AEPD - E/02666/2020
|AEPD - E/02666/2020|
|Relevant Law:||Article 14 GDPR|
Article 35 GDPR
|Parties:||AYUNTAMIENTO DE FUENLABRADA|
|National Case Number/Name:||E/02666/2020|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
The use of drones by the municipality of Fuenlabrada (Spain) for vehicle traffic control purposes was deemed compliant with GDPR by the Spanish DPA.
A claim was filled against the municipality of Fuenlabrada (Spain) because of its usage of drones in order to control vehicle traffic. The claim concerned the lack of communication of the identity of the controller and of the place where to exercise data subjects' rights.
The municipality of Fuenlabrada pointed out that the information on the processing operation is shared through electronic means, through the social networks of the Local Police, through posters in the interested areas, and publication on the website of the City Municipality.
The Spanish DPA asked the municipality of Fuenlabrada to provide copy of the Data Protection Impact Assessment (DPIA) completed before the processing activity. The municipality did not complete a DPIA because it considered that risk for data subjects would be "acceptable".
Is the municipality of Fuenlabrada complying with the obligation of providing information on the processing activity? Was the municipality of Fuenlabrada supposed to carry out a DPIA?
The Spanish DPA considered that the defendant fulfilled the duty of information in accordance with GDPR.
The Spanish DPA considered that Article 35 GDPR applies in this case and thus a DPIA is necessary. The controller has therefore carried out the aforementioned evaluation and provided a copy of it. In the DPIA is concluded that the images recorded with the drones do not have to be treated especially sensitive and may not affect the rights or freedoms of people, since, except for pedestrians that can be visualized momentarily (that are not usually recognizable), in these recordings only vehicles appear in traffic, so the treatment itself would not offer a special risk. Therefore, the controller considers that the treatment can be carried out with the measures taken so far and without the need to apply more incisive measures, specifying that the sum of circumstances that occur in this treatment and the type of personal data that is treated implies that the residual risk is acceptable.
Taking in consideration this ex post DPIA, the Spanish DPA concluded that the Municipality of Fuenlabrada complies with GDPR.
Share your comments here!
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/8 Procedure Nº: E / 02666/2020 RESOLUTION OF ACTION FILE Of the actions carried out by the Spanish Agency for Data Protection and based on the following FACTS FIRST: The claim filed by A.A.A. (hereinafter, the claimant) has entry dated October 8, 2019 in the Spanish Agency for the Protection of Data. The claim is directed against FUENLABRADA CITY COUNCIL, with NIF P2805800F (hereinafter, the claimed one). The reasons on which you base the claim are “It has started in Fuenlabrada (Madrid) surveillance and control of traffic in different areas of the town using a drone from the aerial surveillance section. These areas have been marked incorrectly as they are not indicated or responsible for the treatment or where the rights can be exercised. The information has been published on the social network Twitter with a video where appreciate the cited faulty signage. Explicit mention is also made in a tweet to the signal clearly seeing that it does not comply with the RGPD. […] " Along with the claim, provide a document referring to the tweets indicated in the claim. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), with reference number E / 10122/2019, a transfer of said claim to the defendant, so that it could proceed to its analysis and inform this Agency within a month, of the actions carried out to adapt to the requirements provided in the data protection regulations. On December 2, 2019, this Agency received a written statement of answer in which it is stated that the person responsible for the treatment is the Police Local of the Fuenlabrada City Council, since according to Organic Law 4/1997, of 4 of August, which regulates the use of video cameras by the Forces and Corps of Safety in public places, the installation and use of these devices will be carried out by the authority in charge of traffic regulation. The Royal Legislative Decree 6/2015, of October 30, which approves the Law on Traffic, Circulation of Vehicles to Motor and Road Safety, contemplates the powers of the Municipalities in matters of traffic and Royal Decree 596/1999, which develops Organic Law 4/1997, states in the point 4 of the Sole Additional Provision that the use of mobile means of image capture and playback (as in the case of drones) will not require resolution of the Municipal Administration. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/8 It also points out that the information on the processing of data through drones It is facilitated through electronic means, through the Police social networks Local, by means of posters in the areas of influence of the drones (one appropriate to the Royal Decree 596/1999 that is published on social networks and another appropriate to the LOPDGDD so that drivers who circulate on the affected roads can know the person responsible for the treatment and the email where to exercise their rights), and publication on the website of the City Council. They have included these treatments in the Register of Data Processing Activities of the City Council and have carried out a risk analysis to establish security measures relevant. Regarding the flights that are carried out to guarantee citizen security, the Local Police always request permission from the Government Delegation informing of the flight plan and dates, the Delegation determining the guarantees that must be be established to respect the privacy of people. THIRD: On December 20, 2019, a copy of the document is requested that contains the evaluation of the impact on data protection of the treatment carried out through the drones used by the City Council and, once It has been verified that this treatment is not included in the record of activities of treatment published on the website of the City Council, the inclusion of this treatment in the aforementioned registry. On January 3, 2020, this Agency receives a letter stating that states that no impact assessment is provided because it is not considered necessary. Yes, a risk analysis has been carried out with the "Manage" tool getting the result of ACCEPTABLE. Links are provided to the Registry of Treatment Activities where the one related to drones is now included as well as links to the Municipal Police website where the activity is mentioned carried out with drones and shows the poster that is published on social networks the days the devices are used .. They present a copy of the risk analysis. THIRD: On March 12, 2020, the Director of the Spanish Agency for Data Protection agreed to accept for processing the claim presented by the claimant. SECOND: The Subdirectorate General for Data Inspection proceeded to carry out of previous investigative actions to clarify the facts that are the object of the of the claim. On February 2, 2021, the action report is issued previous research in which the following are highlighted: “Asked the City Council to specify if the use of drones is carried out with traffic control purposes, for the prevention of criminal acts and protection of persons and goods, or both, and in the case of one or the other case, present in this Agency the mandatory impact assessment in case of "systematic observation of large scale of an area of public access "—in compliance with article 35.2 c) of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) - or the opinion of the Video Surveillance Guarantees Committee of the Delegation C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/8 of Government, dated September 18, 2020, this Agency receives, brief of allegations stating the following: Regarding the purpose of the drone and image capture. - Drones are used to control traffic in trouble spots and register the possible infractions that take place. - Flights usually occur once a month or at most twice a month. - In the place and at the time of the flight, informational posters of the video surveillance, and also communicates through social networks the day and time in which it is will produce the flight. - The frames try to be as accurate as possible and are aimed at capturing of traffic, being accidental the recording of pedestrians or passers-by. The images are recorded on the drone's memory card and if necessary to present proof of any infraction, they would be transferred and stored in a pendrive. The images are used only as evidence in the case of registering any infraction, not being viewed after the recording unless, in the course of this, there is any infraction in terms of road safety and image recovery is necessary. - The images on the card are deleted, being replaced by the new ones, in the next flight of the drone, and those stored on the pendrive, are deleted when they have rescued the useful parts of the recording. - There is no publication or publicity of the images by any channel, these being completely confidential from the moment of its capture until its elimination. - The only personal data collected, and that may appear reflected in the image, is the license plate of the vehicle, but in this context it responds to the capture of the data minimum personnel necessary for the police to know the author of the infringement and contact him. Regarding the impact assessment requested by this Agency: - They state that the treatment that is being mentioned could be classified among which the AEPD itself in its guide "Drones and data protection" classifies as “Operations with risk of processing personal data in a collateral way or inadvertent ”not being, in any case, the purpose of this activity the capture of images of people that, if filmed, would be a circumstance totally accidental and marginal. - Notwithstanding the foregoing, as requested by this Agency, attach an impact assessment carried out by the Fuenlabrada Local Police Service with the collaboration of the Data Protection Department of the Fuenlabrada City Council. - In said evaluation, the following threats and risks are detected (i) Possibility of drone crash and loss of images. (ii) Possibility of accessing the credit card C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/8 memory of the drone and (iii) Possibility of loss of the pendrive where the images. In this sense, they point out that the probability of the first threat is very low because in this case there are always the flight operators for the collection of the drone, and regarding the preservation of the images, both the drone and the pendrive remain in the municipal police facilities guarded by this, being accessible only by those people related to the treatment. - This evaluation is completed by indicating that after analyzing these risks and the treatment of the data is concluded that they are not images especially sensitive or that may affect the rights or freedoms of people, since, except for a pedestrian that can be seen momentarily, which also does not usually be recognizable, in these recordings only vehicles appear in transit, so they understand that the treatment itself poses no special risk. Therefore, they estimate that the treatment can be carried out with the measures taken until the moment and without the need to apply more incisive measures, specifying that the sum of circumstances that occur in this treatment and the type of personal data that it is treated implies that the residual risk is acceptable. " FOUNDATIONS OF LAW I In accordance with the investigative and corrective powers that article 58 of the RGPD granted to each supervisory authority, and in accordance with the provisions of article 47 of the LOPDGDD, is competent to resolve these investigation actions the Director of the Spanish Agency for Data Protection. II These actions have their origin in the claim presented about the lack of adequacy to the RGPD of the information provided to those affected by the responsible for data processing derived from the video surveillance system of the traffic through drones in the Fuenlabrada municipality. Article 22 of the LOPDGDD, which has the heading "Treatments for the purpose of video surveillance ", provides in section 6 that" The processing of personal data from images and sounds obtained by using cameras and video cameras by the Security Forces and Bodies and by the competent for surveillance and control in prisons and for control, regulation, surveillance and discipline of traffic, will be governed by the legislation of transposition of Directive (EU) 2016/680, when the treatment is for the purpose of prevention, investigation, detection or prosecution of criminal offenses or execution of criminal sanctions, including protection and prevention against threats to public safety. Outside of these assumptions, said treatment is will be governed by its specific legislation and additionally by Regulation (EU) 2016/679 and this organic law. " C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/8 In accordance, therefore, with the transcribed precept, and taking into account that the purpose stated by the person in charge is to control traffic in prevention of infractions but does not respond to an objective of prevention, investigation or prosecution of criminal offenses, it is necessary to resort to the legislation specific information on the use of video cameras by the Forces and Corps of Security in order to determine the provisions on data protection that They will be applicable to the treatment carried out. This legislation, which is constituted by Organic Law 4/1997 and its implementing regulations, only includes certain provisions regarding the retention period of recordings or the information to be provided to interested parties, while establishing - in the Eighth additional provision of the aforementioned Organic Law 4 / 1997— a reference to the general data protection regulations when it states that “the installation and use of camcorders and any other means of capturing and reproducing images for the control, regulation, surveillance and discipline of traffic will be carried out by the authority in charge of regulating traffic for the purposes set forth in the text Articles of the Law on Traffic, Circulation of Motor Vehicles and Road Safety, approved by Legislative Royal Decree 339/1990, of March 2, and other regulations specific in the matter, and subject to the provisions of Organic Laws 5/1992, of October 29, of Regulation of the Automated Treatment of the Data of Personal Character, and 1/1982, of May 5, of Civil Protection of the Right to Honor, to Personal and Family Intimacy and Self Image, within the framework of the principles of use of the same provided for in this Law. " Sitting, therefore, the data protection regulations will apply to the treatments derived from a traffic video surveillance system, both by application supplementary of the RGPD and LOPDGDD in matters not provided for by specific legislation as by the legislator's own will that this type of treatment complies with current regulations on data protection, the duty of information must comply with the provisions of said standards. In the specific case that is the object of this procedure and in accordance with the evidence available, it can be affirmed that the defendant fulfills the duty of information in accordance with the provisions of the data protection regulations. So and As indicated in the second fact, the information on the treatment of Data through drones is facilitated through electronic means, through the Social networks of the Local Police, through posters in the areas of influence of the drones (one appropriate to Royal Decree 596/1999 that is published on social networks and another appropriate to the LOPDGDD so that drivers who circulate on the roads affected can know the person responsible for the treatment and the email where exercise their rights), and publication on the website of the City Council. III In another vein, article 35 of the RGPD, referring to the impact assessment regarding data protection provides: "one. When a type of treatment is likely, in particular if you use newer Technologies, by their nature, scope, context or purposes, pose a high risk to the rights and freedoms of natural persons, the data controller carry out, before the treatment, an evaluation of the impact of the operations of C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/8 treatment in the protection of personal data. A single evaluation may address a series of similar treatment operations involving high risks Similar. […] 3. The impact assessment relating to the protection of the data referred to in the section 1 will be required in particular in case of: a) systematic and exhaustive evaluation of personal aspects of natural persons that is based on automated processing, such as profiling, and on the basis of which decisions are made that produce legal effects for people physical or significantly affecting them in a similar way; b) large-scale treatment of the special categories of data referred to in the Article 9, paragraph 1, or personal data regarding convictions and offenses penalties referred to in article 10, or c) large-scale systematic observation of a public access area. 4. The supervisory authority shall establish and publish a list of the types of operations of treatment that require an impact assessment related to the protection of data in accordance with section 1. The supervisory authority shall communicate these lists to the Committee referred to in Article 68. […] " As can be seen, the aforementioned article establishes that this evaluation of impact will be necessary for those data processing that may involve is likely to be a high risk and makes explicit in its section 3, a non-exhaustive list of assumptions to which this obligation reaches, to which it will be necessary to add, in the case Spanish, those cases that meet the criteria that have been published by this Agency in accordance with the provisions of article 35.4 of the RGPD. Applying the aforementioned article 35.3 to the specific case that is the object of these actions, note that the traffic surveillance system meets the above characteristics in section c), because: 1. It is a systematic observation since it responds to observations carried out by a system and is part of a traffic control strategy. 2. It is a large-scale treatment in that the images that are susceptible to be captured correspond to an area of influence. 3. Data processing is carried out in publicly accessible areas. In addition, it should be taken into account that the aforementioned treatment would comply with another of the requirements that both the European Data Protection Committee and the Agency Spanish Data Protection considered as indicative of setting up a probable high risk, which is to make use of technological innovations. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/8 Therefore, and based on the foregoing, it can be considered that the processing of data in The issue requires a prior impact assessment. Now in this sense, if It is true that the Local Police of the Fuenlabrada City Council had not carried out said evaluation since the risk analysis carried out previously had given as a result that of ACCEPTABLE, it is not less than after the requirement of information made by this Agency, the person in charge has made the aforementioned evaluation, of which you attach a documentary copy in your answering brief of 18 September 2020 and in which it is concluded that some images would not be treated especially sensitive or that may affect the rights or freedoms of the people, since, except for a pedestrian that can be visualized momentarily, that Furthermore, it is not usually recognizable, in these recordings only vehicles appear in traffic, so the treatment itself would not offer a special risk. Therefore, the responsible considers that the treatment can be carried out with the measures taken so far and without the need to apply more incisive measures, specifying that the sum of circumstances that occur in this treatment and the type of personal data that is treated implies that the residual risk is acceptable. IV Once analyzed, therefore, the evidence available at present procedure, this Agency considers that the data processing carried out by the drone video surveillance system launched by the Local Police of Fuenlabrada complies with data protection regulations. Therefore, in accordance with the provisions, by the Director of the Spanish Agency for Data Protection, IT IS AGREED: FIRST: PROCEED WITH THE FILING of these actions. SECOND: NOTIFY this resolution to the claimant and claimed. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/8 Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, and in accordance with the provisions of the arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, interested parties may file, optionally, an appeal for reconsideration before the Director of the Agency Spanish Data Protection within a period of one month from the day following notification of this resolution or directly contentious appeal administrative before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and paragraph 5 of the provision Additional fourth of Law 29/1998, of July 13, regulating the Jurisdiction Contentious-Administrative, within two months from the next day upon notification of this act, as provided in article 46.1 of the aforementioned Law. 940-0419 Mar Spain Martí Director of the Spanish Agency for Data Protection 28001 - Madrid 6 sedeagpd.gob.es