DPC (Ireland) - DPC Case Reference: 03/SIU/2018
| DPC (Ireland) - DPC Case Reference: 03/SIU/2018 | |
|---|---|
 | |
| Authority: | DPC (Ireland) |
| Jurisdiction: | Ireland |
| Relevant Law: | Article 6 GDPR Article 12 GDPR Article 13 GDPR Article 15 GDPR Section 38(3) Garda Síochána Act 2005 |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 09.12.2021 |
| Published: | 12.01.2022 |
| Fine: | €110,000 |
| Parties: | n/a |
| National Case Number/Name: | DPC Case Reference: 03/SIU/2018 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | English |
| Original Source: | Irish DPC (in EN) |
| Initial Contributor: | czapla |
The Irish DPC imposed an administrative fine of €110,000 against a city council due to numerous failings in meeting data protection obligations in some of its smart city initiatives.
English Summary
Facts
In June 2018, the DPC initiated a connected series of own-volition inquiries under sections 110 and 123 of the 2018 Irish Data Protection Act. They concerned surveillance technologies deployed by state and local authorities and An Garda Síochána (the Irish Police) for law enforcement purposes. The DPC inquiries were to establish whether any data processing was in compliance with the data protection laws and to ensure that sufficient accountability measures were in place before further investment into new technologies.
The DPC investigation unveiled the inventory of 401 CCTV cameras that were deployed in various locations across Limerick City and County, including bicycle and walkway routes, housing estates, traveller accommodation sites and public spaces. The cameras were subject to constant real time surveillance. Separately, the Limerick City and County Council (Council) had two drones in operation.
Holding
The DPC identified a total of 48 issues in the course of the inquiry. The most important issues determined that the Council:
a) had no lawful basis for the processing of personal data by CCTV cameras for traffic management purposes;
b) lacked a lawful basis for a number of CCTV cameras used for the purposes of countering crime;
c) lacked a lawful basis to carry out surveillance with CCTV cameras which employed Automatic Number Plate Recognition technology;
d) infringed Article 15 GDPR by rejecting subject access requests in respect of CCTV cameras used for traffic management purposes;
e) did not fulfil its transparency obligations under Article 13 GDPR by failing to erect signage in respect of its CCTV processing operations;
f) infringed Article 12 GDPR by failing to make its CCTV Policy more easily accessible and transparent.
The DPC exercised the following corrective powers:
a) A temporary ban on the processing of personal data with CCTV cameras at a number of locations used for the purposes of criminal law enforcement until a legal basis can be identified.
b) A temporary ban on the processing of personal data with CCTV cameras used for traffic management purposes until a legal basis can be identified.
c) An order to the Council to bring its processing of personal data into compliance taking certain actions specified in the decision.
d) A reprimand in respect of a number the Council’s infringements.
e) An administrative fine of €110,000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
