AEPD (Spain) - PS/00377/2021

From GDPRhub
Revision as of 10:18, 20 October 2021 by SR (talk | contribs) (→‎Facts)
AEPD (Spain) - PS/00377/2021
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(c) GDPR
Article 13 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 18.10.2021
Fine: None
Parties: Municipality of [Redacted Location]
National Case Number/Name: PS/00377/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: aepd.es (in ES)
Initial Contributor: Giel Ritzen

The Spanish DPA (AEPD) warned a Municipality for failing to meet its information obligations to its employees regarding the placement of video surveillance cameras that also record audio.

English Summary

Facts

The data subject, an employee of the Municipality, filed a complaint with the AEPD because of a video surveillance system that recorded employees and citizens actions within the Municipality's premises, even though no proper authorisation was requested and granted. Moreover, since the cameras could also record audio, personal conversations of employees and visitors could be recorded. Lastly, although there was a sign that informed visitors and employees of the presence video surveillance cameras, it was unclear for which purpose these cameras were installed. The AEPD informed the Municipality (hereafter: respondent) regarding the complaint but never got a reply. Hence, it agreed to process the complaint.

Holding

The AEPD upheld the complaint.

First, the recording of personal conversations is an invasion of privacy. This is therefore strictly forbidden and can lead to a violation of Article 5(1)(c) GDPR, with the exceptions of prior judicial authorisation, or recording by persons that are competent to do so in “exceptional situations”.

Second, the cameras must be limited to the purpose for which they are intended. Also, the way of capturing and processing this data must be proportionate in relation to this purpose (surveillance/security).

Third, the AEPD recalls that, in order to comply with Article 12 GDPR, a clear sign must be placed in a visible area (e.g. access door) indicating that it is a video-surveilled area, and it must indicate:

  • the existence of the processing.
  • the identity of the data controller.
  • the possibility of exercising the rights provided for in Articles 15 to 22 GDPR.

If there is not a clear sign informing employees of the video-surveillance area, which provides this information, this leads to a violation of Article 13 GDPR. Respondent had failed to install and show a clear sign that provided this information. Moreover, the purpose of security had not been known to the legal representatives of all the public employees of the aforementioned entity, although they must be aware of the purpose(s) of the images obtained. Hence, this constituted an infringement, attributable to the respondent, for violation of Articles 5(1)(c) and 13 GDPR.

Therefore, the AEPD (1) imposed a warning on the Municipality and (2) ordered respondent to:

  • Place information signs duly approved to the current GDPR at the main entrances to the Town Hall within one month of the decision.
  • Inform all public employees of the measures adopted, in particular those related to the purpose(s) of the processing.
  • To place the entrance camera so that it is used for the security function of the Town Hall, but avoids capturing the work area of the employees exclusively, disabling the audio option if necessary.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                1/9








     Procedure No.: PS / 00377/2021

                RESOLUTION OF SANCTIONING PROCEDURE


Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following

                                       FACTS


FIRST: Mrs. A.A.A. (* hereinafter, the complaining party) dated April 17,
2021 filed a claim with the Spanish Data Protection Agency. The
claim is directed against CITY COUNCIL OF *** LOCALIDAD.1 with CIF
P4626100D (hereinafter, the claimed part). The reasons on which the
claim are the following, as collected in your writing,


       “On March 12, video surveillance cameras were installed in the City Hall.
location of *** LOCALIDAD.1 (Valencia). These cameras were installed at the entrance to the
Town Hall and at the counter, from where they record employees and citizens
damages that enter the municipal offices (...)


       On several occasions I showed my disagreement to the mayor and the secretary
on these aspects. I called the Government Delegation to check if there was
granted authorization for its installation in accordance with the provisions of the Decree
596/1999 and Organic Law 4/1997, and there was no such authorization, but it is that neither if-

want it had been requested ”.

       “I have not been informed about the installation of the system (…) I can only think
that I have been recorded without prior notice of the camera's start-up, that's why
They are knowledgeable about my private conversations held in these dependencies
(…) ”.


       Together with the claim, it provides documentary evidence (photograph No. 1) that
It accredits the presence of the poster even though it is not filled in in its essential aspects.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5

December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), said claim was transmitted to the claimed party in fe-
cha *** DATE.1, so that it could proceed with its analysis and inform this Agency in the
period of one month, of the actions carried out to adapt to the prerequisites
seen in the data protection regulations.


       No response to this letter has been received to date from this Agency, nor
no explanation has been given to that effect.

THIRD: On July 19, 2021, the Director of the Spanish Agency for Pro-
Data protection agreed to admit for processing the claim presented by the complaining party.

keep.

FOURTH: On September 7, 2021, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure for the complained party, by the

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/9








alleged violation of Article 5.1.c) of the RGPD, typified in Article 83.5 of the
GDPR.


FIFTH: In accordance with article 73.1 of the LPCAP, the term to formulate
allegations to the Initiation Agreement is ten days computed from the following
of the notification.

Article 64.2. LPACAP, indicates that the accused will be informed of the right to
formulate allegations, the "right to a hearing in the procedure and the deadlines

for its exercise, as well as the indication that in case of not making allegations in
The term foreseen on the content of the initiation agreement may be
considered a resolution proposal when it contains a precise pronouncement
about the imputed responsibility ”. (The underlining is from the AEPD)


The agreement to initiate the disciplinary proceedings at hand contained a
precise statement on the responsibility of the claimed entity: in the aforementioned
agreement was specified what was the offending conduct, the type of sanction in which it was
subsumable, the circumstances of the responsibility described and the sanction that in judgment
of the AEPD proceeded to impose.


 In consideration of the foregoing and in accordance with the provisions of article
64.2.f) of the LPACAP, the agreement to initiate PS / 00375/2021 is considered
Resolution Proposal: Notified the initiation agreement, the one claimed at the time of the
This resolution has not submitted a brief of allegations, so it is
application of what is stated in article 64 of Law 39/2015, of October 1, of the

Common Administrative Procedure of Public Administrations, which in its
section f) establishes that in case of not making allegations within the established period
on the content of the initiation agreement, it may be considered a proposal for
resolution when it contains a precise pronouncement about the responsibility
imputed, for which a Resolution is issued.


In view of all the actions, by the Spanish Agency for Data Protection
In this proceeding, the following are considered proven facts:

First. The facts bring cause of the claim dated 04/17/21 through the
which is transferred to this AEPD the following:


       “On March 12, video surveillance cameras were installed in the City Hall.
location of *** LOCALIDAD.1 (Valencia). These cameras were installed at the entrance to the
Town Hall and at the counter, from where they record employees and citizens
damage that enters the municipal offices (...)


       On several occasions I showed my disagreement to the mayor and the secretary
on these aspects. I called the Government Delegation to check if there was
granted authorization for its installation in accordance with the provisions of the Decree
596/1999 and Organic Law 4/1997, and there was no such authorization, but it is that neither if-

want it had been requested ”.

       “I have not been informed about the installation of the system (…) I can only think
that I have been recorded without prior notice of the camera's start-up, that's why

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/9








They are knowledgeable about my private conversations held in these dependencies
(…) ”- folio nº 1--.


Second. The entity City Council of
*** LOCALITY. 1.

Third. It is proven that the installed video surveillance system is not
duly reporting, suffering from irregularities, such as the fact of mentioning
a repealed regulation or failure to indicate the person responsible for data processing.


Room. The presence of a video surveillance device in the area of
entrance to the property, without claiming whether it can obtain audio
of the area where it is installed.


                            FOUNDATIONS OF LAW

                                             I

By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in articles 47 and 48 of the LOPDGDD, the Director

of the Spanish Data Protection Agency is competent to initiate and to re-
solve this procedure.

                                             II


On 04/17/21 the claim of the epigraph is received at this Agency by means of
from which the following is transferred as the main fact:

        “On March 12, video surveillance cameras were installed in the City Hall.
location of *** LOCALIDAD.1 (Valencia). These cameras were installed at the entrance to the

City Hall and at the counter, from where employees and citizens are taxed.
damages that enter the municipal offices (...)

        On several occasions I showed my disagreement to the mayor and the secretary
on these aspects. I called the Government Delegation to check if there was
granted authorization for its installation in accordance with the provisions of the Decree

596/1999 and Organic Law 4/1997, and there was no such authorization, but it is that neither if-
want it had been requested ”.

        The initial events took place in the presence of video-visual devices
gilancia that could record conversations (audio / video) inside the

municipal pendencies, without the system being duly informed for this purpose.

        The recording of personal conversations both in the company and in community
owners' entities, supposes an invasion of the privacy of the user, therefore
which is strictly prohibited, with the exception of an authorization

judicial review and the recordings are made by the competent persons to make-
it in "exceptional" situations.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/9








        The cameras installed must be limited to the purpose pursued with the same
moreover, the legal representatives of public employees must be informed
of such aspects, as well as having the corresponding signage that informs that

it is a video-monitored area.

        The Spanish Agency for Data Protection refers to how they should treat
take and capture the images from the security cameras in your guide to video surveillance.
lance, emphasizing that there must be a relationship of proportionality between the purpose
pursued (in this case security) and the way in which the

data.

        Access to security camera recordings is only allowed to the
owner of the company, the contracted security company or the personnel in charge of
such effect, as stipulated in the LOPDGDD.


        Surveillance teams at work and viewing and storage rooms
of images should be located in rooms with access restricted to personnel
authorized.

        Recording the conversations of public employees can lead to

a violation of art. 5.1 c) RGPD, as the obtaining of conversations is excessive
private rights of the same, without prejudice to the affectation to the privacy of these in
their conversations whatever their nature or context.

        Cameras must adhere to their role protecting access security

to municipal agencies, without them being able to be oriented in any way
permanent connection to their workstations (eg computer monitor), nor allow the
audio recording of the private conversations of the em-
employed in auxiliary tasks of entry and documentary registration.


        The installed posters denote that they are incomplete in terms of
the required information, which implies an affectation to art.-13 RGPD.

        Reporting on video surveillance according to RGPD is an obligation included in
this legislative framework.


        An information device must be available in a visible area (eg.
access) indicating that it is a video-monitored area, it must indicate
car:

            the existence of the treatment.

            the identity of the person in charge.
            possibility of exercising the rights provided for in articles 15 to 22
               of Regulation (EU) 2016/679.


        The image of a person insofar as it identifies or can identify the person
It constitutes a personal data, which can be processed
for various purposes.

        Article 22 section 4 of the LOPDGDD provides the following:

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/9









        "The duty of information provided for in article 12 of the Regulation (EU)
2016/679 will be understood as fulfilled by placing an information device

in a sufficiently visible place identifying, at least, the existence of the treatment,
the identity of the person in charge and the possibility of exercising the rights provided in the
Articles 15 to 22 of Regulation (EU) 2016/679. It may also be included in the device
informative site a connection code or internet address to this information
(…) ”.


                                            III

In accordance with the evidence available in this proceeding
sanctioner, it is considered that the complained party has proceeded to install a system
of video surveillance cameras, which are provided with "audio", lacking the same

of information badges duly homologated to the regulations in force.

        The documentary evidence provided makes it possible to verify the "irregularities"
of the poster in the access area, as well as the presence of a web-cam confirms the
presence of a device at the reception desk with the possibility of audio
(video) without having been informed about the purpose (s) thereof.


        It is recalled that any labor control measure must be put into
knowledge of the legal representatives of all public employees of the
cited entity, having to be aware of the purpose (s) of the images that are
obtain with it, considering in any case the preservation of the privacy of

conversations that could take place during working hours without further ado
Additional considerations.

The known facts constitute an infringement, attributable to the party
claimed, for violation of the content of articles 5.1 c) and 13 RGPD, above-

mind described.

                                            IV

The facts described suppose an administrative offense (s) typified in the
Article 83.5 letters a) and b) RGPD.


"Violations of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of
of a company, of an amount equivalent to a maximum of 4% of the volume of
total annual global business of the previous financial year, opting for the one with the highest

amount:

        a) the basic principles for the treatment, including the conditions for the treatment
consent in accordance with articles 5, 6, 7 and 9;


        b) the rights of the interested parties in accordance with articles 12 to 22;

                                             V


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/9








Without prejudice to the provisions of article 83 of the RGPD, the aforementioned Regulation provides
ne in its art. 58.2 b) the following:

“2 Each supervisory authority shall have all the following corrective powers in-
listed below:

(…)

        b) direct a warning to any person in charge or in charge of the treatment
when the processing operations have infringed the provisions of this
Regulation;"

Likewise, article 77 of the LOPDGDD provides the following:


“Regime applicable to certain categories of managers or persons in charge of the work
treatment.

1. The regime established in this article will be applicable to the treatment of
who are responsible or in charge:


a) Constitutional or constitutionally relevant bodies and institutions of
the autonomous communities analogous to them.
b) The jurisdictional bodies.
c) The General State Administration, the Administrations of the Autonomous Communities

tonomas and the entities that make up the Local Administration.
d) Public bodies and related or dependent public law entities
of the Public Administrations.
e) The independent administrative authorities.
f) The Bank of Spain. g) Public law corporations when finalized
from the treatment are related to the exercise of powers of public law.

h) Public sector foundations.
i) Public Universities.
j) Consortia.
k) The parliamentary groups of the Cortes Generales and the Legislative Assemblies
autonomic, as well as the political groups of the Local Corporations.


2. When the managers or managers listed in section 1 commit
any of the infractions referred to in articles 72 to 74 of this organic law.
ca, the competent data protection authority will issue a sanction resolution
advising them with warning. The resolution will also establish the

measures to be taken to stop the conduct or correct the effects of the
infraction that had been committed.

The resolution will be notified to the person in charge of the treatment, the body of the
that depends hierarchically, where appropriate, and those affected who had the condition
interested party, if applicable.


3. Without prejudice to the provisions of the previous section, the protection authority of
data will also propose the initiation of disciplinary actions when there are
Enough sayings for it. In this case, the procedure and the penalties to be applied
will be those established in the legislation on disciplinary or sanctioning regime that

result of application.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/9









Likewise, when the infractions are attributable to authorities and managers, and
certify the existence of technical reports or recommendations for the treatment that

had not been duly attended to, in the resolution imposing the
The sanction will include a reprimand with the name of the responsible position and
will order the publication in the corresponding Official Gazette of the State or Autonomous Region.

4. The data protection authority must be notified of the resolutions that
fall in relation to the measures and actions referred to in the sections

previous.

5. They will be communicated to the Ombudsman or, where appropriate, to similar institutions
of the autonomous communities the actions carried out and the resolutions issued
under this article.


6. When the competent authority is the Spanish Agency for Data Protection,
This will publish on its website with due separation the resolutions referring to
the entities of section 1 of this article, with express indication of the identity
of the person in charge or in charge of the treatment that had committed the infringement.


When the competence corresponds to an autonomous data protection authority
The publicity of these resolutions will be governed by what their
specific regulations. "

       In accordance with art. 58.2 d) RGPD the complained party must clarify

everything related to the installed system, as well as documentary proof (vgr.
photograph date and time) that has an informative mark (s) homologated to the norm
valid, without prejudice to the allegations that it deems necessary to make, such as
measures taken to inform the legal representatives of the employees
of the City Council or to them on the installed video-surveillance system.


       It is recalled that this body can travel to the scene of the events
effects of carrying out the inquiries it deems necessary, being able to demand the fulfillment of
implementation of the widely indicated measures for the sake of the protection of legality
valid.


       The rest of the issues exceed the competence framework of this Agency, narrowly
This Resolution is addressed to the accredited issues in the framework of the protection
of data.

Therefore, in accordance with the applicable legislation and the graduation criteria assessed

tion of the sanctions whose existence has been proven,

the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: IMPOSE TO THE CITY COUNCIL OF *** LOCALIDAD.1, with CIF P4626100D,

for a violation of Article 5.1.c) of the RGPD and 13 RGPD, typified in Article
83.5 a) and b) of the RGPD, a sanction of APPEARANCE.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/9








SECOND: ORDER the claimed entity *** LOCALITY CITY COUNCIL-
DAD.1 so that within a period of one month from the notification of this act, the

gives:

       -Place informational badge duly approved to the current RGPD in
the main accesses to the Town Hall.


       -Inform all public employees of the measures adopted in
particularly those related to the purpose (s) of the treatment.

       -Credit the reorientation of the inlet camera so that it is
adheres to the security function of the Town Hall, avoiding capturing the traffic area

low of the employees exclusively, deactivating the option
audio of it.

THIRD: NOTIFY this resolution to the entity denounced FAST-
*** LOCALITY LIE. 1.


FOURTH: COMMUNICATE this resolution to the Ombudsman, of
in accordance with the provisions of article 77.5 of the LOPDGDD.

In accordance with the provisions of article 50 of the LOPDGDD, this

Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the inte-
Residents may file, optionally, an appeal for reconsideration before the Director

of the Spanish Agency for Data Protection within a month from
the day after notification of this resolution or directly contentious appeal
administrative before the Contentious-Administrative Chamber of the National Court,
in accordance with the provisions of article 25 and section 5 of the additional provision
Fourth nal of Law 29/1998, of July 13, regulating the Contentious Jurisdiction-

administrative, within a period of two months from the day following the notification
tion of this act, as provided in article 46.1 of the aforementioned Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the interested party

do manifests its intention to file a contentious-administrative appeal. Of being
In this case, the interested party must formally communicate this fact in writing
addressed to the Spanish Agency for Data Protection, presenting it through the Re-
Electronic registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or to
through any of the other records provided for in art. 16.4 of the aforementioned Law

39/2015, of October 1. You must also forward the documentation to the Agency
that certifies the effective filing of the contentious-administrative appeal. If the
Agency was not aware of the filing of the contentious-administrative appeal
trative within two months from the day following notification of this
resolution, would terminate the precautionary suspension.



                                                                                  938-131120
Mar Spain Martí
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/9











Director of the Spanish Agency for Data Protection















































































C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es