DPC (Ireland) - DPC Case Reference: 03/SIU/2018

From GDPRhub
Revision as of 23:29, 28 February 2022 by Czapla (talk | contribs) (changed punctuation)
DPC (Ireland) - DPC Case Reference: 03/SIU/2018
LogoIE.png
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 6 GDPR
Article 12 GDPR
Article 13 GDPR
Article 15 GDPR
38(3) of the Garda Síochána Act 2005
Type: Investigation
Outcome: Violation Found
Started:
Decided: 09.12.2021
Published:
Fine: None
Parties: n/a
National Case Number/Name: DPC Case Reference: 03/SIU/2018
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: Irish DPC (in EN)
Initial Contributor: czapla

The Irish DPC imposed an administrative fine of €110,000, against Limerick City and County Council (Council). The fine was imposed for Council’s numerous failings in meeting the data protection obligations in some of the Limerick smart city initiatives, such as data collection using innovative technologies and smart CCTV. The decision was announced on Linkedin on the 12th of January 2022.

English Summary

Facts

In June 2018, the DPC initiated a connected series of own-volition inquiries under sections 110 and 123 of the 2018 Irish Data Protection Act. Their subject was around surveillance technologies deployed by state and local authorities and An Garda Síochána (the Irish Police) for law enforcement purposes. The DPC inquiries were to establish whether any data processing was in compliance with the data protection laws and to ensure that sufficient accountability measures were in place before further investment into new technologies.

The DPC investigation unveiled the inventory of 401 CCTV cameras that were deployed in various locations across Limerick City and County, including bicycle and walkway routes, housing estates, traveller accommodation sites and public spaces. The cameras were subject to constant real time surveillance Separately, Limerick City and County Council had two drones in operation. The DPC identified a total of 48 issues in the course of the inquiry. The most important issues determined that the Council:

a) had no lawful basis for the processing of personal data by CCTV cameras for traffic management purposes

b) lacked a lawful basis for a number of CCTV cameras used for the purposes of countering crime

c) lacked a lawful basis to carry out surveillance with CCTV cameras which employed Automatic Number Plate Recognition technology

d) infringed Article 15 of the GDPR by rejecting subject access requests in respect of CCTV cameras used for traffic management purposes

e) did not fulfil its transparency obligations under Article 13 by failing to erect signage in respect of its CCTV processing operations

f) infringed Article 12 of the GDPR by failing to make its CCTV Policy more easily accessible and transparent.

Holding

The DPC exercised the following corrective powers:

a) A temporary ban on the processing of personal data with CCTV cameras at a number of locations used for the purposes of criminal law enforcement until a legal basis can be identified.

b) A temporary ban on the processing of personal data with CCTV cameras used for traffic management purposes until a legal basis can be identified.

c) An order to Limerick City and County Council to bring its processing of personal data into compliance taking certain actions specified in the decision.

d) A reprimand in respect of a number of Limerick City and County Council’s infringements.

e) An administrative fine of €110,000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.