DSB (Austria) - 2022-0.858.901: Difference between revisions

From GDPRhub
No edit summary
 
(One intermediate revision by the same user not shown)
Line 68: Line 68:
A public middle school (the controller) had four cameras on its property: one in front of the school entrance, one in front of a computer space, one in front of the teacher’s lounge and management area, and one near the escape stairs. According to the controller, the purpose of the video surveillance was to protect persons from theft or attacks. The use of video cameras is signaled at the school's entrance. The controller maintained video records for 48 hours.  
A public middle school (the controller) had four cameras on its property: one in front of the school entrance, one in front of a computer space, one in front of the teacher’s lounge and management area, and one near the escape stairs. According to the controller, the purpose of the video surveillance was to protect persons from theft or attacks. The use of video cameras is signaled at the school's entrance. The controller maintained video records for 48 hours.  


In response to the DPA's investigation, the controller noted that preventing pupils from being endangered by other pupils during school is part of the duty of supervision assigned to teachers and schools. The controller cited Data Protection Commission rulings that video surveillance of public bodies in the context of private sector activities for the purpose of self-protection or responsibility may be permissible even without express legal authorisation if carried out in response to specific dangerous situations and consistent with the principle of proportionality. As such, it argued that the use of technical surveillance measures in this context were authorised under national law [https://www.ris.bka.gv.at/Dokumente/Erv/ERV_1999_1_165/ERV_1999_1_165.html (§ 1 para. 2 DSG]).
In response to the Austrian DPA's (DSB) investigation, the controller noted that preventing pupils from being endangered by other pupils during school is part of the duty of supervision assigned to teachers and schools. It relied on legitimate interests as a legal basis pursuant to [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] to process personal data via the video surveillance cameras. The controller cited a DSB ruling that video surveillance of public bodies in the context of private sector activities for the purpose of self-protection or responsibility may be permissible even without express legal authorisation if carried out in response to specific dangerous situations and consistent with the principle of proportionality. As such, it argued that the use of technical surveillance measures in this context were authorised under national law [https://www.ris.bka.gv.at/Dokumente/Erv/ERV_1999_1_165/ERV_1999_1_165.html (§ 1 para. 2 DSG]).


=== Holding ===
=== Holding ===
The DPA concluded that video surveillance in the school was impermissible during hours of operation, ordering a restriction on processing from all cameras during school hours.  
The DSB concluded that video surveillance in the school was impermissible during hours of operation, ordering a restriction on processing from all cameras during school hours.  


According to [https://www.ris.bka.gv.at/Dokumente/Erv/ERV_1999_1_165/ERV_1999_1_165.html § 1 para. 2 DSG], personal data that are not processed pursuant to [[Article 6 GDPR#1a|Articles 6(1)(a)]] or [[Article 6 GDPR#1d|(d) GDPR]] (consent or in the vital interest of the data subject) are permitted only to safeguard overriding legitimate interests of another person. Where the controller is a public authority, overriding legitimate interests can occur only on the basis of laws which are necessary in the interests of public safety, crime prevention, or other reasons stated in Article 8(2) of the ECHR.  
The DSB distinguished between the controller's behavior during school hours and outside of school hours. During school hours, the controller is behaving as a public entity. As a result, the controller cannot rely on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] for its usage of video surveillance during school hours. The DSB thus ordered that no recordings be taken by any of the cameras during school operations, or else that the cameras be decommissioned.


In this case, the controller relied on legitimate interests as a legal basis pursuant to [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] to process personal data via the video surveillance cameras. The DPA found this an impermissible legal basis because, pursuant to  [https://www.ris.bka.gv.at/Dokumente/Erv/ERV_1999_1_165/ERV_1999_1_165.html § 1 para. 2 DSG], the controller’s processing requires explicit statutory authorisation. In addition, the DPA noted that continuous monitoring of minors in corridors of a compulsory school would not be the ‘least intrusive’ means of processing under [https://www.ris.bka.gv.at/Dokumente/Erv/ERV_1999_1_165/ERV_1999_1_165.html § 1 para. 2 DSG]. The DPA thus ordered that no recordings may be taken by any of the cameras during school operations, or else that the cameras would be decommissioned.
On the other hand, the DSB considered that when the controller was using video surveillance outside of school hours for the purpose of protection of property, it was behaving in a private function. As a result, processing via video surveillance could be based on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] when limited to the period outside of school operations.  
 
The DPA noted, however, that video surveillance of public bodies for private sector activities, specifically for purposes of property protection, may be permitted when limited to the period outside of school operations.


== Comment ==
== Comment ==

Latest revision as of 12:53, 17 April 2024

DSB - 2022-0.858.901
LogoAT.png
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 6(1) GDPR
§ 1 Datenschutzgesetz (DSG)
Type: Investigation
Outcome: Violation Found
Started: 08.11.2022
Decided: 06.09.2023
Published: 05.04.2024
Fine: n/a
Parties: n/a
National Case Number/Name: 2022-0.858.901
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): German
Original Source: DSB (in DE)
Initial Contributor: lm

The DPA held that video surveillance in a school during hours of operation lacked a legal basis under Article 6(1) GDPR and ordered a restriction on processing from all cameras during school hours.

English Summary

Facts

A public middle school (the controller) had four cameras on its property: one in front of the school entrance, one in front of a computer space, one in front of the teacher’s lounge and management area, and one near the escape stairs. According to the controller, the purpose of the video surveillance was to protect persons from theft or attacks. The use of video cameras is signaled at the school's entrance. The controller maintained video records for 48 hours.

In response to the Austrian DPA's (DSB) investigation, the controller noted that preventing pupils from being endangered by other pupils during school is part of the duty of supervision assigned to teachers and schools. It relied on legitimate interests as a legal basis pursuant to Article 6(1)(f) GDPR to process personal data via the video surveillance cameras. The controller cited a DSB ruling that video surveillance of public bodies in the context of private sector activities for the purpose of self-protection or responsibility may be permissible even without express legal authorisation if carried out in response to specific dangerous situations and consistent with the principle of proportionality. As such, it argued that the use of technical surveillance measures in this context were authorised under national law (§ 1 para. 2 DSG).

Holding

The DSB concluded that video surveillance in the school was impermissible during hours of operation, ordering a restriction on processing from all cameras during school hours.

The DSB distinguished between the controller's behavior during school hours and outside of school hours. During school hours, the controller is behaving as a public entity. As a result, the controller cannot rely on Article 6(1)(f) GDPR for its usage of video surveillance during school hours. The DSB thus ordered that no recordings be taken by any of the cameras during school operations, or else that the cameras be decommissioned.

On the other hand, the DSB considered that when the controller was using video surveillance outside of school hours for the purpose of protection of property, it was behaving in a private function. As a result, processing via video surveillance could be based on Article 6(1)(f) GDPR when limited to the period outside of school operations.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Text

GZ: 2022-0.858.901 of September 6, 2023 (case number: DSB-D213.1508)

[Editor's note: Names and companies, legal forms and product names, addresses (including URLs, IP and email addresses), file numbers (and the like), etc., as well as their initials and abbreviations may be abbreviated and/or changed for pseudonymization reasons. Obvious spelling, grammatical and punctuation errors have been corrected.

DECISION

RULING

As part of the data protection review pursuant to Art. 58 Paragraph 1 Letter b of GDPR, the data protection authority has decided against the middle school NMS N***dorf, E***platz *3, **** N***dorf as follows:As part of the data protection review pursuant to Article 58, Paragraph 1, Letter b of GDPR, the data protection authority has decided against the middle school NMS N***dorf, E***platz *3, **** N***dorf as follows:

- The person responsible is violating the GDPR by carrying out image processing in the school premises of the middle school N***dorf at the address E***platz *3, **** N***dorf, whereby the processing of images from camera 1 "ground floor - corridor in front of IT rooms", camera 2 "2nd floor - corridor between teachers' room and management", camera 3 "3rd floor - corridor towards emergency stairs" and camera 4 "entrance area" during school operations is contrary to the provisions of Art. 6 Paragraph 1 of GDPR (legality). The person responsible is acting contrary to the provisions of Article 6, Paragraph 1, GDPR (legality). The person responsible is instructed to limit the image processing of cameras 1, 2, 3 and 4 within a period of two weeks in such a way that no recordings are made during school operations or the cameras are switched off during school operations.

Legal basis: Art. 4, Art. 5, Art. 6, Art. 51 Para. 1, Art. 57 Para. 1 lit. a and lit. h, Art. 58 Para. 1 lit. b and Para. 2 lit. d, lit. f, and Art. 77 Para. 1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), OJ L 119, 4 May 2016, p. 1, Section 1 Para. 1 and 2 of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended: Article 4, Article 5, Article 6, Article 51, Paragraph 1, Article 57, Paragraph 1, Letters a and h, Article 58, Paragraph 1, Letter b and Paragraph 2, Letter d, Letter f,, as well as Article 77, paragraph one, of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), OJ No. L 119 of 4 May 2016 p. 1, paragraphs one, paragraph one, and 2 of the Data Protection Act (DSG), Federal Law Gazette Part One, No. 165 of 1999, as amended.

JUSTIFICATION

A. Arguments of the parties and course of proceedings

1. With a decision dated 8 November 2022, the data protection authority initiated a data protection review pursuant to Art. 57 Para. 1 lit. h GDPR ("official review procedure") against the person responsible regarding the cameras in the school corridors.1. With its decision of November 8, 2022, the data protection authority initiated a data protection review pursuant to Article 57, paragraph one, letter h, GDPR ("official review procedure") against the controller regarding the cameras in the school corridors.

2. In its statement of November 25, 2022, the controller essentially stated that it operates four cameras. Two cameras are on the ground floor (corridor in front of the IT rooms and school entrance), one on the second floor (corridor in front of the teachers' room and the management) and one on the third floor (corridor towards the emergency stairs). The recordings are kept for 48 hours and are intended to protect people, protect against theft or robbery. The request to install the cameras came about because there had been break-ins and theft of valuables belonging to teaching staff in the past. The cameras are video devices from the manufacturer ***CAM.

Attached to the statement were photos of the cameras and screenshots of the recording areas.

B. Subject of the proceedings

Based on the statements of the responsible parties, the subject of the proceedings is the question of whether the image processing in the form of four video cameras in the school premises of the N***dorf Middle School, E***platz *3, **** N***dorf, is carried out lawfully.

C. Findings of fact

1. The person responsible for the image processing, the N***dorf Middle School, is a public compulsory school with the school code *4*2*9*, with the address E***platz *3, **** N***dorf.

2. The person responsible currently operates a total of four cameras in the school premises, two of which are on the ground floor (Camera 1 "Ground floor - corridor in front of the IT rooms, Camera 4 "Entrance area"), one camera on the 2nd floor (Camera 2 "2nd floor - corridor between the teachers' room and management") and one camera on the 3rd floor (Camera 3 "3rd floor - corridor towards the emergency stairs"). The purpose of processing the video recordings is to protect people and property.

The camera recording area is as follows:

[Editor's note: The image reproduced here as a graphic file with a representation of the four recording areas described above has been removed.]

3. The person responsible keeps the recordings for 48 hours. The video surveillance is marked in the school entrance area.

Evaluation of evidence: The findings are based on the statements of the person responsible and in particular the photographs from the cameras and the screenshots of the cameras' recording areas.

D. From a legal point of view, this means:

According to Section 1 Paragraph 1 of the Data Protection Act, everyone has the right to keep personal data concerning them confidential, in particular with regard to respect for their private and family life, provided there is a legitimate interest in doing so. Such an interest is excluded if data cannot be subject to a claim of confidentiality due to its general availability or because it cannot be traced back to the person concerned. According to paragraph one, subsection one of the DSG, everyone has the right to keep personal data concerning them confidential, in particular with regard to respect for their private and family life, provided that there is a legitimate interest in doing so. Such an interest is excluded if data cannot be subject to a claim of confidentiality due to its general availability or because it cannot be traced back to the person concerned.

According to section 1, subsection 2 of the DSG, restrictions on the claim of confidentiality are generally permissible if the use of personal data is in the vital interest of the person concerned or with their consent, if there are overriding legitimate interests of another or if there is a qualified legal basis. According to paragraph one, subsection 2 of the DSG, restrictions on the claim of confidentiality are generally permissible if the use of personal data is in the vital interest of the person concerned or with their consent, if there are overriding legitimate interests of another or if there is a qualified legal basis.

However, a restriction of the right to confidentiality pursuant to Section 1 Paragraph 2 DSG by a person responsible in the public sector within the framework of sovereign administration is only possible on a legal basis within the meaning of Article 6 Paragraph 1 Letter e of GDPR, whereby this also results from the legality principle of Article 18 Paragraph 1 B-VG. However, a restriction of the right to confidentiality pursuant to Paragraph 1, Paragraph 2, DSG by a person responsible in the public sector within the framework of sovereign administration is only possible on a legal basis within the meaning of Article 6 Paragraph 1 Letter e of GDPR, whereby this also results from the legality principle of Article 18 Paragraph 1 B-VG.

The subject matter of the proceedings concerns cameras of a public body, namely a compulsory school. The data processing is (continuously) designed. The purpose stated was the protection of persons, protection against theft or assault. In particular, there had been break-ins and theft of valuables belonging to teaching staff in the past.

The facts are similar to those that the Data Protection Commission had to deal with in its decision of June 20, 2008, K600.054-001/0002-DVR/2008 in connection with the notification of video surveillance in a public school. The video surveillance was to be operated in school corridors and in the entrance hall for the purpose of protecting property and people.

The excerpted justification for the rejection of the notification can also be used for the present proceedings:

"In its consistent decision-making practice, the Data Protection Commission assumes that video surveillance for sovereign purposes is only permissible on the basis of an express, sufficiently defined legal authorization. Video surveillance of public bodies in the context of private business activities for the purposes of self-protection or protection of responsibility may, however, also be permissible without express legal authorization if it is carried out in response to specific risk situations by the person entitled to control the school in compliance with the principle of proportionality. Preventing pupils from being put at risk by other pupils within the school is part of the duty of supervision assigned to teachers under Section 51 Paragraph 3 of the School Education Act (SchUG) and is part of the educational work to be carried out by schools. The use of technical surveillance measures as part of school teaching and educational work would be covered as a surveillance measure for the performance of statutory duties by the strict legal reservation in Section 1 Paragraph 2 of the Data Protection Act 2000 for “interventions by state authorities”. (…) Video surveillance in schools outside of teaching hours would of course be judged differently. Video surveillance to protect against vandalism or property crimes within the school building, for example during the night hours, would be considered an exercise of house rules and thus a private business activity, which would not raise any particular data protection problems if access to the school building is prohibited at all during the surveillance period, so that no legitimate data protection interests can be violated by the video surveillance (…) “Preventing pupils from being endangered by other pupils within the school is part of the duty of supervision assigned to teachers by Paragraph 51, Paragraph 3, School Education Act (SchUG) and is part of the educational work to be carried out by schools.The use of technical surveillance measures in the context of school teaching and educational work would be covered as a surveillance measure for the performance of statutory tasks by the strict legal reservation of paragraph one, subsection 2, DSG 2000 for "interventions by state authorities". (...) Of course, video surveillance in schools outside of teaching hours would be judged differently. Video surveillance to protect against vandalism or property crimes within the school building, for example during the night hours, would be considered an exercise of house rules and thus a private business activity, which does not raise any particular data protection problems if access to the school building is prohibited at all during the surveillance period, so that no legitimate data protection interests can be violated by the video surveillance (…)”

In essence, the controller relies on legitimate interests within the meaning of Art. 6 Paragraph 1 Letter f of GDPR (in particular protection of the property of the work equipment, as well as the property protection of the data subjects and protection of persons) for the processing of personal data. In essence, the controller relies on legitimate interests within the meaning of Article 6 Paragraph 1 Letter f of GDPR (in particular protection of the property of the work equipment, as well as the property protection of the data subjects and protection of persons) for the processing of personal data. However, a public body cannot rely on legitimate interests within the framework of sovereign administration - in this case the school operation - but requires an express, sufficiently determined legal authorization (cf. Section 1 Paragraph 2 DSG). compare paragraph one, paragraph 2, DSG).

There is still no such legal authorization for video surveillance in school corridors or school premises. Rather, Section 51 Paragraph 3 of the SchUG stipulates that supervision during recess is to be carried out by teaching staff.There is still no such legal authorization for video surveillance in school corridors or school premises. Rather, Paragraph 51 Paragraph 3 of the SchUG stipulates that supervision during recess is to be carried out by teaching staff.

Furthermore, continuous monitoring of minors in the corridors of a compulsory school (usually 10 to 14 year olds) would not be the mildest means within the meaning of Section 1 Paragraph 2 of the Data Protection Act, last sentence, especially since children enjoy special protection of their personal data (cf. Article 8 of the GDPR for the area of consent and Recital 38). Furthermore, continuous monitoring of minors in the corridors of a compulsory school (usually 10 to 14 year olds) would not be the mildest means within the meaning of Paragraph 1 Paragraph 2 of the Data Protection Act, last sentence, especially since children enjoy special protection of their personal data (cf. Article 8 of the GDPR for the area of consent and Recital 38).

However, video surveillance of public bodies in the context of private sector activities for the purposes of protecting property may be permissible within the framework of house rules if the requirements of Article 6, paragraph 1, letter f, GDPR are met (see EDPB Guidelines 3/2019 on the processing of personal data by video devices, p. 10 ff.), which is why the requested restriction on processing expressly refers to the period of school operation.

On the restriction of processing for cameras 1, 2, 3 and 4:

According to Article 58, Paragraph 2, Letter f, GDPR, the data protection authority can impose "[...] a temporary or permanent restriction on processing, including a ban" on the person responsible.According to Article 58, Paragraph 2, Letter f, GDPR, the data protection authority can impose "[...] a temporary or permanent restriction on processing, including a ban" on the person responsible.

The data protection authority has imposed a time limit to the effect that no recordings are made by cameras 1, 2, 3 and 4 during school operations, or that the cameras are switched off. Outside of school operations - and thus outside of sovereign activities - it is the responsibility of the school management to take preventive measures to protect the property within the framework of private sector administration, if necessary within the framework of house rules.

The controller is requested to provide appropriate evidence (e.g. confirmation) of the restriction of processing for cameras 1, 2, 3 and 4 within a period of six weeks.

The decision had to be made in accordance with the ruling.