HDPA (Greece) - 12/2021
|HDPA (Greece) - 12/2021|
|Relevant Law:||Article 5(1)(c) GDPR|
Article 6(1)(f) GDPR
Article 58(2)(g) GDPR
Article 83(2) GDPR
|Parties:||«Ιγνατιάδης Νικόλαος και ΣΙΑ Ε.Ε.»|
|National Case Number/Name:||12/2021|
|European Case Law Identifier:||n/a|
|Original Source:||HDPA (in EL)|
The Greek DPA fined a controller €2000 for violating employees' rights by using a surveillance camera at its premises without a legal basis, and in violation of the principle of data minimisation.
English Summary[edit | edit source]
Facts[edit | edit source]
The complainant made a complaint at the Greek DPA for the implementation of a security camera in his work place. The complainant stated that the camera was focused at his office and was used for surveillance purposes and not for security reasons. The company stated that the camera wasn't focused on the employee's office but was watching the all space especially the entrance of the premises. The DPA requested from the company to provide the documentation that could prove that the camera was not focuses on the complainant's office.
Dispute[edit | edit source]
Was the use of the camera lawful under articles 5 and 6 GDPR?
Holding[edit | edit source]
The DPA held that the use of the camera by the Company cannot be justified in the light of the principle of proportionality. The camera was not focused only on the entrance of the premises but instead it was watching as well the employee's offices, violating the principle of data minimization of the GDPR. Additionally the fact that the director of the company was able to watch in real time at any time the images taken form the camera, could not justify the necessity and emergence of having a surveillance camera for security reasons. based on these facts the DPA imposed a fine of 2000€ to the company for violating articles 5(1)(c) and 6(1) GDPR.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Athens, 07-04-2021 No. Prot.1023 DECISION 12/2021 (Department) The Personal Data Protection Authority met at Composition of the Department via video conference on 17-02-2021 at 10:00, after invitation of its President to consider the case refers to the history hereof. Presented by George Batzalexis, Deputy Chairman, disabled by the President of the Authority Konstantinos Menoudakou, and the alternate members Grigorios Tsolias and Evangelos Papakonstantinou, as rapporteur, replacing the regular members Charalambou Anthopoulos and Konstantinos Lambrinoudakis respectively, who, although they were legally summoned in writing, they did not attend due to obstruction. The regular member Spyridon Vlachopoulos, although legally summoned in writing, did not attend due to obstruction. The meeting was attended by George, chaired by the President Roussopoulos, Specialist Scientist-Auditor as Assistant Rapporteur and Irini Papageorgopoulou, employee of the Administrative Affairs Department of the Authority, as secretary. The Authority took into account the following: With the number prot. Γ / ΕΙΣ / 4943 / 12-07-2019the complaint of Support to the Authority that from July 2018, "Ignatiadis Nikolaos and SIAEE." (hereinafter and "Editor") installed a camera inside its offices 1 1-3 Kifissias Ave., 11523 Athens T: 210 6475 600 • E: email@example.com • www.dpa.gr business, which focused on his workplace. He even reports an incident from which it appears that said camera was used to control ki not for security purposes. The complainant claims that he objected first after installing the camera orally and then in writing with his out-of-court letter dated 22/02/2019. The complaining company was informed about the complaint with the no. prot. C / EX / 4943-1 / 09-08-2019 document of the Authority, with which it was exposed summarize the applicable institutional framework. With this document the company was invited to submit to the Authority its views on both its legitimacy operation of the video surveillance system as well as for the exercise of rights of the complainant as a data subject. The company responded with the document number G / EIS / 6706 / 04-10-2019 stating, among other things, that the camera has been positioned so that it has general view of the space focusing on the entrance of its offices so that it has knowledge of who enters its premises. He states that the camera has placed for safety reasons and not for employee surveillance, as in accounting work, payments of money and securities, while the area is burdened with property offenses. Its owner company is located in an office from which it has no visual contact with the entrance of the office. He also mentions that, in the past, he had an office associate fall victim to theft, but without providing evidence to that effect. As for him complainant, claims that he had not complained about the camera, which he knew, while he did so only after his appeals to the Labor Inspectorate for other issues did not work for him. The Authority with its latest document (with reference number C / EX / 6706-1 / 14-10-2019) asked the company to clarify its answer on the basics technical characteristics related to the operation of the system video surveillance. Specifically, it was requested: a) to determine in which space it has the control unit is installed, b) if there is a possibility of remote internet access and surveillance and for which users, c) and with whom thus ensuring that access to camera images is restricted only 2suitable for authorized persons. Finally, to clarify the scope of the camera, it was requested to provide a sample image, in electronic form and at the highest possible resolution based on the characteristics of the device, so that the supervised space emerges. The complaining company replied to the Authority with reference number. Γ / ΕΙΣ / 7347 / 28-10-2019 its document, while following the reference number Γ / ΕΞ / 7347- 1 / 15-11-2019 document of the Authority provided a detailed sample image from internal memory of the camera and from the mobile phone of its owner, meto document no. G / EIS / 8057 / 21-11-2019. With these documents states that the system does not have a logger, but transmits an image exclusively on the cell phone of the company owner, who is the only one can see the images via password. Access is also guaranteed due of the fact that a legal representative of the company is connected to the internet by separate internet supply line. The camera has minimal capability not used in internal memory. From the specifications of the equipment provided by the complainant company It turns out that an innovator HD smart WiFi camera is used, while the used memory card has a capacity of 16Gb. μο submitted camera manual, can capture video in resolution 720p, has a built-in microphone and speaker, has control software for both smartphones and PCs with Windows operating system. Following the above, the Authority proceeded to call the company for section meeting, initially with reference number C / EX / 1806 / 09-03-2020 its document for 18-03-2020 and after the postponement of the meeting, for 15- 07-2020, with its document no. G / EX / 4486 / 29-06-2020. company was informed that during the examination of the case the legality of the operation of the video surveillance system on the premises and that it must provide any document documenting the compliance with the principles governing the lawful processing of data personal. At the meeting of 15-07-2020, the complained company was present, through B. 3 and the attorney Konstantinos Vervesos, while after receiving deadline for submission by prot.pr / EIS / 5313 / 29-07-2020 memorandum. With this, the company confirms what it had stated in its previous documents. Briefly, in relation to the video surveillance system, it states that the system was placed for security reasons as in the area (Acharnes Attica) is crime is high. The camera was mounted on a wardrobe in order to control the entry of offices and not for the purpose of surveillance staff, and was never used for the latter purpose. The signal was transmitted on the mobile phone of the legal representative of the company for facility safety. Due to a malfunction, the camera has also been removed no longer works. The company considers that the complaint is false and was made to revenge by the complainant after his departure and its dissolution employment contract. The Authority, after examining the data in the file, after hearing him rapporteur and clarifications from the assistant rapporteur, who attended without and withdrew after the discussion of the case and before the conference and decision-making, after a thorough discussion, THOUGHT ACCORDING TO THE LAW 1. According to art. 4 items 1 of the General Regulation of Protection Data 2016/679 (hereinafter referred to as "GKPD"), the audio and video data, if refer to persons, constitute personal data. Further, the capture of a face image, which is collected by a system video surveillance, operating permanently, continuously or at regular intervals intervals, indoors or outdoors, recommends the processing of personal data in accordance with art. 4 item 2 of the GCC. 2. Article 5 of the GPA sets out the processing principles governing processing of personal data. Specifically, it is defined in 4paragraph 1 that personal data, including: '(a) are processed lawfully and lawfully in a transparent manner in relation to data subject ("legality, objectivity, transparency"), (…), c) are appropriate, relevant and limited to what is necessary for their purposes processed ("data minimization") (…), f) processed in such a way as to guarantee adequate safety of personal data, including their protection against non authorized or illegal processing and accidental loss, destruction or wear, using appropriate technical or organizational measures ("Integrity and Confidentiality"). " 3. Article 6 par. 1 GCP provides, inter alia, that: “H. processing is only legal if and when at least one of the the following conditions: (...) (f) processing is necessary for the purposes of the legal interests pursued by the controller or a third party, except if the interests or the fundamental ones prevail over these interests rights and freedoms of the data subject enforcing the protection of personal data (...) ". Further, according to the reporting authority (Article 6 (2) GCC) the controller responsibility and is able to demonstrate compliance with the above principles. 4. The Authority has issued on the issue of the use of systems video surveillance for the purpose of protecting persons and property No 1/2011 Directive of the Authority, the provisions of which shall apply to in combination with the new provisions of GKPD and law 4624/2019, by which measures for the implementation of the GPA are defined. It is pointed out in this case that in specific case, Law 4624/2019 does not apply, as the under consideration termination concerns a period before its implementation. The European The Data Protection Council issued guidelines No. 3/2019 lines 1 on the processing of personal data via video recorder.The text itself provides detailed guidance on how the GCP applies in relation to the use of cameras for various purposes.Basic 1 https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32019-processing- personal-data-through-video_el 5condition for the legality of processing through a system Video surveillance is the observance of the principle of proportionality, as it is specializes in articles 6 and 7 of the above Directive, but also in the Special Part her. In particular, Article 7 of the Directive states that the system video surveillance should not be used for surveillance employees, except in special exceptional cases such as these specified in the Directive. As an example it is mentioned that, in a typical space business offices, video surveillance should be limited to areas entry and exit, without supervising specific office rooms or corridors. Exceptions may be specific sites, such as cash registers or areas with safes, electromechanical equipment, etc., provided that cameras focus on the good they protect and not on their premises employees. Furthermore, in accordance with Article 19 (2) of the aforementioned Directive, which specifies the principle of proportionality in shopping malls and stores, cameras may be placed at their entry and exit points stores, cash registers and safes, warehouses goods, while, according to article 19 par. 4 of the same Directive, The operation of cameras in restaurants and leisure areas is prohibited laboratories, toilets and places where employees work store and are not accessible to the public. Furthermore, in Article 11 of Directive 1/2011 of the Authority states that the controller must, between among others, to take care to avoid irrational use of projection screens, and avoid disseminating the material to illegal recipients. 5. In this case, the use of the camera by Complained company can not be documented adheres to its principle proportionality. In particular, from the documents of the case file and especially photographs depicting the range of the camera it is found that a picture of the whole space is taken, without taking it is limited at the entrance. There is therefore a breach of the principle of minimization of the data, including a picture of employees leaving, who they are 6 office spaces, in which, as a rule, no money is made transactions, but accounting work. Further, it turned out to exist Ability to monitor the camera in real time by its director mobile company, even though he was absent from his facilities. This surveillance is not an appropriate means of protecting persons and goods, as it is practically impossible for the owner to intervene or preventively, either repressive while increasing the risk of using the material for another purpose, as for employee supervision. This processing, with the possibility supervision of the site by the business owner, at all times, and in fact without the existence of an incident that indicates an increased risk (e.g. alarm), infringes excessively on the rights of supervised persons, including "vulnerable" persons such as employees, therefore it is carried out in violation of article 6 par. 1 f of the GKPD. From the other components and specifications of the camera show that it does not there was the possibility of receiving audio, as claimed in the complaint, while no it turned out that there was recording, although there was the possibility of recording a few hours to a day, depending on the type of video image compression. 6. The Authority shall, without prejudice to the fact that it is responsible for processing did not submit evidence of the legality of the processing, while such information requested. As a mitigation it takes into account that it is very small company (as shown by the number of employees), that according to company statement the camera is no longer working, that it turned out to exist other kind of dispute which does not concern personal data, that is the first violation for this company and finally, the unfavorable one economic situation due to the Covid-19 pandemic. 7. Based on the above, the Authority unanimously agrees with Article 5 par. 1 c and article 6 par. 1f of the GCPD the conditions for enforcement are met to the detriment of the controller, based on article 58 par taking into account the criteria of article 83 par. 2 of the GCP, of the administrative ratification, referred to in the operative part of this, which is deemed appropriate with the gravity of the infringement. 7 FOR THESE REASONS The Authority imposes on "Ignatiadis Nikolaos and Co. EE" the effective, proportionate and dissuasive administrative fine appropriate to specific case according to its more specific circumstances, amounting to two thousands of euros (2,000.00) euros, for the above violations Article 5 (1) (c) and Article 6 (1) (f) of Regulation (EU) 2016/679. The Deputy Chairman The Secretary George Batzalexis Irini Papageorgopoulou 8