HDPA (Greece) - 50/2022: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Greece |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoGR.jpg |DPA_Abbrevation=HDPA |DPA_With_Country=HDPA (Greece) |Case_Number_Name=Dec...") |
(Short summary: • When a fine is imposed, mention it in the short summary • Otherwise well written short summary that mentions the most important takeaways from the decision, however I made it focus more on the specific GDPR violations in this case. d Facts: • Added more details to the facts, such as what was the purpose of the surveillance system, what were the arguments submitted by the controller • Assign GDPR roles to the parties involved – who was the data subject/complainant and who is the) |
||
| Line 79: | Line 79: | ||
}} | }} | ||
The | The Greek DPA imposed a €15,000 fine on a private school for installing a video surveillance system which, among others, did not respect the purpose limitation and accountability principles. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The | A former teacher (the data subject) at a private primaryschool (the controller) submitted a complaint to the Greek DPA regarding a video surveillance system in the classrooms, which had been recording them without knowledge or consent. The DPA started proceedings to examine the legality of the operation of the system. | ||
The controller submitted that the video surveillance system had been operating since 2007 in order to provide direct visual contact with dangerous places for students (courtyard, balconies) and to discourage possible intruders. According to the controller, persons with access to the transmitted video were the principal, owner and president of the school, via a computer located in their office. Moreover, persons entering the site were informed by signs and verbally about the existence of the video cameras. Similarly, teachers were informed about it verbally, allegedly with no objections. The controller stated that the legal basis for the processing of personal data related to the video cameras was legitimate interest. | |||
In its decision, the DPA considered the legal basis for processing as well as compliance with general data processing principles and data subject rights. | |||
=== Holding === | === Holding === | ||
First, the DPA held that information to parents and employees on the operation of the system was incomplete because, according to the controller, it was given orally, in violation of [[Article 5 GDPR|Articles 5(1)(a) and (b)]] as well as [[Article 12 GDPR|Articles 12]] and [[Article 13 GDPR|13 GDPR]]. The controller was not able to prove that such information was given nor which categories of persons were informed. In particular, the DPA noted that children were not appropriately protected in this regard. | |||
Second, the DPA stated that the principle of purpose limitation ([[Article 5 GDPR|Article 5(1)(b) GDPR]]) was not respected, since the access to the transmitted image by the manager and employees, that is officially unauthorised parties, did not ensure that the purpose of the processing was exclusively the protection of persons and property. | |||
Thrid, the principle of accountability ([[Article 5 GDPR|Article 5(2) GDPR]]) was not respected because the controller did not keep activity records for the processing of personal data through the video surveillance system, but only provided them after the hearing. | |||
Fourth, with regards to the legal basis for processing, the DPA held that the controller had not ensured that there was an overriding legitimate interest for the installation of cameras to justify the interference with fundamental rights and freedoms of persons, as required by [[Article 6 GDPR|Article 6(1)(f) GDPR]]. The DPA reasoned that the controller's educational establishment was not so large as to justify the need to monitor remote points of the premises by using surveillance cameras instead of milder means. Hence, there was no valid legal basis for the operation of the system. | |||
Considering the above-mentioned violations, the DPA ordered the controller to uninstall the cameras within one month of the receipt of the notice. Furthemore, the DPA used its powers under [[Article 58 GDPR|Article 58(2)(i) GDPR]] and imposed a €15,000 fine on the controller. | |||
== Comment == | == Comment == | ||
Revision as of 14:41, 4 November 2022
| HDPA - Decision 50/2022 | |
|---|---|
 | |
| Authority: | HDPA (Greece) |
| Jurisdiction: | Greece |
| Relevant Law: | Article 5(1)(b) GDPR Article 5(1)(a) GDPR Article 5(2) GDPR Article 6(1)(f) GDPR Article 12 GDPR Article 13 GDPR Article 30 GDPR Guidelines 3/2019 on processing of personal data through video devices Law 4624/2019 |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 09.09.2022 |
| Published: | 09.09.2022 |
| Fine: | 15.000 EUR |
| Parties: | Private school Individual-Ex-employee |
| National Case Number/Name: | Decision 50/2022 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Greek |
| Original Source: | Hellenic DPA (in EL) |
| Initial Contributor: | Anastasia Tsermenidou |
The Greek DPA imposed a €15,000 fine on a private school for installing a video surveillance system which, among others, did not respect the purpose limitation and accountability principles.
English Summary
Facts
A former teacher (the data subject) at a private primaryschool (the controller) submitted a complaint to the Greek DPA regarding a video surveillance system in the classrooms, which had been recording them without knowledge or consent. The DPA started proceedings to examine the legality of the operation of the system.
The controller submitted that the video surveillance system had been operating since 2007 in order to provide direct visual contact with dangerous places for students (courtyard, balconies) and to discourage possible intruders. According to the controller, persons with access to the transmitted video were the principal, owner and president of the school, via a computer located in their office. Moreover, persons entering the site were informed by signs and verbally about the existence of the video cameras. Similarly, teachers were informed about it verbally, allegedly with no objections. The controller stated that the legal basis for the processing of personal data related to the video cameras was legitimate interest.
In its decision, the DPA considered the legal basis for processing as well as compliance with general data processing principles and data subject rights.
Holding
First, the DPA held that information to parents and employees on the operation of the system was incomplete because, according to the controller, it was given orally, in violation of Articles 5(1)(a) and (b) as well as Articles 12 and 13 GDPR. The controller was not able to prove that such information was given nor which categories of persons were informed. In particular, the DPA noted that children were not appropriately protected in this regard.
Second, the DPA stated that the principle of purpose limitation (Article 5(1)(b) GDPR) was not respected, since the access to the transmitted image by the manager and employees, that is officially unauthorised parties, did not ensure that the purpose of the processing was exclusively the protection of persons and property.
Thrid, the principle of accountability (Article 5(2) GDPR) was not respected because the controller did not keep activity records for the processing of personal data through the video surveillance system, but only provided them after the hearing.
Fourth, with regards to the legal basis for processing, the DPA held that the controller had not ensured that there was an overriding legitimate interest for the installation of cameras to justify the interference with fundamental rights and freedoms of persons, as required by Article 6(1)(f) GDPR. The DPA reasoned that the controller's educational establishment was not so large as to justify the need to monitor remote points of the premises by using surveillance cameras instead of milder means. Hence, there was no valid legal basis for the operation of the system.
Considering the above-mentioned violations, the DPA ordered the controller to uninstall the cameras within one month of the receipt of the notice. Furthemore, the DPA used its powers under Article 58(2)(i) GDPR and imposed a €15,000 fine on the controller.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
