Garante per la protezione dei dati personali (Italy) - 9920578
From GDPRhub
| Garante per la protezione dei dati personali - 9920578 | |
|---|---|
 | |
| Authority: | Garante per la protezione dei dati personali (Italy) |
| Jurisdiction: | Italy |
| Relevant Law: | Article 5(1)(e) GDPR Article 5(1)(c) GDPR Article 5(2) GDPR Article 12 GDPR Article 13 GDPR Article 24 GDPR Article 25 GDPR Article 28 GDPR Article 37(1) GDPR Article 37(7) GDPR Article 83(2) GDPR Article 83(3) GDPR Article 83(5)(a) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 18.07.2023 |
| Published: | |
| Fine: | 45,000 EUR |
| Parties: | Municipality of Modica |
| National Case Number/Name: | 9920578 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Italian |
| Original Source: | Garante per la Protezione dei Dati Personali (in IT) |
| Initial Contributor: | AR |
The Italian DPA fined an Italian city council €45,000 for multiple data breaches over its video-surveillance systems of waste collection. The video recordings had been used to fine an individual for mistakenly disposing of undifferentiated waste.
English Summary
Facts
A citizen (data subject) of the city council of Modica (the controller) submitted a complaint over a dispute report received for having mistakenly disposed of undifferentiated waste, as would appear from the videos recorded by the cameras placed near the waste collection bins.
The applicant complained that the controller had discovered the violation by reviewing the video footage more than a month after it had been recorded. He further claimed that a proper information notice on the processing of personal data of the video footage was missing since an information sign was placed directly on the bin, which was not easily visible and did not indicate the data controller and the purposes pursued.
Holding
The DPA concluded the following.
It found a violation of the right of information, meaning of Article 12 GDPR and Article 13 GDPR, because where video-surveillance systems are used, in addition to placing warning signs in the vicinity of the area under surveillance, data subjects must also be given all information under Article 13 GDPR. Such information must be easily accessible to the data subject. However, in the present case, the sign was on the bin, in the vicinity of other signs – causing confusion and poor visibility, therefore, not making the persons concerned aware of the presence of the video surveillance system before entering its shooting range. Additionally, on the sign, the controller only mentioned generic ‘security reasons’ underlying the video surveillance.
The DPA also found a violation of the principle of minimization, storage limitation, accountability and data protection by design and by default, under Article 5(1)(c) GDPR and Article 5(1)(e) GDPR, Article 5(2) GDPR together with Article 24 GDPR and Article 25 GDPR. The DPA stated that the data controller needs to identify the retention periods for the images, taking into account the purposes of the processing. In this case, the controller used the cameras for two purposes: preventing and detecting administrative offences and preventing and detecting urban security. However, it did not specify the data retention period for the former purpose and simply used the same data retention period used for the second purpose, seven days, without justification. Moreover, the administrative violation of the applicant was ascertained more than one month after the date on which the images were recorded, meaning that the controller had retained those images beyond the seven-day period.
Additionally, the DPA ruled a breach of Article 28 GDPR on the processing operations considering that the controller entrusted the task to the company CAT S.r.l. of Ragusa and, subsequently, to the company Ermeslink without properly defining their roles via a data protection agreement.
Finally, on the designation of the DPO and publication of contact details, the DPA ruled a violation of Article 37(1) GDPR and Article 37(7) GDPR. Indeed, the controller appointed a DPO well after the GDPR became effective, with the excuse that the delay had been due to the SARS-CoV-2 epidemiological emergency and the recruitment process. However, the DPA stated that the GDPR entered into force before the SARS-CoV-2 pandemic and that, pending the assignment of a DPO, the data controller is required to designate a DPO, even temporarily. The DPA also criticized the one-month delay in publishing the DPO's contact details on the controller's website once the DPO was chosen.
The DPA fined the controller €45,000 under Article 83(2) GDPR, Article 83(3) GDPR and Article 83(5)(a) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
SEE ALSO Newsletter of 11 September 2023
[doc. web no. 9920578]
Provision of 18 July 2023
Register of measures
n. 312 of 18 July 2023
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members, and the councilor. Fabio Mattei, general secretary;
HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 /CE, “General Data Protection Regulation” (hereinafter “Regulation”);
HAVING REGARD TO Legislative Decree 30 June 2003, n. 196, “Personal data protection code”, as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of the national law to the Regulation (hereinafter "Code");
GIVEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4 April 2019, published in the Official Gazette. n. 106 of 8 May 2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter “Guarantor Regulation no. 1/2019”);
HAVING SEEN the documentation in the documents;
GIVEN the observations of the Office formulated by the Secretary General pursuant to art. 15 of the Guarantor Regulation n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, in www.gpdp.it, doc. web no. 1098801;
SPEAKER Dr. Agostino Ghiglia;
1. Introduction
With a report submitted to the Authority pursuant to art. 144 of the Code, a citizen of the Municipality of Modica (hereinafter, the "Municipality") complained that he had received some reports contesting the administrative violation of a union ordinance for having mistakenly disposed of undifferentiated waste, as would appear from viewing the videos recorded using video devices placed near the bins used for waste collection. Based on the reports received, the whistleblower complained that the investigations of the violation, through viewing of the videos, took place more than a month after the date on which the videos themselves were recorded.
The reporting party also complained about the absence of adequate information on the processing of personal data, as an information sign had been placed directly on the bin, which was not easily visible and without any indication of the data controller and the purposes pursued.
2. The preliminary investigation activity
In response to a request for information from the Authority (prot. n. XX of the XX), the Municipality, with note prot. n. XX of the XX, declared, in particular, that:
“in order to combat the widespread phenomenon of waste abandonment and the incorrect disposal of solid urban waste, with its own decisions, at different times, it has entrusted the companies CAT Srl of Ragusa and Ermeslink […], for purchase, installation and maintenance of fixed cameras, and collection and analysis of videos relating to environmental violations, both of an administrative and criminal nature";
“following the aforementioned decisions [the Municipality] appointed the owners of the aforementioned companies responsible for the collection, analysis and delivery of the aforementioned films for the periods indicated in the aforementioned decisions” as judicial police auxiliaries;
"after receiving the videos, the staff of the Local Police, Judicial Police section, proceeded, pursuant to art. 13 law n. 689/81, to view [the same], drawing up a specific service note, for the purposes of applying the relevant administrative sanctions in cases of confirmed violation, archiving the files as evidence and for any requests for viewing and/or issuing a copy from party of the infringer entitled and subsequent appeals. […] The remaining part of the videos, where no violations were found, [was] eliminated”;
"scattered throughout the area there are various information signs indicating that the areas are subject to video surveillance", without, however, having provided any documentary evidence regarding this declaration.
In response to a further request for information from the Authority (prot. XX of the XX), the Municipality, with note prot. n. XX of the XX, represented, in particular, that:
“it was necessary to install a video surveillance system near the waste bins in the urban and extra-urban area to […] monitor the storage of waste and the illicit abandonment of the same in order to counteract the degradation of the territory […] ] and avoid the emergence of dangers for hygiene and public health and/or the development of fires due to the presence of piles of abandoned waste";
the Municipality "has [defined] retention times equal to "seven days following the detection of the information and images collected through the use of video surveillance systems", without prejudice to special needs for further conservation";
"the images can only be viewed by Municipal Police personnel [...] Judicial Police officers view the images delivered within two days of the recordings taken and delivered by the "Ermeslink" supplier, appointed Judicial Police Auxiliary. Only in the event where a crime on the part of the citizen is evident, the image is kept to prepare the report and the sanction by the Judicial Police itself as proof [...] of the contested offense";
"the current installation company is appointed by the Municipality as the external manager in charge of the treatment [...] [with] appointment resolution no. XX";
“Citizens are informed of the presence of video cameras by placing an information sign in the immediate vicinity of the cameras pursuant to articles. 13 and 14 of EU Reg. 679/2016”;
"adequate information is published on the institutional website of the Municipality, Section "Acts" - Subsection "Data Protection". The locations where the cameras have been installed are also published."
Lastly, with note prot. n. XX of the XX, the Municipality declared, in particular, that:
“the company “Cat srl” in the context of video surveillance activities, played the role of auxiliary of the judicial police, [having been] appointed by the Local Police Command [of] the Municipality. The company "Cat srl" had the task [...] of carrying out an initial analysis and selection of the videos in which a violation or crime was highlighted. The stipulated agreement is the report of appointment by the Local Police Command";
“the companies “Cat srl” and “Ermeslink” have started to provide their services to this Municipality [...] respectively, as indicated below: - XX; - XX;
“the Municipality […] has stipulated an agreement on the processing of personal data with the company “Ermeslink” […] pursuant to art. 28 of Regulation (EU) no. 679/2016, with resolution n.XX of the XX and delivery of guidelines. An agreement had previously been stipulated with a judicial auxiliary report by the Local Police";
"the retention times of the videos collected through the video surveillance system in use and adopted [by] the Municipality were seven days following the collection of the images, [and] only in the period July-December 2019, which includes the period to which they refer the minutes, corresponding to the last assignment of the task to the company “Cat srl', as per the determination of the Manager of the IX sector of the Municipality of Modica n. XX of the XX, the conservation times of the images were extended to fifteen days. This decision was taken following the fact that in the period from March to November 2019, criminal acts occurred in the area referred to in the reports, [including] a serious act of intimidation against the "Ecology and Environment Sector ", on the night of 18 March 2019 when the car used by Office officials to identify illegal landfills and sanction violators was set on fire"; “in the areas referred to in the said reports, in the period March - November 2019, repeated violations of Legislative Decree no. occurred. 152/2006 and subsequent amendments. characterized by phenomena of uncontrolled abandonment of waste, including dangerous ones (asbestos), which is why [...] it was decided to extend in the last assignment given to the company "Cat srl", which ran from June to December 2019, only in those months, the image retention period of up to 15 days”;
"the date from which this Municipality set the conservation time for the images at "seven days following the collection of the information", dates back to the first assignment to the company "Cat srl" with the determination of the Manager of the IX sector n. XX of the XX”;
“information signs had [been] placed in the areas subjected to video surveillance, in the period July-November 2019, including those in the areas mentioned in the said reports”;
“the [several] information signs attached to the XX note were placed in February 2020 […]”;
"the complete information on the processing of personal data in the context of video surveillance was published on the Institution's institutional website on the XX";
"in the period July-November 2019 the interested parties (citizens) were made aware of the video surveillance system, installed by the Municipality of Modica with the aim of limiting the proliferation of illegal landfills, through information signs placed near the bins, on the electricity poles, placed in the immediate vicinity or on the front side of the bins themselves [...]";
“the Municipality of Modica designated the Data Protection Officer DPO/RPD on XX”;
“the contact details of the Data Protection Officer (Gruppo Consulting Soc. Coop. Stp) were published on the official website of the Municipality of Modica on XX”.
With note dated XX (prot. n. XX), the Office, on the basis of the elements acquired, notified the Municipality, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in the art. 58, par. 2 of the Regulation, inviting the aforementioned owner to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of law no. 689 of 11/24/1981). With the note mentioned above, the Office found that the Municipality has implemented processing of personal data using video devices in a manner that does not comply with the legislation on the protection of personal data, in violation of the articles. 5, par. 1, letter. a), c) and e), and par. 2, 12, 13, 14, 24, 25, 28 and 37 of the Regulation.
With note dated XX (Protocol Guarantor no. XX), the Municipality sent its defense writings to the Authority in relation to the violations notified, declaring, in particular, that:
“[the Municipality] decided to install video cameras in strategic areas of its territory (at the time of the facts, five fixed and four mobile) for reasons of prevention and dissuasion of crimes [in environmental matters...] [and] administrative [ both] contraventions punished with the penalty of arrest (such as that provided for in art. 256 of Legislative Decree 152/2006 when the abandonment of waste occurs by owners of businesses or entities) or [...] to prevent real and own acts of vandalism [...] through damage, theft and/or fires of bins that have occurred in the area [...]. The aforementioned purpose can therefore be considered legitimate to allow the conservation for seven days provided for by paragraph 8 of article 6 of the Legislative Decree. n°11 of 02.23.09 which, as in the present case, allows this option for "public safety" purposes;
with regard to the "temporary extension arranged to allow a retention period of 15 days [...], [which has] only been of an exceptional and urgent nature [...] [due to] investigative needs arising from the aforementioned acts of vandalism", [it is considered applicable] in the present case, [...] the provision referred to in art.8 of the Presidential Decree. 15.01.18 n°15. If it is true, in fact, that paragraph 8 of article 6 of the Legislative Decree 11/09 determines the maximum conservation period at seven days and it is true that the same regulation is without prejudice to "special needs for further conservation". Furthermore, it does not even appear that the exceptional and temporary period of fifteen days, established for the aforementioned purposes, can in itself be considered "excessive" or "incongruous";
"Although video surveillance systems were installed in several points of the city, there were only five fixed cameras in use in the reference period (four of which were functioning) whose management was certainly to be considered compatible with manual and unscheduled deletion of recordings acquired. To date, however, the entire system present in several points of the city (with 12 fixed cameras and 4 mobile cameras) is currently not operational while awaiting the adaptation already started which will allow its compliant use in the future";
“[…] the information signs […] displayed at the sites of the confirmed violations were not only those applied on the bins […] but also those placed autonomously and independently on posts adjacent to the areas concerned [, which] warned eloquently and before the range of coverage of the presence of video surveillance, [...] [also bearing] the Municipality's logo [...] and the precise telephone contact details [, although they did not acknowledge] either the temporary extension arranged, or the new purposes underlying the extension itself, [which had been] arranged only for a temporary purpose linked to an exceptional event and remained in force for only a few days";
“the appointment as Judicial Police Auxiliary is equivalent to being responsible for data processing”;
“the delay in the appointment [of the DPO] was largely dependent on the COVID 19 pandemic which emerged and is still in force which […] has also paralyzed a large part of the administrative activities of the Public Bodies which have been grappling, over the last year, with much more serious problems imminent and binding. In any case, it is also important that resolution no. on the part of the participants. It follows that the delay of only a few months with respect to the entry into force of the legal obligation must be considered not to depend on the will of the Institution".
3. Outcome of the preliminary investigation
3.1 Video surveillance in public areas
The processing of personal data using video surveillance systems by public entities is generally permitted if it is necessary to fulfill a legal obligation to which the data controller is subject or for the execution of a task of public interest or connected to the exercise of public powers with which he is invested (art. 6, par. 1, letters c) and e), and 3, of the Regulation, as well as 2-ter of the Code; see par. 41 of the “Guidelines 3/2019 on the processing of personal data through video devices”, adopted by the European Data Protection Committee on 29 January 2020). In this context, it is noted that waste management is one of the institutional activities entrusted to local authorities.
The data controller is, in any case, required to respect the principles regarding data protection referred to in art. 5 of the Regulation, including that of "lawfulness, correctness and transparency" (art. 5, par. 1, letter a), of the Regulation), according to which the data controller must adopt appropriate measures to provide the interested in all the information referred to in the articles. 13 and 14 of the Regulation in a concise, transparent, intelligible and easily accessible form, with simple and clear language (see art. 12 of the Regulation).
The Municipalities, in exercising their powers - as in the case of ascertaining administrative offenses provided for by environmental legislation (see, in particular, articles 192, "prohibition on abandonment", and 255, "abandonment of waste", of Legislative Decree no. 152 of 3 April 2006; art. 13, law of 24 November 1981, no. 689) or by trade union ordinances on the management and disposal of urban waste - are required, as owners of the processing, in accordance with the principle of accountability (articles 5, paragraph 2, and 24 of the Regulation), to evaluate whether, taking into account the specific local context, the processing of personal data using video devices, for the purposes of ascertaining such violations, is actually necessary and proportionate (see FAQ of the Guarantor on video surveillance of 3 December 2020, web doc. no. 9496574, in particular FAQ no. 13, where it is clarified that the use of video surveillance for the purposes, in the sense side, of environmental protection, it is permitted "only if it is not possible, or proves ineffective, the use of alternative control tools and systems and in any case in compliance with the principle of data minimization", referred to in art. 5, par. 1, letter. c) of the Regulation).
3.2 Information on the processing of personal data
When video surveillance systems are used, the data controller, in addition to providing first level information by affixing warning signs near the area subjected to video surveillance, must also provide interested parties with "second level information", which must “contain all the mandatory elements pursuant to Article 13 of the [Regulation]” and “be easily accessible to the interested party” (“Guidelines 3/2019 on the processing of personal data through video devices”, cit., in particular par 7; but see already the "Provision on video surveillance" of the Guarantor of 8 April 2010, web document no. 1712680, in particular par. 3.1; see FAQ no. 4 of the Guarantor on video surveillance, cit .).
The first level information (warning sign) “should communicate the most important data, for example the purposes of the processing, the identity of the data controller and the existence of the data subject's rights, together with information on the most significant impacts of the processing” (“Guidelines 3/2019 on the processing of personal data through video devices”, cit., par. 114). Furthermore, the signs must also contain information that may be unexpected for the interested party. This could, for example, concern the transmission of data to third parties, in particular if located outside the European Union, and the retention period. If such information is not indicated, the interested party should be able to trust that there is only real-time surveillance (without any data recording or transmission to third parties) (ibidem, cit., par. 115). The first level warning signs must also contain a clear reference to the second level of information, for example indicating a website on which it is possible to consult the text of the extended information.
Furthermore, the first level information should be positioned in a way that allows the interested party to easily recognize the circumstances of the surveillance, before entering the monitored area. It is not necessary to reveal the location of the camera, as long as there is no doubt about which areas are subject to surveillance and the context of the surveillance is unequivocally clarified (ibidem, cit., par. 113; see, also, provisions 20 October 2022, no. 341, web doc. no. 9831369; 28 April 2022, no. 162, web doc. no. 9777974, 7 April 2022, no. 119, web doc. no. 9773950, 16 September 2021, no. . 327, web doc. no. 9705650 and 11 March 2021, no. 90, web doc. no. 9582791).
In the present case, the Municipality, in the period in which the reportable assessment reports were issued, used an information sign (see Annex 6 note of the XX) which does not fully comply with the legislation on the protection of personal data. In addition to mentioning generic "security reasons" underlying video surveillance, it does not indicate, in fact, the ways in which the interested parties (i.e. not only the subjects who are accused of an administrative violation, but all the natural persons who enter within the of action of the cameras) can receive complete information on second level processing, nor does it emerge from the documents that the Municipality, in that period, took steps to draw up such complete information and bring it to the attention of the interested parties, for example through publication on the own institutional website. In this regard, the Municipality has, in fact, declared that the complete information on the processing of personal data in the context of video surveillance was published on its institutional website only on XX.
For the sake of completeness, it is specified that from the investigations carried out by the Office (see service report of the XX) it also emerged that on the institutional website of the Municipality an information relating to the "XII-ecology" sector was found, in which, with regard to the legal basis of the processing, it was stated that "the processing of personal data carried out through the use of video surveillance systems has the intention of pursuing a legitimate interest of the Data Controller to guarantee public safety and the public interest, in when the processing is necessary for the execution of a task of public interest or connected to the exercise of public powers vested in the data controller. […] In this case the processing is carried out for the protection of public hygiene and public safety”; “the […] processing [of the images] responds to the need to pursue the interest of protecting people and property from illicit acts (assaults, thefts and robberies) and to collect evidence”.
This information, therefore, was also inadequate, not making reference to the aim pursued in the case in question, which falls within the competence of the Municipality, concerning the verification of conduct sanctioned administratively (see articles 192, "ban on abandonment", and 255 "abandonment of waste", of Legislative Decree no. 152 of 3 April 2006; art. 13, law of 24 November 1981, no. 689) and which must be distinguished from the different areas of "public security" and "public safety" .
It should also be noted that the simplified sign, used by the Municipality, was posted directly on the bin, even in proximity to other signs, thus generating confusion and poor visibility of the same and, therefore, not allowing interested parties to be aware of the presence of the video surveillance system before entering its recording range. In this regard, it is noted that the Municipality's statement regarding the circumstance that "the information signs that were displayed in the places of the ascertained violations were not only those applied to the bins set up for waste collection [...] but also those placed in such a way autonomous and independent on posts adjacent to the areas concerned" (note of the XX) is not reflected in the documentation in the documents, as the Municipality has not produced any element to support this declaration.
Furthermore, it appears from the documents that for the period of November-July 2019 the retention time of the images had been increased from seven to fifteen days, although the interested parties were not informed of this circumstance. On this point, in fact, it was declared (see note of the XX) that "the conservation methods and purposes [...] indicated did not take into account either the temporary extension arranged, or the new purposes underlying the extension itself".
Lastly, with regards to the sign used by the Municipality starting from the month of XX (see Annex 7 note of XX), the existence of an automatic data deletion mechanism is also declared which, on the basis of the documentation in documents, it does not appear to have actually been adopted by the Municipality. Furthermore, as regards the indication of the methods with which interested parties can obtain complete information on the processing of personal data, only the possibility of physically going to an "information desk" at the Municipality headquarters is mentioned, with this having been the possibility for them to easily acquire complete information on the processing of personal data in question is effectively hindered.
For these reasons, the processing of personal data using video devices was carried out by the Municipality in a manner that did not comply with the principle of "lawfulness, correctness and transparency" referred to in art. 5, par. 1, letter. a) and in violation of the obligations set out in articles. 12 and 13 of the Regulation (it is necessary, however, to archive the contested violation of art. 14, considering that the personal data, subject to processing through these video systems, were not acquired from third parties).
3.3 The principles of data minimisation, retention limitation, accountability and protection by design and by default
Pursuant to art. 5, par. 1, letter. c) and e), of the Regulation, personal data must be "adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed" ("data minimization") and "stored in a form that allows identification of the interested parties for a period of time not exceeding the achievement of the purposes for which they are processed" ("limitation of conservation").
Based on the principle of accountability (articles 5, paragraph 2, and 24 of the Regulation), it is up to the data controller to identify the retention times of the images, taking into account the context and purposes of the processing, as well as the risk for rights and the freedoms of natural persons; this unless specific legal provisions expressly provide for certain data retention times (see FAQ no. 5 of the Guarantor regarding video surveillance, cit.). In most cases “taking into account the principles set out in Article 5(1)(c) and (e) of the GDPR, i.e. data minimization and limitation of data retention, personal data should be [ …] deleted after a few days, preferably via automatic mechanisms. The longer the expected retention period is (especially if it exceeds 72 hours), the more well-argued the analysis must be regarding the legitimacy of the purpose and the necessity of conservation" (para. 8, point 121, of the Committee's Guidelines European Data Protection Authority, cit.; see also FAQ n. 5 of the Guarantor, cit.).
In accordance with the principle of data protection by default (pursuant to art. 25, par. 2, of the Regulation), the data controller must implement appropriate technical and organizational measures to ensure that the images taken by video devices are processed, by default, only for the retention period previously defined by it.
Having said this, it is noted, first of all, that, from what was declared by the Municipality, it emerged that the video surveillance system in question was not installed for the sole purpose of preventing and ascertaining so-called illicit acts. administrative by citizens, but also for so-called urban security, or for reasons of prevention and dissuasion of crimes (acts of vandalism, theft, etc.).
Precisely following some acts of vandalism, the Municipality, in the period March - November 2019, increased the retention period of the images taken by the video surveillance system from seven to fifteen days (see note of the XX), in violation of the art. 6, paragraph 8, of the legislative decree. 23 February 2009, n. 11, pursuant to which "the retention of data, information and images collected through the use of video surveillance systems is limited to seven days following the detection, without prejudice to special needs for further conservation".
In this regard, it must be noted that the reference by the Municipality to art. 6, paragraph 8, of the legislative decree. 23 February 2009, n. 11, for the purposes of defining the retention times of videos acquired using video devices, is not entirely coherent, given that, in the context in question, the Municipality was not pursuing purposes related to the so-called urban safety, which is governed by a specific regulatory framework for the sector (see art. 5, paragraph 2, letter a), of the legislative decree. 20 February 2017, n. 14, pursuant to which Municipalities can install video surveillance systems to pursue objectives of "prevention and combating the phenomena of widespread and predatory crime", subject to the stipulation of an agreement for the implementation of urban security with the territorially competent Prefecture). Furthermore, the occurrence of "criminal facts [including] a serious act of intimidation", consisting in the burning of a car belonging to the "Ecology and Environment Sector" of the Municipality, cannot however in itself give rise to a special need to extend the deadline of seven days provided for by the legislative decree 23 February 2009, n. 11, given that in relation to any consequences deriving from conduct of the same nature, as immediately or promptly identifiable, the seven-day deadline provided for by law is certainly adequate in order to be able to ascertain any responsibilities and acquire in the documents of this specific proceeding the necessary images, for investigation purposes, by the competent investigative bodies.
Given that the aforementioned seven-day deadline, defined by the legislative decree 23 February 2009, n. 11, is not applicable in the context of the case, the Municipality, in compliance with the principles of accountability, limitation of conservation and data protection by default, should have defined the maximum retention period for images collected using video devices for the purposes of verification of administrative violations in environmental matters, adequately justifying the choices made.
Furthermore, it emerges from the complaint that the administrative violations were in any case ascertained more than one month after the date on which the images were recorded, with the Municipality having, therefore, retained said images beyond the aforementioned seven-day deadline.
In light of the above, the violation of the principles of "minimization", "limitation of conservation" (art. 5, par. 1, letters c) and e)), "responsibilization" (art. 5, par. 2) is ascertained , of the Regulation, in conjunction with art. 24 of the Regulation) and data protection by design and by default (art. 25 of the Regulation).
3.4 Relationships with data controllers
Pursuant to art. 28, par. 3, of the Regulation, "processing by a data controller must be governed by a contract or other legal act pursuant to 26 Union or Member State law, which binds the data controller to the data controller, which stipulates the subject matter regulated and the duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of interested parties, the obligations and rights of the data controller", and which provides for all the commitments provided for by the same art. . 28, par. 3, of the Regulation (see cons. no. 81 of the Regulation; provision no. 81 of 7 March 2019, web doc. 9121890; provision no. 160 of 17 September 2020, web doc. 9461168, provision no. 294 of 22 July 2021, web doc. 9698724, provision no. 351 of 29 September 2021, web doc. 9716256; provision no. 270 of 21 July 2022, web doc. 9811732).
Having said this, it is noted that, following the outcome of the investigation, it emerged that the Municipality entrusted the task to the company CAT S.r.l. of Ragusa (starting from the XX) and, subsequently, to the individual company Ermeslink of Giovanni Di Stefano (starting from the XX), having as its object specific personal data processing operations, such as the collection and analysis of videos relating to environmental violations, both of an administrative and criminal nature, appointing for this purpose auxiliaries of the Judicial Police the owners of the aforementioned appointed companies.
In the present case, the company CAT Srl of Ragusa participated in the processing in question from 8 August 2017 until December 2019, without its role being defined for the purposes of data protection legislation. In relation to the company Ermeslink, however, which has been entrusted with the service in question since XX, there was a late act of appointment as data protection manager pursuant to art. 28 of the Regulation (determination n. XX of XX).
Nor does it note that the aforementioned companies had been assigned "judicial police" functions, taking into account that the acts adopted for this purpose by the Municipality cannot be considered "agreements" on data protection stipulated between the data controller and data controller, lacking the mandatory elements provided for by the art. 28 of the Regulation.
In light of the foregoing considerations, it is noted that the aforementioned companies participated in the processing of the data in question without their role, before the start of the processing, being correctly defined by the Municipality through the stipulation of a data protection agreement, with consequent violation by the Municipality of the art. 28 of the Regulation.
3.5 Designation of the DPO and publication of contact details
Pursuant to art. 37, par. 1 and 7 of the Regulation, "the data controller and the data processor systematically designate a data protection officer whenever: a) the processing is carried out by a public authority or a public body [...]", and " the data controller or processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority”.
During the investigation, the Municipality declared that it had designated the Data Protection Officer ("DPO") on XX, therefore well after the date on which the Regulation became effective (25 May 2018), attributing the delay to the epidemiological emergency from SARS-CoV-2 and to the circumstance that determined the approval of the tender for the assignment of the task, which was already adopted on 13 August 2019 but "that two tenders were unsuccessful due to lack of of the requirements of the participants".
In this regard, it is specified that the date on which the Regulation became effective precedes the SARS-CoV-2 pandemic and that, pending the conclusion of the procedure for assigning the role of DPO, the holder is in any case required to designate, even temporarily, a DPO possibly also among internal staff (see also the guidance document on the designation, position and duties of the Data Protection Officer (DPO) in the public sector, attached to the provision of 29 April 2021, no. 186, doc. web no. 9589104).
It is also established that the Municipality published the contact details of the DPO on its institutional website on XX, or approximately one month after the date of his designation.
In light of the preceding considerations, the Municipality acted in violation of the art. 37, par. 1 and 7 of the Regulation.
4. Conclusions
In light of the assessments mentioned above, it is noted that the declarations made by the data controller in the defense writings ˗ the truthfulness of which can be called upon to respond pursuant to art. 168 of the Code ˗ although worthy of consideration, do not allow us to overcome the findings notified by the Office with the act of initiating the proceedings and are insufficient to allow the dismissal of the present proceedings, as, moreover, none of the cases provided for by the art. 11 of the Guarantor Regulation n. 1/2019.
It is also stated that for the determination of the applicable rule, from a temporal point of view, the principle of legality referred to in the art. must be referred to in particular. 1, paragraph 2, of the law. n. 689/1981, pursuant to which "laws providing for administrative sanctions apply only in the cases and times considered therein". This determines the obligation to take into consideration the provisions in force at the time of the violation committed, which in the case in question - given the permanent nature of the contested offense - must be identified in the act of cessation of the illicit conduct, which occurred after 25 May 2018, the date on which the Regulation became applicable.
In fact, from the preliminary investigation documents it emerged that the data processing using the video devices in question took place in a manner that did not comply with the regulations on the protection of personal data starting from 8 August 2017 (the date on which it began to the company Cat s.r.l. to provide this service) and appears to have continued until the month of May 2021 as, with the note of the XX the Municipality declared that "it is not [currently] operational precisely awaiting the adaptation already started which will allow it in future compliant use".
The preliminary assessments of the Office are therefore confirmed and the illegality of the processing of personal data carried out by the Municipality is noted, for not having provided the interested parties with adequate information on the processing of personal data, for having acted in a manner that does not comply with the principles of data minimization, limitation of storage, responsibility and protection of data from the design stage and for definitive setting, for not having promptly defined the relationships with CAT S.r.l. of Ragusa (starting from the XX) and, subsequently, with the individual company Ermeslink of Giovanni Di Stefano, the data controllers, and for having delayed the designation of the DPO and the publication of the contact details relating to the same, in violation of the articles. 5, par. 1, letter. a), c) and e), and par. 2 (in conjunction with art. 24), 12, par. 1, 13, 25, 28 and 37, pars. 1 and 7 of the Regulation.
Violation of the aforementioned provisions makes the administrative sanction applicable pursuant to the articles. 58, par. 2, letter. i), and 83, pars. 4 and 5 of the Regulation itself, as also referred to in the art. 166, paragraph 3, of the Code.
5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letters i and 83 of the Regulation; article 166, paragraph 7, of the Code).
The Guarantor, pursuant to articles. 58, par. 2, letter. i), and 83 of the Regulation as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each single case" and, in this framework, "the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the additional administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code” (art. 16, paragraph 1, of the Guarantor Regulation no. 1/2019).
In this regard, taking into account the art. 83, par. 3, of the Regulation, in this case the violation of the cited provisions is subject to the application of the same pecuniary administrative sanction provided for by the art. 83, par. 5, of the Regulation.
The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in amount, taking due account of the elements provided for by the art. 83, par. 2, of the Regulation.
For the purposes of applying the sanction, it was considered that the processing of personal data in question was carried out in a public place, for a long period of time (from August 2017 to May 2021) and involved a large number of interested parties.
On the other hand, the non-intentional behavior of the violation and the collaboration with the Authority by the Municipality during the investigation are considered. Furthermore, there are no previous relevant violations committed or previous measures referred to in the art. 58 of the Regulation.
Due to the aforementioned elements, evaluated as a whole, it is deemed necessary to determine pursuant to art. 83, par. 2 and 3 of the Regulation the amount of the pecuniary sanction, provided for by the art. 83, par. 5, letter. a) of the Regulation, in the amount of €45,000 for the violation of the articles. 5, par. 1, letter. a), c) and e), and par. 2 (in conjunction with art. 24), 12, par. 1, 13, 25, 28 and 37, pars. 1 and 7 of the Regulation, as a pecuniary administrative sanction deemed effective, proportionate and dissuasive pursuant to art. 83, par. 1, of the same Regulation.
Taking into account that the use of the video devices in question involved public places, implementing a processing of personal data that "allows [to detect] the presence and behavior of people in the space considered" ("Guidelines 3/2019 on the processing of personal data through video devices", par. 2.1, cit.), without the subjects filmed having been fully informed of the processing of personal data carried out, it is believed that the accessory sanction of publication on the Guarantor's website of this document should be applied provision, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019.
Finally, it is believed that the conditions set out in art. 17 of Regulation no. 1/2019.
ALL THIS CONSIDERING THE GUARANTOR
pursuant to art. 57, par. 1, letter. a) and f) of the Regulation, notes the illegality of the processing carried out by the Municipality of Modica, due to the violation of the articles. 5, par. 1, letter. a) c) and e), and par. 2 (in conjunction with art. 24), 12, par. 1, 13, 25, 28 and 37, pars. 1 and 7 of the Regulation, within the terms set out in the justification
ORDER
to the Municipality of Modica, in the person of the pro-tempore legal representative, with registered office in Piazza Principe Di Napoli, 17 - 97015 Modica (RG) – CF 00175500883 – to pay the sum of 45,000 euros as a pecuniary administrative sanction for violations of the articles 5, par. 1, letter. a), c) and e), and par. 2 (in conjunction with art. 24), 12, par. 1, 13, 25, 28 and 37, pars. 1 and 7 of the Regulation, it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;
ORDERS
to the Municipality of Modica to pay the sum of 45,000 euros - in case of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, according to the methods indicated in the annex, within thirty days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law. n. 689/1981;
HAS
the publication of this provision on the Guarantor's website, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019;
the annotation of this provision in the internal register of the Authority, provided for by the art. 57, par. 1, letter. u), of the Regulation, of violations and measures adopted in compliance with the art. 58, par. 2, of the Regulation.
Pursuant to art. 78 of the Regulation, of the articles. 152 of the Code and 10 of Legislative Decree no. 150/2011, it is possible to appeal against this provision before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.
Rome, 18 July 2023
PRESIDENT
Stantion
THE SPEAKER
Ghiglia
THE GENERAL SECRETARY
Mattei
SEE ALSO Newsletter of 11 September 2023
[doc. web no. 9920578]
Provision of 18 July 2023
Register of measures
n. 312 of 18 July 2023
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members, and the councilor. Fabio Mattei, general secretary;
HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 /CE, “General Data Protection Regulation” (hereinafter “Regulation”);
HAVING REGARD TO Legislative Decree 30 June 2003, n. 196, “Personal data protection code”, as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of the national law to the Regulation (hereinafter "Code");
GIVEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4 April 2019, published in the Official Gazette. n. 106 of 8 May 2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter “Guarantor Regulation no. 1/2019”);
HAVING SEEN the documentation in the documents;
GIVEN the observations of the Office formulated by the Secretary General pursuant to art. 15 of the Guarantor's Regulation no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, in www.gpdp.it, doc. web no. 1098801;
SPEAKER Dr. Agostino Ghiglia;
1. Introduction
With a report submitted to the Authority pursuant to art. 144 of the Code, a citizen of the Municipality of Modica (hereinafter, the "Municipality") complained that he had received some reports contesting the administrative violation of a union ordinance for having mistakenly disposed of undifferentiated waste, as would appear from viewing the videos recorded using video devices placed near the bins used for waste collection. Based on the reports received, the whistleblower complained that the investigations of the violation, through viewing of the videos, took place more than a month after the date on which the videos themselves were recorded.
The reporting party also complained about the absence of adequate information on the processing of personal data, as an information sign had been placed directly on the bin, which was not easily visible and without any indication of the data controller and the purposes pursued.
2. The preliminary investigation activity
In response to a request for information from the Authority (prot. n. XX of the XX), the Municipality, with note prot. n. XX of the XX, declared, in particular, that:
“in order to combat the widespread phenomenon of waste abandonment and the incorrect disposal of solid urban waste, with its own decisions, at different times, it has entrusted the companies CAT Srl of Ragusa and Ermeslink […], for purchase, installation and maintenance of fixed cameras, and collection and analysis of videos relating to environmental violations, both of an administrative and criminal nature";
“following the aforementioned decisions [the Municipality] appointed the owners of the aforementioned companies responsible for the collection, analysis and delivery of the aforementioned films for the periods indicated in the aforementioned decisions” as judicial police auxiliaries;
"after receiving the videos, the staff of the Local Police, Judicial Police section, proceeded, pursuant to art. 13 law n. 689/81, to view [the same], drawing up a specific service note, for the purposes of applying the relevant administrative sanctions in cases of confirmed violation, archiving the files as evidence and for any requests for viewing and/or issuing a copy from party of the infringer entitled and subsequent appeals. […] The remaining part of the videos, where no violations were found, [was] eliminated”;
"scattered throughout the area there are various information signs indicating that the areas are subject to video surveillance", without, however, having provided any documentary evidence regarding this declaration.
In response to a further request for information from the Authority (prot. XX of the XX), the Municipality, with note prot. n. XX of the XX, represented, in particular, that:
“it was necessary to install a video surveillance system near the waste bins in the urban and extra-urban area to […] monitor the storage of waste and the illicit abandonment of the same in order to counteract the degradation of the territory […] ] and avoid the emergence of dangers for hygiene and public health and/or the development of fires due to the presence of piles of abandoned waste";
the Municipality "has [defined] retention times equal to "seven days following the detection of the information and images collected through the use of video surveillance systems", without prejudice to special needs for further conservation";
"the images can only be viewed by Municipal Police personnel [...] Judicial Police officers view the images delivered within two days of the recordings taken and delivered by the "Ermeslink" supplier, appointed Judicial Police Auxiliary. Only in the event where a crime on the part of the citizen is evident, the image is kept to prepare the report and the sanction by the Judicial Police itself as proof [...] of the contested offense";
"the current installation company is appointed by the Municipality as the external manager in charge of the treatment [...] [with] appointment resolution no. XX";
“Citizens are informed of the presence of video cameras by placing an information sign in the immediate vicinity of the cameras pursuant to articles. 13 and 14 of EU Reg. 679/2016”;
"adequate information is published on the institutional website of the Municipality, Section "Acts" - Subsection "Data Protection". The locations where the cameras have been installed are also published."
Lastly, with note prot. n. XX of the XX, the Municipality declared, in particular, that:
“the company “Cat srl” in the context of video surveillance activities, played the role of auxiliary of the judicial police, [having been] appointed by the Local Police Command [of] the Municipality. The company "Cat srl" had the task [...] of carrying out an initial analysis and selection of the videos in which a violation or crime was highlighted. The stipulated agreement is the report of appointment by the Local Police Command";
“the companies “Cat srl” and “Ermeslink” have started to provide their services to this Municipality [...] respectively, as indicated below: - XX; - XX;
“the Municipality […] has stipulated an agreement on the processing of personal data with the company “Ermeslink” […] pursuant to art. 28 of Regulation (EU) no. 679/2016, with resolution n.XX of the XX and delivery of guidelines. An agreement had previously been stipulated with a judicial auxiliary report by the Local Police";
"the retention times of the videos collected through the video surveillance system in use and adopted [by] the Municipality were seven days following the collection of the images, [and] only in the period July-December 2019, which includes the period to which they refer the minutes, corresponding to the last assignment of the task to the company “Cat srl', as per the determination of the Manager of the IX sector of the Municipality of Modica n. XX of the XX, the conservation times of the images were extended to fifteen days. This decision was taken following the fact that in the period from March to November 2019, criminal acts occurred in the area referred to in the reports, [including] a serious act of intimidation against the "Ecology and Environment Sector ", on the night of 18 March 2019 when the car used by Office officials to identify illegal landfills and sanction violators was set on fire"; “in the areas referred to in the said reports, in the period March - November 2019, repeated violations of Legislative Decree no. occurred. 152/2006 and subsequent amendments. characterized by phenomena of uncontrolled abandonment of waste, including dangerous ones (asbestos), which is why [...] it was decided to extend in the last assignment given to the company "Cat srl", which ran from June to December 2019, only in those months, the image retention period of up to 15 days”;
"the date from which this Municipality set the conservation time for the images at "seven days following the collection of the information", dates back to the first assignment to the company "Cat srl" with the determination of the Manager of the IX sector n. XX of the XX”;
“information signs had [been] placed in the areas subjected to video surveillance, in the period July-November 2019, including those in the areas mentioned in the said reports”;
“the [several] information signs attached to the XX note were placed in February 2020 […]”;
"the complete information on the processing of personal data in the context of video surveillance was published on the Institution's institutional website on the XX";
"in the period July-November 2019 the interested parties (citizens) were made aware of the video surveillance system, installed by the Municipality of Modica with the aim of limiting the proliferation of illegal landfills, through information signs placed near the bins, on the electricity poles, placed in the immediate vicinity or on the front side of the bins themselves [...]";
“the Municipality of Modica designated the Data Protection Officer DPO/RPD on XX”;
“the contact details of the Data Protection Officer (Gruppo Consulting Soc. Coop. Stp) were published on the official website of the Municipality of Modica on XX”.
With note dated XX (prot. n. XX), the Office, on the basis of the elements acquired, notified the Municipality, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in the art. 58, par. 2 of the Regulation, inviting the aforementioned owner to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of law no. 689 of 11/24/1981). With the note mentioned above, the Office found that the Municipality has implemented processing of personal data using video devices in a manner that does not comply with the legislation on the protection of personal data, in violation of the articles. 5, par. 1, letter. a), c) and e), and par. 2, 12, 13, 14, 24, 25, 28 and 37 of the Regulation.
With note dated XX (Protocol Guarantor no. XX), the Municipality sent its defense writings to the Authority in relation to the violations notified, declaring, in particular, that:
“[the Municipality] decided to install video cameras in strategic areas of its territory (at the time of the facts, five fixed and four mobile) for reasons of prevention and dissuasion of crimes [in environmental matters...] [and] administrative [ both] contraventions punished with the penalty of arrest (such as that provided for in art. 256 of Legislative Decree 152/2006 when the abandonment of waste occurs by owners of businesses or entities) or [...] to prevent real and own acts of vandalism [...] through damage, theft and/or fires of bins that have occurred in the area [...]. The aforementioned purpose can therefore be considered legitimate to allow the conservation for seven days provided for by paragraph 8 of article 6 of the Legislative Decree. n°11 of 02.23.09 which, as in the present case, allows this option for "public safety" purposes;
with regard to the "temporary extension arranged to allow a retention period of 15 days [...], [which has] only been of an exceptional and urgent nature [...] [due to] investigative needs arising from the aforementioned acts of vandalism", [it is considered applicable] in the present case, [...] the provision referred to in art.8 of the Presidential Decree. 15.01.18 n°15. If it is true, in fact, that paragraph 8 of article 6 of the Legislative Decree 11/09 determines the maximum conservation period at seven days and it is true that the same regulation is without prejudice to "special needs for further conservation". Furthermore, it does not even appear that the exceptional and temporary period of fifteen days, established for the aforementioned purposes, can in itself be considered "excessive" or "incongruous";
"Although video surveillance systems were installed in several points of the city, there were only five fixed cameras in use in the reference period (four of which were functioning) whose management was certainly to be considered compatible with manual and unscheduled deletion of recordings acquired. To date, however, the entire system present in several points of the city (with 12 fixed cameras and 4 mobile cameras) is currently not operational while awaiting the adaptation already started which will allow its compliant use in the future";
“[…] the information signs […] displayed at the sites of the confirmed violations were not only those applied on the bins […] but also those placed autonomously and independently on posts adjacent to the areas concerned [, which] warned eloquently and before the range of coverage of the presence of video surveillance, [...] [also bearing] the Municipality's logo [...] and the precise telephone contact details [, although they did not acknowledge] either the temporary extension arranged, or the new purposes underlying the extension itself, [which had been] arranged only for a temporary purpose linked to an exceptional event and remained in force for only a few days";
“the appointment as Judicial Police Auxiliary is equivalent to being responsible for data processing”;
“the delay in the appointment [of the DPO] was largely dependent on the COVID 19 pandemic which emerged and is still in force which […] has also paralyzed a large part of the administrative activities of the Public Bodies which have been grappling, over the last year, with much more serious problems imminent and binding. In any case, it is also important that resolution no. on the part of the participants. It follows that the delay of only a few months with respect to the entry into force of the legal obligation must be considered not to depend on the will of the Institution".
3. Outcome of the preliminary investigation
3.1 Video surveillance in public areas
The processing of personal data using video surveillance systems by public entities is generally permitted if it is necessary to fulfill a legal obligation to which the data controller is subject or for the execution of a task of public interest or connected to the exercise of public powers with which he is invested (art. 6, par. 1, letters c) and e), and 3, of the Regulation, as well as 2-ter of the Code; see par. 41 of the “Guidelines 3/2019 on the processing of personal data through video devices”, adopted by the European Data Protection Committee on 29 January 2020). In this context, it is noted that waste management is one of the institutional activities entrusted to local authorities.
The data controller is, in any case, required to respect the principles regarding data protection referred to in art. 5 of the Regulation, including that of "lawfulness, correctness and transparency" (art. 5, par. 1, letter a), of the Regulation), according to which the data controller must adopt appropriate measures to provide the interested in all the information referred to in the articles. 13 and 14 of the Regulation in a concise, transparent, intelligible and easily accessible form, with simple and clear language (see art. 12 of the Regulation).
The Municipalities, in exercising their powers - as in the case of ascertaining administrative offenses provided for by environmental legislation (see, in particular, articles 192, "prohibition on abandonment", and 255, "abandonment of waste", of Legislative Decree 3 April 2006, no. 152; art. 13, Law 24 November 1981, no. 689) or by trade union ordinances on the management and disposal of urban waste - are required, as owners of the processing, in accordance with the principle of accountability (articles 5, paragraph 2, and 24 of the Regulation), to evaluate whether, taking into account the specific local context, the processing of personal data using video devices, for the purposes of ascertaining such violations, is actually necessary and proportionate (see FAQ of the Guarantor on video surveillance of 3 December 2020, web doc. no. 9496574, in particular FAQ no. 13, where it is clarified that the use of video surveillance for the purposes, in the sense side, of environmental protection, it is permitted "only if it is not possible, or proves ineffective, the use of alternative control tools and systems and in any case in compliance with the principle of data minimization", referred to in art. 5, par. 1, letter. c) of the Regulation).
3.2 Information on the processing of personal data
When video surveillance systems are used, the data controller, in addition to providing first level information by affixing warning signs near the area subjected to video surveillance, must also provide interested parties with "second level information", which must “contain all the mandatory elements pursuant to Article 13 of the [Regulation]” and “be easily accessible to the interested party” (“Guidelines 3/2019 on the processing of personal data through video devices”, cit., in particular par 7; but see already the "Provision on video surveillance" of the Guarantor of 8 April 2010, web document no. 1712680, in particular par. 3.1; see FAQ no. 4 of the Guarantor on video surveillance, cit .).
The first level information (warning sign) “should communicate the most important data, for example the purposes of the processing, the identity of the data controller and the existence of the data subject's rights, together with information on the most significant impacts of the processing” (“Guidelines 3/2019 on the processing of personal data through video devices”, cit., par. 114). Furthermore, the signs must also contain information that may be unexpected for the interested party. This could, for example, concern the transmission of data to third parties, in particular if located outside the European Union, and the retention period. If such information is not indicated, the interested party should be able to trust that there is only real-time surveillance (without any data recording or transmission to third parties) (ibidem, cit., par. 115). The first level warning signs must also contain a clear reference to the second level of information, for example indicating a website on which it is possible to consult the text of the extended information.
Furthermore, the first level information should be positioned in a way that allows the interested party to easily recognize the circumstances of the surveillance, before entering the monitored area. It is not necessary to reveal the location of the camera, as long as there is no doubt about which areas are subject to surveillance and the context of the surveillance is unequivocally clarified (ibidem, cit., par. 113; see, also, provisions 20 October 2022, no. 341, web doc. no. 9831369; 28 April 2022, no. 162, web doc. no. 9777974, 7 April 2022, no. 119, web doc. no. 9773950, 16 September 2021, no. . 327, web doc. no. 9705650 and 11 March 2021, no. 90, web doc. no. 9582791).
In the present case, the Municipality, in the period in which the reportable inspection reports were issued, used an information sign (see Annex 6 note of the XX) which does not fully comply with the legislation on the protection of personal data. In addition to mentioning generic "security reasons" underlying video surveillance, it does not indicate, in fact, the ways in which the interested parties (i.e. not only the subjects who are accused of an administrative violation, but all the natural persons who enter within the of action of the cameras) can receive complete information on second level processing, nor does it emerge from the documents that the Municipality, in that period, took steps to draw up such complete information and bring it to the attention of the interested parties, for example through publication on the own institutional website. In this regard, the Municipality has, in fact, declared that the complete information on the processing of personal data in the context of video surveillance was published on its institutional website only on XX.
For the sake of completeness, it is specified that from the investigations carried out by the Office (see service report of the XX) it also emerged that on the institutional website of the Municipality an information relating to the "XII-ecology" sector was found, in which, with regard to the legal basis of the processing, it was stated that "the processing of personal data carried out through the use of video surveillance systems has the intention of pursuing a legitimate interest of the Data Controller to guarantee public safety and the public interest, in when the processing is necessary for the execution of a task of public interest or connected to the exercise of public powers vested in the data controller. […] In this case the processing is carried out for the protection of public hygiene and public safety”; “the […] processing [of the images] responds to the need to pursue the interest of protecting people and property from illicit acts (assaults, thefts and robberies) and to collect evidence”.
This information, therefore, was also inadequate, not making reference to the aim pursued in the case in question, which falls within the competence of the Municipality, concerning the verification of conduct sanctioned administratively (see articles 192, "ban on abandonment", and 255 "abandonment of waste", of Legislative Decree no. 152 of 3 April 2006; art. 13, law of 24 November 1981, no. 689) and which must be distinguished from the different areas of "public security" and "public safety" .
It should also be noted that the simplified sign, used by the Municipality, was posted directly on the bin, even in proximity to other signs, thus generating confusion and poor visibility of the same and, therefore, not allowing interested parties to be aware of the presence of the video surveillance system before entering its recording range. In this regard, it is noted that the Municipality's statement regarding the circumstance that "the information signs that were displayed in the places of the ascertained violations were not only those applied to the bins set up for waste collection [...] but also those placed in such a way autonomous and independent on posts adjacent to the areas concerned" (note of the XX) is not reflected in the documentation in the documents, as the Municipality has not produced any element to support this declaration.
Furthermore, it appears from the documents that for the period of November-July 2019 the retention time of the images had been increased from seven to fifteen days, although the interested parties were not informed of this circumstance. On this point, in fact, it was declared (see note of the XX) that "the conservation methods and purposes [...] indicated did not take into account either the temporary extension arranged, or the new purposes underlying the extension itself".
Lastly, with regards to the sign used by the Municipality starting from the month of XX (see Annex 7 note of XX), the existence of an automatic data deletion mechanism is also declared which, on the basis of the documentation in documents, it does not appear to have actually been adopted by the Municipality. Furthermore, as regards the indication of the methods with which interested parties can obtain complete information on the processing of personal data, only the possibility of physically going to an "information desk" at the Municipality headquarters is mentioned, with this having been the possibility for them to easily acquire complete information on the processing of personal data in question is effectively hindered.
For these reasons, the processing of personal data using video devices was carried out by the Municipality in a manner that did not comply with the principle of "lawfulness, correctness and transparency" referred to in art. 5, par. 1, letter. a) and in violation of the obligations set out in articles. 12 and 13 of the Regulation (it is necessary, however, to archive the contested violation of art. 14, considering that the personal data, subject to processing through these video systems, were not acquired from third parties).
3.3 The principles of data minimisation, retention limitation, accountability and protection by design and by default
Pursuant to art. 5, par. 1, letter. c) and e), of the Regulation, personal data must be "adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed" ("data minimization") and "stored in a form that allows identification of the interested parties for a period of time not exceeding the achievement of the purposes for which they are processed" ("limitation of conservation").
Based on the principle of accountability (articles 5, paragraph 2, and 24 of the Regulation), it is up to the data controller to identify the retention times of the images, taking into account the context and purposes of the processing, as well as the risk for rights and the freedoms of natural persons; this unless specific legal provisions expressly provide for certain data retention times (see FAQ no. 5 of the Guarantor regarding video surveillance, cit.). In most cases “taking into account the principles set out in Article 5(1)(c) and (e) of the GDPR, i.e. data minimization and limitation of data retention, personal data should be [ …] deleted after a few days, preferably via automatic mechanisms. The longer the expected retention period is (especially if it exceeds 72 hours), the more well-argued the analysis must be regarding the legitimacy of the purpose and the necessity of conservation" (para. 8, point 121, of the Committee's Guidelines European Data Protection Authority, cit.; see also FAQ n. 5 of the Guarantor, cit.).
In accordance with the principle of data protection by default (pursuant to art. 25, par. 2, of the Regulation), the data controller must implement appropriate technical and organizational measures to ensure that the images taken by video devices are processed, by default, only for the retention period previously defined by it.
Having said this, it is noted, first of all, that, from what was declared by the Municipality, it emerged that the video surveillance system in question was not installed for the sole purpose of preventing and ascertaining so-called illicit acts. administrative by citizens, but also for so-called urban security, or for reasons of prevention and dissuasion of crimes (acts of vandalism, theft, etc.).
Precisely following some acts of vandalism, the Municipality, in the period March - November 2019, increased the retention period of the images taken by the video surveillance system from seven to fifteen days (see note of the XX), in violation of the art. 6, paragraph 8, of the legislative decree. 23 February 2009, n. 11, pursuant to which "the retention of data, information and images collected through the use of video surveillance systems is limited to seven days following the detection, without prejudice to special needs for further conservation".
In this regard, it must be noted that the reference by the Municipality to art. 6, paragraph 8, of the legislative decree. 23 February 2009, n. 11, for the purposes of defining the retention times of videos acquired using video devices, is not entirely coherent, given that, in the context in question, the Municipality was not pursuing purposes related to the so-called urban safety, which is governed by a specific regulatory framework for the sector (see art. 5, paragraph 2, letter a), of the legislative decree. 20 February 2017, n. 14, pursuant to which Municipalities can install video surveillance systems to pursue objectives of "prevention and combating the phenomena of widespread and predatory crime", subject to the stipulation of an agreement for the implementation of urban security with the territorially competent Prefecture). Furthermore, the occurrence of "criminal facts [including] a serious act of intimidation", consisting in the burning of a car belonging to the "Ecology and Environment Sector" of the Municipality, cannot however in itself give rise to a special need to extend the deadline of seven days provided for by the legislative decree 23 February 2009, n. 11, given that in relation to any consequences deriving from conduct of the same nature, as immediately or promptly identifiable, the seven-day deadline provided for by law is certainly adequate in order to be able to ascertain any responsibilities and acquire in the documents of this specific proceeding the necessary images, for investigation purposes, by the competent investigative bodies.
Given that the aforementioned seven-day deadline, defined by the legislative decree 23 February 2009, n. 11, is not applicable in the context of the case, the Municipality, in compliance with the principles of accountability, limitation of conservation and data protection by default, should have defined the maximum retention period for images collected using video devices for the purposes of verification of administrative violations in environmental matters, adequately justifying the choices made.
Furthermore, it emerges from the complaint that the administrative violations were in any case ascertained more than one month after the date on which the images were recorded, therefore the Municipality had in any case retained said images beyond the aforementioned seven-day deadline.
In light of the above, the violation of the principles of "minimization", "limitation of conservation" (art. 5, par. 1, letters c) and e)), "responsibilization" (art. 5, par. 2) is ascertained , of the Regulation, in conjunction with art. 24 of the Regulation) and data protection by design and by default (art. 25 of the Regulation).
3.4 Relationships with data controllers
Pursuant to art. 28, par. 3 of the Regulation, "processing by a data controller must be governed by a contract or other legal act pursuant to 26 Union or Member State law, which binds the data controller to the data controller, which stipulates the subject matter regulated and the duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of interested parties, the obligations and rights of the data controller", and which provides for all the commitments provided for by the same art. . 28, par. 3 of the Regulation (see cons. no. 81 of the Regulation; provision no. 81 of 7 March 2019, web doc. 9121890; provision no. 160 of 17 September 2020, web doc. 9461168, provision no. 294 of 22 July 2021, web doc. 9698724, provision no. 351 of 29 September 2021, web doc. 9716256; provision no. 270 of 21 July 2022, web doc. 9811732).
Having said this, it is noted that, following the outcome of the investigation, it emerged that the Municipality entrusted the task to the company CAT S.r.l. of Ragusa (starting from the XX) and, subsequently, to the individual company Ermeslink of Giovanni Di Stefano (starting from the XX), having as its object specific personal data processing operations, such as the collection and analysis of videos relating to environmental violations, both of an administrative and criminal nature, appointing for this purpose auxiliaries of the Judicial Police the owners of the aforementioned appointed companies.
In the present case, the company CAT Srl of Ragusa participated in the processing in question from 8 August 2017 until December 2019, without its role being defined for the purposes of data protection legislation. In relation to the company Ermeslink, however, which has been entrusted with the service in question since XX, there was a late act of appointment as data protection manager pursuant to art. 28 of the Regulation (determination n. XX of XX).
Nor does it note that the aforementioned companies had been assigned "judicial police" functions, taking into account that the acts adopted for this purpose by the Municipality cannot be considered "agreements" on data protection stipulated between the data controller and data controller, lacking the mandatory elements provided for by the art. 28 of the Regulation.
In light of the foregoing considerations, it is noted that the aforementioned companies participated in the processing of the data in question without their role, before the start of the processing, being correctly defined by the Municipality through the stipulation of a data protection agreement, with consequent violation by the Municipality of the art. 28 of the Regulation.
3.5 Designation of the DPO and publication of contact details
Pursuant to art. 37, par. 1 and 7 of the Regulation, "the data controller and the data processor systematically designate a data protection officer whenever: a) the processing is carried out by a public authority or a public body [...]", and " the data controller or processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority”.
During the investigation, the Municipality declared that it had designated the Data Protection Officer ("DPO") on XX, therefore well after the date on which the Regulation became effective (25 May 2018), attributing the delay to the epidemiological emergency from SARS-CoV-2 and to the circumstance that determined the approval of the tender for the assignment of the task, which was already adopted on 13 August 2019 but "that two tenders were unsuccessful due to lack of of the requirements of the participants".
In this regard, it is specified that the date on which the Regulation became effective precedes the SARS-CoV-2 pandemic and that, pending the conclusion of the procedure for assigning the role of DPO, the holder is in any case required to designate, even temporarily, a DPO possibly also among internal staff (see also the guidance document on the designation, position and duties of the Data Protection Officer (DPO) in the public sector, attached to the provision of 29 April 2021, no. 186, doc. web no. 9589104).
It is also established that the Municipality published the contact details of the DPO on its institutional website on XX, or approximately one month after the date of his designation.
In light of the preceding considerations, the Municipality acted in violation of the art. 37, par. 1 and 7 of the Regulation.
4. Conclusions
In light of the assessments mentioned above, it is noted that the declarations made by the data controller in the defense writings ˗ the truthfulness of which can be called upon to respond pursuant to art. 168 of the Code ˗ although worthy of consideration, do not allow us to overcome the findings notified by the Office with the act of initiating the proceedings and are insufficient to allow the dismissal of the present proceedings, as, moreover, none of the cases provided for by the art. 11 of the Guarantor Regulation n. 1/2019.
It is also stated that for the determination of the applicable rule, from a temporal point of view, the principle of legality referred to in the art. must be referred to in particular. 1, paragraph 2, of the law. n. 689/1981, pursuant to which "laws providing for administrative sanctions apply only in the cases and times considered therein". This determines the obligation to take into consideration the provisions in force at the time of the violation committed, which in the case in question - given the permanent nature of the contested offense - must be identified in the act of cessation of the illicit conduct, which occurred after 25 May 2018, the date on which the Regulation became applicable.
In fact, from the preliminary investigation documents it emerged that the data processing using the video devices in question took place in a manner that did not comply with the regulations on the protection of personal data starting from 8 August 2017 (the date on which it began to the company Cat s.r.l. to provide this service) and appears to have continued until May 2021 as, with the note dated XX the Municipality declared that "it is not currently operational precisely awaiting the adaptation already started which will allow it to be future compliant use".
The preliminary assessments of the Office are therefore confirmed and the illegality of the processing of personal data carried out by the Municipality is noted, for not having provided the interested parties with adequate information on the processing of personal data, for having acted in a manner that does not comply with the principles of data minimization, limitation of storage, responsibility and protection of data from the design stage and for definitive setting, for not having promptly defined the relationships with CAT S.r.l. of Ragusa (starting from the XX) and, subsequently, with the individual company Ermeslink of Giovanni Di Stefano, the data controllers, and for having late designated the DPO and published the contact details relating to the same, in violation of the articles. 5, par. 1, letter. a), c) and e), and par. 2 (in conjunction with art. 24), 12, par. 1, 13, 25, 28 and 37, pars. 1 and 7 of the Regulation.
Violation of the aforementioned provisions makes the administrative sanction applicable pursuant to the articles. 58, par. 2, letter. i), and 83, pars. 4 and 5 of the Regulation itself, as also referred to in the art. 166, paragraph 3, of the Code.
5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letters i and 83 of the Regulation; article 166, paragraph 7, of the Code).
The Guarantor, pursuant to articles. 58, par. 2, letter. i), and 83 of the Regulation as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each single case" and, in this framework, "the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the additional administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code” (art. 16, paragraph 1, of the Guarantor Regulation no. 1/2019).
In this regard, taking into account the art. 83, par. 3, of the Regulation, in this case the violation of the cited provisions is subject to the application of the same pecuniary administrative sanction provided for by the art. 83, par. 5, of the Regulation.
The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in amount, taking due account of the elements provided for by the art. 83, par. 2, of the Regulation.
For the purposes of applying the sanction, it was considered that the processing of personal data in question was carried out in a public place, for a long period of time (from August 2017 to May 2021) and involved a large number of interested parties.
On the other hand, the non-intentional behavior of the violation and the collaboration with the Authority by the Municipality during the investigation are considered. Furthermore, there are no previous relevant violations committed or previous measures referred to in the art. 58 of the Regulation.
Due to the aforementioned elements, evaluated as a whole, it is deemed necessary to determine pursuant to art. 83, par. 2 and 3 of the Regulation the amount of the pecuniary sanction, provided for by the art. 83, par. 5, letter. a) of the Regulation, in the amount of €45,000 for the violation of the articles. 5, par. 1, letter. a), c) and e), and par. 2 (in conjunction with art. 24), 12, par. 1, 13, 25, 28 and 37, pars. 1 and 7 of the Regulation, as a pecuniary administrative sanction deemed effective, proportionate and dissuasive pursuant to art. 83, par. 1, of the same Regulation.
Taking into account that the use of the video devices in question involved public places, implementing a processing of personal data that "allows [to detect] the presence and behavior of people in the space considered" ("Guidelines 3/2019 on the processing of personal data through video devices", par. 2.1, cit.), without the subjects filmed having been fully informed of the processing of personal data carried out, it is believed that the accessory sanction of publication on the Guarantor's website of this document should be applied provision, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019.
Finally, it is believed that the conditions set out in art. 17 of Regulation no. 1/2019.
ALL THIS CONSIDERING THE GUARANTOR
pursuant to art. 57, par. 1, letter. a) and f) of the Regulation, notes the illegality of the processing carried out by the Municipality of Modica, due to the violation of the articles. 5, par. 1, letter. a) c) and e), and par. 2 (in conjunction with art. 24), 12, par. 1, 13, 25, 28 and 37, pars. 1 and 7 of the Regulation, within the terms set out in the justification
ORDER
to the Municipality of Modica, in the person of the pro-tempore legal representative, with registered office in Piazza Principe Di Napoli, 17 - 97015 Modica (RG) – CF 00175500883 – to pay the sum of 45,000 euros as a pecuniary administrative sanction for violations of the articles 5, par. 1, letter. a), c) and e), and par. 2 (in conjunction with art. 24), 12, par. 1, 13, 25, 28 and 37, pars. 1 and 7 of the Regulation, it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;
ORDERS
to the Municipality of Modica to pay the sum of 45,000 euros - in case of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, according to the methods indicated in the annex, within thirty days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law. n. 689/1981;
HAS
the publication of this provision on the Guarantor's website, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019;
the annotation of this provision in the internal register of the Authority, provided for by the art. 57, par. 1, letter. u), of the Regulation, of violations and measures adopted in compliance with the art. 58, par. 2, of the Regulation.
Pursuant to art. 78 of the Regulation, of the articles. 152 of the Code and 10 of Legislative Decree no. 150/2011, it is possible to appeal against this provision before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.
Rome, 18 July 2023
PRESIDENT
Stantion
THE SPEAKER
Ghiglia
THE GENERAL SECRETARY
Mattei
