IMY (Sweden) - 2023-15373
From GDPRhub
| IMY - 2023-15373 | |
|---|---|
 | |
| Authority: | IMY (Sweden) |
| Jurisdiction: | Sweden |
| Relevant Law: | Article 6(1)(f) GDPR Article 13(1) GDPR Article 13(2) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 12.11.2024 |
| Published: | |
| Fine: | 200,000 SEK |
| Parties: | Granit Bostad Beritsholm |
| National Case Number/Name: | 2023-15373 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Swedish |
| Original Source: | Integritetsskyddsmyndigheten (in SV) |
| Initial Contributor: | elu |
The DPA fined a landlord SEK 200,000 (EUR 17,366) for placings eighteen cameras in the common areas of a residential building and for failing to respond to an information request.
English Summary
Facts
After a complaint by some tenants of apartments in a building, the data subjects, concerning unauthorized camera surveillance in apartment building in Malmo and impairment of data subjects´ right of information, the Swedish DPA started an investigation.
The investigation revealed eighteen cameras in all entrances to the buildings, garage, shared wet rooms, with some pointing towards some apartment doors. The data subjects unsuccessfully requested information about the data processed to the controller, as the information on the controller´s website was not exhaustive.
When the DPA requested the same information, the controller replied that they took over the camera system from the previous owner of the building and that, given that the neighborhood had precedents with bicycle thefts, attempted burglaries, storage break-ins, car break-ins and vandalism, the cameras were installed for safety reasons. It was specified that the recording activated through motion detection and that no real time surveillance or audio recording took place. Moreover, the data was stored for 14 days and only three people had access to the footage.
Holding
The DPA considered two main issues: the legal basis for the presence of the eighteen cameras under Article 6(1)(f) GDPR, and the possible violations of the right of information under Article 13 GDPR.
Violation of Article 6(1)(f) GDPR
First, the DPA considered that interest required was legitimate, as protecting property, health and life falls within the scope of Article 6(1)(f) GDPR. Second, the DPA conceded that alternative and less invasive measures were taken previously and that these measures did not have the same efficacy as camera surveillance. Third, the DPA considered that CCTV surveillance in residential environments is, as a starting point, very sensitive from a privacy point of view.
However, this privacy interest varies on the basis of the specific areas of surveillance. The DPA considered each of the surveilled areas and found:
- in relation to entrances and stairwells: the interest of residents in not being monitored outweighs the controller´s interest when surveilling he entrances and stairwells.
- in relation to basements, bicycles storage rooms, laundry rooms, corridors, garbage rooms and storage rooms: the risk of privacy invasion is reduced in these areas. However, there should have been actual incidents at these sites for an actual interest in camera surveillance. Here, the controller´s interest in camera surveillance of these areas does not outweigh the residents' interest in not being monitored.
- in relation to the garage: camera surveillance in the garage is less sensitive. Moreover, considering that the burglaries took place in the garage with cars being stolen, the company has a legal basis under Article 6(1)(f) GDPR.
Therefore, overall the DPA found that the controller only has a legal basis for the data camera surveillance that ongoing in the garage, and thus, that a violation of Article 6(1)(f) GDPR occurred in relation to the other cameras.
Violation of Article 13 GDPR
The DPA found that the controller failed to respond effectively to the information request as required both under Article 13(1) and (2) GDPR.
In relation to the controller´s argument that data subjects already were in possession of the information about the processing as they were available in the website, the DPA considered that, while at the beginning information on the presence of cameras was provided to the data subjects, the lack of updating of some information (for example: who was the data controller, the contact details) entailed a violation of Article 13 GDPR.
Fine
In light of these considerations, the DPA found a violation of Article 6(1)(f) and 13 GDPR and deemed it appropriate to fine the controller SEK 200,000 (EUR 17,366).
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
1(16)
THE APPELLANT
See Appendix 1
SUPERVISION OBJECTS
Granit Bostad Beritsholm AB
Diary number:
IMY-2023-15373 Decision after supervision according to
Date: data protection regulation - Granit
2024-12-11
Bostad Beritsholm AB's
camera surveillance
Table of contents
1. The Privacy Protection Authority's decision............................................... ..........................2
2. Statement of the supervisory matter ............................................... .....................................2
2.1 Background................................................... ................................................ ......2
2.2 What emerged in the case............................................. ..........................2
2.3 The extent of IMY's review of the matter............................................. ........3
3. Justification of the decision................................... ................................................ ..4
3.1 Which legislation applies to current camera surveillance?.................................4
3.1.1 The Data Protection Regulation .............................................. ...................4
3.1.2 The Camera Surveillance Act............................................ ...................4
3.2 Is the company responsible for personal data? ................................................ ............4
3.3 Has the camera surveillance had a legal basis in the data protection regulation?..........5
3.3.1 Is there a legitimate interest?............................................ .............5
3.3.2 Is the camera surveillance necessary to achieve what is justified
the interest?................................................ ................................................ .5
3.3.3 Does the security interest outweigh the privacy interest
the place?................................................ ................................................ ...6
3.4 Has the company fulfilled the requirement for information and its obligation to inform? .9
3.4.1 The requirement for information according to the Camera Surveillance Act......................9
Mailing address: 3.4.2 The obligation to provide information in the data protection regulation..........................9
Box 8114
104 20 Stockholm 3.5 Choice of intervention............................................ ..............................................11
3.5.1 Penalty fee to be imposed ............................................. ...............12
Website:
www.imy.se 3.5.2 Size of the penalty fee ......................................... .....................13
E-mail:
imy@imy.se 3.5.3 Injunction.......................................... ........................................15
Telephone: 4. How to appeal ........................................... ................................................ .....16
08-657 61 00 The Swedish Privacy Agency Diary number: IMY-2023-15373 2(16)
Date: 2024-12-11
1. The Data Protection Authority's decision
The Privacy Protection Authority states that Granit Bostad Beritsholm AB
(556529–2215) during the period 1 November 2022 up to and including 11 December 2024 has
processed personal data in violation of Article 6.1 and Article 13 i
1
the data protection regulation by conducting camera surveillance without a legal basis i
the company's property at Limhamnsvägen 22a in Malmö. Granit Bostad Beritsholm AB
also does not meet the requirement for information to the registered regarding
the camera surveillance.
Administrative penalty fee
IMY decides with the support of articles 58.2 and 83 of the data protection regulation that Granit
Bostad Beritsholm AB must pay an administrative sanction fee of 200,000
(two hundred thousand) kroner for the violations of the articles noted above
6.1 and 13 of the data protection regulation.
Order
The Privacy Protection Authority orders Granit Bostad Beritsholm AB according to article
58.2 d of the data protection regulation that no later than four weeks after this decision has been made
force take steps to ensure that
1. the company ceases the camera surveillance of all places in the property
except the garage.
2. the camera surveillance signs contain information about the company's identity and
and contact information for the company, in the form of an email address or telephone number.
2. Statement of the supervisory matter
2.1 Background
IMY has initiated supervision of Granit Bostad Beritsholm AB (the company) with the aim of investigating a
complaint that the company conducts unauthorized camera surveillance in apartment buildings on
Limhamnsvägen 22a in Malmö as well as shortcomings in its obligation to provide information.
2.2 What emerged in the case
The appellant has essentially stated the following. The appellant lives in the rental property at
Limhamnsvägen 22a in Malmö where extensive camera surveillance is carried out. There is
cameras at three main entrances, at elevators and at apartment doors on the ground floor as well
several cameras in the basement corridor next to the entrance to the storage room, laundry room and sauna.
There are also several cameras in the garage, bicycle storage, garbage room, recycling room and
indoors at the entrance at the rear of the property. The complainant has contacted the landlord
regarding the extent of camera surveillance and the lack of information. There is
no physical information on site, or otherwise, such as visitors and tenants
can take part in. The complainant believes that there should be information in general about treatment
of personal data to the tenants, such as logging the use of tags for
1
regarding the processing of personal data and on the free flow of such data and on the cancellation of aver med
directive 95/46/EC (general data protection regulation). The Swedish Privacy Agency Diary number: IMY-2023-15373 3(16)
Date: 2024-12-11
entry. The area where the property is located is generally very quiet without further ado
problem, therefore the scope of the camera surveillance should be done in a way that
minimizes the uptake in relation to the problems. In December 2022, the appellant received
response from the landlord that they should review the need for information regarding
the camera surveillance. The complainant has not received any concrete information about measures and
therefore do not feel safe about personal data, which is collected through
camera surveillance, is processed correctly and securely and in accordance with the data protection regulation.
The company has essentially stated the following. In connection with the company taking over
the property on November 1, 2022, they also took over the operation of
the camera surveillance system. It is unknown when the surveillance began, an extensive one
system reconstruction took place in 2013. The area has historically had problems with
incidents in the form of e.g. bicycle thefts, attempted burglaries, warehouse burglaries, car burglaries,
vandalism and graffiti in public areas. Most incidents have been investigated
successfully.
The company operates camera surveillance at Limhamnsvägen 22a in Malmö and is
personal data controller for the processing of personal data. The camera surveillance takes place
with 18 cameras that are mounted in the garage, basement, storage room, operation, laundry room and
garbage room. The cameras are aimed at the garage, basement entrance to the gym, bicycle storage,
central heating, outside office, corridor to laundry room and garage, stairwell A-C, basement
on staircase C, storage room and garbage room. The camera surveillance takes place around the clock because
incidents and crimes occur at all hours of the day, on weekdays and weekends.
Recording takes place when motion is detected with all cameras. None happens
real-time monitoring and no audio recording. There have been burglaries and vandalism
during varying times of the day, hence the choice of time for the surveillance. Image material
saved for 14 days due to the fact that there is only one trustee and the office does not have
fixed staffing hours. It can also take time to detect an incident. Three people have
access to recorded footage.
The purpose of the surveillance is to counter and prevent crime, create a safe living environment,
document documentation in the event of incidents and counteract large costs in the event of extensive
missorting and nuisance due to vermin. Furthermore, the camera surveillance takes place in
deterrent purpose. The cameras are appreciated by the tenants and they have one
deterrent function in terms of burglary and attempted fraud. The company has generally received
a positive impression from the residents regarding the camera surveillance.
The company has received, among other things, a documented balancing of interests, a blueprint which
shows where cameras are mounted, screenshots from all cameras, copy of older ones
signs and new signs, map image, group structure that the company is part of, a
compilation of incidents and police reports taken from the police and a copy
on privacy policy.
2.3 The extent of IMY's review of the matter
IMY's review of the case is limited to the questions about it
personal data processing that the camera surveillance entails, since 1 November 2022,
has had a legal basis according to the data protection regulation and if the company has fulfilled the requirement
on information according to § 15 of the Camera Surveillance Act (2018:1200) and the obligation to
provide information in accordance with Article 13 of the Data Protection Regulation. IMY's review in this
supervisory matters do not include whether the company's camera surveillance is carried out in accordance with the others
current regulations in the data protection regulation. The Swedish Privacy Agency Diary number: IMY-2023-15373 4(16)
Date: 2024-12-11
3. Justification of the decision
3.1 Which legislation applies to current camera surveillance?
Camera surveillance typically means that personal data is processed. If
and to what extent it is permissible for camera surveillance to be regulated in
the data protection regulation and the camera surveillance act.
3.1.1 The Data Protection Regulation
According to Article 2.1, the Data Protection Regulation shall be applied to the processing of
personal data that is fully or partially processed automatically. Of Article 4.1 i
the data protection regulation states that any information relating to an identified or
identifiable natural person is a personal data. According to Article 4.2, treatment is intended
an action or combination of actions concerning personal data, for example
collection, registration, storage, reading and deletion.
If a surveillance camera films an identifiable person, or someone else
personal data, personal data is processed and the rules in
the data protection regulation must be followed. IMY states that the company's surveillance cameras
films identifiable persons and that the provisions of the Data Protection Regulation thereby
applies to current personal data processing.
The personal data controller must identify the legal basis in Article 6 i
the data protection regulation before the camera surveillance begins, and is responsible - both
towards the registered and in relation to the supervisory authority - because the principles
2
if the processing of personal data in Article 5 of the data protection regulation is complied with.
The principle of liability in Article 5.2 of the Data Protection Regulation means that it
personal data controller must be able to demonstrate that Article 5.1 has been complied with, which means that
the application of the data protection regulation often needs to be documented.
3.1.2 The Camera Surveillance Act
The Camera Surveillance Act (2018:1200), is a supplementary law in relation to
data protection regulation. It appears from § 3 § 1 of the Camera Surveillance Act that with
camera surveillance means a television camera, another optical-electronic instrument or a
comparable equipment which, without being operated on site, is used in a
in such a way as to involve permanent or regularly repeated personal surveillance.
The current camera surveillance is not operated on site and involves a permanent
surveillance of residents and other visitors to the property. IMY assesses that also
the camera surveillance act is therefore applicable to the surveillance in question.
3.2 Is the company responsible for personal data?
According to Article 4.7 of the Data Protection Ordinance, personal data controller means the
natural or legal person who, alone or together with others, decides
the purposes and means for the processing of personal data. Crucial to the question of
who is responsible for personal data is who or who have decided why and how
the processing takes place, and exerts an influence on which personal data is collected
and processed, how long they are stored and who has access. The assessment of who
2 Prop. 2017/18:105, New Data Protection Act, p. 47 f. Privacy Protection Agency Diary number: IMY-2023-15373 5(16)
Date: 2024-12-11
or who is responsible for personal data for certain processing must always be based on them
the actual circumstances of the specific case. 3
Granit Bostad Beritsholm AB has stated that the company is responsible for personal data
the processing of personal data that takes place through current camera surveillance on
Limhamnsvägen 22a in Malmö. IMY believes that this is supported in the investigation and assesses
because the company is responsible for personal data for the person in question
the processing of personal data in the sense referred to in Article 4.7 i
data protection regulation.
3.3 Has the camera surveillance had a legal basis in
data protection regulation?
In order for the processing of personal data to be legal, there must be support in at least one
on the legal grounds stated in Article 6.1 of the Data Protection Regulation. The company has
stated that current camera surveillance is supported by the legal basis stated in the article
6.1 f of the data protection regulation, which is the so-called balancing of interests. There is
three prerequisites that must all be met for the camera surveillance to work
can take place with the support of Article 6.1 f of the data protection regulation: The
personal data controllers must be able to demonstrate 1) that there is a legitimate interest, 2) that
the current processing of personal data is necessary to achieve that interest,
and 3) that the legitimate interest (guarding interest) weighs in a balance
heavier than the basic freedoms and rights of the data subjects (privacy interest) on
the place. 4
3.3.1 Is there a legitimate interest?
In order for the interest that the surveillance intends to protect to be considered justified, it needs
it normally has support in relevant national law or in EU law. A
condominium association that wants to protect the property, health and life of the condominium owners
can be considered to have such a legitimate interest. Protecting property, health and life can
constitute a legitimate interest in camera surveillance, provided it is in question
of an actual interest and not an interest which is fictitious or speculative at the time
for the processing of personal data. This usually means that a crime must have occurred
or other incidents which mean that there is a concrete need for surveillance.
The company has stated that the purpose of the camera surveillance is to increase security and
security for the tenants, prevent and investigate crime and protect the property
property. The company has also stated that the monitoring is done as a deterrent.
The surveillance makes it more difficult to break into apartments, attics and basements because
people are watched on the way out with any stolen goods. It appears from the investigation
that since 2019 there have been incidents in the form of i.a. car break-in, theft,
vandalism, graffiti, burglary and attempted burglary. IMY assesses that the company has one
legitimate interest in conducting camera surveillance to increase security and
security for tenants, preventing and investigating crime and protecting property.
3.3.2 Is the camera surveillance necessary to achieve the legitimate interest?
That the camera surveillance carried out must be necessary means that it is justified
the interest cannot reasonably be protected as effectively in other ways as in smaller
3
EDPB guidelines 07/2020 regarding the concepts of personal data controller and personal data processor in the GDPR, version
2.0, adopted on 7 July 2021, 07/2020, paragraph 25.
4 Dom Rīgas satiksme, C-13/16, EU:C:2017:336, paragraph 28.
5 Dom TK, C-708/18, EU:C:2019:1064, paragraph 42.
6EDPB Guidelines 3/2019 for the processing of personal data through video devices, adopted on 29 January 2020, point
20. The Swedish Privacy Agency Diary number: IMY-2023-15373 6(16)
Date: 2024-12-11
extent infringes on the fundamental freedoms and rights of the registered. It should
taken into account if the cameras have been used in a way that limits the intrusion into it
the personal integrity that the surveillance entails without jeopardizing it for the sake of it
the effectiveness of the surveillance, which includes an assessment of whether it is, for example,
enough that the camera surveillance is limited to certain places or times.
Necessity must be tested together with the principle of data minimization in the article
5.1 c of the data protection regulation, which means that personal data collected must
be adequate, relevant and not too extensive in relation to the purposes for which
they are treated.
From the investigation into the matter, it appears that alternative measures have been taken by
restrict access to the property using access systems with tags, upgrade
of stronger gate automation, installation of grilles in front of doors and motion detectors for
automatic lighting and improvement of lighting. There is lighting at the basement entrance
which is turned on when there is movement due to people moving close to tenants
balconies during the evening. The measures were taken by previous owners and have not been reduced
the incidents to a sufficient extent according to the company. The company states that in the areas where
cameras are installed, it has had a deterrent function regarding burglary and
attempted fraud. IMY states that previous property owners have taken alternative measures
and less privacy-sensitive measures to camera surveillance and that the surveillance
according to the company has had a deterrent effect. IMY assesses that even if the company
neither has limited the coverage in time or coverage area, e.g. By
masking, with the aim of reducing the invasion of privacy, the surveillance can be considered to be
necessary to protect the legitimate interests of the company and the residents.
3.3.3 Does the security interest outweigh the privacy interest at the site?
That the legitimate interest that the surveillance intends to protect (the surveillance interest)
in a balance must weigh more heavily than the basic free and
rights (the interest in privacy), means that the personal data controller must
evaluate the risks of infringement of the data subject's rights. The decisive criterion is
the intensity of the infringement for the data subject's rights and freedoms, which i.a. can
is defined based on the information content, the scope, the situation in question and the
8
registered actual interests. Furthermore, the type of
personal data processing in question and how this is done concretely. At 9
the balance between the privacy interest and the surveillance interest must also be taken into account
were recorded reasonable expectations at the time and in connection with the treatment of
10
its personal data.
With regard to the privacy interest, IMY notes the following. All camera surveillance means
an intrusion into the individual's privacy. The European Data Protection Board (EDPB) has i
guidelines, which are indicative of how the provisions of the data protection regulation should
interpreted, stating that data subjects should not reasonably expect to be subject to surveillance
in residential areas. IMY believes that camera surveillance in residential environments such as
starting point is very sensitive from a privacy point of view. The privacy interest varies
however, depending on the specific area of coverage.
Regarding the surveillance interest, the company has stated that many people move in
the area where the property is located. Partly because it i.a. is there a beach in
the vicinity that many people visit. The company refers to information in
7
8 Dom TK, C-708/18, EU:C:2019:1064, paragraphs 46-48 and 50.
EDPB guidelines 3/2019, point 32.
9 CJEU judgment in case C-708/18 TK, paragraph 57.
10Recital 47 of the data protection regulation and Dom TK C-708/18 TK, paragraph 58.
11EDPB's guidelines 3/2019, point 37. The Swedish Privacy Agency Diary number: IMY-2023-15373 7(16)
Date: 2024-12-11
The Crime Prevention Council's latest edition of Crime statistics, reported crimes 2023. I
edition shows that in metropolitan municipalities such as Malmö is reported in large numbers
crime due to the high throughput of non-residents in
municipality, which explains the high crime rate in the area. The company has received
with a compilation of 25 incidents that occurred in the area where the property is
located during the period 13 September 2017 and 13 December 2023. The company has
also submitted a compilation of incidents and police reports
relating to the year 2019 up to and including the year 2024, taken from the police, which occurred in the area where
the property is located and the area around the property. The company has further stated that
the police are not allowed to hand out reports and events relating to the property. IMY
considers that the company has shown that there were crimes and incidents in the area there
the property is located. However, it has not been shown that these crimes and incidents have occurred
in the property or in the places in the property that are guarded. IMY therefore does not consider that
the basis that the company submitted affects IMY's assessment
the surveillance interest in the property in question where the company operates camera surveillance.
Entrances and stairwells
Camera surveillance that takes place inside the entrance or in the stairwell of apartments is seen
generally as particularly sensitive to privacy because the residents are monitored when they
coming to and leaving their residences. It enables mapping of the residents
habits, visits and social circle. It is now a question of camera surveillance around the clock
entrances to all stairwells, both stairwells A, B and C, and one more basement entrance
the property by a gym. Within the catchment area of stairwell B there is also one
guest apartment, which means that several different people can be met by the security, which
increases the privacy interest somewhat. The interest in privacy is somewhat weakened by it
the fact that the surveillance is partly aimed at protecting the people who become
subject of the surveillance. In an overall assessment, IMY considers that
the privacy interest in entrances and stairwells weighs heavily.
With regard to the surveillance interest, IMY notes the following. The company has left one
account of crimes and incidents that occurred during the period 13 May 2019 to and including
by 31 December 2023. The documentation shows that a burglar alarm has been triggered in stairwell B
and C due to unauthorized access, an alarm about suspected unauthorized access i
stairwell B, burglary in stairwell B, alarm about unauthorized access in stairwell B, alarm at
scaffolding on the outside of the property, broken windowpanes to the stairwell and a
police intervention in an apartment which resulted in damage to the apartment and stairwell. The company
has further stated that unauthorized access to the property occurs three to four times a year
through emergency exits damaged as a result and that damage in the form of
graffiti has occurred in the stairwells. The company has stated that there have been problems
in the then owner's property portfolio in Malmö with unauthorized access, i
especially drug addicts, which caused insecurity for tenants. IMY notes that
there have been incidents and crimes in the property, e.g. problems with unauthorized access
in the property, which IMY understands affects the safety of the residents. However, IMY believes that
these are incidents that are not of a sufficiently serious nature to
the security interest in entrances and stairwells shall be considered to outweigh
the privacy interest at the site. In an overall assessment, IMY considers that
the security interest in entrances and stairwells is relatively light.
In light of the incidents that occurred at the locations, IMY assesses that
the surveillance interest at the site weighs relatively lightly. Considering the weighty
the privacy interest at the locations, IMY assesses that the company's interest in
camera surveillance of entrances and stairwells does not outweigh the residents' interest in that
do not be monitored by cameras there. The Swedish Data Protection Agency Diary number: IMY-2023-15373 8(16)
Date: 2024-12-11
IMY therefore believes that the camera surveillance of entrances and stairwells cannot be supported
a balancing of interests according to Article 6.1 f of the data protection regulation. Neither has it
emerged that it would be possible to support the surveillance on someone else legal
basis in Article 6.1 of the data protection regulation. The company has thus treated
personal data in violation of Article 6.1 of the data protection regulation.
Basement, storage, operations, laundry room, garbage room and corridors to the sites
Camera surveillance of bicycle storage, garbage rooms, storerooms and the like are not considered the same
sensitive to privacy such as camera surveillance in connection with apartments, because they
residents do not have to pass through these spaces to get to and from their homes,
nor does it stay there for long periods of time. However, IMY notes that
the company operates extensive camera surveillance around the clock in the property. The residents
because of this cannot escape the camera surveillance, which speaks for a higher risk of
breach of privacy. However, the risk of privacy breaches is somewhat reduced in the case of
the surveillance of said spaces, especially during later evening and night time, then
residents to a lesser extent can be assumed to stay on the sites. The interest in privacy
is somewhat weakened by the fact that the surveillance is partly aimed at protecting them
persons who have been subject to surveillance. IMY assesses that the privacy interest in
basement, storage, operation, laundry room, garbage room and corridors to the sites weigh relatively heavily.
With regard to the surveillance interest, IMY notes the following. Of the account of crime and
incidents that the company has provided show that there has been an alarm about a suspect
unauthorized access to the power station, alarm that the door to the waste room has been broken open and alarm about
damaged door to garbage room probably due to attempted burglary. In addition to these incidents
has there been vandalism in the form of graffiti on the sites. IMY notes that it
it is required that there is an actual interest in monitoring, i.e. it should have occurred actual
incidents in the places that are monitored by cameras. IMY believes that the company has shown that it
there have been incidents at some locations that are monitored, but not at all locations. The
are not mainly about recurring incidents either. IMY assesses
all in all, that even if some incidents have occurred, the security interest weighs in
places relatively easily.
Overall, IMY assesses that the company's interest in camera surveillance of basements, storerooms,
operation, laundry room, garbage room and corridors to the places do not weigh more than the occupants
interest in not being camera-surveillance there.
IMY therefore considers that the camera surveillance of the basement, storeroom, operation, laundry room, garbage room
and corridors to the sites cannot be supported on a balance of interests according to Article 6.1 f
in the data protection regulation. Nor has it emerged that it would be possible to
support the monitoring on any other legal basis in Article 6.1 of the Data Protection Regulation.
The company has thus processed personal data in violation of Article 6.1 i
the data protection regulation also in this part.
Garage
IMY also considers here that camera surveillance of garages is less sensitive, because
individuals do not need to pass these spaces to get to their homes, and do not
rather stays there for longer periods of time. This means that the privacy interest
weighs slightly lighter on the spot.
With regard to the surveillance interest, IMY states the following. The investigation shows that
the garage door was hit on one occasion in 2023, the garage was burglarized in 2019 and
in 2023 when cars were robbed of steering wheels and headlights. IMY notes that in
the garage contains property susceptible to theft, which differs from other places in the property, Privacy Protection Agency Diary number: IMY-2023-15373 9(16)
Date: 2024-12-11
for example, basement and laundry room. It is a different kind of place that
guarded and other property that must be protected than in the property in general, which affects
the assessment of the security interest, which is considered to weigh more heavily in the garage than in the others
places in the property.
IMY therefore assesses that the company's interest in camera surveillance of the garage, even if a
incident is a number of years back in time, weighs somewhat more than the interest of the residents
not to be monitored by cameras there. The company thus has a legal basis according to Article 6.1 f i
the data protection regulation regarding the monitoring of the garage.
IMY's summary assessment
In summary, IMY assesses that the company has a legal basis according to Article 6.1 f i
the data protection regulation for the camera surveillance that takes place in the garage. On the contrary
the company lacks a legal basis according to Article 6 of the Data Protection Ordinance for its monitoring i
other.
3.4 Has the company fulfilled the requirement for information and its obligation
to inform?
3.4.1 The requirement for information according to the Camera Surveillance Act
Section 15 of the Camera Surveillance Act sets out a requirement to provide information on
camera surveillance must be provided through clear signage or on something else effective
way. The provision refers to the actual use of camera surveillance equipment and
not the processing of personal data that the monitoring entails. The provision
contains no requirements regarding what information must be provided and
the obligation to provide information may thus be considered fulfilled if the person conducting the surveillance
in a clear way provides information that camera surveillance takes place in a certain location.
From the investigation into the matter, it appears that there are signs on the entrance doors, at the gate and the door
as well as on the facade. The company has submitted a drawing of the basement including garage
and a drawing of all stairwells (A, B and C). The drawings show that signs
sits at all entrances to the property.
IMY assesses that the company has provided information about the surveillance through clear
signage and thereby fulfilled the information requirement in Section 15 of the Camera Surveillance Act.
3.4.2 The information obligation in the data protection regulation
IMY must also assess whether the company has lived up to its obligations to inform
the processing of personal data according to Article 13 of the Data Protection Regulation. Article 13 i
the data protection regulation regulates which information must be provided when
the personal data is collected from the data subject. In case of camera surveillance is considered
13
personal data is collected from the data subject.
12 Prop. 2017/18:231, New Camera Surveillance Act, p. 87 f.
13 Article 29 working group, Guidelines on transparency according to Regulation (EU) 2016/679, WP260rev.01, point 26 and
EDPB's Guidelines 3/2019, point 110. However, see the Court of Appeal in Stockholm's judgment of 26 January 2023 in case no. 1552-22 in
which the Court of Appeal judged that it is not Article 13 but Article 14 that should be applicable to camera surveillance.
The judgment has been appealed to the Supreme Administrative Court (case no. 870-23) and has thus not gained legal force. With
taking into account the position that the EDPB's guidelines have according to the regulation and pending a legally binding decision
does IMY base its assessment on the EDPB's guidelines and that it is Article 13 of the Data Protection Regulation that must be applied in
the case. In the case, the Supreme Administrative Court (HFD) has requested a preliminary ruling from the EU Court regarding
article 13 or 14 is applicable in case of monitoring with a body-worn camera. The Swedish Privacy Agency Diary number: IMY-2023-15373 10(16)
Date: 2024-12-11
According to Article 13.1 of the Data Protection Regulation, the personal data controller shall, when
the personal data is obtained, provide information to the registrant about e.g. following.
• The identity and contact details of the person in charge of personal data.
• Contact details for any data protection officer.
• The purposes of the processing for which the personal data is intended as well as
the legal basis for the processing.
• If the legal basis is Article 6.1 f (balancing of interests), which is justified
interest the processing aims to safeguard.
• The recipients or the categories of recipients who are to take part
the personal data, where applicable.
According to Article 13.2 of the data protection regulation, the personal data controller shall, at
the collection of the personal data, provide information to the registrant about i.a.
following.
• The period during which the personal data will be stored or the criteria
which is used to determine this period.
• That there is a right to request access to the personal data controller
and correction or deletion of personal data or restriction of processing
relating to the data subject or to object to processing.
• That the registered person has the right to lodge a complaint with a supervisory authority.
From article 13.4 it appears that points 1, 2 and 3 of article 13 shall not be applied if and in
insofar as the data subject already has the information.
The investigation shows that when the company took possession of the property in 2022, it is on the signage
lack of information about i.a. the purpose of the personal data processing
(the camera surveillance), the identity of the personal data controller (the company),
contact details for the person in charge of personal data (the company), a statement that they
monitored can exercise their rights according to the data protection regulation, for how long
image material is stored and reference to where to find out more about
the processing of personal data.
During the course of the inspection, the signs were updated, however, without the company's involvement.
On the new signs, information about the personal data controller has been missing
identity (the company) and contact details of the person in charge of personal data (the company) at
the signs. IMY notes that the company has stated that the signage will
clarified with information that the company is responsible for personal data
the camera surveillance.
The company has stated that information about the processing of personal data that is ongoing at
camera surveillance is provided to those registered via the company's website which
updated on June 4, 2024 with full information. On August 29, 2024
the website was updated with i.a. additional information about the purpose of
the camera surveillance and a clarification that the company is responsible for personal data.
Those registered have previously been referred to the company's property manager's website with
information about the camera surveillance. That information has been available since
on November 1, 2022. The website was redesigned and the information updated
November 27, 2023. At that time there was no information about who it was
personal data controller is, contact details for the personal data controller,
information about the purpose of the camera surveillance, legal basis for the surveillance and the Privacy Protection Agency Diary number: IMY-2023-15373 11(16)
Date: 2024-12-11
how long the surveillance material is stored. If the legal basis is Article 6.1 f i
the data protection regulation (balancing of interests), it must also be stated which is entitled
interest the processing aims to safeguard. Information about this must also appear
the recipients or the categories of recipients who will have access to the personal data i
occurring cases. There was also missing information that the registered have the right to
of the person in charge of personal data (the company) request deletion of personal data or to
object to treatment.
The property manager has informed orally in connection with showing apartments
about the camera surveillance and referred to the company's website for more information.
The manager has also informed all new tenants about the camera surveillance
and where they can find more information about it. Information about camera surveillance does not have
sent out in physical form to the registered and not provided to the registered on
other way.
IMY assesses that there have been deficiencies in the first and second layers of information,
but there is not a total lack of information about the processing of personal data. IMY
states that even if the property manager when showing apartments orally has
informed that camera surveillance takes place and referred to the company's website for more
information, other than the residents are also staying in the guarded spaces, such as guests
to the residents, craftsmen, etc. These have thus been referred to the signs about
camera surveillance. The signs about camera surveillance have been updated during the inspection
time as well as the website with information about the camera surveillance. Although the new ones
the signs and website contain more information than before, IMY finds that
there are still some deficiencies in the first layer of information. On
the camera surveillance signs are missing information about the personal data controller
identity (the company) and contact details for the company, in the form of an email address or
phone number. According to IMY, this information can be obtained with relatively simple means
be added to the existing signs. IMY assesses overall that the information
which has been submitted does not meet all requirements according to Article 13.1 and 13.2 i
data protection regulation.
IMY therefore states that since 1 November 2022 the company has processed
personal data in violation of Article 13 of the Data Protection Regulation.
3.5 Choice of intervention
In the event of violations of the data protection regulation, IMY has a number of corrective measures
powers, including reprimands, injunctions and penalty charges. It follows from
article 58.2 a–j of the data protection regulation.
IMY shall impose penalty fees in addition to or in lieu of other corrective measures
as referred to in Article 58(2) of the Data Protection Regulation, depending on the circumstances i
each individual case. If it is a question of a minor violation, the supervisory authority may,
under recital 148 of the Data Protection Regulation, issue a reprimand instead of imposing one
penalty fee. Consideration must be given to aggravating and mitigating circumstances i
the case, such as the nature, severity and duration of the breach and previous
violations of relevance.
Each supervisory authority must ensure that the imposition of administrative
penalty charges in each individual case are effective, proportionate and dissuasive. The
stated in Article 83.1 of the Data Protection Regulation. In article 83.2, the factors that must
Date: 2024-12-11
taken into account in determining whether an administrative penalty fee should be imposed and at
the assessment of the size of the penalty fee.
When assessing the amount of the penalty fee, among other things, must be taken into account
article 83.2 a (the nature, severity and duration of the violation), c (the measures
which the personal data controller has taken) and k (other aggravating or
mitigating factor for example direct or indirect financial gain).
The EDPB has adopted guidelines on the calculation of administrative penalty fees according to
the data protection regulation which aims to create a harmonized method and principles
for calculation of penalty fees. 14
According to article 83.5 of the data protection regulation, in the event of violations of articles 6 and
13 of the data protection regulation administrative penalty fees are imposed on up to
EUR 20,000,000 or, in the case of companies, of up to 4 percent of the total global
the annual turnover during the previous budget year, depending on which value is the highest.
When determining the maximum amount of a penalty charge to be imposed on a company
shall the definition of the concept of company be used as used by the EU Court of Justice
application of Articles 101 and 102 of the TFEU (see recital 150 i
data protection regulation). The court's practice shows that this includes every unit
that carries out economic activities, regardless of the legal form of the entity and the way of doing so
financing as well as even if the unit in the legal sense consists of several physical or
15
legal persons.
The rules for group liability in EU competition law revolve around the concept
economic unit. A parent company and a subsidiary company are considered part of the same
economic entity when the parent company exercises decisive influence over
the subsidiary. The decisive influence (ie control) can be achieved either through
ownership or by agreement. Jurisprudence shows that one hundred percent or almost
100% ownership implies a presumption for control to be considered to exist.
However, the presumption can be rebutted if the company provides sufficient evidence that
16
proof that the subsidiary acts independently on the market.
3.5.1 A penalty fee must be imposed
IMY has found that the company has violated Article 6.1 of the data protection regulation by
without legal basis to conduct camera surveillance in the company's property on Limhamnsvägen
22a in Malmö during the period 1 November 2022–11 December 2024. The company has further
processed personal data in violation of Article 13 of the Data Protection Regulation by
not fulfill the requirement for information to the registered regarding the camera surveillance.
IMY states that the processing of personal data through camera surveillance of
private persons in direct connection with their homes has taken place without a legal basis. Against this one
background, IMY assesses that it is not a question of such minor violations as
referred to in recital 148 of the data protection regulation. IMY thus finds that a penalty fee
cannot be replaced by a reprimand.
The European Court of Justice has clarified that it is required that the person in charge of personal data has committed a
Violation intentionally or negligently to administrative penalty fees
14EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR (finally adopted on 24 May
2023).
15 ECJ judgment Akzo Nobel, C-516/15, EU:C:2017:314, p. 48.
16 ECJ judgment Akzo Nobel and Others, C-97/08, EU:C:2009:536, p. 59–61. The Swedish Privacy Agency Diary number: IMY-2023-15373 13(16)
Date: 2024-12-11
must be enforceable according to the data protection regulation. The European Court of Justice has stated that
data controllers may be subject to penalty fees for actions if they cannot
are deemed to have been unaware that the conduct constituted a breach, regardless of whether they
were aware that they violated the provisions of the data protection regulation. 17
IMY notes that the company, in its capacity as a personal data controller, is responsible for it
personal data processing that takes place within the company and for it to take place in accordance with
the data protection regulation through the principle of responsibility in article 5.2. IMY has
assessed that the company has not complied with the data protection regulation regarding the requirements for
legal basis and the information to be provided to data subjects. Against the background of
The statement of the European Court of Justice mentioned above and taking into account previous supervisory decisions
18
from IMY and the investigation into the case, it appears that the company cannot be considered to have been
unaware that the action could constitute a violation of the data protection regulation.
Against this background, IMY believes that the company has been negligent in relation to them
violations of the data protection regulation that have been established. There is thus
prerequisites for imposing an administrative sanction fee on the company.
3.5.2 Amount of the penalty fee
IMY states that Granit Bostad Beritsholm AB according to the latest information available
group structure from December 2022 is a wholly owned subsidiary within a group
with the parent company Granit Bostad AB (559300–4913). The group includes, in addition to Granit
Bostad Beritsholm AB, the following companies. Granit Bostad 1 AB (559304-5825), Granit
Bostad Bilen AB (556823-6235), Granit Bostad Bredäng AB (556832-5335), Granit
Bostad Forskningen AB (556865-7281), Granit Bostad Sorgenfri AB (556883-2819),
Granit Bostad 2 AB (556995-9330), Granit Bostad Annedal AB (556833-4741), Granit
Bostad Hjorthagskvarteret AB (556832-5285), Granit Bostad Klippern AB (556833-
4782), Granit Bostad Rosendal AB (556917-7164), Granit Bostad 3 AB (556994-5768),
Granit Bostad Bryggvägen AB (556833-4733), Granit Bostad Fyrislundsgatan AB
(556879-2716), Granit Bostad Kommendörkaptenen AB (556823-6367), Granit Bostad
4 AB (559318-0846), Granit Bostad Duvan 4 AB (559317-1282), Granit Bostad Duvan
AB (556807-4214), Granit Bostad Korpen 4 AB (559317-1274), Granit Bostad Korpen
AB (556886-3400), Granit Bostad Lissabon AB (559340-8429), Granit Bostad 5 AB
19
(559381-9708) and Granit Bostad Malmö 5 AB (559395-2350). The parent company's
ownership is one hundred percent in the subsidiaries, which in turn own one hundred percent
ownership in its subsidiaries.
Against the background of what has been reported above, one hundred percent or almost
one hundred percent ownership a presumption for control to be considered to exist and that
the parent company and the subsidiaries must be taken into account in the calculation.
The company has stated that information about the group structure of which the company is a part deviates
the following way. Granit Bostad 4 Duvan AB has been merged into Granit Bostad Duvan AB,
Granit Bostad 4 Korpen AB has been merged into Granit Bostad Korpen AB and Granit
Bostad Malmö 5 AB has been merged into Granit Bostad Beritsholm AB. Two companies have
acquired; Granit Bostad Slottstaden AB and Granit Bostad Villandia AB. The company has
further stated that the company acquired more properties in 2023, which meant that
net sales for 2023 increased to SEK 274,053,000. The company's results had at the same time
17 CJEU judgment Nacionalinis sistemas sistemas centras, C-683/21, EU:C:2023:949, paragraph 81, and judgment
Deutsche Wohnen, C-807/21, EU:C:2023:950, p. 76.
18 Supervisory decision DI-2018-14593, BRF Gårdsbjörken, decided on 15 June 2020, supervisory decision DI-2020-4534,
Uppsalahem AB, decided on 14 December 2020 and supervisory decision DI-2021-2172, Bergsporten, decided on 18 April
2024 (the two first-mentioned decisions were published at the decision date on the IMY website where they are still available,
Bergsporten has appealed to the administrative court and thus has not gained legal force).
19 Group structure, Bisnode Infotorg as of 10 December 2024. Data Protection Authority Diary number: IMY-2023-15373 14(16)
Date: 2024-12-11
a strong negative development during the year as a result of rising interest costs and a
decrease in value of the property portfolio. The property value decreased by 360,251,000
SEK in 2023, which resulted in a negative net result of minus SEK 318,734,000.
With regard to the financial changes that took place during the year, IMY does the following
assessment. According to the data protection regulation's provision on calculation of
administrative penalty fee, the calculation must be made based on the total global
20
the annual turnover during the previous budget year. The negative net result in 2023
shall therefore not affect the calculation of the penalty fee. IMY thus does not find
reason to disregard the provision and the penalty fee must be calculated based on this
the total annual turnover.
IMY assesses that the annual turnover to be used as a basis for its calculation
the administrative sanction fee that Granit Bostad Beritsholm AB can be imposed is
all the companies reported above that are part of the group with Granit Bostad AB as
parent company. Annual reports for the financial year 2023 for the company show that
the total turnover amounts to SEK 274,053,000. 4% of that amount is
SEK 10,962,120. Since this amount is lower than EUR 20,000,000 shall
the penalty fee is set at an amount between 0 and 20,000,000 EUR.
As regards the assessment of the seriousness of the infringements, there is one
beginning factors which mean that there are reasons to take the violations more seriously.
The personal data processing has intended camera surveillance of residents in direct
connection to their homes and visitors to residences. Camera surveillance has been carried out
around the clock with a large number of cameras of large parts of the property for a longer period
time. The company has guarded entrances and stairwells in the property, which has meant that they
residents have been monitored every time they have moved to and from their homes and it has
has not been possible to avoid being monitored by cameras. That the people who are met by
the monitoring has not received all the information that the company has been obliged to
providing has further entailed a risk that the data subject did not become aware of
their rights or that they have exercised their rights to a lesser extent than they did
have the right to according to the data protection regulation.
IMY notes at the same time that the company has shown that there have been some problems with
burglary of the garage and has had a legitimate interest as well as taken other measures to
come to terms with this, which means that it has not been deliberate
violations. IMY also states that the surveillance was limited to the residents
and visitors. During the course of the inspection, the company has updated signs
camera surveillance and their website with information about camera surveillance and more
information than before and have thus attempted to take corrective action to comply
the information obligation.
In the light of the above circumstances, IMY assesses that, in total, it concerns
for violations of a low level of seriousness. The starting point for the calculation of
the penalty fee should therefore be set low in relation to the current maximum amount.
In addition to assessing the seriousness of the violations, IMY must assess whether they exist
any aggravating or mitigating circumstances that become relevant
the amount of the penalty fee. IMY assesses that there is no further aggravating factor or
20 Article 83.5 of the data protection regulation. Data protection authority Diary number: IMY-2023-15373 15(16)
Date: 2024-12-11
mitigating circumstances, in addition to those taken into account in the assessment of
the degree of seriousness above, which affects the amount of the penalty fee.
In light of the nature and seriousness of the violations, the IMY decides that it
the administrative sanction fee for Granit Bostad Beritsholm AB can stay
200,000 kroner. IMY considers this amount to be effective, proportionate and
deterrent in the present case.
3.5.3 Injunction
According to Article 58.2 d, the supervisory authority has the authority to issue a
personal data controller to ensure that the processing takes place in accordance with the regulations
in the data protection regulation and if required in a specific way and within a specific
period.
Because the surveillance, as far as the investigation shows, is still ongoing, it is
urgent that the company ceases the surveillance that is not permitted. It exists therefore
reason to, based on Article 58.2 d of the data protection regulation, order the company to
cease camera surveillance of all places in the property, with the exception of the garage.
According to IMY, it is also important that the company takes measures to ensure that they
registrants receive correct and complete information regarding it
personal data processing through camera surveillance that takes place. IMY decides with support
of article 58.2 d of the data protection regulation that the company must be ordered to, no later than four
weeks after this decision takes effect, take steps to ensure that
1. the company ceases the camera surveillance of all places in the property
except the garage,
2. there is information about the company's identity on the camera surveillance signs
and contact information for the company, in the form of an email address or telephone number.
That measures must have been taken no later than four weeks after this decision came into force
means that if the decision is not appealed, action must have been taken no later than four weeks after
that the appeal period has expired.
__________________________
This decision has been made by unit manager Jenny Bård after a presentation by the lawyer
Khadija Faras.
Jenny Bård
Appendices
1. Complainant's personal data
2. Information on payment of penalty fee
3. Information about camera surveillance in multi-apartment buildings The Swedish Privacy Agency Diary number: IMY-2023-15373 16(16)
Date: 2024-12-11
4. How to appeal
If you want to appeal the decision, you must write to IMY. State in the letter which decision you made
appeals and the change you request. The appeal must have been received by IMY
no later than three weeks from the day you were informed of the decision. If you are a representing party
however, the general appeal must have been received within three weeks from that day
the decision was announced. If the appeal has arrived in time, IMY forwards it to
The administrative court in Stockholm for examination.
You can e-mail the appeal to IMY if it does not contain any privacy-sensitive information
personal data or information that may be subject to confidentiality. The authority's
contact details appear on the first page of the decision.
