In order for the processing of personal data to be legal, there must be support in at least one on the legal grounds stated in Article 6.1 of the Data Protection Regulation. The company has stated that current camera surveillance is supported by the legal basis stated in the article 6.1 f of the data protection regulation, which is the so-called balancing of interests. There is three prerequisites that must all be met for the camera surveillance to work can take place with the support of Article 6.1 f of the data protection regulation: The personal data controllers must be able to demonstrate 1) that there is a legitimate interest, 2) that the current processing of personal data is necessary to achieve that interest, and 3) that the legitimate interest (guarding interest) weighs in a balance heavier than the basic freedoms and rights of the data subjects (privacy interest) on the place. 4 3.3.1 Is there a legitimate interest? In order for the interest that the surveillance intends to protect to be considered justified, it needs it normally has support in relevant national law or in EU law. A condominium association that wants to protect the property, health and life of the condominium owners can be considered to have such a legitimate interest. Protecting property, health and life can constitute a legitimate interest in camera surveillance, provided it is in question of an actual interest and not an interest which is fictitious or speculative at the time for the processing of personal data. This usually means that a crime must have occurred or other incidents which mean that there is a concrete need for surveillance. The company has stated that the purpose of the camera surveillance is to increase security and security for the tenants, prevent and investigate crime and protect the property property. The company has also stated that the monitoring is done as a deterrent. The surveillance makes it more difficult to break into apartments, attics and basements because people are watched on the way out with any stolen goods. It appears from the investigation that since 2019 there have been incidents in the form of i.a. car break-in, theft, vandalism, graffiti, burglary and attempted burglary. IMY assesses that the company has one legitimate interest in conducting camera surveillance to increase security and security for tenants, preventing and investigating crime and protecting property. 3.3.2 Is the camera surveillance necessary to achieve the legitimate interest? That the camera surveillance carried out must be necessary means that it is justified the interest cannot reasonably be protected as effectively in other ways as in smaller 3 EDPB guidelines 07/2020 regarding the concepts of personal data controller and personal data processor in the GDPR, version 2.0, adopted on 7 July 2021, 07/2020, paragraph 25. 4 Dom Rīgas satiksme, C-13/16, EU:C:2017:336, paragraph 28. 5 Dom TK, C-708/18, EU:C:2019:1064, paragraph 42. 6EDPB Guidelines 3/2019 for the processing of personal data through video devices, adopted on 29 January 2020, point 20. The Swedish Privacy Agency Diary number: IMY-2023-15373 6(16) Date: 2024-12-11 extent infringes on the fundamental freedoms and rights of the registered. It should taken into account if the cameras have been used in a way that limits the intrusion into it the personal integrity that the surveillance entails without jeopardizing it for the sake of it the effectiveness of the surveillance, which includes an assessment of whether it is, for example, enough that the camera surveillance is limited to certain places or times. Necessity must be tested together with the principle of data minimization in the article 5.1 c of the data protection regulation, which means that personal data collected must be adequate, relevant and not too extensive in relation to the purposes for which they are treated. From the investigation into the matter, it appears that alternative measures have been taken by restrict access to the property using access systems with tags, upgrade of stronger gate automation, installation of grilles in front of doors and motion detectors for automatic lighting and improvement of lighting. There is lighting at the basement entrance which is turned on when there is movement due to people moving close to tenants balconies during the evening. The measures were taken by previous owners and have not been reduced the incidents to a sufficient extent according to the company. The company states that in the areas where cameras are installed, it has had a deterrent function regarding burglary and attempted fraud. IMY states that previous property owners have taken alternative measures and less privacy-sensitive measures to camera surveillance and that the surveillance according to the company has had a deterrent effect. IMY assesses that even if the company neither has limited the coverage in time or coverage area, e.g. By masking, with the aim of reducing the invasion of privacy, the surveillance can be considered to be necessary to protect the legitimate interests of the company and the residents. 3.3.3 Does the security interest outweigh the privacy interest at the site? That the legitimate interest that the surveillance intends to protect (the surveillance interest) in a balance must weigh more heavily than the basic free and rights (the interest in privacy), means that the personal data controller must evaluate the risks of infringement of the data subject's rights. The decisive criterion is the intensity of the infringement for the data subject's rights and freedoms, which i.a. can is defined based on the information content, the scope, the situation in question and the 8 registered actual interests. Furthermore, the type of personal data processing in question and how this is done concretely. At 9 the balance between the privacy interest and the surveillance interest must also be taken into account were recorded reasonable expectations at the time and in connection with the treatment of 10 its personal data. With regard to the privacy interest, IMY notes the following. All camera surveillance means an intrusion into the individual's privacy. The European Data Protection Board (EDPB) has i guidelines, which are indicative of how the provisions of the data protection regulation should interpreted, stating that data subjects should not reasonably expect to be subject to surveillance in residential areas. IMY believes that camera surveillance in residential environments such as starting point is very sensitive from a privacy point of view. The privacy interest varies however, depending on the specific area of coverage. Regarding the surveillance interest, the company has stated that many people move in the area where the property is located. Partly because it i.a. is there a beach in the vicinity that many people visit. The company refers to information in 7 8 Dom TK, C-708/18, EU:C:2019:1064, paragraphs 46-48 and 50. EDPB guidelines 3/2019, point 32. 9 CJEU judgment in case C-708/18 TK, paragraph 57. 10Recital 47 of the data protection regulation and Dom TK C-708/18 TK, paragraph 58. 11EDPB's guidelines 3/2019, point 37. The Swedish Privacy Agency Diary number: IMY-2023-15373 7(16) Date: 2024-12-11 The Crime Prevention Council's latest edition of Crime statistics, reported crimes 2023. I edition shows that in metropolitan municipalities such as Malmö is reported in large numbers crime due to the high throughput of non-residents in municipality, which explains the high crime rate in the area. The company has received with a compilation of 25 incidents that occurred in the area where the property is located during the period 13 September 2017 and 13 December 2023. The company has also submitted a compilation of incidents and police reports relating to the year 2019 up to and including the year 2024, taken from the police, which occurred in the area where the property is located and the area around the property. The company has further stated that the police are not allowed to hand out reports and events relating to the property. IMY considers that the company has shown that there were crimes and incidents in the area there the property is located. However, it has not been shown that these crimes and incidents have occurred in the property or in the places in the property that are guarded. IMY therefore does not consider that the basis that the company submitted affects IMY's assessment the surveillance interest in the property in question where the company operates camera surveillance. Entrances and stairwells Camera surveillance that takes place inside the entrance or in the stairwell of apartments is seen generally as particularly sensitive to privacy because the residents are monitored when they coming to and leaving their residences. It enables mapping of the residents habits, visits and social circle. It is now a question of camera surveillance around the clock entrances to all stairwells, both stairwells A, B and C, and one more basement entrance the property by a gym. Within the catchment area of stairwell B there is also one guest apartment, which means that several different people can be met by the security, which increases the privacy interest somewhat. The interest in privacy is somewhat weakened by it the fact that the surveillance is partly aimed at protecting the people who become subject of the surveillance. In an overall assessment, IMY considers that the privacy interest in entrances and stairwells weighs heavily. With regard to the surveillance interest, IMY notes the following. The company has left one account of crimes and incidents that occurred during the period 13 May 2019 to and including by 31 December 2023. The documentation shows that a burglar alarm has been triggered in stairwell B and C due to unauthorized access, an alarm about suspected unauthorized access i stairwell B, burglary in stairwell B, alarm about unauthorized access in stairwell B, alarm at scaffolding on the outside of the property, broken windowpanes to the stairwell and a police intervention in an apartment which resulted in damage to the apartment and stairwell. The company has further stated that unauthorized access to the property occurs three to four times a year through emergency exits damaged as a result and that damage in the form of graffiti has occurred in the stairwells. The company has stated that there have been problems in the then owner's property portfolio in Malmö with unauthorized access, i especially drug addicts, which caused insecurity for tenants. IMY notes that there have been incidents and crimes in the property, e.g. problems with unauthorized access in the property, which IMY understands affects the safety of the residents. However, IMY believes that these are incidents that are not of a sufficiently serious nature to the security interest in entrances and stairwells shall be considered to outweigh the privacy interest at the site. In an overall assessment, IMY considers that the security interest in entrances and stairwells is relatively light. In light of the incidents that occurred at the locations, IMY assesses that the surveillance interest at the site weighs relatively lightly. Considering the weighty the privacy interest at the locations, IMY assesses that the company's interest in camera surveillance of entrances and stairwells does not outweigh the residents' interest in that do not be monitored by cameras there. The Swedish Data Protection Agency Diary number: IMY-2023-15373 8(16) Date: 2024-12-11 IMY therefore believes that the camera surveillance of entrances and stairwells cannot be supported a balancing of interests according to Article 6.1 f of the data protection regulation. Neither has it emerged that it would be possible to support the surveillance on someone else legal basis in Article 6.1 of the data protection regulation. The company has thus treated personal data in violation of Article 6.1 of the data protection regulation. Basement, storage, operations, laundry room, garbage room and corridors to the sites Camera surveillance of bicycle storage, garbage rooms, storerooms and the like are not considered the same sensitive to privacy such as camera surveillance in connection with apartments, because they residents do not have to pass through these spaces to get to and from their homes, nor does it stay there for long periods of time. However, IMY notes that the company operates extensive camera surveillance around the clock in the property. The residents because of this cannot escape the camera surveillance, which speaks for a higher risk of breach of privacy. However, the risk of privacy breaches is somewhat reduced in the case of the surveillance of said spaces, especially during later evening and night time, then residents to a lesser extent can be assumed to stay on the sites. The interest in privacy is somewhat weakened by the fact that the surveillance is partly aimed at protecting them persons who have been subject to surveillance. IMY assesses that the privacy interest in basement, storage, operation, laundry room, garbage room and corridors to the sites weigh relatively heavily. With regard to the surveillance interest, IMY notes the following. Of the account of crime and incidents that the company has provided show that there has been an alarm about a suspect unauthorized access to the power station, alarm that the door to the waste room has been broken open and alarm about damaged door to garbage room probably due to attempted burglary. In addition to these incidents has there been vandalism in the form of graffiti on the sites. IMY notes that it it is required that there is an actual interest in monitoring, i.e. it should have occurred actual incidents in the places that are monitored by cameras. IMY believes that the company has shown that it there have been incidents at some locations that are monitored, but not at all locations. The are not mainly about recurring incidents either. IMY assesses all in all, that even if some incidents have occurred, the security interest weighs in places relatively easily. Overall, IMY assesses that the company's interest in camera surveillance of basements, storerooms, operation, laundry room, garbage room and corridors to the places do not weigh more than the occupants interest in not being camera-surveillance there. IMY therefore considers that the camera surveillance of the basement, storeroom, operation, laundry room, garbage room and corridors to the sites cannot be supported on a balance of interests according to Article 6.1 f in the data protection regulation. Nor has it emerged that it would be possible to support the monitoring on any other legal basis in Article 6.1 of the Data Protection Regulation. The company has thus processed personal data in violation of Article 6.1 i the data protection regulation also in this part. Garage IMY also considers here that camera surveillance of garages is less sensitive, because individuals do not need to pass these spaces to get to their homes, and do not rather stays there for longer periods of time. This means that the privacy interest weighs slightly lighter on the spot. With regard to the surveillance interest, IMY states the following. The investigation shows that the garage door was hit on one occasion in 2023, the garage was burglarized in 2019 and in 2023 when cars were robbed of steering wheels and headlights. IMY notes that in the garage contains property susceptible to theft, which differs from other places in the property, Privacy Protection Agency Diary number: IMY-2023-15373 9(16) Date: 2024-12-11 for example, basement and laundry room. It is a different kind of place that guarded and other property that must be protected than in the property in general, which affects the assessment of the security interest, which is considered to weigh more heavily in the garage than in the others places in the property. IMY therefore assesses that the company's interest in camera surveillance of the garage, even if a incident is a number of years back in time, weighs somewhat more than the interest of the residents not to be monitored by cameras there. The company thus has a legal basis according to Article 6.1 f i the data protection regulation regarding the monitoring of the garage. IMY's summary assessment In summary, IMY assesses that the company has a legal basis according to Article 6.1 f i the data protection regulation for the camera surveillance that takes place in the garage. On the contrary the company lacks a legal basis according to Article 6 of the Data Protection Ordinance for its monitoring i other. 3.4 Has the company fulfilled the requirement for information and its obligation to inform? 3.4.1 The requirement for information according to the Camera Surveillance Act Section 15 of the Camera Surveillance Act sets out a requirement to provide information on camera surveillance must be provided through clear signage or on something else effective way. The provision refers to the actual use of camera surveillance equipment and not the processing of personal data that the monitoring entails. The provision contains no requirements regarding what information must be provided and the obligation to provide information may thus be considered fulfilled if the person conducting the surveillance in a clear way provides information that camera surveillance takes place in a certain location. From the investigation into the matter, it appears that there are signs on the entrance doors, at the gate and the door as well as on the facade. The company has submitted a drawing of the basement including garage and a drawing of all stairwells (A, B and C). The drawings show that signs sits at all entrances to the property. IMY assesses that the company has provided information about the surveillance through clear signage and thereby fulfilled the information requirement in Section 15 of the Camera Surveillance Act. 3.4.2 The information obligation in the data protection regulation IMY must also assess whether the company has lived up to its obligations to inform the processing of personal data according to Article 13 of the Data Protection Regulation. Article 13 i the data protection regulation regulates which information must be provided when the personal data is collected from the data subject. In case of camera surveillance is considered 13 personal data is collected from the data subject. 12 Prop. 2017/18:231, New Camera Surveillance Act, p. 87 f. 13 Article 29 working group, Guidelines on transparency according to Regulation (EU) 2016/679, WP260rev.01, point 26 and EDPB's Guidelines 3/2019, point 110. However, see the Court of Appeal in Stockholm's judgment of 26 January 2023 in case no. 1552-22 in which the Court of Appeal judged that it is not Article 13 but Article 14 that should be applicable to camera surveillance. The judgment has been appealed to the Supreme Administrative Court (case no. 870-23) and has thus not gained legal force. With taking into account the position that the EDPB's guidelines have according to the regulation and pending a legally binding decision does IMY base its assessment on the EDPB's guidelines and that it is Article 13 of the Data Protection Regulation that must be applied in the case. In the case, the Supreme Administrative Court (HFD) has requested a preliminary ruling from the EU Court regarding article 13 or 14 is applicable in case of monitoring with a body-worn camera. The Swedish Privacy Agency Diary number: IMY-2023-15373 10(16) Date: 2024-12-11 According to Article 13.1 of the Data Protection Regulation, the personal data controller shall, when the personal data is obtained, provide information to the registrant about e.g. following. • The identity and contact details of the person in charge of personal data. • Contact details for any data protection officer. • The purposes of the processing for which the personal data is intended as well as the legal basis for the processing. • If the legal basis is Article 6.1 f (balancing of interests), which is justified interest the processing aims to safeguard. • The recipients or the categories of recipients who are to take part the personal data, where applicable. According to Article 13.2 of the data protection regulation, the personal data controller shall, at the collection of the personal data, provide information to the registrant about i.a. following. • The period during which the personal data will be stored or the criteria which is used to determine this period. • That there is a right to request access to the personal data controller and correction or deletion of personal data or restriction of processing relating to the data subject or to object to processing. • That the registered person has the right to lodge a complaint with a supervisory authority. From article 13.4 it appears that points 1, 2 and 3 of article 13 shall not be applied if and in insofar as the data subject already has the information. The investigation shows that when the company took possession of the property in 2022, it is on the signage lack of information about i.a. the purpose of the personal data processing (the camera surveillance), the identity of the personal data controller (the company), contact details for the person in charge of personal data (the company), a statement that they monitored can exercise their rights according to the data protection regulation, for how long image material is stored and reference to where to find out more about the processing of personal data. During the course of the inspection, the signs were updated, however, without the company's involvement. On the new signs, information about the personal data controller has been missing identity (the company) and contact details of the person in charge of personal data (the company) at the signs. IMY notes that the company has stated that the signage will clarified with information that the company is responsible for personal data the camera surveillance. The company has stated that information about the processing of personal data that is ongoing at camera surveillance is provided to those registered via the company's website which updated on June 4, 2024 with full information. On August 29, 2024 the website was updated with i.a. additional information about the purpose of the camera surveillance and a clarification that the company is responsible for personal data. Those registered have previously been referred to the company's property manager's website with information about the camera surveillance. That information has been available since on November 1, 2022. The website was redesigned and the information updated November 27, 2023. At that time there was no information about who it was personal data controller is, contact details for the personal data controller, information about the purpose of the camera surveillance, legal basis for the surveillance and the Privacy Protection Agency Diary number: IMY-2023-15373 11(16) Date: 2024-12-11 how long the surveillance material is stored. If the legal basis is Article 6.1 f i the data protection regulation (balancing of interests), it must also be stated which is entitled interest the processing aims to safeguard. Information about this must also appear the recipients or the categories of recipients who will have access to the personal data i occurring cases. There was also missing information that the registered have the right to of the person in charge of personal data (the company) request deletion of personal data or to object to treatment. The property manager has informed orally in connection with showing apartments about the camera surveillance and referred to the company's website for more information. The manager has also informed all new tenants about the camera surveillance and where they can find more information about it. Information about camera surveillance does not have sent out in physical form to the registered and not provided to the registered on other way. IMY assesses that there have been deficiencies in the first and second layers of information, but there is not a total lack of information about the processing of personal data. IMY states that even if the property manager when showing apartments orally has informed that camera surveillance takes place and referred to the company's website for more information, other than the residents are also staying in the guarded spaces, such as guests to the residents, craftsmen, etc. These have thus been referred to the signs about camera surveillance. The signs about camera surveillance have been updated during the inspection time as well as the website with information about the camera surveillance. Although the new ones the signs and website contain more information than before, IMY finds that there are still some deficiencies in the first layer of information. On the camera surveillance signs are missing information about the personal data controller identity (the company) and contact details for the company, in the form of an email address or phone number. According to IMY, this information can be obtained with relatively simple means be added to the existing signs. IMY assesses overall that the information which has been submitted does not meet all requirements according to Article 13.1 and 13.2 i data protection regulation. IMY therefore states that since 1 November 2022 the company has processed personal data in violation of Article 13 of the Data Protection Regulation. 3.5 Choice of intervention In the event of violations of the data protection regulation, IMY has a number of corrective measures powers, including reprimands, injunctions and penalty charges. It follows from article 58.2 a–j of the data protection regulation. IMY shall impose penalty fees in addition to or in lieu of other corrective measures as referred to in Article 58(2) of the Data Protection Regulation, depending on the circumstances i each individual case. If it is a question of a minor violation, the supervisory authority may, under recital 148 of the Data Protection Regulation, issue a reprimand instead of imposing one penalty fee. Consideration must be given to aggravating and mitigating circumstances i the case, such as the nature, severity and duration of the breach and previous violations of relevance. Each supervisory authority must ensure that the imposition of administrative penalty charges in each individual case are effective, proportionate and dissuasive. The stated in Article 83.1 of the Data Protection Regulation. In article 83.2, the factors that must Date: 2024-12-11 taken into account in determining whether an administrative penalty fee should be imposed and at the assessment of the size of the penalty fee. When assessing the amount of the penalty fee, among other things, must be taken into account article 83.2 a (the nature, severity and duration of the violation), c (the measures which the personal data controller has taken) and k (other aggravating or mitigating factor for example direct or indirect financial gain). The EDPB has adopted guidelines on the calculation of administrative penalty fees according to the data protection regulation which aims to create a harmonized method and principles for calculation of penalty fees. 14 According to article 83.5 of the data protection regulation, in the event of violations of articles 6 and 13 of the data protection regulation administrative penalty fees are imposed on up to EUR 20,000,000 or, in the case of companies, of up to 4 percent of the total global the annual turnover during the previous budget year, depending on which value is the highest. When determining the maximum amount of a penalty charge to be imposed on a company shall the definition of the concept of company be used as used by the EU Court of Justice application of Articles 101 and 102 of the TFEU (see recital 150 i data protection regulation). The court's practice shows that this includes every unit that carries out economic activities, regardless of the legal form of the entity and the way of doing so financing as well as even if the unit in the legal sense consists of several physical or 15 legal persons. The rules for group liability in EU competition law revolve around the concept economic unit. A parent company and a subsidiary company are considered part of the same economic entity when the parent company exercises decisive influence over the subsidiary. The decisive influence (ie control) can be achieved either through ownership or by agreement. Jurisprudence shows that one hundred percent or almost 100% ownership implies a presumption for control to be considered to exist. However, the presumption can be rebutted if the company provides sufficient evidence that 16 proof that the subsidiary acts independently on the market. 3.5.1 A penalty fee must be imposed IMY has found that the company has violated Article 6.1 of the data protection regulation by without legal basis to conduct camera surveillance in the company's property on Limhamnsvägen 22a in Malmö during the period 1 November 2022–11 December 2024. The company has further processed personal data in violation of Article 13 of the Data Protection Regulation by not fulfill the requirement for information to the registered regarding the camera surveillance. IMY states that the processing of personal data through camera surveillance of private persons in direct connection with their homes has taken place without a legal basis. Against this one background, IMY assesses that it is not a question of such minor violations as referred to in recital 148 of the data protection regulation. IMY thus finds that a penalty fee cannot be replaced by a reprimand. The European Court of Justice has clarified that it is required that the person in charge of personal data has committed a Violation intentionally or negligently to administrative penalty fees 14EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR (finally adopted on 24 May 2023). 15 ECJ judgment Akzo Nobel, C-516/15, EU:C:2017:314, p. 48. 16 ECJ judgment Akzo Nobel and Others, C-97/08, EU:C:2009:536, p. 59–61. The Swedish Privacy Agency Diary number: IMY-2023-15373 13(16) Date: 2024-12-11 must be enforceable according to the data protection regulation. The European Court of Justice has stated that data controllers may be subject to penalty fees for actions if they cannot are deemed to have been unaware that the conduct constituted a breach, regardless of whether they were aware that they violated the provisions of the data protection regulation. 17 IMY notes that the company, in its capacity as a personal data controller, is responsible for it personal data processing that takes place within the company and for it to take place in accordance with the data protection regulation through the principle of responsibility in article 5.2. IMY has assessed that the company has not complied with the data protection regulation regarding the requirements for legal basis and the information to be provided to data subjects. Against the background of The statement of the European Court of Justice mentioned above and taking into account previous supervisory decisions 18 from IMY and the investigation into the case, it appears that the company cannot be considered to have been unaware that the action could constitute a violation of the data protection regulation. Against this background, IMY believes that the company has been negligent in relation to them violations of the data protection regulation that have been established. There is thus prerequisites for imposing an administrative sanction fee on the company. 3.5.2 Amount of the penalty fee IMY states that Granit Bostad Beritsholm AB according to the latest information available group structure from December 2022 is a wholly owned subsidiary within a group with the parent company Granit Bostad AB (559300–4913). The group includes, in addition to Granit Bostad Beritsholm AB, the following companies. Granit Bostad 1 AB (559304-5825), Granit Bostad Bilen AB (556823-6235), Granit Bostad Bredäng AB (556832-5335), Granit Bostad Forskningen AB (556865-7281), Granit Bostad Sorgenfri AB (556883-2819), Granit Bostad 2 AB (556995-9330), Granit Bostad Annedal AB (556833-4741), Granit Bostad Hjorthagskvarteret AB (556832-5285), Granit Bostad Klippern AB (556833- 4782), Granit Bostad Rosendal AB (556917-7164), Granit Bostad 3 AB (556994-5768), Granit Bostad Bryggvägen AB (556833-4733), Granit Bostad Fyrislundsgatan AB (556879-2716), Granit Bostad Kommendörkaptenen AB (556823-6367), Granit Bostad 4 AB (559318-0846), Granit Bostad Duvan 4 AB (559317-1282), Granit Bostad Duvan AB (556807-4214), Granit Bostad Korpen 4 AB (559317-1274), Granit Bostad Korpen AB (556886-3400), Granit Bostad Lissabon AB (559340-8429), Granit Bostad 5 AB 19 (559381-9708) and Granit Bostad Malmö 5 AB (559395-2350). The parent company's ownership is one hundred percent in the subsidiaries, which in turn own one hundred percent ownership in its subsidiaries. Against the background of what has been reported above, one hundred percent or almost one hundred percent ownership a presumption for control to be considered to exist and that the parent company and the subsidiaries must be taken into account in the calculation. The company has stated that information about the group structure of which the company is a part deviates the following way. Granit Bostad 4 Duvan AB has been merged into Granit Bostad Duvan AB, Granit Bostad 4 Korpen AB has been merged into Granit Bostad Korpen AB and Granit Bostad Malmö 5 AB has been merged into Granit Bostad Beritsholm AB. Two companies have acquired; Granit Bostad Slottstaden AB and Granit Bostad Villandia AB. The company has further stated that the company acquired more properties in 2023, which meant that net sales for 2023 increased to SEK 274,053,000. The company's results had at the same time 17 CJEU judgment Nacionalinis sistemas sistemas centras, C-683/21, EU:C:2023:949, paragraph 81, and judgment Deutsche Wohnen, C-807/21, EU:C:2023:950, p. 76. 18 Supervisory decision DI-2018-14593, BRF Gårdsbjörken, decided on 15 June 2020, supervisory decision DI-2020-4534, Uppsalahem AB, decided on 14 December 2020 and supervisory decision DI-2021-2172, Bergsporten, decided on 18 April 2024 (the two first-mentioned decisions were published at the decision date on the IMY website where they are still available, Bergsporten has appealed to the administrative court and thus has not gained legal force). 19 Group structure, Bisnode Infotorg as of 10 December 2024. Data Protection Authority Diary number: IMY-2023-15373 14(16) Date: 2024-12-11 a strong negative development during the year as a result of rising interest costs and a decrease in value of the property portfolio. The property value decreased by 360,251,000 SEK in 2023, which resulted in a negative net result of minus SEK 318,734,000. With regard to the financial changes that took place during the year, IMY does the following assessment. According to the data protection regulation's provision on calculation of administrative penalty fee, the calculation must be made based on the total global 20 the annual turnover during the previous budget year. The negative net result in 2023 shall therefore not affect the calculation of the penalty fee. IMY thus does not find reason to disregard the provision and the penalty fee must be calculated based on this the total annual turnover. IMY assesses that the annual turnover to be used as a basis for its calculation the administrative sanction fee that Granit Bostad Beritsholm AB can be imposed is all the companies reported above that are part of the group with Granit Bostad AB as parent company. Annual reports for the financial year 2023 for the company show that the total turnover amounts to SEK 274,053,000. 4% of that amount is SEK 10,962,120. Since this amount is lower than EUR 20,000,000 shall the penalty fee is set at an amount between 0 and 20,000,000 EUR. As regards the assessment of the seriousness of the infringements, there is one beginning factors which mean that there are reasons to take the violations more seriously. The personal data processing has intended camera surveillance of residents in direct connection to their homes and visitors to residences. Camera surveillance has been carried out around the clock with a large number of cameras of large parts of the property for a longer period time. The company has guarded entrances and stairwells in the property, which has meant that they residents have been monitored every time they have moved to and from their homes and it has has not been possible to avoid being monitored by cameras. That the people who are met by the monitoring has not received all the information that the company has been obliged to providing has further entailed a risk that the data subject did not become aware of their rights or that they have exercised their rights to a lesser extent than they did have the right to according to the data protection regulation. IMY notes at the same time that the company has shown that there have been some problems with burglary of the garage and has had a legitimate interest as well as taken other measures to come to terms with this, which means that it has not been deliberate violations. IMY also states that the surveillance was limited to the residents and visitors. During the course of the inspection, the company has updated signs camera surveillance and their website with information about camera surveillance and more information than before and have thus attempted to take corrective action to comply the information obligation. In the light of the above circumstances, IMY assesses that, in total, it concerns for violations of a low level of seriousness. The starting point for the calculation of the penalty fee should therefore be set low in relation to the current maximum amount. In addition to assessing the seriousness of the violations, IMY must assess whether they exist any aggravating or mitigating circumstances that become relevant the amount of the penalty fee. IMY assesses that there is no further aggravating factor or 20 Article 83.5 of the data protection regulation. Data protection authority Diary number: IMY-2023-15373 15(16) Date: 2024-12-11 mitigating circumstances, in addition to those taken into account in the assessment of the degree of seriousness above, which affects the amount of the penalty fee. In light of the nature and seriousness of the violations, the IMY decides that it the administrative sanction fee for Granit Bostad Beritsholm AB can stay 200,000 kroner. IMY considers this amount to be effective, proportionate and deterrent in the present case. 3.5.3 Injunction According to Article 58.2 d, the supervisory authority has the authority to issue a personal data controller to ensure that the processing takes place in accordance with the regulations in the data protection regulation and if required in a specific way and within a specific period. Because the surveillance, as far as the investigation shows, is still ongoing, it is urgent that the company ceases the surveillance that is not permitted. It exists therefore reason to, based on Article 58.2 d of the data protection regulation, order the company to cease camera surveillance of all places in the property, with the exception of the garage. According to IMY, it is also important that the company takes measures to ensure that they registrants receive correct and complete information regarding it personal data processing through camera surveillance that takes place. IMY decides with support of article 58.2 d of the data protection regulation that the company must be ordered to, no later than four weeks after this decision takes effect, take steps to ensure that 1. the company ceases the camera surveillance of all places in the property except the garage, 2. there is information about the company's identity on the camera surveillance signs and contact information for the company, in the form of an email address or telephone number. That measures must have been taken no later than four weeks after this decision came into force means that if the decision is not appealed, action must have been taken no later than four weeks after that the appeal period has expired. __________________________ This decision has been made by unit manager Jenny Bård after a presentation by the lawyer Khadija Faras. Jenny Bård Appendices 1. Complainant's personal data 2. Information on payment of penalty fee 3. Information about camera surveillance in multi-apartment buildings The Swedish Privacy Agency Diary number: IMY-2023-15373 16(16) Date: 2024-12-11 4. How to appeal If you want to appeal the decision, you must write to IMY. State in the letter which decision you made appeals and the change you request. The appeal must have been received by IMY no later than three weeks from the day you were informed of the decision. If you are a representing party however, the general appeal must have been received within three weeks from that day the decision was announced. If the appeal has arrived in time, IMY forwards it to The administrative court in Stockholm for examination. You can e-mail the appeal to IMY if it does not contain any privacy-sensitive information personal data or information that may be subject to confidentiality. The authority's contact details appear on the first page of the decision.