AEPD (Spain) - PS/00030/2020

From GDPRhub
Revision as of 15:29, 13 October 2020 by Mh (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS/00...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AEPD - PS/00030/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 12 GDPR
Article 22(4) LOPDGDD
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 09.10.2020
Fine: 1.000 EUR
Parties: Fuerzas y Cuerpos de Seguridad del Estado (Guardia Civil-Puesto Sanabria)
National Case Number/Name: PS/00030/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA (AEPD) imposed a 1,000 euros fine on the defendant for failing to provide necessary information regarding their responsibility for installing a video surveillance camera system in their parking lot.


English Summary

Facts

The Spanish DPA received a complaint about the installation of a video surveillance camera system in a parking lot. This first complaint was filed by the State Security Forces and Corps (Fuerzas y Cuerpos de Seguridad del estado) in December 2019.

The defendant was found to be the sole person responsible for the installation as a result of the contract between the parties. However, the defendant had failed to stipulate that they were responsible for the installation of the system on the informational poster. The legal requirement to provide such information was outlined in the contract.

Additionally, the defendant did not make information forms available to clients should they seek to exercise their rights pursuant to Article 15 to 22 GDPR.

Dispute

Does the lack of information concerning the person responsible for installing a video surveillance camera system violating Article 22 LOPDGDD and Article 12 GDPR?

Holding

The Spanish DPA found that the defendant could install the video surveillance camera system without authorisation.

However, the DPA clarified the defendant must comply with data protection law if they install the system. This includes limiting the recording to what is necessary, applying the principle of proportionality pursuant to Article 22(4) of the Spanish Law on Personal Data Protection and Digital Rights Guarantee (LOPDGDD).

Additionally, the Spanish DPA found that the lack of information of provided to clients of the person responsible for the video surveillance system was a violation of Article 12 GDPR. Similarly, Article 12 was violated as the defendant failed to provide information to the clients about how the possibility to exercise their rights under articles 15-22 GDPR.

In light of the violations, the Spanish DPA imposed a 1,000 euros fine in the defendant.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details. 

Procedure Nº: PS / 00030/2020

938-300320

RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on the following

ACTS

FIRST: CIVIL GUARD - POSITION *** LOCALIDAD.1 (* hereinafter, the claimant) on December 17, 2019 filed a claim with the Spanish Agency for Data Protection. The claim is directed against Don AAA with NIF

*** NIF. 1 (hereinafter, the claimed one).

The grounds on which the claim is based are "installation of a video surveillance camera system, without having the mandatory information poster indicating the person responsible" (folio no. 1).

“The bar called *** BAR.1 in the town of *** LOCALIDAD.1 has a video surveillance system that taxes the parking lot of the aforementioned premises, lacking authorization for the installation… as well as posters for cancellation and rectification of personal data ”- Official Letter 09/12 / 19--

SECOND: In view of the facts reported in the claim and the documents provided by the claimant, the General Sub-Directorate for Data Inspection proceeded to carry out preliminary investigative actions to clarify the facts in question, by virtue of the Investigative powers granted to the control authorities in article 57.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Second Section , of Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD).

As a result of the investigative actions carried out, it is found that the person responsible for the treatment is the one claimed.

THIRD: On March 19, 2020, the Director of the Spanish Data Protection Agency agreed to initiate a sanctioning procedure for the complained party, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of article 12 of the RGPD, typified in Article 83.5

of the RGPD.

FOURTH: Once the aforementioned starting agreement was notified, the defendant submitted a brief of allegations in which, in summary, he stated the following: C / Jorge Juan, 6

www.aepd.es

28001 - Madrid

sedeagpd.gob.es

2/7

“… The only cameras that exist are those of the SECURITAS DIRECT security system. Cameras that only take pictures in the event of an alarm going off and the presence of intruders is detected.

The establishment does not have a video surveillance system but rather an intruder detection system connected to a reception center ... with remote access to the image in case of alarm ...

The service is provided by this security company and with the or, the implications in terms of data protection, in this case by the installation and / or maintenance of the equipment and intrusion detection systems with use of the equipment or access to the images.

Ultimately, the security company determines the purposes and means of processing said personal data for the provision of the service to which it undertakes.

In accordance with what has been stated and taking into account that in the establishment that I run, there are two cameras capable of shooting and capturing images of a person, including an informative poster of the system with all the requirements and the system being implemented, in terms of the character data Personnel, responsible for the treatment of the security company, would be the one in charge of implementing everything related to data protection (…).

Therefore, I understand that I have not violated any provision of the RGPD

(…).

FIFTH: A list of documents in the procedure is attached as an annex, recalling the full availability of the administrative file.

Of the actions carried out in the present procedure and of the documentation in the file, the following have been accredited: PROVEN FACTS

First: On 12/17/19, this AEPD receives a complaint from the State Security Forces and Bodies, through which the following is transferred as the main event:

“Installation of a video surveillance camera system, without having the mandatory information poster indicating the person responsible” (folio nº 1).

Second. Don AAA is accredited as the main responsible

Third. In the informational poster provided, the only thing that appears is that it is a video-monitored area, embodying "Recording of images" and the Securitas Direct website.

Room. In the contract provided dated 04/21/17 signed between the parties, it states the following: “The activity of video-surveillance and / or photopetition services is assumed by the CLIENT, being therefore the treatments images and / or C / Jorge John, 6

www.aepd.es

28001 - Madrid

sedeagpd.gob.es

3/7

sounds of his sole and exclusive responsibility as he is responsible for the video surveillance file ”.

In the clauses of the same (Number 9 Rights on the installation) “It is necessary to list the following obligations regarding the protection of Data: Locate informational signs that contain the following legend“ Organic Law 15/1999, Data Protection. VIDEO SECURED area and an express mention of the identification of the person responsible for the treatment before whom to exercise the rights of access, rectification, cancellation and opposition "

"The CUSTOMER will have at the disposal of the interested / s forms in which the information provided for in article 5.1 of the LOPD (15/1999) is detailed" (* the boldface belongs to this AEPD).

Fifth. The defendant does not have an information form (s) available to clients in case of exercising the rights recognized in articles 15 to 22

GDPR

FOUNDATIONS OF LAW

I

By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Agency for Data Protection is competent to initiate and resolve this process

II

In the present case, the Complaint sent by the State Security Forces and Bodies (Civil Guard-Sanabria Post) is examined by means of which the main fact is transferred:

“Installation of a video surveillance camera system, without having the mandatory information poster indicating the person responsible” (folio nº 1).

“The bar called *** BAR.1 of the town *** LOCALIDAD.1, has a video surveillance system that taxes the parking lot of the aforementioned premises, lacking authorization for the installation of these cameras as well as of posters for the cancellation and rectification of personal data "

It should be noted that individuals can install video surveillance systems, although they are responsible for ensuring that they comply with current legislation.

Surveillance cameras may make recordings limited to what is necessary, the perimeter and some reasonable points, applying the principle of proportionality, that is, only the truly relevant areas for the purpose sought will be recorded.

C / Jorge Juan, 6

www.aepd.es

28001 - Madrid

sedeagpd.gob.es

4/7

Article 22 section 4 LOPDGDD (LO 3/2018, December 5) provides the following:

“The duty of information provided for in article 12 of Regulation (EU) 2016/679 will be understood to have been fulfilled by placing an information device in a sufficiently visible place identifying, at least, the existence of the treatment, the identity of the person in charge and the possibility of exercise the rights provided for in articles 15 to 22 of Regulation (EU) 2016/679.

A connection code or internet address to this information may also be included in the information device. In any case, the data controller must keep the information referred to in the aforementioned regulation at the disposal of those affected ”.

The events described above may affect the content of article 12 RGPD, since it does not inform the clients of the establishment that runs the purpose (s) of the treatment, nor the person responsible for it or the way to exercise the rights recognized in the articles 15-22 GDPR.

“The person responsible for the treatment will take the appropriate measures to provide the interested party with all the information indicated in articles 13 and 14, as well as any communication in accordance with articles 15 to 22 and 34 regarding the treatment, in a concise, transparent, intelligible way and easily accessible, with clear and simple language or, in particular, any information directed specifically to a child. The information will be provided in writing or by other means, including, if applicable, by electronic means.

unique. When requested by the interested party, the information may be provided verbally provided that the identity of the interested party is proven by other means "

III

In accordance with the evidence available in this sanctioning procedure, it is considered that the complainant has a video surveillance system, which lacks the mandatory information poster indicating the person responsible for the treatment for the appropriate legal purposes.

Contrary to what was stated by the defendant, the installed system obtains “images”, that is, it is in a position to process personal data of third parties, both with the external cameras and those installed inside the establishment that it runs.

Therefore, the defendant must foresee that obtaining images of the cameras

Outdoor maras must be proportionate to the intended purpose, as well as have an informative poster (s) assuming responsibility as the person responsible for the treatment of the images, an aspect whose responsibility is made clear by the contract provided.

"SECURITAS Direct acquires the status of manager of the management of security systems with access to the images of the CLIENT"

C / Jorge Juan, 6

www.aepd.es

28001 - Madrid

sedeagpd.gob.es

5/7

“From the treatment of images and / or sounds (such as personal data) indicated in point 15.C, responsibilities and obligations towards the

CLIENT as responsible for the treatment in accordance with the provisions of the Organic Law

Data Protection Regulation and its Development Regulations, as well as Instruction 1/2006 on video surveillance. The following obligations should be listed (…) ”.

The known facts are constitutive of an infringement, attributable to the complainant, for violation of the content of article 12 of the RGPD, by failing to inform the duty of information, lacking the establishment that runs the mandatory posters informing that it is a video-monitored area.

Furthermore, you must have an information form (s) available to customers who may require it, informing them of all their rights within the framework of the protection of personal data.

You can obtain an indicative model on the website of this organization www.aepd.es in the Video-surveillance section.

IV

The art. 83.5 RGPD provides the following: "Violations of the following provisions will be sanctioned, in accordance with section 2, with administrative fines of 20

EUR 000,000 maximum or, in the case of a company, an amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, opting for the higher amount:

b) the rights of the interested parties in accordance with articles 12 to 22; In the present case, the following is taken into account when motivating the sanction:

-the nature of the infraction, as there is no informational poster informing the person responsible for the treatment (art. 83.2 a) RGPD).

- the way in which the supervisory authority learned of the infringement, when the facts were transferred by the acting force (art. 83.2 h) RGPD).

The foregoing justifies the imposition of a penalty in the amount of 1,000

€, a sanction located on the lowest scale for this type of infraction, as it lacks the mandatory informational poster for the video-monitored area, and the accused is responsible for the legal purposes of the "treatment" thereof.

All or without prejudice to accredit before this body, the change in the informational poster, indicating the person responsible for the treatment, as well as the way in which clients can exercise their rights within the framework of articles 15 to 22 RGPD.

C / Jorge Juan, 6

www.aepd.es

28001 - Madrid

sedeagpd.gob.es

6/7

Therefore, in accordance with the applicable legislation and the criteria for graduation of the sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: TO IMPOSE Mr. AAA, with NIF *** NIF .1, for a violation of article 12 of the RGPD, typified in Article 83.5 of the RGPD, a fine of € 1,000 (one thousand Euros), being punishable in accordance with article 58.2 RGPD.

SECOND: NOTIFY this resolution to Mr. AAA and REPORT the result of the actions to GUARDIA CIVIL - POST OF *** LOCALITY

THIRD: Warn the sanctioned person that the sanction imposed must be made effective once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulation, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by entering, indicating the NIF of the sanctioned person and the procedure number that appears in the heading of this document, in the restricted account No. ES00 0000 0000 0000 0000 0000, open to name of the Spanish Data Protection Agency in the bank CAIXABANK, SA. Otherwise, it will be collected in the executive period.

Once the notification has been received and once it is executed, if the date of execution is between the 1st and the 15th of each month, both inclusive, the deadline for making the voluntary payment will be until the 20th of the following month or immediately thereafter, and if It is between the 16th and last days of each month, both inclusive, the payment term will be until the 5th of the second following or immediate business month.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art.

48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a period of one month from the day following notification of this resolution or directly administrative contentious appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29 / 1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided in article 46.1 of the aforementioned Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final administrative resolution may be suspended provisionally if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this C / Jorge Juan, 6

www.aepd.es

28001 - Madrid

sedeagpd.gob.es

7/7

made by writing to the Spanish Agency for Data Protection, presenting it through the Electronic Registry of the Agency

[https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. The documentation that proves the effective filing of the contentious-administrative appeal must also be transmitted to the Agency. If the Agency was not aware of the filing of the contentious-administrative appeal within a period of two months from the day following the notification of this resolution, it would terminate the precautionary suspension.

Mar Spain Martí

Director of the Spanish Agency for Data Protection C / Jorge Juan, 6

www.aepd.es

28001 - Madrid

sedeagpd.gob.es
Retrieved from "https://gdprhub.eu/index.php?title=AEPD_(Spain)_-_PS/00030/2020&oldid=11659"
Creative Commons Attribution-NonCommercial-ShareAlike
Powered by MediaWiki