AZOP (Croatia) - Decision 04-22-2024 (video surveillance)

From GDPRhub
AZOP - Decision 04-22-2024 (video surveillance)
LogoHR.png
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 13 GDPR
Article 27(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 22.04.2024
Fine: 16,000 EUR
Parties: n/a
National Case Number/Name: Decision 04-22-2024 (video surveillance)
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Croatian
Original Source: AZOP (in HR)
Initial Contributor: lm

The DPA imposed fines between €500 and €4,000 on seven controllers that failed to clearly notify data subjects of video surveillance.

English Summary

Facts

Seven hotels, catering services and shops used video surveillance without marking the area under surveillance in a manner that was visible when entering the recording perimeter.

Holding

The Croatian DPA (AZOP) found that the controllers failed to notify data subjects that the surveilled area was under video surveillance, to provide data subjects information about the data controller or to give data subjects contact information pertaining to the controller so that they could exercise their rights. As result, it found that the controllers violated Article 13 GDPR and imposed violations ranging between €500 and €4,000.

Comment

This is part of a larger decision. In a separate portion of the decision, the AZOP found that two gambling services violated Articles 5(1)(a), 6(1)(a) and 13 because their cookie banners failed to specify and obtain consent for distinct processing purposes. Due to the different controllers and violations, this decision has been split into two separate summaries on GDPRhub.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.

Nine new administrative fines totaling EUR 51,000

The Personal Data Protection Agency imposed nine new administrative fines in the total amount of 51,000 euros on data controllers for violating the provisions of the General Data Protection Regulation and the Law on the Implementation of the General Data Protection Regulation.

 

Administrative fines for violating the provisions of the General Data Protection Regulation

Two administrative fines in the amount of 15,000 and 20,000 euros were imposed on managers of gambling and betting activities due to illegal processing of personal data through cookies.

The data controllers collected and processed the personal data of the respondents through cookies without allowing the respondents to give or withdraw their informed and voluntary consent to the processing of personal data through cookies (eng. with which the respondent visited the Internet pages and in that way they remember and monitor his further actions on the Internet pages, and which processing also relates to aspects of personal data), thereby violating Article 6, Paragraph 1, Point a) and, in this connection, Article 7. General regulations on data protection.

In situations where the processing of personal data is based on consent and has multiple purposes, then the text of consent (in this particular case, the cookie banner) must be presented in such a way that it can be clearly distinguished from other purposes, in an understandable and easily accessible form with the use of a clear and simple language. Since in the specific case, the processing managers did not separate the so-called cookie banner and enabled respondents to clearly give their consent for different purposes (marketing, analytics/statistics), it is clear that the consent did not meet the legal prerequisites and is therefore not valid as a legal basis.

Upon inspection of the Privacy Policy of both processors, it was determined that the document in question does not contain information about the legal basis, groups/types of cookies, the function/purpose of each cookie, the cookie storage period, that is, the processors did not adequately inform the respondents about the processing of personal data, which Article 13, paragraph 1 and 2 of the General Data Protection Regulation has been violated. Therefore, the processing managers did not inform the respondents about the processing through cookies in accordance with the principle of transparency, and thus the respondents (visitors of the Internet pages) were deprived of information about the processing of their data.

In addition, the data controller, who was fined EUR 20,000, processed the respondents' personal data at the very moment of loading the website, while they had not yet given their consent to the collection of individual cookies, which was unfair, since the respondents did not even know that they already collect their personal data at the moment of accessing the website. This led to unfair processing of personal data of the respondents, which is against the principle of legal, fair and transparent processing of personal data from Article 5, Paragraph 1 of the General Data Protection Regulation.

Administrative fines for violation of the Law on the Implementation of the General Regulation on Data Protection

Seven administrative fines in the total amount of 16,000 euros were imposed on processing managers for not marking the object under video surveillance, i.e. the mark is not visible when entering the recording perimeter and/or the mark does not contain all relevant information. Individual fines from EUR 500 to EUR 4,000 were imposed on hotels, catering establishments and shops.

Namely, in accordance with Article 27, Paragraph 1 of the Act on the Implementation of the General Regulation on Data Protection, the data controller is obliged to mark that the object, i.e., a single room in it, and the external surface of the object are under video surveillance, and the mark must be visible when entering the recording perimeter at the latest.

Paragraph 2 of the aforementioned article stipulates that the notification should contain all relevant information in accordance with the provisions of Article 13 of the General Regulation on Data Protection, and in particular a simple and easy-to-understand image along with the text providing the respondents with the following information:

    that the space is under video surveillance
    information about the data controller
    contact information through which the respondent can exercise his rights

Find more about the processing of personal data through cookies and video surveillance at the link: https://azop.hr/vodici-i-promotivni-materijali-o-zastiti-osobnih-podataka/