AEPD (Spain) - PS/00618/2022
|AEPD - PS/00618/2022|
|Relevant Law:||Article 6(1) GDPR|
Article 13 GDPR
Article 83(5) GDPR
|National Case Number/Name:||PS/00618/2022|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
English Summary[edit | edit source]
Facts[edit | edit source]
A resident has installed, without the authorization of the Comunidad de Propietarios ("Community of Property Owners"), video surveillance cameras oriented to common areas of said Community/neighborhood, with signs of video surveillance area without information of the data controller, the purpose of the system and the proper address for the exercise of data subject's rights.
Holding[edit | edit source]
The Spanish DPA highlighted that in order to install cameras in common areas, it is necessary to have the authorization of the Neighbors Council, the request must be presented in the corresponding agenda of the Council's meeting and the approval must follow the terms of the LPH (Horizontal Property Law).
AEPD also stated that cameras installed by private individuals must be oriented towards their private space, avoiding the capture of the private area of third parties.
In its conclusion, AEPD stated that there was no informative poster(s) with an effective address or information identifying the data controller and that in no case shall the use of surveillance practices be allowed beyond the surroundings of the installation and in particular, they may not affect surrounding public spaces, adjacent buildings and vehicles other than those accessing the monitored space.
Security cameras installed in private spaces may not obtain images of public spaces, since the security function of public spaces corresponds exclusively to the State Security Forces and Corps. Likewise, in the case of false cameras, they must be oriented towards a private area to avoid intimidation of adjacent neighbors who do not know whether or not they are processing personal data.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/7 File No.: EXP202209511 RESOLUTION OF SANCTIONING PROCEDURE From the procedure instructed by the Spanish Data Protection Agency and based to the following BACKGROUND FIRST: A.A.A. (*hereinafter, the complaining party) dated August 23, 2022 filed a claim with the Spanish Data Protection Agency. The claim- tion is directed against B.B.B. with NIF ***NIF.1 (hereinafter, the claimed part). The The reasons on which the claim is based are the following: “has installed, without authorization from the Community of Owners in which it has your home, video surveillance cameras aimed at common areas of said Community. ity, having installed video surveillance zone signs without information on the person in charge. know about the treatment and the direction to go for the exercise of rights”—folio nº1--. Provides images of the location of the cameras at the access door to the home (Annex I). SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), said claim was transferred to the claimed party in faith. cha 09/14/22 and 10/10/22, to proceed with its analysis and inform this Agency within one month, of the actions carried out to adapt to the requirements provided for in the data protection regulations. After consulting the database of this Agency, it is clear that the attempt(s) to notify cation of this organization was returned by the official Post and Telegraph Service for “Absent in delivery”. THIRD: On November 15, 2022, in accordance with article 65 of the LOPDGDD, the claim presented by the complaining party was admitted for processing. FOURTH: On January 17, 2023, the Director of the Spanish Agency for Data Protection agreed to initiate sanctioning proceedings against the claimed party, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (hereinafter te, LPACAP), for the alleged violation of Article 6.1 and 13 of the RGPD, typified in the Article 83.5 of the GDPR. FIFTH: The database of this organization was consulted on April 19, 2023 It is clear that the notification was carried out by the Official Post and Telegraph Service. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/7 on 01/30/23 and a second notification attempt on 01/31/23 leaving “notice” in the claimant's mailbox. Item was published via B.O.E on 02/15/23 in accordance with article 44 of Law 39/2015 (October 1) as the postal notification made. SIXTH: On 02/20/23, a request for collaboration is requested from the Forces and State Security Corps to travel to the scene of the events, without that any response has been produced to date. SEVENTH: On 04/27/23, <Proposal for Resolution> is issued through the which confirms the presence of a camera in a community area without having a sign informative, which justifies the proposal of a penalty of €1,500 (€1,000+€500) for the violation of articles 6 and 13 GDPR. EIGHTH: On 05/26/23, the associated proposal is published in the B.O.E. to PS/00618/22 after postal notification to the associated address was unsuccessful to the investigated (responsible). Of the actions carried out in this procedure and the documentation recorded in the file, the following have been accredited: PROVEN FACTS First. The facts give rise to the claim dated 08/23/22 through the which transfers the following facts: “has installed, without authorization from the Community of Owners in which it has your home, video surveillance cameras aimed at common areas of said Community. ity, having installed video surveillance zone signs without information on the person in charge. know about the treatment and the direction to go for the exercise of rights”—folio nº1--. Second. B.B.B. is accredited as the main person responsible. with NIF ***NIF.1. Third. The presence of video surveillance cameras installed in community area without informing the person responsible for processing the data or the final ity of the system. Room. There is no evidence that the defendant has proceeded to inform the governing bodies of the Community of owners, nor has it proceeded to place an informative badge. I command that it is a video-surveillance area. FOUNDATIONS OF LAW C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/7 Yo In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (Re- General Data Protection Regulation, hereinafter RGPD), grants each authorization control and in accordance with the provisions of articles 47, 48.1, 64.2 and 68.1 of the Law Organic 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Data Protection Agency. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed ted by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions- dictated in its development and, insofar as they do not contradict them, with a sub- subsidiary, by the general rules on administrative procedures." II In the present case, we proceed to examine the claim that is being transferred to this Agency through which the presence of a video surveillance camera is communicated in common areas, affecting the rights of third parties without authorization from the board of owners. To install cameras in common areas, authorization from the Board is required. of neighbors of the property, and must request it in the corresponding order of the day, and must in all cases be approved in the terms of the LPH (Property Law). Horizontal). Individuals are responsible for ensuring that the video surveillance systems installed are comply with current legislation, and must be able to prove such extremes. before the competent authority. Cameras installed by individuals must be oriented towards their private space. vative avoiding the capture of third parties' private area without justified cause. In no case will the use of surveillance practices beyond the target environment be permitted. of the installation and in particular, not being able to affect the surrounding public spaces. dantes, adjacent buildings and vehicles other than those that access the monitored space. Security cameras installed in private spaces will not be able to obtain images. tions of public spaces, the security function of public spaces corresponding It exclusively applies to the State Security Forces and Bodies. Likewise, in the case of false cameras, they must be oriented towards the private area, avoiding intimidation to the neighboring neighbors who do not know They do not know whether or not they process personal data. Fake cameras can also affect personal privacy. sonal of the claimed, in such a way that it is a criterion maintained by this Agency that They limit their radius of action (orientation) towards the private area, respecting the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/7 tranquility of the private life of the affected person, who does not have to know the nature- of the system, but also cannot bear to be intimidated by it in its sphere personal and/or domestic. Remember that there are less invasive measures for the protection of property. privacy, such as alarm systems or interior cameras, avoiding the use of this type of cameras in outdoor areas that affect neighbor coexistence. nal. III In accordance with the evidence provided in this document, sanctioning procedure, it is considered that the claimed party has proceeded to install a camera on the common wall affecting the common area, without having the backup necessary for this in the terms set forth. The evidence provided allows us to verify the irregularities described in the claim, as well as the obvious misorientation of the device that affects areas common and with them to the data of third parties without justified cause. The known facts constitute an infringement, attributable to the party claimed, for violation of the content of article 6.1 letter e) RGPD. e) the processing is necessary for the fulfillment of a mission carried out in public interest or in the exercise of public powers conferred on the person responsible for the treatment (…). Article 72.1 letter b) LOPDGDD (LO 3/2018), “Based on what is established- ce article 83.5 of Regulation (EU) 2016/679 are considered very serious and prescribed. Infractions that involve a substantial violation of the rights of the articles mentioned in that and, in particular, the following: b) The processing of personal data without any of the conditions concurring. ns of legality of the treatment established in article 6 of the Regulation (EU) 2016/679. IV The claim reflects the claimant's statement of absence of information on the information sign that indicates the purpose of the “treatment” or the responsible for the same for the appropriate legal purposes. “The duty of information provided for in article 12 of the Regulation (EU) 2016/679 will be understood to be fulfilled through the placement of an information device. in a sufficiently visible place identifying, at least, the existence of the treatment. to, the identity of the person responsible and the possibility of exercising the rights provided for in Articles 15 to 22 of Regulation (EU) 2016/679. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/7 A connection code or code may also be included in the information device. Internet address to this information” (*bold belongs to this organization)—art. 22 section 4 of the LOPDGDD--. The events described above imply an impact on the content of the article 13 RGPD, lacking informative sign(s) with an effective address to the that, where appropriate, be able to address or indicate, where appropriate, the main person responsible for the treatment. ment of the data. Article 13 GDPR “Information that must be provided when the data per- “sonals are obtained from the interested party.” 1. When personal data relating to him or her is obtained from an interested party, the res- responsible for the treatment, at the time these are obtained, will provide you with all the information indicated below: a) the identity and contact details of the person responsible sable and, where appropriate, his representative; b) the contact details of the product representative data protection, if applicable; c) the purposes of the processing for which the data are intended personal and the legal basis of the treatment (…). Article 72 section 1 of the LOPDGDD (LO 3/2018, December 5) in relation to tion to the limitation period for very serious infractions “the three years” and in particular the following: h) The omission of the duty to inform the affected person about the treatment of their personal data in accordance with the provisions of articles 13 and 14 of the Regulation (EU) 2016/679 and 12 of this organic law. V The art. 83.5 GDPR provides the following: “Violation of the provisions following will be sanctioned, in accordance with section 2, with administrative fines of a maximum of EUR 20 000 000 or, in the case of a company, an equivalent amount. valued at a maximum of 4% of the total global annual turnover of the financial year. previous financial statement, opting for the highest amount: a) the basic principles for the treatment, including the conditions for the consent under articles 5, 6, 7 and 9; b) the rights of the interested parties under articles 12 to 22 (..). In the present case, it is taken into account when motivating the sanction that it is a particular, although the events must be classified as serious, as they affect communal areas. disproportionately and ignoring the recommendations of the governing bodies of the Community of owners, which justifies a sanction tion of €1,500, for the violation of article 6 RGPD (€1,000) and 13 of the RGPD (€500), upon be considered the conduct as gross negligence, a sanction located on the rior for this type of behavior. SAW C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/7 The text of the resolution establishes what infractions have been committed and the events that have given rise to the violation of the data protection regulations cough, from which it is clearly inferred what measures to adopt, without prejudice to that the type of procedures, mechanisms or specific instruments to implement tarlas corresponds to the sanctioned party, since it is the person responsible for the treatment who knows its organization fully and must decide, based on the responsibility active and risk-focused, how to comply with the RGPD and the LOPDGDD. It is warned that failure to comply with the possible order to adopt measures imposed by this body in the sanctioning resolution may be considered as an infraction. administrative action in accordance with the provisions of the RGPD, classified as an infraction in its article 83.5 and 83.6, such conduct may motivate the opening of a subsequent procedure. administrative sanctioning order. Therefore, in accordance with the applicable legislation and evaluated the graduation criteria tion of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE B.B.B., with NIF ***NIF.1, for a violation of Article 6.1 and another of article 13 of the RGPD, typified in Article 83.5 letters a) and b) of the RGPD, a fine of €1,500 (€1,000+€500). SECOND: ORDER the defendant so that within a period of 15 business days from from the following to the notification of this act: -Remove the data collection device(s) from its current location. images of community area. -Proceed to provide a photograph (date and time) of the before and after that proves uninstalling the system. THIRD: NOTIFY this resolution to B.B.B.. FOURTH: Warn the sanctioned person that he must make the sanction imposed effective once this resolution is executive, in accordance with the provisions of the art. 98.1.b) of Law 39/2015, of October 1, of the Administrative Procedure of the Public Administrations (hereinafter LPACAP), within the voluntary payment period. lunary established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by entering it, indicating the NIF of the sanctioned person and the number of procedure that appears in the heading of this document, in the account restricted IBAN number: ES00 0000 0000 0000 0000 0000 (BIC/SWIFT Code: XXXXXX- XX), opened in the name of the Spanish Data Protection Agency in the entity bank CAIXABANK, S.A.. Otherwise, it will be collected in person. executive river. Once the notification is received and once enforceable, if the enforceable date is between the 1st and 15th of each month, both inclusive, the period to make the voluntary payment voluntary will be until the 20th of the following month or immediately following business month, and if C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/7 falls between the 16th and last day of each month, both inclusive, the payment period is until the 5th of the second following or immediately following business month. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the inter- rescheduled may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month from the day following notification of this resolution or directly contentious appeal administrative before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the additional provision final fourth of Law 29/1998, of July 13, regulating the Contentious Jurisdiction- administrative, within a period of two months counting from the day following the notification. tion of this act, as provided for in article 46.1 of the aforementioned Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party do expresses his intention to file a contentious-administrative appeal. If so- If applicable, the interested party must formally communicate this fact in writing. addressed to the Spanish Data Protection Agency, presenting it through the Re- Electronic register of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or to through one of the remaining records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also transfer the documentation to the Agency that proves the effective filing of the contentious-administrative appeal. If the Agency was not aware of the filing of the contentious-administrative appeal treatment within a period of two months from the day following notification of this resolution, would end the precautionary suspension. 938-181022 Sea Spain Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es