DSB - DSB-D550.038/0003-DSB/2018
|DSB - DSB-D550.038/0003-DSB/2018|
|Relevant Law:||Article 5(1)(a) GDPR|
Article 5(1)(c) GDPR
Article 6(1)(f) GDPR
§ 13 DSG
|National Case Number/Name:||DSB-D550.038/0003-DSB/2018|
|European Case Law Identifier:||n/a|
|Original Source:||dsb.gv.at (in DE)|
|Initial Contributor:||Max Schrems|
The DSB fined a betting store € 5.280 for video surveillance (CCTV) that was recording a wide area in front of the location, without protocols of the usage, without deletion within 72 hours and without public marking of the video surveillance.
English Summary[edit | edit source]
Facts[edit | edit source]
A betting company is running a video surveillance system with two cameras that are mounted next to the entrance of the location. The cameras are filing a wide area of more than 20 meters that goes beyond the immanent entry area, including a public parking facility. There was no marking of the camera system and the videos were not deleted after 72 hours (as required under § 13 of the Austria Data Protection Act, "Datenschutzgesetz"). No protocol of the video usage (as required under § 13(2) Austrian Data Protection Act) was made.
Dispute[edit | edit source]
Is the filming of public areas that go beyond the immanent entrance area of a location still covered as a "legitimate interest" in Article 6(1)(f) GDPR?
How are penalties under GDPR and the Austrian Data Protection Act ("DSG") to be calculated?
Holding[edit | edit source]
The legitimate interest for video surveillance under Article 6 GDPR has to take into account (1) the relationship between the data subject and the controller, (2) the expectation of the data subject that he may be under surveillance. People in the public space (including drivers of passing cars) do not have the expectation to be filmed by the owner of the location. Principles in Article 5(1)(a) and (c) and Article 6(1)(f) GDPR are therefore violated.
In addition there were violations against § 13 Austrian Data Proteciton Act ("DSG") by lacking a deletion period, processing protocols and warning signs.
As parts of the violations happened before 25. 5. 2018, parts of the penalties are based on the previous national law.
The maximum fine for the first count was € 20 Mio under GDPR, while the maximum fine for the other counts was € 50.000 under national law. The fines were calculated in the following way:
- € 2.400 under Article 6(1)(f) and 83(5)(a) GDPR (illegal surveillance)
- € 800 under §§ 52(2)(6), 62(1)(4) and 69(5) DSG 2000 (missing protocol)
- € 800 under §§ 52(2)(7), 62(1)(4) and 69(5) DSG 2000 (missing deletion)
- € 800 under §§ 52(2)(4), 62(1)(4) and 69(5) DSG 2000 (missing signage)
- +10% administrative fee
- € 5.280 TOTAL
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the German original. Please refer to the German original for more details.
knowledge of punishment The XY Handels- u. Betriebsgesellschaft mit beschränkter Haftung with registered office at XXX, XXXstraße 56, operates on at least from 22 March 2018 at (from - to o'clock) 0 - 24 o'clock in XXXX ZZZZ, XXXstraße XX (betting venue "XY" ) an image processing system (video surveillance) as the person responsible within the meaning of Art. 4 Z 7 of the Basic Data Protection Ordinance (DSGVO). 1) The video surveillance in question covers the public car parks and traffic areas located in front of the entrance area of the "XY" betting room, is therefore not appropriate to the purpose of the processing and is not limited to the necessary extent. 2) There is no logging of the processing procedures in connection with video surveillance. 3) The personal image data recorded by video surveillance shall not be deleted within 72 hours. There is no separate logging in this respect. There is no justification for an extended storage period. 4) Video surveillance is not suitably marked. XY Handels- u. Betriebsgesellschaft mit beschränkter Haftung has thereby violated the following legal provision(s): Regarding 1) - Article 5(1)(a) and (c) and Article 6(1) of the Data Protection Basic Regulation - DSGVO, OJ No L 119, 4.5.2016, p. 1. Re 2) (a) Section 50b(1) of the Data Protection Act 2000 - DSG 2000, BGBl. I No 165/1999 as amended by BGBl. I No 83/2013 (for the period before 25 May 2018) b) § 13 para. 2 of the Data Protection Act - DSG, BGBl. I No. 165/1999 as amended (for the period from 25 May 2018) To 3) a) § 50b para. 2 DSG 2000 (for the period prior to 25 May 2018) b) Article 13 para. 3 DSG (for the period from 25 May 2018) To 4) a) § 50d para. 1 DSG 2000 (for the period prior to 25 May 2018) b) Article 13 para. 5 DSG (for the period from 25 May 2018) For this administrative offence(s), the XY Handels- u. Betriebsgesellschaft mit beschränkter Haftung, as the responsible party pursuant to § 30 DSG, shall be subject to the following penalty: Fine of Euro If this is irrecoverable, substitute custodial sentence of custodial sentence of according to At 1) € 2.400,00 At 2) € 800,00 At 3) € 800,00 At 4) € 800,00 All in all, therefore: € 4.800,00 --------------------------- --------------------------- --------------------------- ------------------------------- - 1) Art. 83 Para. 5 lit. a DSGVO 2) a) Section 52 para. 2 no. 6 DSG 2000 in conjunction with § 69 (5) DSG b) Art. 62 Para. 1 No. 4 DSG 3) a) Section 52 para. 2 no. 7 DSG 2000 in conjunction with § 69 (5) DSG b) Art. 62 Para. 1 No. 4 DSG 4) a) Section 52 para. 2 no. 4 DSG 2000 in conjunction with § 69 (5) DSG b) Art. 62 Para. 1 No. 4 DSG Furthermore, Section 64 of the 1991 Administrative Criminal Code - VStG requires payment: 480,00 - Euro as a contribution to the costs of criminal proceedings, i.e. 10% of the penalty, but at least 10 Euro; Euro as compensation for cash expenses for The total amount to be paid (penalty/costs/cash expenses) is therefore as follows euro Payment term: If no appeal is lodged, this penalty shall be immediately enforceable. In this case, the total amount must be transferred within two weeks to BAWAG P.S.K., Georg-Coch-Platz 2, 1018 Vienna, IBAN: AT460100000005490031, BIC: BAWAATWW, in the name of from the data protection authority. The purpose of the payment should be the number of the transaction and the date of completion. If no payment is made within this period, the total amount can be dunned. In this case, a lump sum of five euros must be paid. If no payment is nevertheless made, the outstanding amount will be enforced. Justification: I. The following facts relevant to the decision have been established on the basis of the evidence procedure carried out: I.1 The XY Handels- u. Betriebsgesellschaft m.b.H., with its registered office in [...], is the operator of the betting venue. "XY" in [...]. I.2 Two clearly visible cameras are mounted above the entrance door to the business portal; the entrance door is usually locked and is opened from the inside after a doorbell is pressed; a screen (approx. 30 x 40 cm) is located in the interior of the shop behind the counter. This screen displays/transmits images of the restaurant and the parking lot in front of the main entrance. I.3 The monitored car park is a public transport area and the images transmitted can be used to perceive vehicles and their license plates as well as people. I.4 There is also another freely accessible room at the rear of the counter (a kind of warehouse and office), in which a slightly larger screen is set up, on which the photographs produced by the two cameras in the entrance area can also be transmitted and viewed. I.5 With the two cameras in front of the entrance area it is possible to film or monitor a large part of the car park (approx. five parking spaces for cars) within a range of approx. 20 metres as well as the immediate area in front of the main entrance. The generated image recordings are transmitted to the company headquarters at the headquarters of XY Handels- und Betriebsgesellschaft m.b.H. and stored there. In the past, employees of XY Handels- und Betriebsgesellschaft m.b.H. had access to the image material stored there in some cases. I.6 The video surveillance system in question is operated without suitable identification. I.7 The installation and operation of the two cameras was initiated by persons who acted either alone or as part of an organ of the legal entity and who held a management position within the legal entity on the basis of 1. the power to represent the legal person, 2. the power to take decisions on behalf of the legal person; or 3. a power of control within the legal person or has not been subject to surveillance or control by one of the aforementioned persons, has made possible the installation and operation of the two cameras by a person acting on behalf of the legal person. I.8 The two cameras have been in operation at least since 22.03.2018. I.9. In addition to the betting venue "[...], XY Handels- und Betriebsgesellschaft m.b.H. operates nineteen further branches in [...]. I.10. The request for justification issued on 17.07.2018 in the administrative criminal proceedings in question by means of RSa delivery was held ready for collection from 19.07.2018 according to the return receipt of Österreichische Post AG and finally returned to the data protection authority on 06.08.2018 with the note "not rectified". Therefore, the legal consequence of § 42 Para. 1 No. 2 VStG has occurred in the present case. Proof: Report by LPD [...], BPK [...], PI [...], dated 25.04.2018, GZ. PAD/[...]/VStV, commercial register query on FN [...] of 28.08.2018, online research on the freely accessible web portal at the Internet address: [...], last retrieved on 28.08.2018 at 11:39, return receipt of Österreichische Post AG dated 06.08.2018. II. The findings are based on the following assessment of evidence: II.1 The data protection authority shall submit the content of the notification contained in the file to LPD [...], BPK [...], PI [...], dated 25.04.2018 including photo inserts, GZ. PAD/[...]/VStV, an official company register query on FN [...] dated 28.08.2018, an official online search at the Internet address: [...], last retrieved on 28.08.2018, and the return receipt of Österreichische Post AG. II.2 The findings are based on subpoenas conducted by police officers on 22 March 2018 at 3:10 p.m.; there are no doubts as to their truthfulness - particularly in light of the responsibility of police officers under service and disciplinary law. The accused did not dispute the accused's allegations, the deadline set within the scope of the request for justification elapsed unused and no written justification was given by the accused until the sentence was pronounced. II.3 With regard to the installation and operation of the cameras in question in the proceedings, the following shall also be recorded in a manner worthy of evidence: On 22.03.2018 at 15:10 o'clock the following information will be given to the police officers in charge of the official action by the waitress, [...] Z, born on [...], who is present in the betting room at that time: "I am employed as a waitress in the guest or betting pub in question named "[...]". In front of the restaurant two cameras are mounted, which record pictures and transmit them to two screens, which are located in the restaurant. These pictures are also transmitted to the headquarters at [...] (XY Handels- und Betriebsges.m.b.H. "Firma [...]") and recorded there. This is known to me, because in the case of incidents, the stored records have often been checked there. The head of the company is Mr [...]. I can't give any more details." II.4 On the basis of the above statement by the waitress to the police officers on the occasion of their official action, the data protection authority had the impression that the police officers had completely realistically and perfectly logically understood the circumstances established under I. above. confirmed. Consequently, on the basis of general life experience, the data protection authority concludes that the installation and operation of the two cameras was carried out or initiated by persons acting either individually or as part of an organ of the legal person and that a leading position within the legal person was created, 1. the power to represent the legal person, 2. the power to take decisions on behalf of the legal person; or 3. a power of control within the legal person or that lack of surveillance or control by one of the aforementioned persons has made possible the installation and operation of the two cameras by a person acting on behalf of the legal person. This is to be seen in particular also against the background of the substantial costs connected with the acquisition, the installation and the operation of such a video surveillance system as well as the benefits they are confronted with - the latter can be located exclusively in the sphere of interest of XY Handels- und Betriebsgesellschaft m.b.H.. II.5 In the same measure, it is considered to be predominantly probable, on the basis of general life experience, that the cameras at issue in the proceedings have not been taken out of operation in the meantime; rather, the data protection authority assumes that the cameras will be permanently operated. As already explained, the procedural charge of an offence raised within the scope of the request for justification remained completely undisputed. III Legally follows from this: On administrative criminal liability: III.1 On the legal situation: Pursuant to § 62 para. 1 no. 4 DSG, a fine of up to EUR 50,000 is to be imposed on anyone who infringes the provisions of Section 3 of the German Data Protection Act on image processing. 1. operates the main section (§§ 12 and 13 DSG). Art. 83 para. 5 lit. a DSGVO stipulates that fines of up to EUR 20,000,000 or, in the case of a company, of up to 4% of its total annual worldwide turnover of the preceding financial year may be imposed in the event of violations of the provisions of Art. 5 and 6 DSGVO, whichever is the higher. Pursuant to § 69 (5) DSG, infringements of the DSG 2000 which were not yet pending at the time the DSG came into force are to be assessed according to the legal situation after the DSG came into force. A criminal offence that was committed before the DSG came into force must be assessed according to the legal situation that is more favourable to the offender in its overall effect; this also applies to appeal proceedings. Since the conduct in question began before 25 May 2018 - the effective date of the DSG - and the possible maximum penalty under Art. 62 (1) no. 4 DSG is higher than that under Art. 52 (2) DSG 2000, the provisions of the DSG 2000 apply with regard to the amount of the penalty - insofar as infringements of the DSG 2000 or the DSG are concerned - because the majority of the conduct accused took place in the period before 25 May 2018. As stated under item I.10. above, the data protection authority conducted the administrative criminal proceedings in question pursuant to § 42 para. 1 no. 2 VStG without hearing the accused. On point 1: III.2 In the present case, the operation of the cameras in front of the entrance area of the betting pub "[...]" in [...] undisputedly constitutes an image recording as defined by § 12 (1) DSG. Due to the The collection, storage and transmission of the image data in question opens up the material scope of Art. 2 DSGVO. In any case, the recorded image data constitute personal data as defined in Art. 4 No. 1 DSGVO and, due to the storage and transmission of the same, are also processed as defined in Art. 4 No. 2 DSGVO. The accused company is also undisputedly responsible for this image processing within the meaning of Art. 4 no. 7 DSGVO. III.3 Art. 5 DSGVO lays down the principles for the processing of personal data and stipulates in para. 1 lit. a that personal data must be processed in a lawful manner, in good faith and in a manner comprehensible to the data subject ("lawfulness, processing in good faith, transparency"); lit. c leg. cit. lays down as a further principle that any processing must be proportionate and relevant to the purpose and limited to what is necessary for the purposes of the processing ("minimisation of data"). According to Art. 6 DSGVO, processing is lawful only if at least one of the following conditions is fulfilled: (a) the data subject has given his consent to the processing of his personal data for one or more specific purposes; (b) the processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures taken at the request of the data subject; (c) processing is necessary to fulfil a legal obligation to which the controller is subject; (d) processing is necessary to protect the vital interests of the data subject or of another natural person; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. (f) processing is necessary to safeguard the legitimate interests of the controller or of a third party, except where the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, are overridden, in particular where the data subject is a child. As regards the lawfulness of processing operations, recital 47 states, inter alia, that such operations may be justified by the legitimate interests of a controller, including a controller to whom the personal data may be disclosed, or of a third party, provided that the interests or fundamental rights and freedoms of the data subject do not prevail, taking into account the reasonable expectations of the data subject based on his or her relationship with the controller. A legitimate interest could exist, for example, if there is a relevant and proportionate relationship between the data subject and the data controller, for example, if the data subject is a customer of the data controller or is in his service. In any event, the existence of a legitimate interest would have to be weighed with particular care, including whether a data subject could reasonably foresee, at the time of the collection of the personal data and in the light of the circumstances in which it takes place, that processing might take place for that purpose. In particular, where personal data are processed in situations where a data subject would not reasonably expect further processing, the interests and fundamental rights of the data subject could override the interest of the controller. III.4 As has been established, the recording area of the images taken by the cameras in question also extends - in addition to the immediate entrance area to the betting room "[...]" - to large areas of the public space in front of it, specifically to public traffic areas within a range of approx. 20 metres, whereby vehicles and their number plates as well as persons (passers-by) can be perceived on the images. Since the image recording covers a large area of the public space in front of the restaurant and road users who happen to pass by there - who naturally do not have to be exclusively customers of the betting pub - do not reasonably have to expect to be photographed, the operation of the image recording violates the principles standardized in Article 5. A legal basis within the meaning of Art. 6 (1) DSGVO supporting the lawfulness of data processing is not apparent and has not been put forward by the accused either. In particular, the data protection authority does not recognise any overriding legitimate interest on the part of the persons responsible in the operation of the image acquisition with regard to the geographical coverage of the image acquisition in question. Rather, in the present case, any interest in the operation of the image recording in question is outweighed by the constitutional right to the secrecy of road users who accidentally pass the betting booth. On point 2: III.5 According to § 13 para. 2 DSG, persons responsible for image acquisition must record every processing operation - except in cases of real-time monitoring. A similar order was also provided for in § 50b (1) DSG 2000. By failing to comply with the obligation to record, the accused violates the provision of § 13 (2) in conjunction with § 62 (1) 4 DSG and, for the period prior to 25 May 2018, § 52 (2) 6 in conjunction with § 50b (1) DSG 2000. On award point 3: III.6 Pursuant to § 13 para. 3 DSG, the person responsible shall delete personal data collected if they are no longer required for the purpose for which they were collected and if there is no other statutory obligation to retain them. Storage lasting longer than 72 hours must be proportionate and must be recorded and justified separately. A similar order was also provided for in § 50b (2) DSG 2000. Consequently, in the present case, the established failure to comply with this obligation violates § Article 13 (3) in conjunction with Article 62 (1) 4 DSG and for the period prior to 25 May 2018 against Article 52 Paragraph 2 no. 7 in conjunction with § 50b par. 2 DSG 2000. On point 4: III.7. According to § 13 para. 5 DSG, the person responsible for an image recording must mark it suitably. In any case, the person responsible must clearly emerge from the labelling, unless this person is already known to the persons concerned under the circumstances of the case. Labelling must be carried out locally in such a way that any potentially affected person approaching a monitored object has the opportunity to avoid video surveillance as far as possible. A similar order is proposed in § 50d para. 1 DSG 2000. This is not possible in the present case, as there are no signs at the car park or at the entrance to the car park. Consequently, the established non-fulfilment of this obligation in the present case violates § 13 (3) in conjunction with § 62 (1) 4 DSG and, for the period prior to 25 May 2018, § 52 (2) 4 in conjunction with § 50d DSG 2000. III.8 In applying the requirements and obligations of §§ 12f DSG to the facts at hand, the recognising authority comes to the conclusion that the person responsible could have carried out the image recording in the proceedings only in compliance with the conditions for admissibility and proportionality of § 12 DSG, Art. 5 and 6 DSGVO and in compliance with the obligations under § 13 DSG. III.9. Against the background of the facts established as proven, the defendant, as the person responsible pursuant to Art. 4 No. 7 DSGVO in conjunction with Art. 30 (1) and (2) DSG, has therefore determined the objective factual side of the administrative infringement of Art. 62 (1) No. 4 DSG or of the DSG alleged against him. § 52 (2) (4), (6) and (7) DSG 2000, whereby the imposition of fines on legal persons in the present case is based on Article 62 (3) DSG and Article 83 (5) DSGVO. III.10. In the case of administrative offences, the facts of which consist in a mere infringement of a prohibition or non-observance of a commandment and which do not provide for the occurrence of damage or danger (disobedience offences), criminal liability is assumed - unless intent is required - if the perpetrator within the meaning of § 5 (1) VStG does not credibly demonstrate that he is not at fault for the infringement of the administrative provision (cf. VwGH, 18.6.1990, 91/09/0132). The presumption of fault exists from the outset (e.g. VwGH, 18.6.1999, 89/10/0221). It is incumbent upon the accused to make it credible that compliance with the administrative regulations was impossible without his fault. In order to substantiate a lack of fault, it must be demonstrated that the accused has taken measures which, under the foreseeable circumstances, give reason to expect compliance with the statutory provisions. III.11. The defendants did not argue that they or one of the persons named in § 30 para. 1 DSG could not have complied with the provisions of the DSGVO and §§ 12 and 13 DSG or §§ 50a ff DSG 2000. With regard to the installation and operation of the incriminated cameras, the administrative violations in question are therefore also one of the persons who acted either alone or as part of an organ of the legal person and who held a management position within the legal person on the basis of 1. the power to represent the legal person, 2. the power to take decisions on behalf of the legal person; or 3. have the power to exercise control within the legal person. IV. The sentence shall be recorded: IV.1 Pursuant to § 19 para. 1 VStG, the basis for the assessment of the penalty is the significance of the legal interest protected under criminal law and the intensity of its impairment by the offence. In addition, in accordance with the purpose of the threat of punishment, the grounds for aggravation and mitigation that may be considered, insofar as they do not already determine the threat of punishment, must be weighed against each other. Particular attention must be paid to the extent of the fault. Taking into account the peculiar nature of administrative criminal law, the §§ 32 to 35 of the Criminal Code shall apply mutatis mutandis. The income and financial circumstances and any duties of care of the accused must be taken into account when calculating fines. In the case of punishment of legal persons pursuant to § 62 para. 3 in conjunction with § 30 DSG and Art. 83 DSGVO, the previous year's turnover of the same shall be taken into account. IV.2 The provisions of §§ 12f DSG and Art. 5 and 6 DSGVO are intended to protect legal positions protected by fundamental rights of affected parties against interference by photographs used for private purposes in public or non-public areas which do not meet the requirements with regard to admissibility and proportionality. The obligations imposed on the person responsible for taking an image in § 13 DSG are intended on the one hand to enable the data protection authority to monitor compliance with the legal requirements in the case of image processing and on the other hand to make it easier and possible for those affected to assert their rights or to avoid (unwanted) image taking as far as possible. IV.3 In the specific case, when determining the penalty, it had to be taken into account that the established unlawful operation of the image recording is potentially likely to cause a large number of Affected parties, here: both passers-by who accidentally pass by the outdoor area and guests of the betting restaurant, in their constitutionally protected rights - in particular in their right to secrecy as defined in § 1 DSG and their right to protection of private and family life as defined in Art. 8 ECHR - to violate. IV.4 The violation in question is to be regarded as serious due to the high level of injustice and the fact that it is a systematic violation of the responsible person's obligation. Finally, the image recording system in question is, as has been established, systematically used to evaluate image data in the "case of cause". IV.5 This was therefore to be considered as aggravating, whereby the intensity of the interference due to the operation of an impermissible and disproportionate image processing, which here covers large parts of the public space, in the present case was correspondingly reflected in the penalty imposed on award point 1 - in relation to the other award points. A waiver of the imposition is therefore out of the question. The duration of the infringement - the image acquisition has been in operation for at least several months - can also be regarded as aggravating. IV.6 Therefore, and in order to prevent the accused from committing further offences of the same kind, the imposition of a penalty was necessary in the specific case. The need for special prevention also arises from the fact that, in addition to the betting shop "[...]" in [...], which is the subject of the proceedings, the defendant operates numerous other betting shops in [...]. IV.7 As far as the degree of fault or the extent of fault of the legal person held liable is concerned, negligence was assumed in any case. Negligent behaviour is neither considered mitigating nor aggravating. IV.8 The actual economic circumstances of the accused legal person could not be taken into account due to lack of disclosure. IV.9 As a mitigating factor, it had to be taken into account that there were no relevant reservations against XY Handels- u. Betriebsgesellschaft mit beschränkter Haftung. Instructions on legal remedies: You have the right to appeal against this decision. An admissible appeal lodged in due time has a suspensive effect, i.e. the decision cannot be enforced until the final decision has been reached. The appeal must be lodged with us in writing within four weeks of notification of this decision. In proceedings before the Administrative Court, the defendant has the right to obtain an auxiliary procedural defender (within the meaning of Section 40 of the Administrative Court Procedure Act - VwGVG). If you apply for the appointment of a defence counsel within the appeal period, the appeal period shall not begin until the time at which the decision on the appointment of the lawyer as defence counsel and the decision to appeal have been served on the defence counsel. If the timely filed request for a defence counsel to be attached is rejected, the appeal period begins to run with the delivery of the rejecting decision to you. The appeal must specify the decision against which it is directed and the authority which issued the decision. Furthermore, the appeal shall contain the grounds on which the allegation is based. of illegality, to contain the request and the information necessary to assess whether the complaint has been lodged in time. They shall have the right to request in the complaint that a public hearing be held. Please note that if the authority refrains from issuing a preliminary decision on an appeal, you waive your right to hold a hearing if you do not make such a request in the appeal. The complaint may be transmitted in any technically possible form, but by e-mail only to the extent that no special forms of transmission are provided for electronic commerce. Technical requirements or organisational restrictions of electronic traffic are published on the following website: Please note that the sender bears the risks associated with each type of transmission (e.g. loss of transmission, loss of the document).