AEPD (Spain) - E/02666/2020

From GDPRhub
AEPD - E/02666/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 14 GDPR
Article 35 GDPR
LOPDGDD
Type: Complaint
Outcome: Rejected
Started:
Decided:
Published: 24.03.2021
Fine: None
Parties: AYUNTAMIENTO DE FUENLABRADA
National Case Number/Name: E/02666/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA considered that the use of drones by the municipality of Fuenlabrada (Spain) for vehicle traffic control purposes was compliant with GDPR.

English Summary

Facts

A claim was filled against the municipality of Fuenlabrada (Spain) because of its usage of drones in order to control vehicle traffic. The claim concerned the lack of communication of the identity of the controller and of the place where to exercise data subjects' rights.

The municipality of Fuenlabrada pointed out that the information on the processing operation is shared through electronic means, through the social networks of the Local Police, through posters in the interested areas, and publication on the website of the City Municipality.

The Spanish DPA asked the municipality of Fuenlabrada to provide copy of the Data Protection Impact Assessment (DPIA) completed before the processing activity. The municipality did not complete a DPIA because it considered that risk for data subjects would be "acceptable".

Dispute

Is the municipality of Fuenlabrada complying with the obligation of providing information on the processing activity? Was the municipality of Fuenlabrada supposed to carry out a DPIA?

Holding

The Spanish DPA considered that the defendant fulfilled the duty of information in accordance with GDPR.

The Spanish DPA considered that Article 35 GDPR applies in this case and thus a DPIA is necessary. The controller has therefore carried out the aforementioned evaluation and provided a copy of it. In the DPIA is concluded that the images recorded with the drones do not have to be treated especially sensitive and may not affect the rights or freedoms of people, since, except for pedestrians that can be visualized momentarily (that are not usually recognizable), in these recordings only vehicles appear in traffic, so the treatment itself would not offer a special risk. Therefore, the controller considers that the treatment can be carried out with the measures taken so far and without the need to apply more incisive measures, specifying that the sum of circumstances that occur in this treatment and the type of personal data that is treated implies that the residual risk is acceptable.

Taking in consideration this ex post DPIA, the Spanish DPA concluded that the Municipality of Fuenlabrada complies with GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                               1/8








     Procedure Nº: E / 02666/2020

                  RESOLUTION OF ACTION FILE



Of the actions carried out by the Spanish Agency for Data Protection and
based on the following


                                      FACTS

FIRST: The claim filed by A.A.A. (hereinafter, the claimant) has
entry dated October 8, 2019 in the Spanish Agency for the Protection of
Data. The claim is directed against FUENLABRADA CITY COUNCIL, with
NIF P2805800F (hereinafter, the claimed one). The reasons on which you base the claim

are

“It has started in Fuenlabrada (Madrid) surveillance and control of traffic in
different areas of the town using a drone from the aerial surveillance section.
These areas have been marked incorrectly as they are not indicated or

responsible for the treatment or where the rights can be exercised.

The information has been published on the social network Twitter with a video where
appreciate the cited faulty signage. Explicit mention is also made in a
tweet to the signal clearly seeing that it does not comply with the RGPD.


[…] "

Along with the claim, provide a document referring to the tweets
indicated in the claim.


SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), with reference number E / 10122/2019, a transfer of
said claim to the defendant, so that it could proceed to its analysis and inform this
Agency within a month, of the actions carried out to adapt to the

requirements provided in the data protection regulations.

On December 2, 2019, this Agency received a written statement of
answer in which it is stated that the person responsible for the treatment is the Police
Local of the Fuenlabrada City Council, since according to Organic Law 4/1997, of 4

of August, which regulates the use of video cameras by the Forces and Corps of
Safety in public places, the installation and use of these devices will be carried out
by the authority in charge of traffic regulation. The Royal Legislative Decree
6/2015, of October 30, which approves the Law on Traffic, Circulation of Vehicles to
Motor and Road Safety, contemplates the powers of the Municipalities in matters of
traffic and Royal Decree 596/1999, which develops Organic Law 4/1997, states in the

point 4 of the Sole Additional Provision that the use of mobile means of
image capture and playback (as in the case of drones) will not require
resolution of the Municipal Administration.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/8








It also points out that the information on the processing of data through drones
It is facilitated through electronic means, through the Police social networks
Local, by means of posters in the areas of influence of the drones (one appropriate to the

Royal Decree 596/1999 that is published on social networks and another appropriate to the
LOPDGDD so that drivers who circulate on the affected roads can
know the person responsible for the treatment and the email where to exercise their
rights), and publication on the website of the City Council. They have included these
treatments in the Register of Data Processing Activities of the City Council and
have carried out a risk analysis to establish security measures

relevant.

Regarding the flights that are carried out to guarantee citizen security, the
Local Police always request permission from the Government Delegation informing of the
flight plan and dates, the Delegation determining the guarantees that must be

be established to respect the privacy of people.

THIRD: On December 20, 2019, a copy of the document is requested
that contains the evaluation of the impact on data protection of the
treatment carried out through the drones used by the City Council and, once
It has been verified that this treatment is not included in the record of activities of

treatment published on the website of the City Council, the
inclusion of this treatment in the aforementioned registry.

On January 3, 2020, this Agency receives a letter stating that
states that no impact assessment is provided because it is not considered necessary.
Yes, a risk analysis has been carried out with the "Manage" tool

getting the result of ACCEPTABLE. Links are provided to the Registry of
Treatment Activities where the one related to drones is now included as well as
links to the Municipal Police website where the activity is mentioned
carried out with drones and shows the poster that is published on social networks
the days the devices are used ..


They present a copy of the risk analysis.

THIRD: On March 12, 2020, the Director of the Spanish Agency for
Data Protection agreed to accept for processing the claim presented by the

claimant.

SECOND: The Subdirectorate General for Data Inspection proceeded to carry out
of previous investigative actions to clarify the facts that are the object of the
of the claim. On February 2, 2021, the action report is issued
previous research in which the following are highlighted:


“Asked the City Council to specify if the use of drones is carried out with
traffic control purposes, for the prevention of criminal acts and protection of
persons and goods, or both, and in the case of one or the other case, present in this
Agency the mandatory impact assessment in case of "systematic observation of

large scale of an area of public access "—in compliance with article 35.2 c) of the
Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter
RGPD) - or the opinion of the Video Surveillance Guarantees Committee of the Delegation

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/8








of Government, dated September 18, 2020, this Agency receives,
brief of allegations stating the following:


Regarding the purpose of the drone and image capture.

- Drones are used to control traffic in trouble spots and register
the possible infractions that take place.

- Flights usually occur once a month or at most twice a month.


- In the place and at the time of the flight, informational posters of the
video surveillance, and also communicates through social networks the day and time in which it is
will produce the flight.


- The frames try to be as accurate as possible and are aimed at capturing
of traffic, being accidental the recording of pedestrians or passers-by. The images
are recorded on the drone's memory card and if necessary to
present proof of any infraction, they would be transferred and stored in a
pendrive. The images are used only as evidence in the case of registering
any infraction, not being viewed after the recording unless,

in the course of this, there is any infraction in terms of road safety and
image recovery is necessary.

- The images on the card are deleted, being replaced by the new ones, in the
next flight of the drone, and those stored on the pendrive, are deleted when they have

rescued the useful parts of the recording.

- There is no publication or publicity of the images by any channel, these being
completely confidential from the moment of its capture until its elimination.


- The only personal data collected, and that may appear reflected in the image, is the
license plate of the vehicle, but in this context it responds to the capture of the data
minimum personnel necessary for the police to know the author of the
infringement and contact him.

Regarding the impact assessment requested by this Agency:


- They state that the treatment that is being mentioned could be classified
among which the AEPD itself in its guide "Drones and data protection" classifies as
“Operations with risk of processing personal data in a collateral way or
inadvertent ”not being, in any case, the purpose of this activity the capture of

images of people that, if filmed, would be a circumstance
totally accidental and marginal.

- Notwithstanding the foregoing, as requested by this Agency, attach an impact assessment
carried out by the Fuenlabrada Local Police Service with the collaboration of the

Data Protection Department of the Fuenlabrada City Council.

- In said evaluation, the following threats and risks are detected (i) Possibility of
drone crash and loss of images. (ii) Possibility of accessing the credit card

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/8








memory of the drone and (iii) Possibility of loss of the pendrive where the
images. In this sense, they point out that the probability of the first threat is
very low because in this case there are always the flight operators for the

collection of the drone, and regarding the preservation of the images, both the drone and
the pendrive remain in the municipal police facilities guarded by
this, being accessible only by those people related to the
treatment.

- This evaluation is completed by indicating that after analyzing these risks and the treatment of

the data is concluded that they are not images especially
sensitive or that may affect the rights or freedoms of people, since,
except for a pedestrian that can be seen momentarily, which also does not usually
be recognizable, in these recordings only vehicles appear in transit, so
they understand that the treatment itself poses no special risk. Therefore, they estimate

that the treatment can be carried out with the measures taken until the
moment and without the need to apply more incisive measures, specifying that the
sum of circumstances that occur in this treatment and the type of personal data that
it is treated implies that the residual risk is acceptable. "



                                FOUNDATIONS OF LAW

                                                I

In accordance with the investigative and corrective powers that article 58 of the RGPD

granted to each supervisory authority, and in accordance with the provisions of article 47 of the
LOPDGDD, is competent to resolve these investigation actions the
Director of the Spanish Agency for Data Protection.

                                                II


These actions have their origin in the claim presented about the
lack of adequacy to the RGPD of the information provided to those affected by the
responsible for data processing derived from the video surveillance system of the
traffic through drones in the Fuenlabrada municipality.


Article 22 of the LOPDGDD, which has the heading "Treatments for the purpose of
video surveillance ", provides in section 6 that" The processing of personal data
from images and sounds obtained by using cameras
and video cameras by the Security Forces and Bodies and by the
competent for surveillance and control in prisons and for control,

regulation, surveillance and discipline of traffic, will be governed by the legislation of
transposition of Directive (EU) 2016/680, when the treatment is for the purpose of
prevention, investigation, detection or prosecution of criminal offenses or
execution of criminal sanctions, including protection and prevention against
threats to public safety. Outside of these assumptions, said treatment is

will be governed by its specific legislation and additionally by Regulation (EU)
2016/679 and this organic law. "



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/8








In accordance, therefore, with the transcribed precept, and taking into account that the purpose
stated by the person in charge is to control traffic in prevention of
infractions but does not respond to an objective of prevention, investigation or

prosecution of criminal offenses, it is necessary to resort to the legislation
specific information on the use of video cameras by the Forces and Corps of
Security in order to determine the provisions on data protection that
They will be applicable to the treatment carried out. This legislation, which is constituted
by Organic Law 4/1997 and its implementing regulations, only includes certain
provisions regarding the retention period of recordings or the

information to be provided to interested parties, while establishing - in the
Eighth additional provision of the aforementioned Organic Law 4 / 1997— a reference to
the general data protection regulations when it states that “the installation and use
of camcorders and any other means of capturing and reproducing images
for the control, regulation, surveillance and discipline of traffic will be carried out by the

authority in charge of regulating traffic for the purposes set forth in the text
Articles of the Law on Traffic, Circulation of Motor Vehicles and Road Safety,
approved by Legislative Royal Decree 339/1990, of March 2, and other regulations
specific in the matter, and subject to the provisions of Organic Laws 5/1992,
of October 29, of Regulation of the Automated Treatment of the Data of
Personal Character, and 1/1982, of May 5, of Civil Protection of the Right to Honor,

to Personal and Family Intimacy and Self Image, within the framework of the principles
of use of the same provided for in this Law. "

Sitting, therefore, the data protection regulations will apply to the
treatments derived from a traffic video surveillance system, both by application

supplementary of the RGPD and LOPDGDD in matters not provided for by specific legislation
as by the legislator's own will that this type of treatment complies with
current regulations on data protection, the duty of information
must comply with the provisions of said standards.


In the specific case that is the object of this procedure and in accordance with the evidence
available, it can be affirmed that the defendant fulfills the duty of
information in accordance with the provisions of the data protection regulations. So and
As indicated in the second fact, the information on the treatment of
Data through drones is facilitated through electronic means, through the
Social networks of the Local Police, through posters in the areas of influence of the

drones (one appropriate to Royal Decree 596/1999 that is published on social networks and
another appropriate to the LOPDGDD so that drivers who circulate on the roads
affected can know the person responsible for the treatment and the email where
exercise their rights), and publication on the website of the City Council.


                                            III

In another vein, article 35 of the RGPD, referring to the impact assessment
regarding data protection provides:


"one. When a type of treatment is likely, in particular if you use newer
Technologies, by their nature, scope, context or purposes, pose a high risk to
the rights and freedoms of natural persons, the data controller
carry out, before the treatment, an evaluation of the impact of the operations of

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/8








treatment in the protection of personal data. A single evaluation may address
a series of similar treatment operations involving high risks
Similar.


[…]

3. The impact assessment relating to the protection of the data referred to in the
section 1 will be required in particular in case of:


a) systematic and exhaustive evaluation of personal aspects of natural persons
that is based on automated processing, such as profiling, and on
the basis of which decisions are made that produce legal effects for people
physical or significantly affecting them in a similar way;


b) large-scale treatment of the special categories of data referred to in the
Article 9, paragraph 1, or personal data regarding convictions and offenses
penalties referred to in article 10, or

c) large-scale systematic observation of a public access area.


4. The supervisory authority shall establish and publish a list of the types of operations
of treatment that require an impact assessment related to the protection of
data in accordance with section 1. The supervisory authority shall communicate these
lists to the Committee referred to in Article 68.


[…] "

As can be seen, the aforementioned article establishes that this evaluation of
impact will be necessary for those data processing that may involve
is likely to be a high risk and makes explicit in its section 3, a non-exhaustive list of

assumptions to which this obligation reaches, to which it will be necessary to add, in the case
Spanish, those cases that meet the criteria that have been published by
this Agency in accordance with the provisions of article 35.4 of the RGPD.

Applying the aforementioned article 35.3 to the specific case that is the object of these actions,
note that the traffic surveillance system meets the above characteristics

in section c), because:

1. It is a systematic observation since it responds to observations
carried out by a system and is part of a traffic control strategy.


2. It is a large-scale treatment in that the images that are susceptible to
be captured correspond to an area of influence.

3. Data processing is carried out in publicly accessible areas.


In addition, it should be taken into account that the aforementioned treatment would comply with another
of the requirements that both the European Data Protection Committee and the Agency
Spanish Data Protection considered as indicative of setting up a
probable high risk, which is to make use of technological innovations.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/8









Therefore, and based on the foregoing, it can be considered that the processing of data in

The issue requires a prior impact assessment. Now in this sense, if
It is true that the Local Police of the Fuenlabrada City Council had not carried out
said evaluation since the risk analysis carried out previously had
given as a result that of ACCEPTABLE, it is not less than after the requirement of
information made by this Agency, the person in charge has made the aforementioned

evaluation, of which you attach a documentary copy in your answering brief of 18
September 2020 and in which it is concluded that some images would not be treated
especially sensitive or that may affect the rights or freedoms of the
people, since, except for a pedestrian that can be visualized momentarily, that
Furthermore, it is not usually recognizable, in these recordings only vehicles appear in

traffic, so the treatment itself would not offer a special risk. Therefore, the
responsible considers that the treatment can be carried out with the measures
taken so far and without the need to apply more incisive measures,
specifying that the sum of circumstances that occur in this treatment and the type of
personal data that is treated implies that the residual risk is acceptable.


                                            IV

Once analyzed, therefore, the evidence available at present
procedure, this Agency considers that the data processing carried out by

the drone video surveillance system launched by the Local Police of
Fuenlabrada complies with data protection regulations.


Therefore, in accordance with the provisions, by the Director of the Spanish Agency for

Data Protection, IT IS AGREED:


FIRST: PROCEED WITH THE FILING of these actions.


SECOND: NOTIFY this resolution to the claimant and claimed.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

















C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/8









Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, and in accordance with the provisions of the

arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, interested parties may
file, optionally, an appeal for reconsideration before the Director of the Agency
Spanish Data Protection within a period of one month from the day

following notification of this resolution or directly contentious appeal
administrative before the Contentious-Administrative Chamber of the National Court,
in accordance with the provisions of article 25 and paragraph 5 of the provision
Additional fourth of Law 29/1998, of July 13, regulating the Jurisdiction

Contentious-Administrative, within two months from the next day
upon notification of this act, as provided in article 46.1 of the aforementioned Law.

                                                                                        940-0419
Mar Spain Martí

Director of the Spanish Agency for Data Protection













































28001 - Madrid 6 sedeagpd.gob.es