AEPD - PS/00369/2019
|AEPD - PS/00369/2019|
|Relevant Law:||Article 5(1)(c) GDPR
Article 22 of the LOPDGDD
|Published:||26. 2. 2020|
|Parties:||COMUNIDAD DE PROPIETARIOS R.R.R.
CASA Gracio OPERATION
|National Case Number:||PS/00369/2019|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
EUR 6,000 fine was imposed on hotel owner for the placement of video surveillance system which recorded public spaces. The AEPD found that the collection of data was not limited to what was necessary for the purpose of security of the hotel, hence the hotel owner violated the principle of data minimisation as foreseen in Article 5(1)(c) GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
Dispute[edit | edit source]
Holding[edit | edit source]
The AEPD first confirmed that the image of natural persons is personal data and the processing carried out through the video surveillance system should be in line with the GDPR. It recalled the principle of data minimisation according to Article 5(1)(c) GDPR, which has to be followed both during the data collection and the subsequent processing.
It stressed that such systems may capture public spaces when it cannot be avoided or when this is necessary for the intended security purposes. There is always the duty to inform the affected parties as provided for in Article 12 GDPR and Article 13 GDPR. According to Article 30(1) GDPR a record must be kept by the responsible person. According to the national law in the video-surveiled areas, at least an information sign must be placed in a sufficiently visible place, both in open and closed spaces, which shall identify at least the existence of processing, the identity of the person responsible and the possibility of exercising the rights provided. The cameras should not obtain images of private and/or public space without a justified cause duly accredited, nor can they affect the privacy of passers-by. It is not permitted to place cameras on the private property of neighbors in order to intimidate them or affect their private sphere without justified cause.
In this case the AEPD found that the capture of images from the public space was excessive and the data controller acted with serious lack of diligence. The data controller had also not adopted any measures to mitigate the effects of the infringement. However, it noted that the damage to those affected by the processing of their data was not significant, the processing was carried out only by the data controller at a local level and no benefit was obtained from this processing.
Finally, after having considered all the mentioned factors, the AEPD imposed a reduced fine of EUR 6,000.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the original. Please refer to the Spanish original for more details.