DSB (Austria) - DSB-D485.007 / 2021-0.024.862
|DSB (Austria) - DSB-D485.007 / 2021-0.024.862|
|Relevant Law:||Article 6(1)(f) GDPR|
Article 13(1) GDPR
Article 13(2) GDPR
Article 35(1) GDPR
Article 35(7)(d) GDPR
Article 36(1) GDPR
Article 36(3)(e) GDPR
GDPR Recital 89
|National Case Number/Name:||DSB-D485.007 / 2021-0.024.862|
|European Case Law Identifier:||AT:DSB:2021:2021.0.024.862|
|Original Source:||Rechtsinformationssystem des Bundes (RIS) (in DE)|
Upon a request for prior consultation under Article 36(1) GDPR, the Austrian DPA held that a high risk found in a data protection impact assessment was sufficiently mitigated by measures proposed by the controller.
English Summary[edit | edit source]
Facts[edit | edit source]
The controller is a transport operating company which, among other things, operates railway bridges. Bridges that run over public traffic areas are occasionally damaged during passage by vehicles that exceed the vehicle height permitted for the respective bridge. The company planned occasion-related video documentations on selected bridges.
For this purpose, the company conducted a data protection impact assessment. It came to the conclusion that there was a high residual risk and that the consultation procedure pursuant to Article 36 of the GDPR should be carried out. On the details of the data protection impact assessment:
The company assumed that there was a sufficient legal basis for the data processing. It assumed that the data processing was necessary for the fulfilment of its maintenance and traffic safety obligations as well as for the initiation of criminal and civil (damages) proceedings and could therefore be based on Article 6(1)(f) GDPR.
However, it concluded that there was a high risk for the data subjects because reliable information of the data subjects about the data processing was not ensured, although the data controller provided for measures to inform them: In the area of the bridges, the recording activity should be marked by appropriate signs. Information signs should contain references to height control, a pictogram for video surveillance, a reference to the controller as well as a link including a QR code with a reference to further information in the data protection declaration of the controller. A detailed description of the processing activity should be included in the data protection declaration. It would be available at any time on the website of the controller and could be requested at the company's headquarters.
Holding[edit | edit source]
Conditions for the Prior Consultation[edit | edit source]
The DPA first states that Article 36(1) GDPR provides for a duty to consult if two conditions are met. First, a data protection impact assessment under Article 35 GDPR must show that the processing operation entails a high risk. Second, the controller must not have taken appropriate measures to mitigate the risk.
With regard to the definition of "high risk", which is not provided for in the GDPR, the data protection authority refers to recital 89 and states in summary that, in addition to "technical" risks, basically all provisions of the GDPR that serve to protect the data subjects must be examined.
For the mitigation of the risk, the GDPR gives three examples of remedial measures. According to the DPA, if the controller takes appropriate measures, the identified risk must be reassessed. If it is then no longer classified as "high", no obligation to consultation is established. The determination of a possible remaining high residual risk has to be made taking into account all mitigation measures foreseen for the desired processing. When assessing the remaining residual risk, all planned measures to ensure GDPR-compliant processing must be taken into account. This is justified by a reference to the wording of Article 35 GDPR, which refers the risk "to the rights and freedoms of the data subject". Accordingly, an overall view of all measures and precautions taken - in the sense of an all-encompassing balancing of interests in the sense of Article 5 in conjunction with Article 6 of the GDPR - must be carried out for the assessment of the remaining risk.
In the specific case, the DPO assumed that the first condition is met, so to speak, on the basis of the data controller's submission. In this respect, an abstract potential breach of the duty to inform under Article 13 GDPR constitutes a "high risk".
However, the DPO assumed that the measures proposed by the controller were sufficient to contain the risk. Taking together the measures set out in Article 35(7)(d) GDPR, the existing risk was sufficiently contained (see below).
[edit | edit source]
The information system proposed by the controller complies with the information requirements of Article 13 of the GDPR.
In order to determine the scale of image processing operations, the DPA uses the two-layer information model established in the European Data Protection Board's Guidelines 3/2019 on processing of personal data through video devices.
The first-layer information should be provided by a warning sign. This shall be placed in such a way that the data subject can easily recognise the circumstances of the surveillance before entering the monitored area (e.g. at eye level). The data subject must be able to assess which area is being covered by a camera so that he or she can avoid the surveillance or adjust his or her behaviour if necessary. The first level information should normally contain the most relevant information (e.g. purposes of the processing, identity of the controller, rights of the data subject and other information of high importance). They must also refer to the more detailed second level of information as well as where and how to find it.
The second stage information must also be made available in a location that is easily accessible to the data subject, e.g. as a complete information sheet in a central location (e.g. information desk, reception or checkout) or on an easily accessible poster. It is best if the first level information links to the second level digital source (e.g. QR code or web address). However, the information must also be easily available by non-digital means. It should be possible to access the second level information without going into the monitored area. Another suitable means could be a telephone number that can be called. The information must contain all the details that are mandatory under Article 13 GDPR.
The DPA decided that the controller’s planned actions met these requirements. The controller provided for "marking of the application". The monitored area would be marked in a clearly visible manner near the secured bridges by appropriate signs. In addition to a pictogram depicting a video camera, the sign contains a QR code that refers to the website - also indicated on the sign - where the data protection declaration of the controller can be accessed. If there is a corresponding reason on the part of the controller, the sign should be clearly visible to approaching traffic in front of the bridge.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the German original. Please refer to the German original for more details.
GZ: 2021-0.024.862 of February 2, 2021 (case number: DSB-D485.007) [Note processor: names and companies, legal forms and product names, Addresses (including URLs, IP and e-mail addresses), file numbers (and the like), etc., as well as their initials and abbreviations can be abbreviated for reasons of pseudonymisation and / or changed. Obvious spelling, grammar, and punctuation errors have been corrected.] B E S C H E I D S P R U C H The data protection authority decides on the basis of the A ** Verkehrsbetriebe GmbH (Responsible), represented by N ** Rechtsanwälte GmbH, on December 10, 2020 initiated procedure according to Art. 36 GDPR concerning an intended Data processing ("test mode impact detection on bridges") as follows: - The request for prior consultation in accordance with Art. 36 GDPR is rejected. Legal basis: Articles 5, 6, 13, 14, 35 and 36 of Regulation (EU) 2016/679 (data protection Basic Regulation, hereinafter: GDPR), OJ No. L 119 of 4.5.2016 p. 1; REASON A. Submissions of those responsible: 1. In a letter dated December 10, 2020, the controller initiated a procedure in accordance with Art. 36 GDPR and stated as follows: The person in charge intends to use "impact detection on bridges" for detection and Video documentation of damage cases - those caused by the collision of a vehicle to be caused with a bridge of those responsible - to build. The data protection Impact assessment came to the conclusion that with regard to the assessed Processing activity remains a high (residual) risk or cannot be ruled out could. The application was the "data protection impact assessment test operation impact detection in the case of bridges ”of the responsible persons. 2. The person responsible specified - at the request of the data protection authority - with Opinion of January 7, 2021 their application to the effect that they are at high risk for recognize the data protection rights of the data subjects in the fact that due to the specific Circumstances of processing although a viable legal basis for data processing exists, however, reliable information of the persons concerned about the Data processing is not guaranteed. Because the person responsible has no direct one Contact with the drivers and passengers of approaching vehicles, which can provide information. There is also no empirical evidence that the attached Information signs can also be perceived by persons concerned “in passing”. In addition, the person responsible is not the maintainer of the motorways concerned, but only the overpassing railway bridges, which the available space for Could restrict information signs. The specific circumstances of the processing therefore result in the risk that the data subjects affected by data processing in the form of video surveillance in their private or professional life can be recorded without going beyond the fact of Processing and / or the identity of the person responsible to be informed. Manifest therein pose a high risk to the data subjects' data protection rights, especially for the right, protected by Art. 5 Para. 1 lit. a GDPR, that personal data is only available in processed in a way that is understandable for the data subjects. The present data protection impact assessment therefore comes to the conclusion that the planned technical and organizational measures alone cannot be sufficient, to completely exclude these risks. B. Factual Findings The person responsible intends a video-based "impact detection in bridges", their Conservation is their area of responsibility. The planned application is as Test setup consisting of a sensor and video recording system designed in Area of railway bridges of the responsible person is attached over public Traffic areas run. The system is used for recognition and video documentation of Damage caused by the collision of a vehicle with a bridge of the Responsible. Excerpts from the data protection declaration are as follows (formatting not 1: 1 reproduced): "1. SECTION: DESCRIPTION AND LIMITATION OF THE PROCESSING OPERATIONS [...] 1.2 Functional description of the application [...] Detailed presentation of the planned processing operations In the area of selected railway bridges the responsible persons, which over public traffic areas become digital, permanently adjusted video cameras Installed. In addition, laser light barriers are installed in the area of the railway bridges installed as so-called "start-up triggers", which strike (trigger) as soon as a vehicle is reached happens that exceeds the permissible total height (cause of impact). Two different camera perspectives are provided for the camera system each fulfill different recording purposes: (i) Recording of the structure's bottom view for the identification and documentation of any optical changes to the structure as well as more precise Analysis of the impact (nature of the vehicle part that is in contact with the bridge structure, speed at impact, etc.). The camera lens is aligned in such a way that no public Traffic areas (e.g. street, footpath, bike path) are recorded. (ii) Recording of the lane of the approaching road traffic in close proximity to the secured railway bridge for the purpose of Detection of impacting vehicles as well as their license plates and possibly the handlebars from the front. Depending on the local conditions, the application is either as "Cause recording system" or implemented as a "Cause storage system", whereby, in terms of data minimization (Art 5 Para 1 lit c GDPR), priority is given to The event recording system is to be implemented: (i) Event recording system: If the local conditions in the individual case a corresponding positioning of the laser light barriers on the bottom of the Responsible persons (not on third-party land) in the run-up to the secured bridge allow, no continuous recordings are made by the installed Cameras, but are only activated when an impact event is registered put into operation, thus when a vehicle which is permitted Exceeds the total height, one of the installed laser light barriers passes (Event recording). (ii) Occurrence memory system: In all other cases - ie where none suitable reason for those responsible for installing the laser light barriers is available in the run-up to the bridge - the laser light barriers are switched on the bridge installed itself. In this case it would be without a certain lead time Camera recording not possible, possible damaging parties and their vehicles to be identified through mere event recordings (the technically necessary Otherwise, the “lead time” for activating the camera system cannot be guaranteed become). It is therefore a permanent operation of the installed video cameras required. However, the continuously recorded image data are only temporary backed up in a ring memory and regularly overwritten. The specific storage duration depends on the maximum expected Approach speed and the concretely visible approach line from. The maximum storage period is 10 seconds. A Any additional storage of captured image data takes place only with Registration of a crash event, thus when a vehicle which exceeds the total allowable height, one of the installed Laser light barriers passed. In this case, the overwriting of image data suspended in the ring buffer until a corresponding Preservation of evidence has taken place (event storage). [...] The image data saved as part of the recording or storage of the event will be sent from there immediately - but in any case within 96 hours authorized persons of the responsible person analyzed and evaluated. These operations are logged. The further use and storage period of the image data in the Individual cases are then derived from the documentation purposes shown below Consideration of the principles of data minimization (Art 5 Para 1 lit c GDPR) and Storage limitation (Art 5 Para 1 lit e GDPR). [...] The pursued legitimate interests (if Art 6 para 1 lit f GDPR as Legal basis is used) The legitimate interests pursued by the person responsible through the application can be summarized as follows: • Detection and analysis of crash incidents to ensure safety and security To be able to guarantee the functionality of the protected infrastructure and if necessary to take suitable remedial measures (e.g. necessary Repair work on parts of the bridge or barrier affected by an impact of tracks); • Gathering information on the ongoing fulfillment of maintenance and traffic safety obligations of those responsible with regard to their Railway bridges, in particular due to the better detection and Assessment of dangerous situations and their proactive elimination or Defusing; • Investigation of crash incidents including the identification of the Causer and appropriate evidence preservation, whereby in particular the Initiation of any (administrative) criminal proceedings enables and effective Enforcement of civil law claims of those responsible ensured shall be. That the video documentation of damage cases in public road traffic via se corresponds to a legitimate interest of the person responsible is undisputed (cf. VwGH Ro 2015/04/0011). The processing is also necessary to safeguard this legitimate interest, because there is no more lenient means of avoiding the handlebars of a crashing vehicle to identify or the license plate number and thus a conclusion about the To determine the authorization holder. The capture by video recording is about this Purpose therefore required, whereby the person responsible (as described overleaf) Extensive measures are taken to reduce the level of processing on a to limit the necessary minimum. Finally, the processing does not have any overriding interests affected persons against. Because initially the processing is limited to a sequence lasting a few seconds in which affected persons as Participants in public road traffic can be captured visually. In particular, no highly personal areas of life are recorded or sensitive Data processed within the meaning of Art 9 GDPR. Processing therefore takes place in the Compared to other image processing systems, the intervention intensity is relatively low. The Image recording captures a publicly perceptible behavior of those affected People. Above all, however, within the scope of this balancing of interests according to recital 47 GDPR based on the reasonable expectations of the data subjects (cf. DSB-D550.084 / 0002-DSB / 2018). In this sense is for the representational Application assume that the road users concerned can reasonably foresee that in the area of critical infrastructures such as image recordings may also be made to railway bridges. So are Video surveillance in Austria already at dangerous intersections, in tunnels, on motorways and open roads as well as rest areas, train stations, airports, etc. widespread. […] According to the DSB, dashcams can therefore be permitted in particular if the following parameters are observed: • The data processing takes place for the exclusive purpose of Documentation of the course of the accident. The application in question is fulfilled this criterion is flawless, since only those shown Documentation purposes are pursued. • The recording of the public space (= street) is based on the required extent limited. The ones described overleaf Data minimization measures taken by those responsible also ensure compliance this criterion for sure. • In the case of storage, data will only be unconditional required amount of time stored (the specific storage period depends on the maximum expected approach speed and the concretely visible approach line. The maximum storage period is 10 seconds before the accident occurrence until a few seconds afterwards, cf. Sketch1). Data is continuously overwritten as far as there is none Accident happened. The combination envisaged by the person responsible from ring memory and start trigger by laser light barriers also fulfilled this requirement. • If the permanent storage of image data (= stop of the Overwriting in the ring buffer) by a deliberate act of the Is dependent on the person responsible (e.g. push of a button), in case of doubt the Inadmissibility of the processing must be assumed. On the other hand, the only automatic storage of image data (= stop of the Overwriting process) by predefined impulses, without possibility manual storage. In the context of the present application the overwrite process is only started by pressing the Exposed to the laser light barrier or, in the case of the event recording, the Video recording started in the first place. • Ensuring integrity and confidentiality through the use of Encryption techniques and access restrictions. Also this one Requirement is the objective application of those responsible fair (see point 5 below for the implemented measures). Also taking into account those criteria that the DSB at least in the case of Has considered image processing by dashcams to be decisive, is the permissibility of the applicable application in accordance with Art 6 Paragraph 1 lit f GDPR must therefore be affirmed. There It should also be taken into account that the use of dashcams is a comparatively even has higher intervention intensity. Because in contrast to the It just does not correspond to objective monitoring of critical infrastructure the reasonable expectations of the data subjects that they will be able to do so using the Dashcam be filmed by other road users (cf. in this sense DSB- D550.084 / 0002-DSB / 2018). In addition, it is the representational Processing activity around a stationary image recording, which is always the same Area of a potential danger point in road traffic recorded and also in the In contrast to a "movable" dashcam located in a vehicle, it is visible can be marked. [...] SECTION 3: EVALUATION OF THE NEED AND PROPORTIONALITY OF THE PROCESSING OPERATIONS IN RELATION TO THE PURPOSE […] 3.2 Information on the measures taken or planned to comply with GDPR, in particular those to ensure the necessity and Proportionality Purpose limitation principle (Art 5 Paragraph 1 lit b: Collection for specified, unambiguous and legitimate purposes; Re-use?) The data processing takes place exclusively for the designated Documentation purposes. There is no data processing for other purposes instead of. This is ensured through internal training courses and guidelines. Furthermore were all employees of Responsible by means of a separate declaration of compliance with the Data secrecy according to § 6 DSG and the applicable internal regulations for Committed to data protection and information security. Principle of data minimization (Art 5 para 1 lit c: How is it ensured that only the required data are processed?) In order to minimize data, the camera is aligned with the Road perspective such that only the vehicles on the lane of the approaching traffic and also only the relevant areas of the approaching Vehicles (driver and passenger seat and license plate number) are recorded. The duration of the recorded sequence and camera angle is chosen so that at average speed a crashing truck fills the picture and therefore If possible, no other road users are recorded. The orientation of the structure underside is carried out in such a way that through it Camera recordings, no personal data are processed at all. In particular, cycle or footpaths below the structure are not recorded. In addition, recording areas that are not relevant for achieving the purpose are included static blackening (digital masking) (e.g. the edge areas where Pedestrians could be detected or the one moving away from the bridge Two-way traffic). The blackening is fixed in the camera views programmed so that the area covered by the mask is not recorded at all is, ie no image pixels are processed in the relevant areas. Through the use of laser light barriers, which, depending on the implementation, either the The camera only starts up (event recording) or the continuous overwriting suspends existing recordings in the ring memory (initial storage) the period of inclusion becomes necessary to achieve the purpose Reduced minimum size. Where the local conditions allow, this will always be the case Event recording system implemented. When an impact occurs, only those cameras are put into operation that are on that lane on which the impacting vehicle is located are directed. Principle of storage limitation (Art 5 Para 1 lit e: storage period only as long than necessary for the purpose) As part of the event recording system, data will only be used in the event of a Impact event recorded and saved. As part of the event storage system, the Image data are temporarily saved in a ring buffer and already after expiry overwritten by a few seconds and thus irreversibly deleted (the specific Storage duration depends on the maximum expected approach speed and the concretely visible approach line. The maximum storage period is 10 seconds provided). Any additional storage of recorded Image data is only generated when a collision event is registered. The data storage following a collision event takes place as long as how this is necessary for the stated processing purposes in individual cases (Art 5 para 1 lit e GDPR). There is no legitimate storage purpose - in particular if there has not been a negative impact for those responsible - will the data immediately, but in any case after 96 hours after the Recording deleted. The same applies to irrelevant image sequences of a stored recording (e.g. the recording of uninvolved road users). Information on compliance with the requirements for data transfer to third countries (or international organizations) The image recordings are stored on a server in Germany. There is none Transmission to third countries or international organizations. [...] 3.3 Information on the measures taken or planned for Consideration of the rights of the data subjects Guarantee of transparency and information obligations (Art 12-14) The recording activity is clearly visible in the area of the secured bridges corresponding signs are marked. Where the local conditions this allow, i.e. if the responsible person has a corresponding reason (not an external reason) is present, the marking is clearly visible in the oncoming traffic Attached to the apron of the bridge. The information sign contains information on the height control, a pictogram for Video surveillance, a reference to the person responsible and a link including QR Code with reference to further information in the data protection declaration of Responsible person. The marking essentially corresponds to sketch 2. A detailed description is given in the data protection declaration of the person responsible started processing activities in accordance with Art 13 GDPR. The The data protection declaration can be accessed at any time on the website of the controller can be requested at the company headquarters. [...] SECTION 4: IDENTIFICATION AND ASSESSMENT OF THE RISKS FOR THE RIGHTS AND FREEDOMS OF AFFECTED PERSONS [...] [...] SECTION 5: IDENTIFICATION OF CORRECTIVE MEASURES 5.1 Control 1: Technical and organizational measures [...] Appropriate labeling of the application The recording activity is clearly visible in the area of the secured bridges corresponding signs are marked. Where the local conditions this allow, i.e. if the responsible person has a corresponding reason (not an external reason) is present, the marking is clearly visible in the oncoming traffic Attached to the apron of the bridge. Depending on the local conditions, this cannot be done in every case ensure that the information is communicated through these markings takes place in such a way that the persons potentially affected by the application can still use the Choose another route to avoid. But as a rule they still can stop in front of the bridge. However, this is not a mandatory legal requirement (cf. DSB-D550.084 / 0002-DSB / 2018, according to which the possibility of evading "if possible" should exist). For example, dashcams are also qualified as not per se inadmissible, although with these the possibilities of information sharing are even stronger resp. are restricted at least in a comparable way (see VwGH Ro 2015/04/0011 or newsletter 1/2020 of the DSB). In addition, a detailed statement is made in the data protection declaration of the person responsible Description of the processing activity in accordance with Art 13 GDPR added. The The data protection declaration can be accessed at any time on the website of the person responsible. This control reduces the risk described, but cannot completely remove. There remains a residual risk. [...] SECTION 6: DOCUMENTATION OF THE SOLUTION AND THE RESIDUAL RISK [...] " The sketch in Appendix 4 (SKETCH 2) is as follows (formatting not 1: 1 accepted): [Editor's note: the one reproduced here as a graphic file (screenshot) Figure cannot be pseudonymized with justifiable effort.] Evidence assessment: The determinations made result from the procedural application, its attachment and supplementary statement. C. From a legal point of view, it follows: C.1. General According to Art. 36 Para. 1 GDPR, the person responsible consults the Supervisory authority, if from a data protection impact assessment according to Art. 35 leg. Cit. it is clear that the processing would result in a high risk, provided that the controller does not take any measures to contain the risk. A final definition of the "high risk" cannot be found in the GDPR. However, it follows from Recital 89 that processing operations that involve “high risks” bring themselves, especially those that use new technologies or that are new and for which the person responsible has not yet Has carried out an impact assessment (König in Gantschacher † / Jelinek / Schmidl / Spanberger, Comment on GDPR , Art. 36 Note 1). Both internal and external, potential and actual sources of risk come as sources of risk Risks in question. When identifying all potential risks is no less than one type "Foray through the requirements of data protection law" required (Trieb in Knyrim, DatKomm Art 35 GDPR, margin no.113). In the course of the In addition to purely “technical” risks, risk analysis includes all those risks To pick up data processing, which may have negative effects on a affected person and they are thus provided for in their by the GDPR Impair the protection area. This also includes the lawfulness of the processing within the meaning of Art. 6 GDPR as well as compliance with all principles according to Art. 5 GDPR. To contain the risk, the GDPR names three different types of Remedial measures, namely guarantees, safeguards, and procedures by which the protection of personal data is ensured and proof of this is provided, that the GDPR is complied with. Thus, technical, organizational such as legal, in particular contractual measures intended to remedy the situation (instinct in Knyrim, DatKomm Art 35 GDPR, margin no.116). C.2. In the matter 1. The person in charge states that there is a high risk in relation to the issuance of the reliable information to the data subjects about the data processing is given to the effect that the data subjects affected by the data processing in the form recorded by video surveillance in their private or professional life, without being informed of the fact of the processing and / or the identity of the person responsible. Specifically, the person responsible defines the risk as part of their data protection Impact assessment as a “risk [o] for the effectiveness of the fulfillment of the information obligations by marking ". It is here - with regard to the previously recorded Considerations - about a "risk" within the meaning of Art. 35 GDPR. Since only those processing - which even after provision of the data protection Impact assessment defined remedial measures remain high risks for natural Rescue people - are to be subjected to the consultation mechanism (instinct in Knyrim, Art 35, Rz 28 ff; Trieb in Knyrim, Art. 36 Rz 1), is to be checked in a next step, whether the person responsible takes appropriate measures to contain the identified risk has met. 2. As stated, the person responsible foresees a "marking of the application". The The monitored area should be clearly visible in the vicinity of the secured bridges appropriate signs (SKETCH 2) are marked. The information sign contains a pictogram representing a video camera, a QR code, which on the website - also listed on the sign - on which the Data protection declaration of the person responsible is to be accessed, refers. If more appropriate Reason the responsible person is present, the marking should be for the approaching Traffic must be clearly visible in the apron of the bridge. For image processing, see the guidelines 3/2019 of the European Data protection committee for the processing of personal data by video devices a two-stage model with regard to the information to be provided. Accordingly, the information on the first level should be provided by a meaningful sign. This information should be appropriate so that the data subject understands the circumstances of the Surveillance can easily detect before it enters the monitored area (e.g. in Eye level). The position of the camera itself does not have to be disclosed as long as no There are doubts as to which areas are covered and the circumstances of the surveillance clearly described. The person concerned must be able to assess which area is covered by a camera so that they evade surveillance or can adjust their behavior if necessary (see margin no. 113). The information on the first level (sign) should usually be the most important Contain information, e.g. B. Information on the purposes of processing, the identity of the Responsible persons and the existence of the rights of the data subject as well as others Information of great importance. For example, the legitimate interests of the person responsible (or a third party) and (if applicable) the contact details of the Data protection officers belong. They must also refer to the more detailed second level of information and point out where and how it can be found (ibid. 114). Second level information also needs to be made easy for the data subject be made available in an accessible location, e.g. B. as a complete information sheet a central point (e.g. information desk, reception or cash register) or on an easy accessible poster. As mentioned earlier, the first level warning must be clear refer to the information on the second level. In addition, it is best when the information of the first level on a digital source (e.g. QR code or Internet address) of the second level. However, the information also needs to be on not be readily available digitally. It should be possible to access the information of the to access the second level without entering the monitored area, in particular if the information is provided digitally (for example via a link). A another suitable means could be a telephone number that can be called. The However, information must contain all information that is mandatory according to Art. 13 GDPR are (ibid. Rz 117). 3. The marking provided by the person responsible is both different from the one planned local positioning as well as the content is a suitable measure to to minimize identified risk. It corresponds to the model mentioned in the above Guidelines is recommended. The argument of those responsible that it is not in every case - due to local conditions - the selected measure is possible in the same way implement and minimize the identified risk in the same way and therefore a high one Residual risk remains, it must be countered that not only the - in the by the Responsible in the course of the data protection impact assessment specifically the identified Risk assigned - measure that also has to sufficiently minimize the specific risk. Rather, the determination of a possibly remaining high residual risk has under Consideration of all intended for the desired processing Containment measures to be taken. When assessing the remaining residual risk are therefore all planned measures to ensure GDPR-compliant Include processing. This can be justified by a reference to the wording of Art. 35 GDPR, which refers to “the rights and freedoms of the data subject” in relation to risk. Accordingly, there is also one for assessing the remaining risk Overall view of all measures and precautions taken - in the sense of a comprehensive weighing of interests within the meaning of Art. 5 in conjunction with Art. 6 GDPR - to 4. Based on the data controller in the data protection impact assessment The assessment made is the admissibility of the data processing in question and the data protection authority has weighed the interests of those responsible nothing to oppose. The “high residual risk” raised by the person responsible is in any case caused by the planned recording, evaluation and deletion modalities so greatly reduced that in Result no high residual risk for those affected can be recognized. Contrary to the view of those responsible, it has therefore overall under review of the measures set out in accordance with Article 35 (7) (d) GDPR, the existing risk adequately contained. The requirements for prior consultation in accordance with Art. 36 GDPR are therefore not given due to the lack of high risk and the decision had to be made according to the ruling.