AEPD - PS/00027/2019 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(b) GDPR Article 83(5) GDPR Article 77.1(c) LOPDGDD Article 77.2 LOPDGDD Article 77.4 LOPDGDD Article 77.5 LOPDGDD Article 77.6 LOPDGDD |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | n/a |
Published: | 6. 3.2020 |
Fine: | None |
Parties: | Anoymous Ministry for Internal affairs |
National Case Number/Name: | PS/00027/2019 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in es) |
Initial Contributor: | n/a |
The AEPD issued a reprimand to the Ministry of internal affairs due to their misuse of surveillance cameras in a police station. The controller did not inform about the specific purposes of the surveillances cameras which were used for the employees' monitoring and, thus, breached the principle of purpose limitation.
English Summary
Facts
Prior to the entry in force of the GDPR, a police inspector requested a copy of the surveillance cameras in a police station. Although the cameras were installed for the “security and protection” of the detainees and the police station, he requested the copy to check if one of the police officers followed his instruction: to wear the regulatory uniform. While, there was no proof that disciplinary procedure has been initiated, the copy of the images has been delivered.
The employee filed a complaint with the AEPD.
Dispute
The question was whether the information on the use of surveillance cameras for “security and protection” was sufficient to cover employees’ surveillance.
Holding
The AEPD ruled that the use of the cameras for the employees' surveillance was against the principle of purpose limitation, Article 5(1)(b) GDPR.
Indeed, the controller carried out a disciplinary control though surveillance cameras and did not inform the affected data subjects accordingly. Insofar the data subjects have not been properly informed of the surveillance specific purpose, the controller could not have legitimated the processing disputed on the consent.
The AEPD ruled that it constituted a misused of the system and as mentioned in another court case-law, “it was necessary to expressly, precisely, clearly and unequivocally inform the workers of the monitoring purpose with a prior notice” and that “it should specify the characteristics and scope of the data processing to be carried out, i.e. in which cases the recordings could be examined, for how long and for what purposes, explaining in particular that they could be used to impose disciplinary measures for breaches of the employment contract”.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the **Spanish** original. Please refer to the **Spanish** original for more details.
### DISCIPLINARY PROCEDURE RESOLUTION From the procedure conducted by the Spanish Data Protection Agency and based on the following ### BACKGROUND **FIRST:** On 22/05/2018, a complaint was received from A.A.A. against the PROVINCIAL COMMISSIONER OF ***CITY.1 OF THE NATIONAL POLICE FORCE for the use of images from the police station's surveillance system to initiate a disciplinary procedure, deviating from the intended purpose of the system, and without being informed that this device could be used for such a purpose. Additionally, there was a lack of proportionality in its use. The complainant, an Inspector of the CNP, holds the position of ***POSITION.1 in a police group of the ***BRIGADE.1 of the ***CITY.1 police station. He states that he performs his duties in rotating shifts and in uniform assigned to the Citizen Security Brigade. On the night of ***DATE.1, he was on duty and at 23:30, Inspector ***POSITION.2 of the Provincial Brigade of Citizen Security, B.B.B., along with the ***POSITION.1 (head of the police station), came to the station. At that time, the officers were about to have dinner, and the complainant was wearing a black fleece over his uniform due to the cold in the station's premises. Images captured by the station's detainee surveillance system, where he is seen as mentioned, were used to initiate a disciplinary procedure against him. The complainant notes that there were no detainees that night, and the images were requested by Inspector ***POSITION.2 on ***DATE.3 to "sanction the complainant for improper uniformity." The images were procured by the telecommunications officer on ***DATE.2. He argues that the use of these images for this purpose is inappropriate, as there were other officers present who could have testified about the incident. The Ministry of the Interior's instruction 12/2015 states that detention centers must have a video surveillance system to ensure the physical security of the detained persons and the officers in charge of their custody. He provides a partially redacted copy of: 1. A statement made by Inspector ***POSITION.2, B.B.B., on ***DATE.3, as "denounced," in relation to the "workplace harassment" complaint filed by the complainant. In this statement, derived from judicial proceedings, the Inspector mentions that he saw the complainant on the night of ***DATE.1 because he went to deliver a leave denial notice and saw him without the proper uniform. He admonished him and requested the next morning to obtain a copy of the surveillance images near the lobby of his office to check if he had changed and complied with the order. "Since he later took medical leave, no disciplinary action was taken." 2. A statement (with numerous redactions) from the Commissioner, as a witness, stating that Inspector ***POSITION.2 informed him of the complainant's uniform infraction and the next morning the Inspector told him he had requested the lobby surveillance footage to verify compliance. 3. A statement from the telecommunications officer, as a witness, indicating that he received an order to obtain a copy of the images from 00:00 to 04:00 on ***DATE.2, "later learning that the purpose of the request was to check if ***POSITION.1 was wearing the proper uniform." A copy of the act of delivery of recordings from ***DATE.2 at the request of Inspector ***POSITION.2 is provided. **SECOND:** In view of the reported facts, the Data Inspection Subdirectorate forwards the complaint to the DIRECTORATE GENERAL OF THE POLICE to send the relevant documentation related to the actions taken by the data controller in connection with the reported facts, including: 1. Clear specification of the reasons for the incident that led to the complaint. 2. Details of the measures taken by the controller to resolve the incident and prevent similar incidents. 3. Documentation showing that appropriate measures have been taken under Article 12 of the GDPR to facilitate the exercise of the affected party's rights under Articles 15 to 22, including full copies of communications sent in response to requests made. 4. Documentation showing that the complainant's right to be informed about the course and outcome of the complaint has been respected. The Directorate General of the Police, on 03/08/2018, regarding the use of surveillance cameras at the Provincial Police Station of ***CITY.1, states: a) An attached report from the Informatics and Communications Unit of the Central Logistics and Innovation Directorate of the Directorate General of the Police. It indicates that "the management of the CCTV equipment installed in the cells of the ***CITY.1 police station is conducted from the station itself" and continues with details about the system. **THIRD:** On 05/09/2018, the respondent indicates that there has been no response from the Data Protection Officer, and on 05/12/2018, another letter indicating no response from the AEPD. The same type of letter from the complainant stating no response was received on 21/02/2019 and 13/03/2019. On 04/03/2019, a letter was sent informing him of the status of his complaint. **FOURTH:** On 01/04/2019, the Director of the AEPD agreed to: "initiate disciplinary proceedings against the Ministry of the Interior-Directorate General of the Police (Provincial Police Station of ***CITY.1 of the National Police Force) for the alleged infringement of Article 5.1.b) of the GDPR, classified as an infringement under Article 83.5.a) of the GDPR." In the notice sent through the notifi@ platform, it is certified: "The Electronic Notifications Service and Electronic Address Service Support Service CERTIFIES: - That the Ministry of Territorial Policy and Public Function (through the General Secretariat of Digital Administration) is currently the holder of the Electronic Notifications Service (SNE) and Electronic Address Service (DEH) under Order PRE/878/2010 and Royal Decree 769/2017, of July 28. The service provider since June 26, 2015, is the National Currency and Stamp Factory-Royal Mint (FNMT-RCM), according to the Management Commission in force from the Ministry of Finance and Public Administrations. - That the notification was sent through this service: Reference: 94162555ca5cd5c8ab84 Acting Administration: Spanish Data Protection Agency (AEPD) Holder: DIRECTORATE GENERAL OF THE POLICE-SERVICES CENTRAL-MIR - S2816015H Subject: "Notification available in the folder or DEH of the indicated holder" with the following result: Date of availability: 07/04/2019 05:00:38 Automatic rejection date: 15/04/2019 00:00:00 Automatic rejection occurs, in general, after ten calendar days from its availability for access according to paragraph 2, article 43, of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations. Specifically, the deadline set by the acting Administration according to the applicable legal regulations has been exceeded. The LPCAP adds in its article 14 "Right and obligation to communicate electronically with Public Administrations": 2. In any case, the following subjects are required to communicate electronically with Public Administrations for any procedure of an administrative procedure: a) Legal persons." And it is specified in article 41 "General conditions for the practice of notifications": 1. Notifications will preferably be made electronically and, in any case, when the interested party is obliged to receive them by this means. However, the Administrations may practice notifications by non-electronic means in the following cases: a) When the notification is made on the occasion of the spontaneous appearance of the interested party or their representative in the offices of assistance in matters of registration and requests personal communication or notification at that time. b) When to ensure the effectiveness of the administrative action, it is necessary to practice the notification by direct delivery by a public employee of the notifying Administration. Regardless of the means used, notifications will be valid as long as they allow verification of their dispatch or availability, receipt or access by the interested party or their representative, their dates and times, the full content, and the reliable identity of the sender and recipient. Proof of the notification will be incorporated into the file." As a result, the notification of the agreement is considered to have been produced with all legal effects. **FIFTH:** A copy of the 1/2012 instruction of 1/10/2015, (numbered as 12/2015) from the Secretary of State for Security (SES), approving the "protocol of action in the custody areas of detainees of the forces and bodies of state security," was obtained from the web. It is incorporated into the file as associated object 2 in the managing application. It states: 2 f. Video surveillance: The detention centers of the State Security Forces and Bodies will have video surveillance systems with recording to guarantee the physical integrity and security of the detained persons and the police officers in charge of their custody. This recording must be permanently active, regardless of whether the custody officers must maintain permanent control of the cells through video surveillance means. The video surveillance systems will be governed by the provisions of Organic Law 4/1997, of 4/08, which regulates the use of video cameras by the Security Forces and Bodies in public places. In no case may they allow the visualization of toilet areas to preserve the privacy of detained persons. A copy of instruction 4/2018, signed on 14/05/2018 by the SES, which updates the "protocol of action in the custody areas of detainees of the State Security Forces and Bodies" and repeals instruction 12/2015, was obtained from the internet. It is incorporated into the file as associated object 1 in the managing application. It states in its point 2.f): "Video surveillance: The detention centers of the State Security Forces and Bodies will have video surveillance and recording systems that allow viewing under the light conditions of their compartments to guarantee the physical integrity and security of the detained persons and the police officers in charge of their custody. This recording must be permanently active, regardless of whether the custody officers must maintain control of the cells through video surveillance means. The recordings will be kept for thirty days from their capture. After this period, they will be destroyed unless an incident occurs during the custody of a detainee or they are related to serious or very serious criminal or administrative offenses in public security matters; an ongoing police investigation; or an open judicial or administrative procedure. In these cases, the recording will be kept at the disposal of the competent Authorities." **SIXTH:** During the evidence period, the respondent is notified on 24/06/2019 of the beginning of the evidence period, requesting: - A sketch of the ***CITY.1 police station where the events occurred, showing the location of the camera that captured the image of the complainant and the type of room where the images were captured and selected. A color image of the field captured by the camera identifying the spaces it focuses on. - Indicate whether the officers providing custody and guard services to detainees have been given a guide explaining the use or purpose of these cameras and whether they have been informed that they may be subject to disciplinary action, under what circumstances, and how they have been informed. Specifically, the complainant. - If the complainant has been sanctioned, a copy of the resolution, a copy of the documents in the procedure, and if there is administrative and/or judicial appeal. - The position/hierarchy of the person requesting the extraction of the images and whether the Directorate General of the Police has issued any instructions on requesting data from the video surveillance systems, the procedures to follow when requesting such data, the registration of requests, who decides whether to deliver them, and if their preparation is deemed appropriate. - Whether, at a disciplinary level, the person who requested the extraction of images can initiate a disciplinary procedure, the steps to follow. A copy of the initiation agreement is sent so that the respondent can read and understand it and provide the requested information and any allegations deemed appropriate. Upon receiving the notice on 8/07/2019, the respondent submits a statement without addressing the questions raised, providing: a) A report prepared by the Provincial Police Station of ***CITY.1, subject: "sending report on CCTV use for disciplinary purposes" signed by Inspector ***POSITION.2 Mr. B.B.B. on 2/01/2019. It highlights: - "At 23:30 hours on the night of ***DATE.1, the ***POSITION.1 of the police station (complainant) was in his office, observed by the Inspector, as the complainant recognizes in his statement, wearing civilian clothes two hours after starting the service." He was reprimanded and ordered to put on the uniform. "He was aware that the officer did not wear the uniform during night shifts but lacked evidence." "In anticipation that he would violate the order to be on duty in uniform again, he formally requested the CCTV system manager to view the images from the night of ***DATE.1 from 23:45 to check if he had changed and, if not, extract the necessary images to report to the Commissioner and prove it." "The Inspector-complainant took medical leave from ***DATE.4 and then reported him for workplace harassment and violations of Organic Law 4/2010 of the disciplinary regulations for violating the law on the use of video cameras. "Both complaints were dismissed" by the administrative dispatch unit. The report states that the images are obtained and used by the state security forces and bodies, governed by the relevant regulations. It mentions the 2009 reports, numbers 286 and 472 of the AEPD, on the possibility of using recordings from the CCTV system installed in police premises as evidence to demand disciplinary responsibilities, indicating that "it lacks competence to assess what evidence can or cannot be provided in a disciplinary procedure." It states that the system's purpose is the security of the police station and the protection of the building's interior and exterior. Therefore, it considers that although "they are installed for that purpose, it does not exclude their use to verify and check facts under investigation, making it relevant, legal, justified, and proportionate to use them to prove and thus determine disciplinary responsibilities if any." It is limited to cameras for public safety and controlling citizens' entry and exit schedules, including service hours. The 286/2009 report from the AEPD Legal Office, signed by the State Attorney on 12/06/2009, is associated with the procedure, found in the SIJ application managing such reports, with the following text: Ref. 177676/2009 (Union Section S.E.P.-CV of the Benidorm City Council) After examining your request for a report, submitted to this Legal Office, regarding the query raised by the Union Section S.E.P.-CV of the Benidorm City Council, I inform you as follows: The query raises several questions related to the installation of video surveillance systems by the Benidorm City Council to determine if they comply with the provisions of Organic Law 15/1999, of December 13, on Personal Data Protection. The first question is whether the City Council has obtained authorization from the Spanish Data Protection Agency to install the video surveillance system in the local police building. It is communicated that the Spanish Data Protection Agency lacks competence to authorize video surveillance systems, with its competence being to ensure that data processing from such systems complies with Organic Law 15/1999, of December 13, on Personal Data Protection, and Instruction 1/2006, of November 8 of this Agency. However, we can state that the mentioned City Council notified and registered a video surveillance file in the General Data Protection Registry, named "Access Control and Surveillance of the Police Building" and "video surveillance." In the declaration of the mentioned file, it states that the General Provision for creating the file was published in the Provincial Gazette, number 00067 and dated April 9, 2008. Regarding the period for retaining images, considering the purpose described in the file creation provision, Instruction 1/2006, of November 8, of the Spanish Data Protection Agency, on the processing of personal data for surveillance purposes through camera systems, where Article 6 states that "Data will be canceled within a maximum period of one month from their capture." Regarding the period for retaining images, the Agency has stated in the report of July 3, 2008, that "Article 6 of Instruction 1/2006, where the retention period for images is regulated, is closely related to Article 4.5 of Organic Law 15/1999, which states that 'Data will be canceled when they are no longer necessary or pertinent for the purpose for which they were collected or recorded.' This provision is reiterated in Article 8.6 of the Regulation implementing the Organic Law. The Agency's criterion, considering this principle, has been to understand that images recorded to fulfill the security purpose should be retained for a maximum of one month. Once this period is fulfilled, they should be canceled. Therefore, this period remains valid after the Regulation's entry into force as it does not oppose its provisions. Furthermore, it is important to highlight that the one-month period established in the Instruction for canceling images is not arbitrary, as the same criterion as the one set in Organic Law 4/1997, of August 4, regulating the use of video cameras by the State Security Forces in public places, which in its Article 8 states that 'Recordings will be destroyed within a maximum period of one month from their capture.' On the other hand, the Instruction explicitly states in Article 6 that 'Data will be canceled within a maximum period of one month from their capture,' meaning that once this period has passed, the images must be canceled, implying their blocking as established by Organic Law 15/1999, which in Article 16.3 states that 'Cancellation will result in blocking the data, retaining them only at the disposal of Public Administrations, Judges, and Courts to address potential responsibilities arising from the treatment during the prescription period of these responsibilities. Once this period is fulfilled, the data must be suppressed.' The query also asks whether the omission of the duty to inform about the rights of access, rectification, cancellation, and opposition of the data makes the cameras illegal. To comply with the data protection regulations, installing such cameras requires meeting certain requirements, such as the legality of processing images. Article 6.1 of Organic Law 15/1999, referred to by Article 2 of Instruction 1/2006, states that 'The processing of personal data requires the affected party's consent unless otherwise provided by law.' This necessitates a law that allows processing images without obtaining the affected party's consent. In this regard, Organic Law 2/1986, of March 13, on the State Security Forces, in its Article 11, regulates their functions, stating that '1. The State Security Forces have the mission to protect the free exercise of rights and freedoms and ensure public safety by performing the following functions: (..) c) To watch over and protect public buildings and facilities that require it.' Consequently, we can conclude that Organic Law 2/1986 legitimizes processing images collected in police premises. Furthermore, compliance with the duty to inform under Article 3 of Instruction 1/2006 and notifying and registering the file in the General Data Protection Registry is required. Additionally, allowing the exercise of the rights referred to in Articles 15 and following of Organic Law 15/1999, in the terms of Article 5 of the Instruction, is necessary. In exercising these rights, the specialities of Article 23 of Organic Law 15/1999, which regulate exceptions to access, rectification, and cancellation rights in files managed by the State Security Forces, must be considered. Lastly, the query asks if recordings obtained through the video surveillance system installed in local police premises can be used as evidence to demand disciplinary responsibilities from police officers. On this point, it must be stated that the Agency lacks competence to assess which evidence can or cannot be provided in a disciplinary procedure. However, given the purpose declared in the General Data Protection Registry, the file created is for controlling and monitoring access to the building. Therefore, if the disciplinary responsibilities derive from access to the building (police officers' entry and exit times), they could be used. They cannot be used for other purposes not declared. Lastly, if the consultant raises the existence of actions allegedly contrary to Organic Law 15/1999, a complaint must be filed with this Agency to take the necessary measures to determine whether to open the corresponding sanctioning procedure. Article 37.1.g) of the Law grants this Agency the sanctioning authority in data protection matters. In any case, the allegations made by the complainant should contain documentation proving the actual facts. The complaint must be submitted in writing and addressed to the Spanish Data Protection Agency under the terms established by Article 70 of the Law on the Legal Regime of Public Administrations and Common Administrative Procedure, containing: a) Name and surname of the interested party and, if applicable, the person representing them, as well as the identification of the preferred means or the place designated for notification purposes. b) Facts, reasons, and petition clearly specifying the request. c) Place and date. d) Signature of the applicant or proof of the authenticity of their will expressed by any means. e) Body, center, or administrative unit to which it is addressed (in this case, it would be the Data Inspection Subdirectorate of this Agency)." The 472/2009 report from the State Attorney, dated 20/10/2009, is associated with the procedure: Ref. ***REFERENCE.1 (***FOUNDATION.1) "After examining your request for a report, submitted to this Legal Office, regarding the query raised by the ***FOUNDATION.1, I inform you as follows: The query raises several questions related to video surveillance issues to adapt their actions to Organic Law 15/1999, of December 13, on Personal Data Protection, its implementing regulations, and Instruction 1/2006, of November 8, on the processing of personal data for surveillance purposes through camera systems. The first question refers to the obligation to retain blocked images. In this regard, it must be stated that the retention period for images, according to Article 6 of Instruction 1/2006, is "Data will be canceled within a maximum period of one month from their capture." Regarding the retention period for images, the Agency has stated in the report of July 3, 2008, that "Article 6 of Instruction 1/2006, where the retention period for images is regulated, is closely related to Article 4.5 of Organic Law 15/1999, which states that 'Data will be canceled when they are no longer necessary or pertinent for the purpose for which they were collected or recorded.' This provision is reiterated in Article 8.6 of the Regulation implementing the Organic Law. The Agency's criterion, considering this principle, has been to understand that images recorded to fulfill the security purpose should be retained for a maximum of one month. Once this period is fulfilled, they should be canceled. Therefore, this period remains valid after the Regulation's entry into force as it does not oppose its provisions. Furthermore, it is important to highlight that the one-month period established in the Instruction for canceling images is not arbitrary, as the same criterion as the one set in Organic Law 4/1997, of August 4, regulating the use of video cameras by the State Security Forces in public places, which in its Article 8 states that 'Recordings will be destroyed within a maximum period of one month from their capture.' On the other hand, the Instruction explicitly states in Article 6 that 'Data will be canceled within a maximum period of one month from their capture,' meaning that once this period has passed, the images must be canceled, implying their blocking as established by Organic Law 15/1999, which in Article 16.3 states that 'Cancellation will result in blocking the data, retaining them only at the disposal of Public Administrations, Judges, and Courts to address potential responsibilities arising from the treatment during the prescription period of these responsibilities. Once this period is fulfilled, the data must be suppressed.' The Regulation implementing the LOPD, approved by Royal Decree 1720/2007, of December 21, defines in its Article 5.1.b) cancellation as 'A procedure by which the controller ceases using the data. Cancellation will imply the blocking of the data, consisting of identifying and reserving them to prevent their treatment except for making them available to Public Administrations, Judges, and Courts to address potential responsibilities arising from the treatment and only during the prescription period of these responsibilities. Once this period is fulfilled, the data must be suppressed.' Regarding how to carry out the blocking, the Agency's report of June 5, 2007, stated that 'it must be done so that it is impossible for the personnel who usually have access to the data to access them, for example, the staff providing services at the consulting center, limiting access to a person with the highest responsibility and based on a judicial or administrative request for this purpose. Thus, despite the data's retention, access to them would be entirely restricted to the persons referred to.' Regarding the retention period for blocked images, we can only reiterate what was stated in the report attached by the consulting entity on February 18, 2009, which indicates 'it is impossible to establish a comprehensive list of them, mainly considering, as already indicated, the prescription periods for actions that may arise from the legal relationship binding the consultant with their client, as well as those derived from tax regulations or the three-year prescription period, provided in Article 47.1 of Organic Law 15/1999 in relation to very serious infractions.' Regarding the last question raised, it is necessary to distinguish whether the recording system is digital or not. If it is digital, there is an automated data processing, requiring compliance with the basic security measures provided in Article 94 of the Regulation implementing Organic Law 15/1999." b) A copy of the report from the General Subdirectorate of Logistics and Innovation of 3/12/2018, addressed to the "Data Protection Officer. Technical Office" It mentions the "video surveillance" file for the purpose of "guaranteeing the protection of the interior and exterior of the police stations of the National Police and the buildings, facilities, and centers monitored by it. Its use is aimed at 'security and protection.'" The system is regulated by Internal Order 1865 of 30/11/2016 of the Ministry of the Interior, modifying Order INT/1202/2011, of 4/05, regulating the personal data files of the Ministry of the Interior, BOE 12/12/2016. The single article indicates that both the new creation of the files contained and the modification are governed by the LOPD and its implementing regulations. The file "Video surveillance" is created, highlighting: a.2) Purpose: Guaranteeing the security and protection of the interior and exterior of the National Police Stations and the buildings, facilities, and centers monitored by it. a.3) Intended uses: Security and protection. b) Source of data: b.1) Group: People in video-monitored areas of the National Police Stations or the buildings, facilities, and centers monitored by it. b.2) Origin and collection procedure: Closed-circuit television. c) Basic file structure: c.1) Description of data: Identifiable data: Image/voice. c.2) Treatment system: Automated. d) Planned data communications: Judicial bodies, Public Prosecutor's Office, and other National Police services for the exercise of legally entrusted functions, as well as other Security Forces for the exercise of their public security protection functions, under Article 22.2 of Organic Law 15/1999, of December 13, in compliance with the principles of collaboration, mutual assistance, and reciprocal information established by Organic Law 2/1986, of March 13. e) Planned international data transfers to third countries: None. f) Responsible body: General Subdirectorate of Logistics, Julián González Segador Street, without number, 28043 Madrid. g) Service or Unit where the rights of access, rectification, cancellation, and opposition can be exercised: General Secretariat of the General Subdirectorate of Logistics, Julián González Segador Street, without number, 28043 Madrid. i) Security level: High. It adds that "Currently, the telecommunications area of the Informatics and Communications Unit has a procedure for processing video surveillance images, determining the following aspects:" The access control system for images consists of an alphanumeric key with two user categories: administrator with permissions for viewing and extracting images and basic user only with viewing permissions. TIC delegates have user administration permissions and, therefore, for extracting images in all provincial police stations of the National Police." **SEVENTH:** On 18/09/2019, a response is sent to the complainant's letter requesting information on the procedure status, asking to be considered an interested party in the case, deciding to inform them of the procedure's conclusion for consultation on the resolution. **EIGHTH:** On 18/11/2019, a resolution proposal was issued with the text: "That the Director of the Spanish Data Protection Agency sanction the DIRECTORATE GENERAL OF THE POLICE (MINISTRY OF THE INTERIOR) with a warning for an infringement of Article 5.1 b) of the GDPR, classified in Article 83.5 of the GDPR." The respondent submits allegations indicating that the events occurred before the GDPR came into force, which is important because "During the period of the previous LOPD, the courts maintained that the use of images from police station cameras to check the proper functioning of police services cannot be considered a prohibited incompatible purpose by the Law, although their main use is the security of property and people." ### PROVEN FACTS 1. Inspector ***POSITION.2 of the provincial security brigade of the ***CITY.1 police station, Mr. B.B.B., observed on the night of ***DATE.1 that the complainant, Inspector of the CNP and ***POSITION.1, was not properly uniformed, wearing a black fleece as declared by the complainant, being admonished and ordered to properly uniform by Inspector ***POSITION.2, who then left. The next day, Inspector ***POSITION.2 decided to verify if the complainant complied with his order and requested a copy of the camera images between 00:00 and 04:00 on ***DATE.2. The extraction of the images was done by telecommunications personnel at the same ***CITY.1 police station, personnel who stated that no reason was provided, later learning that the purpose of the request was to check if ***POSITION.1 was wearing the proper uniform. No written request for image extraction is available, and a copy of the act of delivery of recordings on ***DATE.2, at the request of Inspector ***POSITION.2, is provided. 2. The complainant states that there were no detainees in the police station on the night of ***DATE.1. 3. The CNP police station in ***CITY.1, where the complainant serves, has video surveillance cameras for detainee cells. This capture is governed by the protocol of action in the Custody Areas of Detainees of the State Security Forces, instruction of the Secretary of State for Security 4/2018, signed on 14/05/2018, replacing instruction number 12/2015. It states as the objective "to establish the rules of action for personnel in charge of detainee custody... to ensure the rights of detainees and their safety and that of police personnel." "Recordings will be kept for thirty days from their capture. After this period, they will be destroyed unless an incident occurs during detainee custody or they are related to serious or very serious criminal or administrative offenses in public security matters; an ongoing police investigation; or an open judicial or administrative procedure. In these cases, the recording will be kept at the disposal of the competent Authorities." Unlike the previous instruction, this one does not state that the video surveillance systems will be governed by Organic Law 4/1997, of 4/08, regulating the use of video cameras by the Security Forces in public places. 4. During the evidence period, it is also indicated by the ***CITY.1 police station that it has cameras for the station's security and protection of the building's interior and exterior, and in the report from the General Subdirectorate of Logistics and Innovation of 3/12/2018, addressed to the "Data Protection Officer. Technical Office," it is stated that these cameras are for the purpose of "ensuring the protection of the interior and exterior of the police stations of the CNP and the buildings, facilities, and centers monitored by it. Its use is aimed at 'security and protection.'" This system is subject to the LOPD, and since May 2018, the GDPR, according to the file creation order - Order INT/1202/2011, of 4/05, regulating the personal data files of the Ministry of the Interior, BOE 12/12/2016. 5. The respondent did not specify, failing to respond in evidence, the type of camera used to capture the images regarding the complainant's uniform compliance, the spaces where they were taken, which system it belongs to (detainee surveillance or general station surveillance), and the existing protocol for requesting and delivering images. 6. Neither of the two data collection systems' purposes, video surveillance, includes the use of their images for verifying behaviors, internal regulation compliance, or disciplinary offenses that agents may commit, which was the purpose of the request and extraction of the complainant's images on the night of ***DATE.2. 7. Additionally, it is proven that the image request and delivery to Inspector ***POSITION.2, the complainant's superior, is not included in any protocol regulating the matter, with access to the images exclusively for authorized persons expressly documented in some document or protocol regulating the image request, reasons, and documentation of these aspects. 8. It is not proven that a disciplinary procedure has been initiated or resolved against the complainant based on the lack of uniformity on the night of ***DATE.1, although the image request and delivery are confirmed. ### LEGAL GROUNDS I Under the powers granted by Article 58.2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27/04/2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter, GDPR); recognized to each supervisory authority, and as established in Article 47 of Organic Law 3/2018, of 5/12, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the AEPD is competent to initiate and resolve this procedure. II In this case, given the respondent's lack of specificity, failing to indicate the type of camera, its location, or regime under which the images communicated by the complainant were captured, it can be deduced that there could be two types of cameras at the police station where the events occurred. The result is that regardless of the camera system used, the extraction for the reasons it occurred and directly by the complainant's immediate superior violates the GDPR, as neither system contemplates the use for reprimanding irregular conduct by agents, and it is also not regulated who should request the images. On the one hand, the cameras monitoring detainee cells, with their applicable regime of Organic Law ***LAW.1 regulating the use of video cameras by the Security Forces in public places, require prior authorization, including a report by a collegiate body, and the "resolution authorizing the use must be motivated and specific to the public place to be observed by the video cameras. This resolution will also include all necessary limitations or conditions of use, particularly the prohibition of recording sounds, except in specific and precise risk situations, as well as those related to the qualifications of the personnel in charge of operating the image and sound processing system and the measures to ensure compliance with the legal provisions in force. Additionally, it must specify the physical area that can be recorded, the type of camera, its technical specifications, and the duration of the authorization, which will have a maximum validity of one year, after which renewal must be requested." Authorization criteria to be considered include: "To authorize the installation of video cameras, the following criteria will be taken into account, according to the principle of proportionality: ensuring the protection of public buildings and facilities and their access; safeguarding facilities useful for national defense; detecting security breaches; and preventing harm to persons and property." Article 4 Article 6 outlines the "principles of video camera use: 1. The use of video cameras will be governed by the principle of proportionality, in its dual version of suitability and minimal intervention. 2. Suitability determines that video cameras may only be used when appropriate, in a specific situation, for maintaining public safety, as provided in this Law. 3. Minimal intervention requires balancing, in each case, the intended purpose and the possible impact on the right to honor, personal image, and privacy. 4. The use of video cameras will require a reasonable risk to public safety in the case of fixed cameras or a specific danger in the case of mobile cameras. 5. Video cameras cannot be used to capture images or sounds from the interior of homes or their vestibules, except with the owner's consent or judicial authorization, nor in places mentioned in Article 1 of this Law when directly and severely affecting personal privacy. Images and sounds accidentally obtained in these cases must be immediately destroyed by the person responsible for their custody." The space these cameras focus on is related to the mandatory existence of video surveillance cameras to observe and ensure the security of detainees in police cells. This modality related to public security does not appear directly related to the lack of uniformity of the public employee complainant, who states, being the night of ***DATE.1, that due to the intense cold in the police station, he was wearing a fleece over the uniform. Therefore, by subject matter, neither the cameras intended for detainee cell surveillance nor those installed in the police station, subject to the LOPD and since May 2018, the GDPR, are intended for the purpose they were used for, without prior notice of such purpose. For this, the data controller would have had to decide beforehand that following potential conduct subject to disciplinary action through this video surveillance means for agents in the police station would be undertaken, affecting their labor rights and privacy, and assessing the proportionality and suitability of the system, or for which cases. Instruction 1/201/2006, of 8/11, of the Spanish Data Protection Agency, on the processing of personal data for surveillance purposes through camera systems, BOE 12/12 stated in its preamble: Regarding the installation of video camera systems, it is necessary to balance the protected legal interests. Therefore, any installation must respect the principle of proportionality, ultimately adopting, whenever possible, less intrusive means to individuals' privacy to prevent unjustified interference with fundamental rights and freedoms. Given the respondent's lack of clarification on the type of cameras used to capture the images, providing nothing in response to the requested evidence, it must be stated that the use of cameras or video cameras should not be the initial means for surveillance purposes. Thus, from an objective perspective, using these systems must be proportional to the intended legitimate purpose. Regarding proportionality, despite being an indeterminate legal concept, the Constitutional Court's Judgment 207/1996 determines that it is a "common and constant requirement for the constitutionality of any measure restricting fundamental rights, including those involving interference with rights to physical integrity and privacy, and particularly measures restricting fundamental rights adopted in the course of a criminal process determined by strict observance of the principle of proportionality." Article 4 states: 1. Under Article 4 of Organic Law 15/1999, of December 13, on Personal Data Protection, images will only be processed when adequate, relevant, and not excessive concerning the legitimate and explicit purposes justifying the installation of the cameras or video cameras. Article 1 of the GDPR states: "This Regulation establishes rules for the protection of individuals regarding the processing of personal data and the free movement of such data. 2. This Regulation protects the fundamental rights and freedoms of individuals, particularly their right to personal data protection." Articles 4.1 and 4.2 of the GDPR state: "1) 'personal data': any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person; 2) 'processing': any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction." The video surveillance system in this case involves direct identification of the person whose actions are recorded within its recording space. In this case, the police station had two different systems: detainee cell surveillance and general security surveillance for the station's facilities, with different purposes, neither of which was intended for verifying conduct or disciplining infractions by agents. In this case, personal data includes the Agent's physical appearance, identifiable along with their attire, relating to whether the complainant had complied with the internal uniform regulations, capturing images to provide clear evidence of obtaining images focused on that space during a specific time frame, selected by ***POSITION.2, who had seen and warned the complainant about the uniform deficiency hours earlier to sanction an infraction. Using images from both systems—recording, retaining, and extracting—relates to the security of individuals, agents, or facilities. However, in this case, they were used in the workplace as a means of verification. The AEPD does not assess the validity of images provided in the disciplinary procedure but the legitimacy and legality of the process under data protection regulations and the processing of personal data confirmed to be carried out with the affected person's data. Article 18.4 of the Spanish Constitution states: "The law will limit the use of informatics to guarantee the honor and personal and family privacy of citizens and the full exercise of their rights." According to the Constitutional Court's Judgment 254/1993, initiating the doctrine of the right to data protection: "...As a result, the content of the fundamental right to data protection consists of a power of disposition and control over personal data, allowing the individual to decide which data to provide to a third party, whether the State or a private party, or which data the third party can collect, and also allows the individual to know who holds those personal data and for what purpose, being able to oppose such possession or use. These powers of disposition and control over personal data, which constitute part of the content of the fundamental right to data protection, are legally specified in the right to consent to the collection, obtaining, and access to personal data, their subsequent storage and processing, as well as their use or possible uses by a third party, whether the State or a private party. And this right to consent to the knowledge and processing, whether computerized or not, of personal data, requires as indispensable complements, on the one hand, the right to know at all times who holds those personal data and for what purpose, and, on the other hand, the power to oppose such possession and uses." As a conclusion from the two reports of the AEPD Legal Office cited by the respondent, it cannot be inferred that video surveillance cameras for internal control in police stations, whether for entry control or other purposes not referred to in the reports, given that their purpose is the security of the facilities and personnel, can be used extensively for disciplinary conduct correction of their employees, whether police agents or other personnel, such as monitoring the complainant's uniform. Using data processing for this disciplinary purpose affects the legal sphere of personnel, creating a verification means for compliance with conduct without prior information affecting a fundamental right, with no legal certainty regarding its use, authorized subjects for requesting, extraction, and rights of the affected party for access, cancellation, retention, non-manipulation, security, etc. It is also incorrect to assert that the LOPD enabled different uses from the intended file or treatment purpose. Moreover, the incompatible use is not sanctioned but a use for a purpose that was not informed, unrelated to employee expectations. III Article 5.1.b) of the GDPR states: "1. Personal data shall be: b) collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes; according to Article 89, paragraph 1, further processing of personal data for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered incompatible with the initial purposes ("purpose limitation")." A requirement for data processing to comply with the established regulations is that it must be legitimized under Article 6 and conform to its principles under Article 5. However, legitimizing video surveillance data processing for verifying internal regulation compliance cannot be based on employee consent. Another legitimate basis must be used, such as compliance with established legal obligations, which would require evaluating various elements and considering aspects such as proportionality of use. In this case, the images are processed for a purpose not provided by the established processing operations for the police station's video surveillance systems. Whether applying the LOPD or the GDPR, the basic principle violated, if the system is considered proportional to the purposes and implemented, is that the affected parties, in this case, the complainant, were not informed about the system's use, its consequences, and the derived rights. The failure to do so constitutes a purpose deviation, as the system was intended for the security of the police station, agents, or detainees. The principle violated is the one for which the respondent is sanctioned, 5.1.b) of the GDPR. Additionally, the consequences in both regulations are the declaration of an LOPD violation or a warning, GDPR. Both cases imply declaring a non-compliant conduct with data protection regulations and requiring conduct adjustment in the future, if not done during the process, as the regulation stipulates. In this regard, it is unknown if the video surveillance system has been used subsequently for a similar case to the one reported in that police station, given the lack of explanations in response to the requested evidence. IV Moreover, for the system to function effectively, the principle of prior information to employees and consultation with their representatives must be complied with. The Constitutional Court's Judgment 29/2013 of 11/02, in a case of video surveillance control of a University of Seville employee suspected of irregularities in fulfilling their working hours, stated in its legal basis VII: "This right to information also applies when there is legal authorization to collect data without consent, as it is clear that the need for the affected party's authorization is different from the duty to inform them about the data holder and the processing purpose. It is true that this informational requirement cannot be absolute, as there may be limitations for constitutionally admissible and legally provided reasons, but it should not be forgotten that the Constitution requires that the Law, and only the Law, can set limits to a fundamental right, demanding that the limitation be necessary to achieve the legitimate purpose, proportionate to achieve it, and in any case, respectful of the essential content of the restricted fundamental right (SSTC 57/1994, of February 28, F. 6; 18/1999, of February 22, F. 2, and in relation to the right to data protection, STC 292/2000, FF. 11 and 16)." There is no express legal authorization for omitting the right to information on personal data processing in labor relations, and the interest in controlling the activity is not sufficient to justify it. Nor is it enough that, in the specific case, such data processing is eventually proportionate to the pursued purpose. The TCo, 29/2013, added that prior and express, precise, clear, and unequivocal information must be given to workers about the control purpose of the activity to which that capture could be directed, specifying the characteristics and scope of the data processing to be carried out, including the cases in which the recordings could be examined, how long and for what purposes, explicitly stating that they could be used for disciplinary sanctions for breaches of the employment contract. The idea is to determine the essential content of the right enshrined in Article 18.4 of the CE, that if the legislation recognizes certain guarantees linked to the fundamental right to personal data protection, in this case, the prior information duty must be respected, allowing full knowledge of who holds the personal data and their use. Only in this way can the worker or employee know the use and consequences of their data collection, self-determination, and request, as part of their right, the limitation, access, cancellation, or deletion of the data. In this case, the specific and predetermined extraction of a time frame in which the complainant was not in uniform has been directly used to control uniform compliance with a video surveillance system that did not have that purpose. V Article 58.2 b) and d) of the GDPR states: "Each supervisory authority shall have all of the following corrective powers: b) to issue warnings to a controller or processor that the intended processing operations are likely to infringe provisions of this Regulation; d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period." Imposing this measure is compatible with the warning sanction under Article 83.2 of the GDPR. No specific measures are imposed on the respondent, as the treatment with the intended purpose has not been detailed, and it should not be used again unless the proportionality of the purpose for disciplinary regulation verification is demonstrated and adequate and clear information on such use is provided to the affected parties. As indicated in this resolution, a new purpose would have to be added if it decided to carry out disciplinary control through the video surveillance system in the police station interiors, complying with the GDPR requirements. Article 83.5.a) of the GDPR states: "5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: a) the basic principles for processing, including conditions for consent pursuant to Articles 5, 6, 7, and 9." Article 83.7 of the GDPR states: "Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State." The LOPDGDD, in Article 77, states: The Spanish legal system has opted not to sanction public entities with fines, as indicated in Article 77.1.c) and 2, 4, 5, and 6 of the LOPDGDD: "1. The regime established in this article shall apply to treatments for which the following are responsible or in charge: c) The General State Administration, the Administrations of the autonomous communities, and the entities that make up the Local Administration. 2. When the responsible or in-charge enumerated in paragraph 1 commit any of the infringements referred to in Articles 72 to 74 of this organic law, the competent data protection authority will issue a resolution sanctioning them with a warning. The resolution will also establish the measures to be adopted to cease the conduct or correct the effects of the infringement committed. The resolution will be notified to the responsible or in charge of the treatment, the hierarchical superior body if applicable, and the affected parties considered interested, if applicable. 4. The resolutions on the measures and actions referred to in the preceding paragraphs must be communicated to the data protection authority. 5. Actions and resolutions under this article shall be communicated to the Ombudsman or, where applicable, to analogous institutions of the autonomous communities. 6. When the competent authority is the Spanish Data Protection Agency, it will publish on its website with due separation the resolutions referred to the entities in paragraph 1 of this article, expressly indicating the identity of the responsible or in charge of the treatment that committed the infringement." The Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE a warning sanction on the DIRECTORATE GENERAL OF THE POLICE (MINISTRY OF THE INTERIOR), with NIF S2816015H, for an infringement of Article 5.1 b) of the GDPR, in accordance with Articles 83.5 and 58.2.b) of the GDPR. SECOND: NOTIFY this resolution to the DIRECTORATE GENERAL OF THE POLICE (MINISTRY OF THE INTERIOR). THIRD: COMMUNICATE this resolution to the OMBUDSMAN, as provided in Article 77.5 of the LOPDGDD. FOURTH: Against this resolution, which ends the administrative route under Article 48.6 of the LOPDGDD, and in accordance with Article 123 of the LPACAP, interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following the notification of this resolution or directly file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, under Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following the notification of this act, according to Article 46.1 of the referred Law. Finally, it is stated that under Article 90.3 a) of the LPACAP, the final administrative resolution may be provisionally suspended if the interested party expresses their intention to file a contentious-administrative appeal. In this case, the interested party must formally communicate this fact through a written statement addressed to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the remaining registers provided in Article 16.4 of the cited Law 39/2015, of October 1. The interested party must also provide documentation proving the effective filing of the contentious-administrative appeal. If the Agency is not informed of the filing of the contentious-administrative appeal within two months from the day following the notification of this resolution, the provisional suspension will be considered terminated. Mar España Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es