Garante per la protezione dei dati personali (Italy) - 9960920

From GDPRhub
Garante per la protezione dei dati personali - 9960920
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 6 GDPR
Article 13 GDPR
Article 1122-ter Italian Civil Code
Article 157 Codice Privacy
Article 168 Codice Privacy
Type: Complaint
Outcome: Upheld
Started:
Decided: 26.10.2023
Published:
Fine: 1000 EUR
Parties: n/a
National Case Number/Name: 9960920
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: GARANTE PER LA PROTEZIONE DEI DATI PERSONALI (in IT)
Initial Contributor: Luca Brocca

The Italian DPA found the controller, a condominium manager, in violation of Articles 5(1)(a) and 6 GDPR for unlawfully installing a video surveillance system without a required assembly resolution. The DPA imposed a €1,000 fine and a processing ban.

English Summary

Facts

The complaint, lodged on 29 January 2021, alleged unauthorised processing of personal data through a video surveillance system implemented without condominium assembly resolution by the controller, acting as the condominium manager. This video surveillance system, operational since November 2020, covered external areas, including the parking facility and access gate, with partial views of the public road.

The controller neglected to respond to the DPA's request for information under Article 157 of the Italian Privacy Code, raising concerns regarding the lack of transparency in the data processing activities. Subsequent investigations revealed the absence of a condominium resolution authorising the installation of the video surveillance system. An inspection on 17 November 2021 confirmed the absence of proper authorisation. Following a subsequent information request by the DPA to the controller on 2 December 2021, the controller replied justifying the installation based on perceived community needs. However, this justification raised questions about the legal basis for data processing under Article 6 GDPR.

Holding

The Italian DPA concluded that the controller violated the GDPR.

Firstly, the DPA noted that the controller's decision to install the surveillance system underscored the significance of a condominium resolution, mandated by Article 1122-ter of the Italian Civil Code, as an essential prerequisite for lawful data processing in common areas. Thus, the controller acted outside the tasks assigned to him by law.

Secondly, it follows from the absence of a condominium resolution authorising the video surveillance system installation that the processing of the personal data in question was carried out by the manager in the absence of an appropriate legal basis, as required by Article 6 GDPR. Therefore, the processing also infringed on the general principles of lawfulness, correctness, and transparency, as outlined in Article 5(1)(a) GDPR.

In the exercise of its authority under Article 58(2)(f) GDPR, the DPA imposed a ban on the processing in question and a €1,000 fine on the controller.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE Newsletter of 15 December 2023

 

[doc. web no. 9960920]

Provision of 26 October 2023

Register of measures
n. 502 of 26 October 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, the lawyer. Guido Scorza, member, and the councilor. Fabio Mattei general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the “Regulation”);

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 (Code regarding the protection of personal data, hereinafter “Code”) as amended by Legislative Decree 10 August 2018, n. 101 containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679";

GIVEN the complaint presented by Mr. XX pursuant to art. 77 of the Regulation, with which the installation of a video surveillance system at the XX in XX condominium was complained about, in the absence of suitable legitimacy conditions;

EXAMINED the documentation in the documents;

GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation no. 1/2000;

SPEAKER the lawyer. Guido Scorza;

PREMISE

1. The complaint, the preliminary investigation and the start of the procedure.

With the complaint presented to this Authority on 01/29/2021, regularized on 05/28/2021, Mr. XX complained about the unlawful processing of personal data by Mr. XX, pro tempore administrator of the Via della XX Condominium, located in XX, who had installed a video surveillance system in the absence of the meeting resolution.

The Office, therefore, formulated a request for information from the condominium administrator, pursuant to art. 157 of the Code, in order to acquire useful evaluation elements. This request, dated 08/30/2021 and sent to the Administrator's email address, remained unanswered.
Therefore, the Privacy and Technological Fraud Protection Unit of the Financial Police was delegated to notify the administrator of the initiation of the sanctioning procedure for the violation of the art. 157 of the Code (protocol act no. 53712 of 10/26/2021) as well as to acquire the information already covered by the previous note.

At the outcome of the inspection, carried out on 11/17/2021, it appeared that, at the Condominium, there was a video surveillance system consisting of two cameras, positioned outside the building, active and functioning, whose visual angle it extended to the parking area and the access gate, with a partial view of the public road. Furthermore, it appeared that this system had been installed in November 2020 in the absence of the condominium assembly's resolution.

The condominium owners had been notified of the installation of the cameras with an email dated 06/11/2020. The images could be viewed on the administrator's mobile phone by entering a code and password. Furthermore, the presence of signs bearing the information referred to in the art. 13 of the Regulation, even without the indication of the data controller.

With a subsequent note dated 02/12/2021, in addition to what was represented during the inspection, the administrator, through his lawyer, declared, first of all, that he had not responded to the request for information formulated by the Guarantor to the pursuant to the art. 157 of the Code, as it was not delivered to his email inbox.

On the merits of the matter, the administrator highlighted how all the condominiums were in agreement in the need to install a video surveillance system, to deal with the continuous damage that occurred in the area in front of the condominium, and that the system in question had been installed urgently, reserving the right to adopt the condominium resolution at the first available opportunity.

The Office, on the basis of the checks carried out as per the aforementioned report as well as the subsequent additions received, notified Mr. XX, identified as the owner of the processing of personal data, with note dated 03/04/2022 (protocol no. 13810) the initiation of the procedure for the adoption of the measures referred to in the articles. 58, par. 2, and 83 of the Regulation, in compliance with the provisions of the art. 166, paragraph 5, of the Code, in relation to the violation of articles. 5, par. 1, letter. a), and 6 of the Regulation.

The party, with a note dated 03/15/2022, limited itself to recalling the observations already presented during the procedure.

2. The legal framework of the processing carried out.

Given that the use of video surveillance systems determines the processing of personal data pursuant to art. 4, par. 1, no. 2 of the Regulation, it is noted that this processing must be carried out in compliance with the general principles contained in the art. 5 of the Regulation and, in particular, the principle of lawfulness and transparency (art. 5, par. 1, letter a) and the principle of purpose limitation (art. 5, par. 2, letter b).

From this aspect, it is necessary to recall Guidelines n. 3/2019 on the processing of personal data using video devices, adopted by the European Data Protection Committee on 01/29/2020, according to which, before proceeding with the processing of personal data using video surveillance systems, it is necessary that the purposes of the processing are specified in detail, which must be documented in writing and specified for each camera in use.
Furthermore, interested parties must always be informed that they are about to access a video-surveillance area as well as of the purposes of the processing itself, pursuant to art. 13 of the Regulation (par. 3, n. 15 Guidelines cited).

For this purpose, therefore, the data controller must prepare suitable information signs according to the indications contained in point 3.1. of the provision on video surveillance - 8 April 2010 [1712680] (in this sense also the FAQs on video surveillance, published on the Authority's website) so that interested parties are made "aware of the fact that a video surveillance system is in operation ”.

Similarly, the aforementioned Guidelines clarify that "the most important information must be indicated [by the owner] on the warning sign itself (first level) while further mandatory details can be provided by other means (second level)" (para. 7, n . 111). The Guidelines also provide that “Such information may be provided in combination with an icon to give, in a prominent, intelligible and clearly legible manner, an overview of the intended processing (Article 12, paragraph 7, of the GDPR) . The format of the information will have to adapt to the various locations." The information should be positioned in a way that allows the data subject to easily recognize the circumstances of the surveillance, before entering the monitored area (approximately at eye level) “to enable the data subject to estimate which area is covered by a camera in way to avoid surveillance or adapt one's behavior, where necessary” (par. 7.1.1, n. 113).

With reference to the conditions of lawfulness of the processing, the Guidelines on video surveillance provide that "In principle, any legal basis pursuant to Article 6, paragraph 1, can provide a legal basis for the processing of video surveillance data (…). However, in practice, the provisions most likely to be used are: Article 6(1)(f) (legitimate interest); Article 6, paragraph 1, letter e) (necessity in order to carry out a task in the public interest)” (para. 3). In particular, “video surveillance is lawful if it is necessary to achieve the purpose of a legitimate interest pursued by a data controller or a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the interested party (article 6, paragraph 1, letter f)".

Finally, it should be noted that the installation of video surveillance systems in condominium areas has been regulated by art. 1122-ter of the Civil Code (introduced by the condominium reform law with law 11 December 2012 n. 220) which provides that "The resolutions concerning the installation on the common parts of the building aimed at allowing video surveillance on them are approved by the assembly with the majority referred to in the second paragraph of the art. 1136” (i.e. a number of votes representing the majority of those present and at least half the value of the building).

The condominium resolution represents the instrument that allows the administrator to execute the decisions taken by the condominiums during the meeting (art. 1130, 1 co, point 1, c.c.), by virtue of the mandate received.

The administrator, in his capacity as agent, is in fact subject to the general rules dictated by the Civil Code for this type of contract, to which the art expressly refers. 1129, co. 15, civil code (provision containing "Appointment, revocation and obligations of the administrator").

From another perspective, it is noted that the condominium resolution represents, in this context, the necessary prerequisite for the lawfulness of the processing carried out, through video surveillance, in the condominium context. In fact, through this act, the condominium owners contribute to defining the main characteristics of the processing, identifying the methods and purposes of the processing itself, the retention times of the images taken, the identification of the subjects authorized to view the images.

The Condominium as a whole, therefore, thus assumes the status of data controller, as results from the definition provided by the art. 4, no. 7, of the Regulation.

3. The outcome of the investigation and the procedure for the adoption of corrective and sanctioning measures.

Given that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor", based on the elements acquired during the preliminary investigation (referred to in the previous paragraph 1) as well as the subsequent evaluations of this Department, it is established that the following.

With respect to the violation relating to the failure to respond to the request for information formulated during the investigation by the Authority, pursuant to art. 157 of the Code, having taken note of the findings provided by the party during the procedure and, in particular, of the fact that the note from the Office, dated 08/30/2021 and sent to the administrator's personal email address, does not appear having been received by the recipient, in the absence of proof to the contrary, as the communication was sent to an ordinary (uncertified) email address, the proceedings initiated with the deed of 10/26/2021 protocol are ordered to be archived. n. 53712, pursuant to art. 11, paragraph 1, letter. b) and art. 14 of the Guarantor's regulation no. 1/2019 of 4 April 2019.

With reference instead to the processing carried out by means of the video surveillance system, it is noted that, from the overall examination of the documentation acquired during the procedure, it emerged that the installation of the cameras at the Condominium was ordered directly by the administrator (Mr. XX), in the absence of the condominium resolution provided for by art. 1122-ter of the Civil Code, having limited himself, on the occasion of the meeting of 12/12/2019, "to inviting condominiums to produce estimates for the installation of cameras suitable for the protection of the condominium external space" (annex 2 to report of operations carried out).

The absence of a condominium resolution, in relation to the specific issue, meant that the administrator operated outside the tasks assigned to him by the law (art. 1130 of the Civil Code, in fact, in listing the duties of the The administrator identifies, in the first point, precisely the execution of the assembly resolutions, recognizing a certain autonomy, only for what concerns ordinary management, the regulation of the use of common things and the provision of services in the common interest).

Added to this is how the documents show that the condominium administrator took care of installing the cameras, also defining the viewing angle, and equipped himself with an application to view the images active on his smartphone, after inserting authentication credentials known only to him.

These circumstances, examined as a whole, take on particular importance for the purposes of the correct identification of the data controller and the related imputability of the responsibilities deriving from the failure to comply with the regulations on the protection of personal data, contributing to qualifying, in this case, the administrator (and not the Condominium) as data controller.

Having said this, it follows that the processing of the personal data in question was carried out by the administrator in the absence of a suitable basis for lawfulness, pursuant to art. 6 of the Regulation.
If, in fact, the pursuit of a legitimate interest of the owner in protecting the property from theft or vandalism could be pursued by the Condominium through the installation of the video surveillance system in response to the need for the measure, related to a situation of real risk and on the basis of an adequate balance with the fundamental rights and freedoms of the interested parties, it is instead observed that the processing carried out by the administrator, on the contrary, is not supported by any of these circumstances.

In fact, the administrator does not have a legitimate interest, effective and current, as well as linked to a situation of real difficulty, which would allow him to lawfully carry out the processing using video cameras.

Having said this, it is noted that the processing in question is unlawful because it is carried out in violation of the general principles of lawfulness, correctness and transparency (art. 5, par. 1, letter a) of the Regulation) towards all interested parties (condominiums and not) as well as in the absence of a suitable legitimacy requirement pursuant to art. 6 of the Regulation.

As regards further violations, it is noted that the declarations made by the party during the proceedings do not allow the findings notified by the Office to be overcome with the act of initiation of the sanctioning proceedings dated 03/04/2022 (protocol no. 13810 ) and are insufficient to allow archiving, for the reasons set out below.

4. Conclusions: declaration of unlawfulness of the processing. Corrective measures pursuant to art. 58, par. 2, Regulations.

The processing of personal data carried out by the administrator through the video surveillance system, with respect to which a proceeding was initiated with communication no. 13810 of 4/3/2022, is therefore illicit, in the terms set out above, in relation to the articles. 5, par. 1, letter. a) and 6 of the Regulation.

The violation, ascertained within the terms set out in the justification, cannot be considered "minor", taking into account the nature, severity and duration of the violation itself, the degree of responsibility and the way in which the supervisory authority became aware of of the violation (cons. 148 of the Regulation).

Therefore, given the corrective powers attributed by art. 58, par. 2 of the Regulation, in light of the specific case and in the absence of communications subsequent to the start of the procedure from which the adoption of the condominium resolution required by the art. 1122-ter concerning the installation of systems in the common parts of the building aimed at allowing video surveillance on them, processing is prohibited (art. 58, par. 2, letter f), Regulation).

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The Guarantor, pursuant to art. 58, par. 2, letter. i) of the Regulation and of the art. 166 of the Code, has the power to inflict a pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulation, through the adoption of an injunction order (art. 18. law 24 November 1981 n. 689), in relation to the processing of personal data carried out by the party by means of the video surveillance system, in violation of the general principles referred to in the art. 5, par. 1, letter. a) and in the absence of suitable conditions of lawfulness pursuant to art. 6 of the Regulation.

Considered necessary to apply paragraph 3 of the art. 83 of the Regulation where it provides that "If, in relation to the same treatment or related treatments, a data controller [...] violates, with intent or negligence, various provisions of this regulation, the total amount of the pecuniary administrative sanction does not exceed amount specified for the most serious violation", the total amount of the sanction is calculated so as not to exceed the legal maximum envisaged by the same art. 83, par. 5.

With reference to the elements listed in the art. 83, par. 2 of the Regulation for the purposes of applying the pecuniary administrative sanction and its quantification, taking into account that the sanction must be "effective, proportionate and dissuasive in each individual case" (art. 83, paragraph 1 of the Regulation), it is represented that, in the specific case, the circumstances reported below were taken into consideration:

with regard to the nature, severity and duration of the violation, the conduct of the condominium administrator was taken into consideration who, in the absence of the requested meeting resolution, started the processing of data by means of a video surveillance system. The circumstance that this requirement is expressly provided for by the civil code in art. 1122-ter, in the part dedicated to the rules for the management of condominiums;

also notes the fact that, although in the violation notification it was expressly requested to communicate the measures adopted to bring the processing into compliance with the Regulation, with particular reference to the adoption of a specific condominium resolution, as a condition of lawfulness of the processing in question, the party has not sent any document in this regard, nor communicated the reasons that may have led to such failure;

the absence of specific precedents relating to violations of the regulations regarding the protection of personal data.

On the basis of the aforementioned elements, evaluated as a whole, it is decided to determine the amount of the pecuniary sanction in the amount of 1,000.00 (one thousand) euros for the violation of the articles. 5, par. 1, letter. a) and 6 of the Regulation.

In this framework, also in consideration of the type of violation ascertained, it is believed that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's regulation no. 1/2019, this provision must be published on the Guarantor's website.

Finally, it is noted that the conditions set out in art. 17 of regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

ALL THE WHEREAS, THE GUARANTOR

declares, pursuant to articles. 57, par. 1, letter. f) and 83 of the Regulation, the unlawfulness of the processing carried out by Mr. XX, resident in XX, XX, C.F. XX, through the use of the video surveillance system installed at the XX Condominium in XX, in the terms set out in the motivation, for the violation of the articles. 5, par. 1, letter. a) and 6 of the Regulation;

HAS

pursuant to art. 58, par. 2, letter. f) of the Regulation, the prohibition of processing through the video surveillance system carried out by Mr. XX within the terms indicated in the justification, without prejudice to the possibility that the same treatment can be carried out by the condominium, following the adoption of the condominium resolution required by the art. 1122-ter of the civil code;

ORDER

to Mr. XX to pay the sum of 1,000.00 (one thousand) euros as a pecuniary administrative sanction for the violation of the articles. 5, par. 1, letter. a) and 6 of the Regulation, as indicated in the justification;

ORDERS

to pay the sum of 1,000.00 (one thousand) euros, according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts in accordance with the art. 27 of law no. 689/1981. We represent that pursuant to art. 166, paragraph 8 of the Code, the right remains for the violator to settle the dispute through the payment - always according to the methods indicated in the annex - of an amount equal to half of the sanction imposed within the deadline referred to in the art. 10, paragraph 3, of the legislative decree. lgs. n. 150 of 1 September 2011 provided for the filing of the appeal as indicated below.

HAS

pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's regulation no. 1/2019, the publication of this provision on the Guarantor's website and believes that the conditions set out in the art. 17 of regulation no. 1/2019.

Furthermore, it is ordered that the initiatives undertaken in order to implement the provisions of this provision and to provide adequately documented feedback pursuant to art. 157 of the Code, within 30 days from the date of notification of this provision; any failure to respond may result in the application of the administrative sanction provided for by the art. 83, par. 5, letter. e) of the Regulation.

Pursuant to art. 78 of the Regulation, of the articles. 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, it is possible to appeal against this provision before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 26 October 2023

PRESIDENT
Stanzione

THE SPEAKER
Zest

THE GENERAL SECRETARY
Mattei