AEPD (Spain) - EXP202103983

From GDPRhub
AEPD - EXP202103983
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 4(1) GDPR
Article 4(2) GDPR
Article 5(1)(c) GDPR
Article 22 Ley Orgánica de Protección de Datos Personales y Garantía de los Derechos Digitales
Type: Investigation
Outcome: Violation Found
Started: 14.10.2022
Decided: 05.05.2022
Published:
Fine: 300 EUR
Parties: n/a
National Case Number/Name: EXP202103983
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD agencia espanola proteccion datos (in ES)
Initial Contributor: Maria-Antonia Toggenburg

In a surveillance camera case, the Spanish DPA considered that installing a security camera that also captured the private garden of their neighbour was not justified by security reasons, and was not proportionate.

English Summary

Facts

A data subject realised that their neighbour (controller) had installed surveillance cameras that were monitoring their private garden. They considered that the monitoring was violating the Spanish data protection law (Art. 22 LOPDGDD) in force.

The data subject therefore filed a complaint with the Spanish DPA.

Holding

The Spanish DPA recalled that the image of a person, according to Article 4(1) GDPR, is personal data and its protection is therefore subject to this Regulation. The concept of "processing" of personal data is defined in Article 4(2) GDPR. Article 22 of the LOPDGDD (the Spanish national data protection law: Ley Orgánica de Protección de Datos Personales y Garantía de los Derechos Digitales, BOE-A-2018-11673) sets out the specific rules for the processing of data for video surveillance purposes and states that natural or legal persons may carry out the processing of images through camera or video camera systems for the purpose of preserving the security of persons and property, as well as of their installations. However, images may only be captured from the public thoroughfare insofar as it is essential for these security reasons.

Against this background, the DPA holds that video cameras may not capture images of persons who are outside the private space where the video surveillance system is installed, since the processing of images in public places can only be carried out by the Security Forces and Corps.

In the present case, the DPA found that there were no security reasons that justified the monitoring of a private garden.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: EXP202103983
RESOLUTION OF SANCTIONING PROCEDURE
From the procedure carried out by the Spanish Data Protection Agency and on the basis of the following
BACKGROUND
FIRST: On 14/10/2021, the Spanish Data Protection Agency received a letter presented by A.A.A. (hereinafter, the claimant) by means of which he formulates a claim against B.B.B. with Tax Identification Number ***NIF.1 (hereinafter, the complained party), for the installation of a video surveillance system located at ***ADDRESS.1, there being indications of a possible breach of the provisions of the data protection regulations.
The grounds for the complaint are as follows:
"I want to denounce the (...) for having two of his home security cameras pointing directly at my house, said cameras are exterior cameras in your house and they capture and record my outside garden depriving me of my privacy in my own home.
The rest of the cameras that they have, about 5 exterior cameras, some of them I want to denounce that they are pointing towards the neighborhood street, where my youngest disabled son plays, recording these images.
[...]"
She attaches three photographs of the location of the video surveillance cameras and a copy of the Resolution of recognition of the degree of disability of her son.
SECOND: Prior to the admission of the claim for processing, this Agency sent by mail a Request for Information to the claimant on 05/11/2021 and 29/11/2021, resulting on both occasions in "Returned to origin due to surplus (not picked up at the office)". As of today, this Agency has not received any reply.
THIRD: On 14/01/2022, in accordance with article 65 of the LOPDGDD, the claim filed by the claimant was admitted for processing.
FOURTH: On 12/04/2022, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the claimant for the alleged infringement of Article 5.1.c) of the GDPR, typified in Article 83.5.a) of the GDPR.
FIFTH: An attempt was made to notify the agreement to initiate this sanctioning procedure by postal mail, which resulted in "Returned to origin due to surplus (not withdrawn in office)", according to the Notice issued by Correos on 10/05/2022.
Thus, the notification was made by means of a notice published in the Official State Gazette (Boletín Oficial del Estado) on 17/05/2022, and a hearing period of TEN BUSINESS DAYS was granted in order to formulate allegations and present the evidence that it considered appropriate, in accordance with the provisions of Articles 73 and 76 of Law 39/2015, of October 1, 2015, of the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP).
SIXTH: After the term granted for the formulation of allegations to the agreement to initiate the procedure had elapsed, it has been verified that no allegations have been received from the respondent.
Article 64.2.f) of Law 39/2015, of October 1, 2015, on the Common Administrative Procedure of the Public Administrations (hereinafter LPACAP), a provision of which the respondent was informed in the agreement to initiate the proceeding, establishes that if no allegations are made within the period provided on the content of the initiation agreement, when the latter contains a precise pronouncement on the responsibility imputed, it may be considered as a resolution proposal.
In the present case, the agreement of initiation of the sanctioning file determined the facts on which the imputation was based, the infringement of the GDPR attributed to the respondent and the sanction that could be imposed. Therefore, taking into consideration that the respondent has not submitted any allegations in response to the agreement to initiate the proceedings, and in accordance with the provisions of Article 64.2.f) of the LPACAP, the aforementioned agreement to initiate the proceeding is considered a resolution proposal in the present case.
SEVENTH: The resolution to initiate the proceeding agreed, in the fourth point of the operative part, to "INCORPORATE to the sanctioning file, for purposes of evidence, the claims presented by the claimants and the information and documentation obtained by the General Subdirectorate of Data Inspection in the information phase prior to the decision to admit the claim for processing".
In view of all the actions taken by the Spanish Data Protection Agency in the present proceedings, the following are considered to be proven facts.
PROVEN FACTS
FIRST: Installation of a video surveillance system, consisting of at least 4 cameras, on the outside of the house of the claimant, located at ***ADDRESS.1, which could capture images of the neighborhood street and the complainant's private garden.
This is evidenced by the photographic report provided by the Complainant, which shows that the Respondent's plot is delimited with fences, which are not fences and, therefore, the cameras could record images outside his property.
SECOND: B.B.B., with Tax Identification Number ***NIF.1, is identified as the person responsible for the system.
THIRD: The Spanish Data Protection Agency has notified the respondent of the agreement to open this sanctioning proceeding, but the respondent has not presented any allegations or evidence contradicting the facts denounced.
LEGAL GROUNDS
I
Pursuant to the powers that Article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) grants to each supervisory authority, and in accordance with the provisions of Articles 47 and 48.1 of Organic Law 3/2018, of December 5, 2018, on the Protection of Personal Data and the guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Likewise, Article 63.2 of the LOPDGDD determines that: "The proceedings processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."
II
The image of a person, according to Article 4.1 of the GDPR, is personal data and its protection is therefore subject to this Regulation. Article 4.2 of the GDPR defines the concept of "processing" of personal data.
Article 22 of the LOPDGDD sets out the specific rules for the processing of data for video surveillance purposes and states the following:
"1. Natural or legal persons, whether public or private, may carry out the processing of images through camera or video camera systems for the purpose of preserving the security of persons and property, as well as of their installations.
2. Images may only be captured from the public thoroughfare insofar as it is essential for the purpose mentioned in the previous paragraph.
However, it shall be possible to capture images of the public thoroughfare over a greater extension when it is necessary to guarantee the security of strategic goods or installations or of infrastructures linked to transport, but in no case may it involve the capture of images of the interior of a private home.
3. The data shall be deleted within a maximum period of one month from their capture, except when they have to be kept to prove the commission of acts against the integrity of persons, goods or facilities. In such a case, the images must be made available to the competent authority within a maximum period of seventy-two hours after the existence of the recording becomes known.
The blocking obligation provided for in article 32 of this Organic Law shall not apply to such processing.
4. The duty to provide information provided for in Article 12 of Regulation (EU) 2016/679 shall be understood to be fulfilled by the posting of an informative device in a sufficiently visible place identifying, at least, the existence of the processing, the identity of the controller and the possibility of exercising the rights provided for in Articles 15 to 22 of Regulation (EU) 2016/679. A connection code or internet address to this information may also be included in the informative device.
In any case, the controller shall keep at the disposal of the data subjects the information referred to in the aforementioned regulation.
5. Pursuant to Article 2.2.c) of Regulation (EU) 2016/679, it is considered to be excluded from its scope of application the processing by a natural person of images that only capture the interior of his or her own home.
This exclusion does not cover processing carried out by a private security entity that has been contracted for the surveillance of a home and has access to the images.
6. The processing of personal data from images and sounds obtained through the use of cameras and video cameras by the Security Forces and Corps and by the competent bodies for surveillance and control in penitentiary centers and for the control, regulation, surveillance and discipline of traffic, shall be governed by the legislation transposing Directive (EU) 2016/680, where the processing is for the purposes of prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal sanctions, including the protection of and prevention against threats to public security. Outside these cases, such processing shall be governed by their specific legislation and supplementarily by Regulation (EU) 2016/679 and this organic law.
7. The provisions of this article shall be understood without prejudice to the provisions of Law 5/2014, of 4 April, on Private Security and its implementing provisions.
8. The processing by the employer of data obtained through camera or video camera systems is subject to the provisions of article 89 of this organic law."

III
In accordance with the above, the processing of images through a video surveillance system, in order to comply with the regulations in force, must comply with the following requirements:
- Respect the principle of proportionality.
- When the system is connected to an alarm center, it can only be installed by a private security company that complies with the requirements set forth in Article 5 of Law 5/2014 on Private Security, of April 4, 2014.
- Video cameras may not capture images of persons who are outside the private space where the video surveillance system is installed, since the processing of images in public places can only be carried out, unless there is governmental authorization, by the Security Forces and Corps. Neither may the following be captured or recorded: spaces owned by third parties without the consent of their owners or, as the case may be, of the persons who are in them.
This rule admits some exceptions since, on some occasions, for the protection of private spaces where cameras have been installed on façades or inside, it may be necessary, in order to guarantee the security purpose, to record a portion of the public road. In other words, cameras and video cameras installed for security purposes may not obtain images of the public roadway unless it is essential for this purpose, or it is impossible to avoid it due to the location of the cameras, and, exceptionally, the minimum space for such purpose shall also be included. Therefore, the cameras could exceptionally capture the minimum portion necessary for the intended security purpose.
- The duty to inform the data subjects provided for in Articles 12 and 13 of the GDPR and 22.4 of the LOPDGDD must be fulfilled.
- The data controller must keep a record of the processing activities carried out under its responsibility, including the information referred to in article 30.1 of the GDPR.
- The installed cameras may not obtain images of private spaces of third parties and/or public space without a duly accredited justified cause, nor may they affect the privacy of passers-by passing freely through the area. It is not permitted, therefore, to place cameras on the private property of neighbors with the purpose of intimidating them or affecting their private sphere without justified cause.
- In no case shall the use of surveillance practices be allowed beyond the area of the surroundings of the installations and, in particular, they may not affect the surrounding public spaces, adjoining buildings and vehicles other than those accessing the area under surveillance.
In relation to the foregoing, in order to facilitate the consultation of the interested parties, the Spanish Data Protection Agency offers, through its web page [https://www.aepd.es], access to the legislation on the protection of personal data, including the GDPR and the LOPDGDD (section "Reports and resolutions" / "Regulations"), to the Guide on the use of video cameras for security and other purposes, and to the Guide for compliance with the duty to inform (both available in the "Guides and tools" section).
Also of interest in the case of low-risk data processing is the free Facilita tool (in the "Guides and tools" section), which, by means of specific questions, allows the situation of the data controller to be assessed with respect to the processing of personal data and, where appropriate, generates various documents, informative and contractual clauses, as well as an appendix with indicative security measures considered to be minimum.
IV
In the present case, the Respondent has not submitted allegations or evidence that contradict the facts. In accordance with the evidence available and which has not been disproved during the sanctioning proceeding, the Respondent has installed four video surveillance cameras on the exterior of the property, located at ***1, which could capture images of the neighboring street and the garden owned by the Complainant.
In view of the foregoing, the facts imply a violation of the provisions of Article 5.1 c) of the GDPR, which implies an infringement typified in Article 83.5 a) of the GDPR, which provides as follows:
"Infringements of the following provisions shall be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of an undertaking, an amount equivalent to 4% of the total annual aggregate turnover of the previous financial year, whichever is higher:
(a) The basic principles for processing, including the conditions for consent within the meaning of Articles 5, 6, 7 and 9;
(...)"
For the mere effects of prescription, article 72.1 of the LOPDGDD qualifies as very serious:
(a) The processing of personal data in violation of the principles and guarantees established in Article 5 of Regulation (EU) 2016/679;
(...)

V
The corrective powers available to the Spanish Data Protection Agency, as supervisory authority, are set forth in Article 58.2 of the GDPR. Among them are the power to impose an administrative fine in accordance with Article 83 of the GDPR (Article 58.2 i) of the GDPR), or the power to order the controller or processor to bring the processing operations into compliance with the provisions of the GDPR, where applicable, in a specified manner and within a specified period of time (Article 58.2 (i)).
According to Article 83(2) of the GDPR, the measure provided for in Article 58(2)(d) of the GDPR is compatible with the provisions of the GDPR.
In the present case, in view of the facts, it is considered that the sanction that should be imposed is an administrative fine. The fine to be imposed must be, in each individual case, effective, proportionate and dissuasive, in accordance with Article 83.1 of the GDPR. In order to determine the administrative fine to be imposed, the provisions of Article 83.1 of the GDPR must be observed.
The provision of Article 83.2 of the GDPR states:
"2. Administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or in substitution of the measures referred to in Article 58(2)(a) to (h) and (j). When deciding on the imposition of an administrative fine and its amount in each individual case, due account shall be taken of:
(a) the nature, extent or purpose of the processing operation in question, as well as the number of data subjects concerned and the level of damage they have suffered;
(b) the intent or negligence of the infringement;
(c) any measures taken by the controller or processor to mitigate the damage suffered;
(d) the extent of the responsibility of the controller or processor, taking into account the technical or organizational measures implemented by them pursuant to Articles 25 and 32;
(e) any previous infringement committed by the controller or processor;
(f) the extent of cooperation with the supervisory authority in order to remedy the breach and mitigate the possible adverse effects of the breach;
(g) the categories of personal data affected by the breach;
(h) the manner in which the supervisory authority became aware of the breach, in particular whether the controller or processor notified the breach to the supervisory authority;
(i) where the measures referred to in Article 58(2) have been ordered in advance against the controller or processor concerned in relation to the same matter, compliance with those measures;
(j) adherence to codes of conduct under Article 40 or certification mechanisms approved under Article 42;
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefit gained or loss avoided, directly or indirectly, through the infringement".
For its part, in relation to letter k) of Article 83.2 of the GDPR, the LOPDGDD, in its Article 76, "Sanctions and corrective measures", provides:
"1. The sanctions provided for in Article 83(4), (5) and (6) of Regulation (EU) 2016/679 shall be applied taking into account the graduation criteria laid down in paragraph 2 of the aforementioned Article.
2. In accordance with the provisions of Article 83(2)(k) of Regulation (EU) 2016/679 the following may also be taken into account:
a) The continuing nature of the infringement.
b) The linking of the offender's activity with the processing of personal data.
c) The benefits obtained as a result of the commission of the infringement.
d) The possibility that the conduct of the affected party could have induced the commission of the infringement.
e) The existence of a process of merger by absorption subsequent to the infringement, which cannot be imputed to the absorbing entity.
f) The involvement of the rights of minors.
g) The availability, when not mandatory, of a data protection officer.
h) The submission by the person responsible or in charge, on a voluntary basis, to alternative dispute resolution mechanisms, in those cases in which there are disputes between them and any data subject".
The balance of the circumstances contemplated, with regard to the infringement committed by violating the provisions of Article 5.1 c) of the GDPR, allows a fine of 300 euros (three hundred euros) to be set.
Therefore, in accordance with the applicable legislation and having taken into account the criteria for the graduation of the sanctions whose existence has been accredited, the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: IMPOSE on B.B.B., with Tax ID ***NIF.1, for an infringement of Article 5.1.c) of the GDPR, as typified in Article 83.5.a) of the GDPR, a fine of 300 euros (three hundred euros).
SECOND: TO ORDER B.B.B., with tax identification number ***NIF.1, by virtue of Article 58.2.d) of the GDPR, to adopt the following measures within ten working days:
- Prove to have proceeded to the removal of the devices in question by providing documentary evidence with date and time that accredits such end, or, failing that, accredit the regularization of the cameras in accordance with the regulations in force.
THIRD: TO NOTIFY this resolution to B.B.B., with NIF ***NIF.1.
FOURTH: To warn the sanctioned party that he/she will have to pay the sanction imposed once this resolution becomes enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulation, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, 2003, by means of payment, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, into the restricted account number ES00 0000 0000 0000 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency in the bank CAIXABANK, S.A. Otherwise, it will be collected during the enforcement period.
Once the notification has been received and once it is enforceable, if the enforceability date is between the 1st and 15th of every month, both inclusive, the deadline for voluntary payment will be until the 20th day of the following month or the immediately following business day, and if it is between the 16th and the last day of the following month, the deadline for payment shall be until the 5th day of the second following month or the immediately following business day.
In accordance with the provisions of Article 50 of the LOPDGDD, the present Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may lodge an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month as of the day following the date of notification of this resolution, or directly lodge a contentious-administrative appeal before the Contentious-Administrative Chamber, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, 1998, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, in accordance with the provisions of Article 46.1 of the aforementioned Law.
Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, the administrative decision may be suspended as a precautionary measure if the interested party declares its intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact to the Spanish Data Protection Agency, submitting it through the Electronic Register of the Agency [Agencia Española de Protección de Datos, https://sedeagpd.gob.es/sede-electronicaweb/], or through any of the other registers provided for in art. 16.4 of the aforementioned Law 39/2015, of 1 January 2015. If the Agency is not aware of the filing of the contentious-administrative appeal within a period of two months from the day following the notification of the present resolution, the precautionary suspension will be considered as terminated.
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es