AKI (Estonia) - 2.1.-4/22/2585
|AKI - 2.1.-4/22/2585|
|Relevant Law:||Article 5 GDPR|
Article 6(1) GDPR
|Parties:||OÜ Laidoneri KV|
|National Case Number/Name:||2.1.-4/22/2585|
|European Case Law Identifier:||n/a|
|Original Source:||AKI (Estonia) (in ET)|
|Initial Contributor:||Norman Aasma|
The Estonian DPA held that using CCTV cameras to monitor employees cannot be based on consent, but only on legitimate interest under Article 6(1)(f) GDPR provided that a valid interest assessment had been carried out.
English Summary[edit | edit source]
Facts[edit | edit source]
A hotel company, OÜ Laidoneri KV (the controller), installed CCTV cameras visible in three external corners of its Park Hotel Viljandi, the public spaces on the ground floor as well as in the kitchen and the basement floor. The cameras monitored the employees of the hotel (data subjects).
On its own initiative, the Estonian DPA started an investigation with the aim of finding out on what legal basis and for what purpose the CCTV cameras were used. During the proceedings, the controller explained that it used consent as a legal basis through the installation of information signs on the walls of the building, notifying data subjects that surveillance camera were active.
Holding[edit | edit source]
First, the DPA recalled that according to Article 5(1)(a) GDPR, personal data processing must have a valid legal basis under Article 6(1) GDPR. As a general rule, the processing of personal data in an employment relationship can be lawful if it is related to the performance of a contractual obligation or a legal duty owed to the employer, or if it is in the legitimate interest of the employer or a third party. In the present case, the DPA stated that the fulfilment of contractual obligations can only be invoked for processing operations which are actually necessary for the employer to perform the employment contract, which the use of cameras certainly was not.
The DPA also rejected the argument of the controller that the processing of personal data could be based on Article 6(1)(a) GDPR. The investigation revealed that the signs informing about the usage of CCTV cameras were not suitable as they lacked necessary information about the aim of the video surveillance, no legal basis was mentioned, and no information was provided about the controller.
Therefore, the only possible legal basis would be legitimate interest under Article 6(1)(f) GDPR. However, in order to invoke this legal basis, an assessment must be carried out, showing that the interest of the controller outweighs the interests, fundamental rights and freedoms of the data subjects. For example, cameras cannot be used because of a hypothetical threat. Additionally, according to Article 5(2) GDPR, the controller must be able to prove the lawfulness of processing.
The DPA concluded that the controller had no valid legal basis for the monitoring of its employees via CCTV cameras and ordered the controller, under Article 58(2)(d) GDPR, to discontinue the use of video surveillance.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Estonian original. Please refer to the Estonian original for more details.