AEPD - PS/00369/2019
|AEPD - PS/00369/2019|
|Relevant Law:||Article 5(1)(c) GDPR
Article 22 of the LOPDGDD
|Published:||26. 2. 2020|
|Parties:||COMUNIDAD DE PROPIETARIOS R.R.R.
CASA Gracio OPERATION
|National Case Number:||PS/00369/2019|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
EUR 6,000 fine was imposed on hotel owner for the placement of video surveillance system which recorded public spaces. The AEPD found that the collection of data was not limited to what was necessary for the purpose of security of the hotel, hence the hotel owner violated the principle of data minimisation as foreseen in
The AEPD first confirmed that the image of natural persons is personal data and the processing carried out through the video surveillance system should be in line with the GDPR. It recalled the principle of data minimisation according to Article 5(1)(c) GDPR, which has to be followed both during the data collection and the subsequent processing.
The cameras may capture some of the outside space if it cannot be avoided or if this is necessary for the intended security purpose. There is the duty to inform the affected parties as provided for in Article 12 GDPR and Article 13 GDPR. According to Article 30(1) GDPR a record must be kept by the responsible person. According to the national law in the video-surveillance areas, at least an information sign must be placed in a sufficiently visible place, both in open and closed spaces, which shall identify, at least, the existence of a treatment, the identity of the person responsible and the possibility of exercising the rights provided. The cameras should not obtain images of private and/or public space without a justified cause duly accredited, nor can they affect the privacy of passers-by. It is not permitted to place cameras on the private property of neighbors in order to intimidate them or affect their private sphere without justified cause.
In this case it found that the capture of images from the public space was excessive and the data controller acted with serious lack of diligence. The data controller has also not adopted any measures to mitigate the effects of the infringement. However, the damage to those affected by the processing of their data is not significant, the processing is carried out only by the data controller at a local level and no benefit is obtained.
Finally, the AEPD imposed a reduced fine of EUR. 6,000.
Share your comments here!
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the original. Please refer to the Spanish original for more details.