Commissioner (Cyprus) - 11.17.001.010.201

The Cyprus Hairdressers and Barbers Registration Board violated Article 5 and 6 of the GDPR due to the unlawful installation of a closed circuit video surveillance system in the workplace.

English Summary

Facts

The Cyprus Hairdressers and Barbers Registration Board (controller) installed a closed circuit video surveillance system in its entire office, which recorded office employees, as well as various people entering the office on a daily basis. The controller stated that these cameras were installed for the purpose of financial control and transparency.

A data subject complained on this matter to the Cyprus Commissioner. They stated among other things that the controller did not have signs to inform about the surveillance. In its defence, the controller argued that it had warning signs in place in the past (which were removed for renovation work) and that it obtained data subject's consent to use surveillance cameras.

Holding

On the basis of the information presented by the controller, the Cyprus Commissioner considered that the legal basis should be consent, under Article 6(1)(a) GDPR.

However, according to the EDPB Guidelines 5/2020 on consent, taking into account the existence of an imbalance of power between the controller and the employees, the Commissioner found that it was unlikely that employees were able to freely consent to the CCTV facility without fear of possible consequences of their refusal (see also Recitals 32 and 42 of the GDPR).

The Commissioner therefore held that, the operation of CCTV cameras failed to comply with the principles of the GDPR, in particular that of lawfulness, by violating the provisions of Articles 6 and 5(1)(a) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

No. Fax: 11.17.001.010.201 BY HAND March 16, 2023 DECISION Installation of closed-circuit video surveillance in the workplace Based on the duties and powers conferred on me by Article 57(1)(f) of Regulation (EU) 2016/679 on the protection of natural persons against the processing of personal data and for the free circulation of such data (hereinafter, "the GDPR"), I examined a complaint submitted to my Office on September 26, 2022, regarding the installation of Closed Circuit Video Surveillance in office of the building of the Council of Registration of Hairdressers and Barbers of Cyprus. Based on the investigation of the complaint, I have found a violation of the GDPR by the Cyprus Hairdressers and Barbers Registration Board and, therefore, issue this Decision. 1. Facts of the Case 1.1 Allegations included in the complaint 1.1.1 On 26/09/2022, a complaint was submitted to my Office, against the Council of Registration of Hairdressers and Barbers of Cyprus (hereinafter, "the Complainant"), regarding with the installation of Closed Circuit Video Surveillance (CCV). 1.1.2 In the complaint in question, it is stated that, inside the office of the Complainant's building, there is a CCTV installed, which, according to information I have received by telephone, records the entire office, as well as the corridor outside office. Furthermore, as I have been informed, the KKBP records not only the workers in the office, but also a lot of people, who enter it every day, without any warning signs, to inform the use of the particular system. 1.1.3 During the investigation of the complaint, I contacted the Complainant in writing, on 07/11/2022, stating the allegations, related to the complaint and asking for his positions on them, as well as answers to the following questions: 2 a) The legal basis on which the installation and use of the CCTV is based b) The exact installation points of the camera(s) c) The recording range of the camera(s), attaching screenshots with images taken from the CCTV d) The duration of recording of the camera(s) and whether said recording is carried out on a continuous or occasional basis e) The person(s) who have access to the content received by the CCTV and the manner in which which he/they obtain said access f) To what extent the PPE also records sound, in addition to image 1.1.4 Furthermore, I referred the Defendant to refer to the Guidelines 3/2019 of the European Data Protection Board (EDPB) regarding the processing of personal data through video devices: https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201903_video_devices_en.pdf 1.1.5 Based on the information I had received, until that moment, the installation of this GDPR did not seem, at least at first sight, to be in accordance with the provisions of the GDPR. Therefore, in accordance with the powers granted to me by Article 58 of the Regulation and, among other things, to impose a temporary or definitive restriction, including the prohibition of the processing, I addressed an Order to the Defendant in the complaint, to stop the operation of the KKBP, until my Office's investigation of the incident is completed. 1.2 Interim correspondence with the Complainant 1.2.1 On 17/11/2022, I received an email from the law firm XXXXX (hereinafter, "the law firm"), by which I was informed that they themselves would act part of the Defendant the complaint and requested an extension of time, for one month, for the registration of the positions of their clients. They also requested that they be allowed to inspect the complaint file, so that they have before them all the witness material of the case. 1.2.2 In an electronic message, from the Complainant, dated 22/11/2022, an authorization was sent to my Office for the above-mentioned law firm to represent the Complainant in this case. On 11/23/2023, I sent an email to the law office approving the request for an extension of time. 1.2.3 Regarding the request to inspect the administrative file, I mentioned that they have every right to inspect the file in question. However, I cited Article 43 of the General Principles of the Administrative Law Law of 1999 (158(I)/1999), which concerns the right to be heard, according to which "(6) Any person who has the right to be heard may, after his written request, to take cognizance of the details of the 3 relevant administrative file. The competent administrative body can, with its reasoned decision, reject all or part of the request, if its satisfaction harms the official interest or the interest of a third party". 1.2.4 I pointed out that, when I had initially informed the Defendant of the complaint, about the submission of the complaint to my Office, he had not mentioned the identity of the person(s) who had submitted the said complaint. The specific person(s) had/had declared his/her wish not to disclose his/her details. 1.2.5 Having, therefore, weighed the right of the person(s) to remain anonymous, with the right to inspect the relevant administrative file and, also taking into account that: (a) the complaint can be investigated, by my Office, without the disclosure of the details of the person(s) who submitted it and, without there being any obstacle to said investigation and (b) no question of transparency arises, as all the allegations contained in the complaint form have been raised against the Complainant, which will be taken into account by my Office and may affect the outcome of the case, I deemed it necessary and proportionate as the file in question, for purposes inspection, undergo the necessary processing to ensure that there will be no possibility of identifying the person(s), as requested. 1.2.6 On 19/12/2022, I received a request from the law firm to grant another extension of time, until 10/01/2023, for the submission of the Defendant's positions in the complaint, as it was not possible to preparation of the answer, due to workload. In addition, they requested an inspection of the complaint file, on 12/28/2023 at 9 a.m. 1.2.7 On 12/30/2022, I re-approved the requested extension of time and informed that the meeting for the review of the file will not take place, in the end, which we had reached, following a telephone communication I had earlier with the legal office. 1.3 Allegations of the Complainant 1.3.1 On 09/01/2023, I received a letter from the law firm, with the positions of the Complainant and by which I was informed that, at the building of the Complainant, there is only one camera, inside an office, which records image (continuous recording inside the office and in the corridor outside the office) and not sound. Attached screenshot with the recording range of the camera. 1.3.2 I was also informed that the only person who has access to the camera is the President of the Complainant. 4 1.3.3 Regarding the warning signs, the Defendant states that there were two signs, one outside the office and one on the entrance door of the office. It is the Defendant's position that, during the disputed period, renovation work was being carried out inside the building and the signage, above the office door, was removed and not re-placed on the new door. 1.3.4 Staff consents (forms signed by each of the employees) were sent, regarding the placement of the PPE, which, according to the Complainant, "speak for themselves". 1.3.5 The Complainant claims that the purpose of the installation of the camera was to control the collections made for the annual subscriptions of the Complainant's Members, for the purpose of renewing their licenses, registering new Membership and various other monetary transactions. Therefore, as he states, the installation and use of CCTV mainly serves financial control and not staff monitoring, since the staff knew about the existence of the camera. As the Defendant in the complaint points out, the camera was not installed with the purpose of violating the human rights of the staff, but to serve the purpose of financial control and transparency. That is why, after all, as he mentions, the camera does not record sound, since the purpose was not to monitor conversations or movements of the staff. 1.3.6 The Defendant has informed me that he has promptly complied with my Order and therefore, as of 07/11/2023, the camera is out of order, pending the final investigation of the incident by my Office. 2. Legal Aspect 2.1 The following are the Articles and Rationale of the GDPR, which constitute the legal background for the complaint in question: 2.1.1 Article 4 of the GDPR "1) "personal data": any information concerning an identified or identifiable natural person ('data subject'); an identifiable natural person is one whose identity can be ascertained, directly or indirectly, in particular by reference to an identifier such as a name, an identity number, location data, an online identifier or to one or more factors that characterize the physical, physiological, genetic, psychological, economic, cultural or social identity of the natural person in question, 2) "processing": any act or series of acts carried out with or without the use of automated means, in personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, information retrieval, use, disclosure by transmission, dissemination or any other form of disposal, association or combination, limitation, erasure or destruction, 5 7) "controller": the natural or legal person, public authority, agency or other body which, alone or jointly with otherwise, determine the purposes and manner of processing personal data; where the purposes and manner of such processing are determined by Union law or the law of a Member State, the controller or the specific criteria for his appointment may be provided by the law of the Union or the law of a Member State'.  2.1.2 Article 5 of the GDPR "1. Personal data: a) are processed lawfully and legitimately in a transparent manner in relation to the data subject ("legality, objectivity and transparency"), [...] 2. The controller bears the responsibility and is able to prove compliance with paragraph 1 (``accountability''). 2.1.3 Article 6 of the GDPR "1. The processing is lawful only if and as long as at least one of the following conditions applies: a) the data subject has consented to the processing of his personal data for one or more specific purposes, b) the processing is necessary for the performance of a contract whose the data subject is a contracting party or to take measures at the request of the data subject prior to the conclusion of a contract, c) the processing is necessary to comply with a legal obligation of the controller, d) the processing is necessary to preserve vital interest of the data subject or other natural person, e) the processing is necessary for the fulfillment of a task performed in the public interest or in the exercise of public authority delegated to the controller, f) the processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, unless these interests are overridden by the interest or the fundamental rights and freedoms of the data subject that require the protection of personal data, in particular if the data subject is a child [...] ». 2.1.4 Article 7 of the GDPR "1. When the processing is based on consent, the controller is able to prove that the data subject consented to the processing of the personal data. […] 6 3. The data subject has the right to withdraw his consent at any time. Withdrawal of consent does not affect the lawfulness of processing that was based on consent prior to its withdrawal. Before giving consent, the data subject is informed accordingly. Withdrawing consent is as easy as giving it. 4. When assessing whether consent is given freely, particular consideration is given to whether, among other things, for the performance of a contract, including the provision of a service, consent to the processing of personal data that is not necessary for the performance of the said contract". 2.1.5 Rationale 32 of the GDPR "Consent should be provided with a clear positive action which constitutes a free, specific, explicit and fully informed indication of the agreement of the data subject in favor of the processing of the data concerning him [...] ». 2.1.6 GDPR Recital 42 "[…] Consent should not be considered freely given if the data subject does not have a genuine or free choice or is unable to refuse or withdraw consent without prejudice" . 2.1.7 Article 58 of the GDPR "1. Each supervisory authority shall have all of the following investigative powers: a) to order the controller and the processor and, where applicable, the controller's or the processor's representative to provide any information it requires in order to carry out the of its duties, b) to carry out investigations in the form of data protection audits, [...] d) to notify the controller or processor of an alleged violation of this regulation, e) to obtain, from the controller and the processor, access to all personal data and all information required for the performance of its duties, f) to have access to the facilities of the controller and the processor, including any equipment and means of data processing, in accordance with the procedural law of the Union or a Member State. 2. Each control authority has all the following remedial powers: […] 7 f) to impose a temporary or definitive restriction, including the prohibition of processing, g) to order the correction or deletion of personal data or the restriction of processing pursuant to articles 16 , 17 and 18 and an order to notify these actions to recipients to whom the personal data was disclosed pursuant to article 17 paragraph 2 and article 19, [...]". 2.2 According to the Guidelines 5/2020 of the ESPD regarding consent, “21. A power imbalance also exists in the context of employment. Given the dependency inherent in the employer/employee relationship, it is unlikely that the data subject will be able to refuse to provide his employer with consent to the processing of his data without fear or without running a real risk of suffering negative consequences due to of his refusal. It is unlikely that an employee will be able to freely respond to their employer's request for consent in relation to, for example, the activation of monitoring systems such as workplace camera observation, or the completion of assessment forms, without feeling pressured to provide consent of. Therefore, the EDPS considers it problematic for employers to process personal data of their existing or future employees based on consent, as it is unlikely to be freely given. For most of this data processing at work, the legal basis cannot and should not be employee consent [Article 6(1)(a)], due to the nature of the employer-employee relationship.' 3. Rationale 3.1 Definitions 3.1.1 According to Articles 4(1) and 4(2) of the GDPR, the use and operation of the GDPR by the Complainant constitutes processing of personal data, the latter being the responsible for this processing, in the sense attributed to Article 4(7) of the GDPR, since the GDPR was established to achieve the purposes it had set. As "data subjects", are considered both the employees, in whose office the camera is placed (three in number, as shown by the screenshot, with the recording image of the camera, which the Complainant has attached in the reply letter to my Office), as well as the rest of the staff of the Complainant, as well as citizens who enter the office. 3.2 Legality of the processing 3.2.1 It is observed that, while the Defendant of the complaint had been asked to state the legal basis on which the installation and use of the KKBP was based, no response was given. Although the reasons why the Complainant had installed the camera were explained, there was no reference to Article 6(1) 8 of the GDPR, which provides the legal basis on which an act of personal data processing may to be supported, so that it is considered legitimate. 3.2.2 Based on the data I have in front of me and, taking into account the position of the Defendant in the complaint, regarding obtaining the consent of the employees, for the placement of the KKKP, I conclude that the legal basis that the Defendant complaint is invoked, is that of consent, referred to in Article 6(1)(a) of the GDPR: "a) the data subject has consented to the processing of his personal data for one or more specific purposes". 3.2.3 Based on Recital 32 of the GDPR, "consent should be provided with a clear positive action that constitutes a free, specific, explicit and fully informed indication of the data subject's agreement in favor of the processing of the data that the concern". For consent to be considered freely given, the data subject should have a genuine or free choice and be able to refuse or withdraw consent without prejudice (GDPR Recital 42). 3.2.4 However, according to the EDPS Guidelines 5/2020 on consent, taking into account the existence of a power imbalance between the Complainant and the employees, it is unlikely that the latter would have been able to state their refusal , at the KKKP facility, without fear of possible consequences, due to their refusal to do so. It therefore follows that the Complainant's staff is unlikely to have freely responded to his employer's request for consent, without feeling pressured to provide his consent. 3.2.5 Based on this, "[…] the EDPS considers it problematic for employers to process personal data of their existing or future employees based on consent, as it is not likely to be freely provided". Therefore, the legal basis cannot and should not be the consent of the employees, due to the nature of the unequal relationship between the latter and their employer, i.e. the Complainant and, therefore, the consent forms in question they cannot be sufficient evidence of employees' consent to the processing of their personal data. 3.2.6 In light of the above, I conclude that the specific processing, i.e. the operation of the GDPR, lacks legality and, therefore, I find a violation of Article 6, as well as Article 5(1)(a) of the GDPR. In the absence of legality, I would not be able to consider the other Principles that should govern the processing of personal data (Article 5 GDPR). 9 4. Conclusion 4.1 Having regard to all the above facts, as stated and, based on the powers granted to me by Article 58 of the GDPR, I judge that there is a violation of Articles 5(1)(a) and 6 of the GDPR. 4.2 In light of the following mitigating (a-b) and aggravating (c) factors: (a) the cooperation of the Complainant with my Office, (b) the absence of a previous incident by the Complainant , (c) the installation of the CCCP without the existence of an appropriate legal basis, I exercise the remedial powers conferred on me by Article 58(2) of the GDPR, under which "Each supervisory authority has all the following remedial powers: […] f) to impose a temporary or definitive restriction, including the prohibition of processing [...] g) to order the correction or deletion of personal data or the restriction of processing pursuant to articles 16, 17 and 18 and an order to notify such actions to recipients to whom the data of a personal nature were disclosed pursuant to article 17 paragraph 2 and article 19, [...]'. 4.3 I have decided to address the following Orders to the Cyprus Hairdressers and Barbers Registration Council, such as: Order 1st: Permanently stop the operation of the KKBP and uninstall the camera or, in the event that the cost of its uninstallation is disproportionate, to cover it, so that the impression that it does not work, Order 2nd: Immediately delete any recordings received from the CCCP, in the event that this applies and send me relevant proof, Order 3rd: Notify my Office, within an exclusive period of 2 weeks from the receipt of this, of all actions to implement the Orders. Irini Loizidou Nikolaidou Commissioner for Personal Data Protection