DSB (Austria) - 2021-0.024.862: Difference between revisions

From GDPRhub
No edit summary
 
(3 intermediate revisions by 2 users not shown)
Line 62: Line 62:
}}
}}


The Austrian DPA rejected a request for prior consultation under [[Article 36 GDPR#1|Article 36(1) GDPR]], because the unusually high risk to data subjects posed by the form of processing (video documentation) was sufficiently mitigated by measures proposed by the controller.  
Upon a request for prior consultation under [[Article 36 GDPR#1|Article 36(1) GDPR]], the Austrian DPA held that a high risk found in a data protection impact assessment was sufficiently mitigated by measures proposed by the controller.  


== English Summary ==
== English Summary ==

Latest revision as of 13:39, 12 May 2023

DSB (Austria) - DSB-D485.007 / 2021-0.024.862
LogoAT.png
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 6(1)(f) GDPR
Article 13(1) GDPR
Article 13(2) GDPR
Article 35(1) GDPR
Article 35(7)(d) GDPR
Article 36(1) GDPR
Article 36(3)(e) GDPR
GDPR Recital 89
Type: Other
Outcome: n/a
Started:
Decided: 02.02.2021
Published: 07.06.2021
Fine: None
Parties: n/a
National Case Number/Name: DSB-D485.007 / 2021-0.024.862
European Case Law Identifier: AT:DSB:2021:2021.0.024.862
Appeal: Unknown
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (RIS) (in DE)
Initial Contributor: n/a

Upon a request for prior consultation under Article 36(1) GDPR, the Austrian DPA held that a high risk found in a data protection impact assessment was sufficiently mitigated by measures proposed by the controller.

English Summary

Facts

The controller is a transport operating company which, among other things, operates railway bridges. Bridges that run over public traffic areas are occasionally damaged during passage by vehicles that exceed the vehicle height permitted for the respective bridge. The company planned occasion-related video documentations on selected bridges.

For this purpose, the company conducted a data protection impact assessment. It came to the conclusion that there was a high residual risk and that the consultation procedure pursuant to Article 36 of the GDPR should be carried out. On the details of the data protection impact assessment:

The company assumed that there was a sufficient legal basis for the data processing. It assumed that the data processing was necessary for the fulfilment of its maintenance and traffic safety obligations as well as for the initiation of criminal and civil (damages) proceedings and could therefore be based on Article 6(1)(f) GDPR.

However, it concluded that there was a high risk for the data subjects because reliable information of the data subjects about the data processing was not ensured, although the data controller provided for measures to inform them: In the area of the bridges, the recording activity should be marked by appropriate signs. Information signs should contain references to height control, a pictogram for video surveillance, a reference to the controller as well as a link including a QR code with a reference to further information in the data protection declaration of the controller. A detailed description of the processing activity should be included in the data protection declaration. It would be available at any time on the website of the controller and could be requested at the company's headquarters.

Holding

Conditions for the Prior Consultation

The DPA first states that Article 36(1) GDPR provides for a duty to consult if two conditions are met. First, a data protection impact assessment under Article 35 GDPR must show that the processing operation entails a high risk. Second, the controller must not have taken appropriate measures to mitigate the risk.

With regard to the definition of "high risk", which is not provided for in the GDPR, the data protection authority refers to recital 89 and states in summary that, in addition to "technical" risks, basically all provisions of the GDPR that serve to protect the data subjects must be examined.

For the mitigation of the risk, the GDPR gives three examples of remedial measures. According to the DPA, if the controller takes appropriate measures, the identified risk must be reassessed. If it is then no longer classified as "high", no obligation to consultation is established. The determination of a possible remaining high residual risk has to be made taking into account all mitigation measures foreseen for the desired processing. When assessing the remaining residual risk, all planned measures to ensure GDPR-compliant processing must be taken into account. This is justified by a reference to the wording of Article 35 GDPR, which refers the risk "to the rights and freedoms of the data subject". Accordingly, an overall view of all measures and precautions taken - in the sense of an all-encompassing balancing of interests in the sense of Article 5 in conjunction with Article 6 of the GDPR - must be carried out for the assessment of the remaining risk.

In the specific case, the DPO assumed that the first condition is met, so to speak, on the basis of the data controller's submission. In this respect, an abstract potential breach of the duty to inform under Article 13 GDPR constitutes a "high risk".

However, the DPO assumed that the measures proposed by the controller were sufficient to contain the risk. Taking together the measures set out in Article 35(7)(d) GDPR, the existing risk was sufficiently contained (see below).

Requirements for the Information Obligation in case of occasion-related Video Documentation

The information system proposed by the controller complies with the information requirements of Article 13 of the GDPR.

In order to determine the scale of image processing operations, the DPA uses the two-layer information model established in the European Data Protection Board's Guidelines 3/2019 on processing of personal data through video devices.

The first-layer information should be provided by a warning sign. This shall be placed in such a way that the data subject can easily recognise the circumstances of the surveillance before entering the monitored area (e.g. at eye level). The data subject must be able to assess which area is being covered by a camera so that he or she can avoid the surveillance or adjust his or her behaviour if necessary. The first level information should normally contain the most relevant information (e.g. purposes of the processing, identity of the controller, rights of the data subject and other information of high importance). They must also refer to the more detailed second level of information as well as where and how to find it.

The second stage information must also be made available in a location that is easily accessible to the data subject, e.g. as a complete information sheet in a central location (e.g. information desk, reception or checkout) or on an easily accessible poster. It is best if the first level information links to the second level digital source (e.g. QR code or web address). However, the information must also be easily available by non-digital means. It should be possible to access the second level information without going into the monitored area. Another suitable means could be a telephone number that can be called. The information must contain all the details that are mandatory under Article 13 GDPR.

The DPA decided that the controller’s planned actions met these requirements. The controller provided for "marking of the application". The monitored area would be marked in a clearly visible manner near the secured bridges by appropriate signs. In addition to a pictogram depicting a video camera, the sign contains a QR code that refers to the website - also indicated on the sign - where the data protection declaration of the controller can be accessed. If there is a corresponding reason on the part of the controller, the sign should be clearly visible to approaching traffic in front of the bridge.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

GZ: 2021-0.024.862 of February 2, 2021 (case number: DSB-D485.007)

[Note processor: names and companies, legal forms and product names,

Addresses (including URLs, IP and e-mail addresses), file numbers (and the like), etc., as well as
their initials and abbreviations can be abbreviated for reasons of pseudonymisation
and / or changed. Obvious spelling, grammar, and punctuation errors
have been corrected.]

                                   B E S C H E I D

                                     S P R U C H


The data protection authority decides on the basis of the A ** Verkehrsbetriebe GmbH
(Responsible), represented by N ** Rechtsanwälte GmbH, on December 10, 2020

initiated procedure according to Art. 36 GDPR concerning an intended

Data processing ("test mode impact detection on bridges") as follows:



   - The request for prior consultation in accordance with Art. 36 GDPR is rejected.


Legal basis: Articles 5, 6, 13, 14, 35 and 36 of Regulation (EU) 2016/679 (data protection

Basic Regulation, hereinafter: GDPR), OJ No. L 119 of 4.5.2016 p. 1;


                              REASON


A. Submissions of those responsible:

1. In a letter dated December 10, 2020, the controller initiated a procedure in accordance with

Art. 36 GDPR and stated as follows:

The person in charge intends to use "impact detection on bridges" for detection and

Video documentation of damage cases - those caused by the collision of a vehicle
to be caused with a bridge of those responsible - to build. The data protection

Impact assessment came to the conclusion that with regard to the assessed

Processing activity remains a high (residual) risk or cannot be ruled out
could. The application was the "data protection impact assessment test operation impact detection

in the case of bridges ”of the responsible persons.

2. The person responsible specified - at the request of the data protection authority - with

Opinion of January 7, 2021 their application to the effect that they are at high risk for

recognize the data protection rights of the data subjects in the fact that due to the specific
Circumstances of processing although a viable legal basis for data processing

exists, however, reliable information of the persons concerned about the

Data processing is not guaranteed. Because the person responsible has no direct one

Contact with the drivers and passengers of approaching vehicles, which can provide information. There is also no empirical evidence that the attached

Information signs can also be perceived by persons concerned “in passing”.

In addition, the person responsible is not the maintainer of the motorways concerned, but only
the overpassing railway bridges, which the available space for

Could restrict information signs.

The specific circumstances of the processing therefore result in the risk that the

data subjects affected by data processing in the form of video surveillance in their

private or professional life can be recorded without going beyond the fact of

Processing and / or the identity of the person responsible to be informed. Manifest therein
pose a high risk to the data subjects' data protection rights, especially for

the right, protected by Art. 5 Para. 1 lit. a GDPR, that personal data is only available in

processed in a way that is understandable for the data subjects.

The present data protection impact assessment therefore comes to the conclusion that the

planned technical and organizational measures alone cannot be sufficient,
to completely exclude these risks.



B. Factual Findings
The person responsible intends a video-based "impact detection in bridges", their

Conservation is their area of responsibility. The planned application is as

Test setup consisting of a sensor and video recording system designed in

Area of railway bridges of the responsible person is attached over public
Traffic areas run. The system is used for recognition and video documentation of

Damage caused by the collision of a vehicle with a bridge of the

Responsible.

Excerpts from the data protection declaration are as follows (formatting not

1: 1 reproduced):



       "1. SECTION: DESCRIPTION AND LIMITATION OF THE
       PROCESSING OPERATIONS

       [...]

       1.2 Functional description of the application
       [...]

       Detailed presentation of the planned processing operations

       In the area of selected railway bridges the responsible persons, which over
       public traffic areas become digital, permanently adjusted video cameras
       Installed. In addition, laser light barriers are installed in the area of the railway bridges
       installed as so-called "start-up triggers", which strike (trigger) as soon as a vehicle is reached
       happens that exceeds the permissible total height (cause of impact). Two different camera perspectives are provided for the camera system
each fulfill different recording purposes:

       (i) Recording of the structure's bottom view for the identification and documentation of
       any optical changes to the structure as well as more precise
       Analysis of the impact (nature of the vehicle part that is in contact with

       the bridge structure, speed at impact, etc.).
       The camera lens is aligned in such a way that no public
       Traffic areas (e.g. street, footpath, bike path) are recorded.

       (ii) Recording of the lane of the approaching road traffic in
       close proximity to the secured railway bridge for the purpose of
       Detection of impacting vehicles as well as their license plates and
       possibly the handlebars from the front.

Depending on the local conditions, the application is either as
"Cause recording system" or implemented as a "Cause storage system",
whereby, in terms of data minimization (Art 5 Para 1 lit c GDPR), priority is given to
The event recording system is to be implemented:

       (i) Event recording system: If the local conditions in the individual case
       a corresponding positioning of the laser light barriers on the bottom of the
       Responsible persons (not on third-party land) in the run-up to the secured bridge
       allow, no continuous recordings are made by the installed
       Cameras, but are only activated when an impact event is registered
       put into operation, thus when a vehicle which is permitted

       Exceeds the total height, one of the installed laser light barriers passes
       (Event recording).
       (ii) Occurrence memory system: In all other cases - ie where none

       suitable reason for those responsible for installing the laser light barriers
       is available in the run-up to the bridge - the laser light barriers are switched on
       the bridge installed itself. In this case it would be without a certain lead time
       Camera recording not possible, possible damaging parties and their vehicles
       to be identified through mere event recordings (the technically necessary
       Otherwise, the “lead time” for activating the camera system cannot be guaranteed
       become). It is therefore a permanent operation of the installed video cameras

       required.
       However, the continuously recorded image data are only temporary
       backed up in a ring memory and regularly overwritten. The

       specific storage duration depends on the maximum expected
       Approach speed and the concretely visible approach line
       from. The maximum storage period is 10 seconds. A
       Any additional storage of captured image data takes place only with
       Registration of a crash event, thus when a vehicle which
       exceeds the total allowable height, one of the installed
       Laser light barriers passed. In this case, the overwriting of image data

       suspended in the ring buffer until a corresponding
       Preservation of evidence has taken place (event storage).
       [...]

The image data saved as part of the recording or storage of the event
will be sent from there immediately - but in any case within 96 hours
authorized persons of the responsible person analyzed and evaluated. These operations
are logged. The further use and storage period of the image data in the

Individual cases are then derived from the documentation purposes shown below
Consideration of the principles of data minimization (Art 5 Para 1 lit c GDPR) and
Storage limitation (Art 5 Para 1 lit e GDPR). [...]

The pursued legitimate interests (if Art 6 para 1 lit f GDPR as
Legal basis is used)

The legitimate interests pursued by the person responsible through the application

can be summarized as follows:

       • Detection and analysis of crash incidents to ensure safety and security
       To be able to guarantee the functionality of the protected infrastructure and
       if necessary to take suitable remedial measures (e.g. necessary
       Repair work on parts of the bridge or barrier affected by an impact
       of tracks);

       • Gathering information on the ongoing fulfillment of maintenance
       and traffic safety obligations of those responsible with regard to their
       Railway bridges, in particular due to the better detection and
       Assessment of dangerous situations and their proactive elimination or

       Defusing;
       • Investigation of crash incidents including the identification of the
       Causer and appropriate evidence preservation, whereby in particular the

       Initiation of any (administrative) criminal proceedings enables and effective
       Enforcement of civil law claims of those responsible ensured
       shall be.
That the video documentation of damage cases in public road traffic via

se corresponds to a legitimate interest of the person responsible is undisputed (cf.
VwGH Ro 2015/04/0011).
The processing is also necessary to safeguard this legitimate interest,

because there is no more lenient means of avoiding the handlebars of a crashing vehicle
to identify or the license plate number and thus a conclusion about the
To determine the authorization holder. The capture by video recording is about this
Purpose therefore required, whereby the person responsible (as described overleaf)
Extensive measures are taken to reduce the level of processing on a
to limit the necessary minimum.

Finally, the processing does not have any overriding interests
affected persons against. Because initially the processing is limited to
a sequence lasting a few seconds in which affected persons as
Participants in public road traffic can be captured visually.

In particular, no highly personal areas of life are recorded or sensitive
Data processed within the meaning of Art 9 GDPR. Processing therefore takes place in the
Compared to other image processing systems, the intervention intensity is relatively low. The
Image recording captures a publicly perceptible behavior of those affected
People.

Above all, however, within the scope of this balancing of interests according to recital 47
GDPR based on the reasonable expectations of the data subjects (cf.
DSB-D550.084 / 0002-DSB / 2018). In this sense is for the representational
Application assume that the road users concerned
can reasonably foresee that in the area of critical infrastructures such as

image recordings may also be made to railway bridges. So are
Video surveillance in Austria already at dangerous intersections, in tunnels,
on motorways and open roads as well as rest areas, train stations, airports, etc.
widespread.

[…] According to the DSB, dashcams can therefore be permitted in particular if
the following parameters are observed:

       • The data processing takes place for the exclusive purpose of
       Documentation of the course of the accident. The application in question is fulfilled
       this criterion is flawless, since only those shown

       Documentation purposes are pursued.
       • The recording of the public space (= street) is based on the
       required extent limited. The ones described overleaf

       Data minimization measures taken by those responsible also ensure compliance
       this criterion for sure.
       • In the case of storage, data will only be unconditional

       required amount of time stored (the specific storage period
       depends on the maximum expected approach speed and the
       concretely visible approach line. The maximum storage period is 10
       seconds before the accident occurrence until a few seconds afterwards, cf.
       Sketch1). Data is continuously overwritten as far as there is none
       Accident happened. The combination envisaged by the person responsible
       from ring memory and start trigger by laser light barriers also fulfilled

       this requirement.
       • If the permanent storage of image data (= stop of the
       Overwriting in the ring buffer) by a deliberate act of the
       Is dependent on the person responsible (e.g. push of a button), in case of doubt the

       Inadmissibility of the processing must be assumed. On the other hand, the
       only automatic storage of image data (= stop of the
       Overwriting process) by predefined impulses, without possibility
       manual storage. In the context of the present application
       the overwrite process is only started by pressing the
       Exposed to the laser light barrier or, in the case of the event recording, the
       Video recording started in the first place.

       • Ensuring integrity and confidentiality through the use of
       Encryption techniques and access restrictions. Also this one
       Requirement is the objective application of those responsible

       fair (see point 5 below for the implemented measures).
Also taking into account those criteria that the DSB at least in the case of
Has considered image processing by dashcams to be decisive, is the permissibility of the

applicable application in accordance with Art 6 Paragraph 1 lit f GDPR must therefore be affirmed. There
It should also be taken into account that the use of dashcams is a
comparatively even has higher intervention intensity. Because in contrast to the
It just does not correspond to objective monitoring of critical infrastructure
the reasonable expectations of the data subjects that they will be able to do so using the Dashcam
be filmed by other road users (cf. in this sense DSB-
D550.084 / 0002-DSB / 2018). In addition, it is the representational

Processing activity around a stationary image recording, which is always the same
Area of a potential danger point in road traffic recorded and also in the
In contrast to a "movable" dashcam located in a vehicle, it is visible
can be marked.

[...]
SECTION 3: EVALUATION OF THE NEED AND
PROPORTIONALITY OF THE PROCESSING OPERATIONS IN RELATION TO

THE PURPOSE
[…] 3.2 Information on the measures taken or planned to comply with
GDPR, in particular those to ensure the necessity and

Proportionality
Purpose limitation principle (Art 5 Paragraph 1 lit b: Collection for specified, unambiguous and
legitimate purposes; Re-use?)

The data processing takes place exclusively for the designated
Documentation purposes. There is no data processing for other purposes
instead of. This is ensured through internal training courses and guidelines. Furthermore were

all employees of
Responsible by means of a separate declaration of compliance with the
Data secrecy according to § 6 DSG and the applicable internal regulations for
Committed to data protection and information security.

Principle of data minimization (Art 5 para 1 lit c: How is it ensured that only the
required data are processed?)
In order to minimize data, the camera is aligned with the

Road perspective such that only the vehicles on the lane of the
approaching traffic and also only the relevant areas of the approaching
Vehicles (driver and passenger seat and license plate number) are recorded.

The duration of the recorded sequence and camera angle is chosen so that at
average speed a crashing truck fills the picture and therefore
If possible, no other road users are recorded.

The orientation of the structure underside is carried out in such a way that through it
Camera recordings, no personal data are processed at all.
In particular, cycle or footpaths below the structure are not recorded.

In addition, recording areas that are not relevant for achieving the purpose are included
static blackening (digital masking) (e.g. the edge areas where
Pedestrians could be detected or the one moving away from the bridge
Two-way traffic). The blackening is fixed in the camera views
programmed so that the area covered by the mask is not recorded at all
is, ie no image pixels are processed in the relevant areas.

Through the use of laser light barriers, which, depending on the implementation, either the
The camera only starts up (event recording) or the continuous overwriting
suspends existing recordings in the ring memory (initial storage)
the period of inclusion becomes necessary to achieve the purpose
Reduced minimum size. Where the local conditions allow, this will always be the case

Event recording system implemented.
When an impact occurs, only those cameras are put into operation that are on
that lane on which the impacting vehicle is located are directed.

Principle of storage limitation (Art 5 Para 1 lit e: storage period only as long
than necessary for the purpose)

As part of the event recording system, data will only be used in the event of a
Impact event recorded and saved.

As part of the event storage system, the
Image data are temporarily saved in a ring buffer and already after expiry
overwritten by a few seconds and thus irreversibly deleted (the specific
Storage duration depends on the maximum expected approach speed
and the concretely visible approach line. The maximum storage period is
10 seconds provided). Any additional storage of recorded

Image data is only generated when a collision event is registered. The data storage following a collision event takes place as long as
how this is necessary for the stated processing purposes in individual cases (Art

5 para 1 lit e GDPR). There is no legitimate storage purpose - in particular
if there has not been a negative impact for those responsible - will
the data immediately, but in any case after 96 hours after the
Recording deleted. The same applies to irrelevant image sequences of a
stored recording (e.g. the recording of uninvolved road users).

Information on compliance with the requirements for data transfer to third countries (or
international organizations)

The image recordings are stored on a server in Germany. There is none
Transmission to third countries or international organizations.

[...]
3.3 Information on the measures taken or planned for
Consideration of the rights of the data subjects

Guarantee of transparency and information obligations (Art 12-14)

The recording activity is clearly visible in the area of the secured bridges
corresponding signs are marked. Where the local conditions this
allow, i.e. if the responsible person has a corresponding reason (not an external reason)
is present, the marking is clearly visible in the oncoming traffic
Attached to the apron of the bridge.

The information sign contains information on the height control, a pictogram for
Video surveillance, a reference to the person responsible and a link including QR
Code with reference to further information in the data protection declaration of
Responsible person. The marking essentially corresponds to sketch 2.

A detailed description is given in the data protection declaration of the person responsible
started processing activities in accordance with Art 13 GDPR. The
The data protection declaration can be accessed at any time on the website of the controller
can be requested at the company headquarters.

[...]

SECTION 4: IDENTIFICATION AND ASSESSMENT OF THE RISKS FOR THE
RIGHTS AND FREEDOMS OF AFFECTED PERSONS

[...]


















[...]

SECTION 5: IDENTIFICATION OF CORRECTIVE MEASURES 5.1 Control 1: Technical and organizational measures

       [...]

       Appropriate labeling of the application
       The recording activity is clearly visible in the area of the secured bridges

       corresponding signs are marked. Where the local conditions this
       allow, i.e. if the responsible person has a corresponding reason (not an external reason)
       is present, the marking is clearly visible in the oncoming traffic
       Attached to the apron of the bridge.

       Depending on the local conditions, this cannot be done in every case
       ensure that the information is communicated through these markings
       takes place in such a way that the persons potentially affected by the application can still use the
       Choose another route to avoid. But as a rule they still can
       stop in front of the bridge.

       However, this is not a mandatory legal requirement (cf.
       DSB-D550.084 / 0002-DSB / 2018, according to which the possibility of evading "if possible"
       should exist). For example, dashcams are also qualified as not per se inadmissible,
       although with these the possibilities of information sharing are even stronger resp.
       are restricted at least in a comparable way (see VwGH Ro 2015/04/0011

       or newsletter 1/2020 of the DSB).
       In addition, a detailed statement is made in the data protection declaration of the person responsible
       Description of the processing activity in accordance with Art 13 GDPR added. The

       The data protection declaration can be accessed at any time on the website of the person responsible.
       This control reduces the risk described, but cannot completely
       remove. There remains a residual risk.

       [...]

       SECTION 6: DOCUMENTATION OF THE SOLUTION AND THE RESIDUAL RISK
       [...]
















                                                                                    "




The sketch in Appendix 4 (SKETCH 2) is as follows (formatting not 1: 1
accepted):


[Editor's note: the one reproduced here as a graphic file (screenshot)
Figure cannot be pseudonymized with justifiable effort.] Evidence assessment: The determinations made result from the

procedural application, its attachment and supplementary statement.

C. From a legal point of view, it follows:


C.1. General

According to Art. 36 Para. 1 GDPR, the person responsible consults the

Supervisory authority, if from a data protection impact assessment according to Art. 35 leg. Cit.
it is clear that the processing would result in a high risk, provided that the controller

does not take any measures to contain the risk.

A final definition of the "high risk" cannot be found in the GDPR.

However, it follows from Recital 89 that processing operations that involve “high risks”

bring themselves, especially those that use new technologies
or that are new and for which the person responsible has not yet

Has carried out an impact assessment (König in Gantschacher † / Jelinek / Schmidl / Spanberger,

Comment on GDPR [2017], Art. 36 Note 1).

Both internal and external, potential and actual sources of risk come as sources of risk

Risks in question. When identifying all potential risks is no less than one type

"Foray through the requirements of data protection law" required (Trieb in Knyrim,
DatKomm Art 35 GDPR, margin no.113). In the course of the

In addition to purely “technical” risks, risk analysis includes all those risks

To pick up data processing, which may have negative effects on a
affected person and they are thus provided for in their by the GDPR

Impair the protection area. This also includes the lawfulness of the processing

within the meaning of Art. 6 GDPR as well as compliance with all principles according to Art. 5 GDPR.

To contain the risk, the GDPR names three different types of

Remedial measures, namely guarantees, safeguards, and procedures by which

the protection of personal data is ensured and proof of this is provided,
that the GDPR is complied with. Thus, technical, organizational such as

legal, in particular contractual measures intended to remedy the situation (instinct in

Knyrim, DatKomm Art 35 GDPR, margin no.116).

C.2. In the matter

1. The person in charge states that there is a high risk in relation to the issuance of the

reliable information to the data subjects about the data processing

is given to the effect that the data subjects affected by the data processing in the form
recorded by video surveillance in their private or professional life,

without being informed of the fact of the processing and / or the identity of the person responsible. Specifically, the person responsible defines the risk as part of their data protection

Impact assessment as a “risk [o] for the effectiveness of the fulfillment of the information obligations

by marking ". It is here - with regard to the previously recorded
Considerations - about a "risk" within the meaning of Art. 35 GDPR.


Since only those processing - which even after provision of the data protection
Impact assessment defined remedial measures remain high risks for natural

Rescue people - are to be subjected to the consultation mechanism (instinct in

Knyrim, Art 35, Rz 28 ff; Trieb in Knyrim, Art. 36 Rz 1), is to be checked in a next step,

whether the person responsible takes appropriate measures to contain the identified risk
has met.


2. As stated, the person responsible foresees a "marking of the application". The
The monitored area should be clearly visible in the vicinity of the secured bridges

appropriate signs (SKETCH 2) are marked. The information sign

contains a pictogram representing a video camera, a QR code,
which on the website - also listed on the sign - on which the

Data protection declaration of the person responsible is to be accessed, refers. If more appropriate

Reason the responsible person is present, the marking should be for the approaching

Traffic must be clearly visible in the apron of the bridge.

For image processing, see the guidelines 3/2019 of the European
Data protection committee for the processing of personal data by video devices

a two-stage model with regard to the information to be provided.

Accordingly, the information on the first level should be provided by a meaningful sign.

This information should be appropriate so that the data subject understands the circumstances of the

Surveillance can easily detect before it enters the monitored area (e.g. in

Eye level). The position of the camera itself does not have to be disclosed as long as no
There are doubts as to which areas are covered and the circumstances of the surveillance

clearly described. The person concerned must be able to assess

which area is covered by a camera so that they evade surveillance or
can adjust their behavior if necessary (see margin no. 113).


The information on the first level (sign) should usually be the most important
Contain information, e.g. B. Information on the purposes of processing, the identity of the

Responsible persons and the existence of the rights of the data subject as well as others

Information of great importance. For example, the legitimate interests

of the person responsible (or a third party) and (if applicable) the contact details of the
Data protection officers belong. They must also refer to the more detailed second level of information and point out where and how it can be found (ibid.

114).

Second level information also needs to be made easy for the data subject

be made available in an accessible location, e.g. B. as a complete information sheet

a central point (e.g. information desk, reception or cash register) or on an easy
accessible poster. As mentioned earlier, the first level warning must be clear

refer to the information on the second level. In addition, it is best when

the information of the first level on a digital source (e.g. QR code or

Internet address) of the second level. However, the information also needs to be on
not be readily available digitally. It should be possible to access the information of the

to access the second level without entering the monitored area, in particular

if the information is provided digitally (for example via a link). A
another suitable means could be a telephone number that can be called. The

However, information must contain all information that is mandatory according to Art. 13 GDPR

are (ibid. Rz 117).

3. The marking provided by the person responsible is both different from the one planned

local positioning as well as the content is a suitable measure to

to minimize identified risk. It corresponds to the model mentioned in the above
Guidelines is recommended. The argument of those responsible that it is not in every case -

due to local conditions - the selected measure is possible in the same way

implement and minimize the identified risk in the same way and therefore a high one
Residual risk remains, it must be countered that not only the - in the by the

Responsible in the course of the data protection impact assessment specifically the identified

Risk assigned - measure that also has to sufficiently minimize the specific risk.

Rather, the determination of a possibly remaining high residual risk has under
Consideration of all intended for the desired processing

Containment measures to be taken. When assessing the remaining residual risk

are therefore all planned measures to ensure GDPR-compliant
Include processing.


This can be justified by a reference to the wording of Art. 35 GDPR, which
refers to “the rights and freedoms of the data subject” in relation to risk.


Accordingly, there is also one for assessing the remaining risk
Overall view of all measures and precautions taken - in the sense of a

comprehensive weighing of interests within the meaning of Art. 5 in conjunction with Art. 6 GDPR - to

4. Based on the data controller in the data protection impact assessment

The assessment made is the admissibility of the data processing in question

and the data protection authority has weighed the interests of those responsible
nothing to oppose.


The “high residual risk” raised by the person responsible is in any case caused by the
planned recording, evaluation and deletion modalities so greatly reduced that in

Result no high residual risk for those affected can be recognized.

Contrary to the view of those responsible, it has therefore overall under review

of the measures set out in accordance with Article 35 (7) (d) GDPR, the existing risk

adequately contained.

The requirements for prior consultation in accordance with Art. 36 GDPR are therefore

not given due to the lack of high risk and the decision had to be made according to the ruling.