HDPA (Greece) - 50/2022: Difference between revisions

From GDPRhub

Revision as of 15:53, 8 November 2022

HDPA - Decision 50/2022
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(b) GDPR
Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 6(1)(f) GDPR
Article 12 GDPR
Article 13 GDPR
Article 58(2)(i) GDPR
Guidelines 3/2019 on processing of personal data through video devices
Law 4624/2019
Type: Complaint
Outcome: Upheld
Started:
Decided: 09.09.2022
Published: 09.09.2022
Fine: 15.000 EUR
Parties: Private school
Individual-Ex-employee
National Case Number/Name: Decision 50/2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: Hellenic DPA (in EL)
Initial Contributor: Anastasia Tsermenidou

The Greek DPA imposed a €15,000 fine on a private school for installing a video surveillance system which, among other things, did not respect the purpose limitation and accountability principles.

English Summary

Facts

A former teacher (the data subject) at a private primary school (the controller) submitted a complaint to the Greek DPA regarding a video surveillance system in the classrooms, which had been recording them without their knowledge or consent. The DPA started proceedings to examine the lawfulness of the processing.

The controller submitted that the video surveillance system had been operating since 2007 in order to provide direct visual contact with dangerous places for students (courtyard, balconies) and to discourage possible intruders. According to the controller, persons with access to the transmitted video were the principal, owner and president of the school, via a computer located in their office. Moreover, persons entering the site were informed by signs and verbally about the existence of the video cameras. Similarly, teachers were informed about it verbally, allegedly with no objections. The controller stated that the legal basis for the processing of personal data related to the video cameras was legitimate interest.

In its decision, the DPA considered the legal basis for processing as well as compliance with general data processing principles and data subject rights.

Holding

First, the DPA held that information to parents and employees on the operation of the system was incomplete because, according to the controller, it was given orally, in violation of Articles 5(1)(a) and (b) as well as Articles 12 and 13 GDPR. The controller was not able to prove that such information was given nor which categories of persons were informed. In particular, the DPA noted that children were not appropriately protected in this regard.

Second, the DPA stated that the principle of purpose limitation (Article 5(1)(b) GDPR) was not respected, since the access to the transmitted image by the manager and employees, that is officially unauthorised parties, did not ensure that the purpose of the processing was exclusively the protection of persons and property.

Third, the principle of accountability (Article 5(2) GDPR) was not respected because the controller did not keep activity records for the processing of personal data through the video surveillance system, but only provided them after the hearing.

Fourth, with regard to the legal basis for processing, the DPA held that the controller had not ensured that there was an overriding legitimate interest for the installation of cameras to justify the interference with fundamental rights and freedoms of persons, as required by Article 6(1)(f) GDPR. The DPA reasoned that the controller's educational establishment was not so large as to justify the need to monitor remote points of the premises by using surveillance cameras instead of milder means. Hence, there was no valid legal basis for the operation of the system.

Considering the above-mentioned violations, the DPA ordered the controller to uninstall the cameras within one month of the receipt of the notice. Furthermore, the DPA used its powers under Article 58(2)(i) GDPR and imposed a €15,000 fine on the controller.

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Ave. Kifissias 1-3, 11523 Athens, Greece, T: 210 6475 600 - E: contact@dpa.gr -
www.dpa.gr 2
"Iordanakeion Modern Schools SA" had surveillance cameras in the classrooms and
was recorded repeatedly without having knowledge of the existence of the cameras
and without its consent.
The Directorate of Primary Education D' Athens by document No.
G/EIS/8305/21-12-2021 also transmitted to the Authority a complaint of a ... teacher
with the same content.
The Authority sent a letter to the complainant company, No.G/EΞ/3/07-01-
2022, informing it about the applicable legal framework, namely Regulation (EU)
2016/679 on the protection of natural persons with regard to the processing of
personal data (hereinafter "GDPR"), Law No. 4624/2019, Directive 1/2011, and
Guideline 3/20191 of the EDPS on the processing of personal data through video
capture devices. A specific questionnaire was included in the document in order to
examine the accountability obligations of the GDPR with regard to the processing of
personal data through the operation of a video surveillance system.
The complainant company responded with the document No. G/EIS/1686/03-
02-2022 in which it states, among other things, that the video surveillance system
has been operating since 2007 in order to provide direct visual contact with
dangerous places for students (courtyard, balconies) and to discourage would-be
destroyers/intruders. These are fixed cameras, they do not transmit sound and the
transmitted image is not recorded. The locations and fields of view of the cameras
include the ground floor, exterior and courtyard areas and fields of the adjacent
sports facilities, the exterior corridors on the balconies of the three floors, the
exterior courtyard area of the 4th floor, and the school auditorium. Access
to the transmitted image has the principal, owner and president of the school, via a
computer located in his office. The owner and president of the school made the
decision to install the system.
1 https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32019-processing-personal-data-through-video_el
Natural persons entering the site are informed by signs and verbally about
the existence of the video surveillance system. Teachers shall be informed at the
time of their recruitment. Attached are teachers' affidavits, dated 21-1-2022, in
which they certify that they are aware of and have no objection to the video
surveillance system and that there are no cameras in the classrooms. He finally
stated that he does not keep records of activities.
Subsequently, in order to complete its examination of the case, the Authority
invited the complainant company by letter No. C/EXE/434/15-02-2022 to the
meeting of the Department on 2-3-2022. Present at this meeting were, Millas
Dimitrios, with ID ..., A, ... ... and B, ... ... ...
Following the meeting, the complainant company submitted a request for a
hearing, ref. C/EIS/4348/15-3-2022, in which, in addition to the reference to the
mode of operation of the video surveillance system, the following additional
information was submitted: (a) a resolution of the Teachers' Association dated 04-
03-2022, which shows that the elementary - high school grades concerned by the
said system have been consulted with the owner, informed and accept the decision
of the owner - the competent representative body of the Company to operate a
video surveillance system without data recording; (b) a data protection impact
assessment (DIA), which assesses the use of the video surveillance system on the
legal basis of the overriding legitimate interest in the protection of property and
health and which documents the lawfulness of each camera; c) activity records in
accordance with the Authority's template, in electronic form; d) notification texts to
staff on the principles of GDPR in general, on the type of data processed by the
complainant company as a controller under the contract
the specific legal basis for video surveillance without keeping an image file, the rights
of workers and how to exercise them.
The Authority, after considering the evidence on the file, after hearing the
rapporteur and clarifications from the co-rapporteur, who was present without the
right to vote, after an extensive discussion,
THOUGHT IN ACCORDANCE WITH THE LAW
1. The installation and operation of video surveillance systems with the capture
and/or recording of images and/or sound through the collection, preservation,
storage, access and transmission of personal data, constitute, as individual
processing operations, interference with the individual rights to respect for
privacy under Art. 9 S., 7 TFEU2 and 8 ECHR as well as the protection of personal
data pursuant to Articles 5 S., 7 CPC and 8 ECHR. 9A CP, 8 ECHR and 8 TFEU3, as
considered by the Authority in its Opinion No 3/2020.
2. In accordance with the CPCS Guidelines 3/2019 on the processing of personal
data through video devices4, in order to determine the lawfulness of the
installation and operation of the video surveillance system, the cumulative
requirements of Articles 5 and 6 para. 1 GDPR and the legality of the processing
must be documented internally at an earlier stage of the installation and
operation of the system and, in fact, when determining the purpose of the
processing, a relevant assessment may be required for each camera separately,
depending on its location. In particular, these Guidelines set out the following: "α
(...) 5. Video surveillance is by definition not necessary if other means are
available to achieve the
2 CJEU Digital Rights Ireland para. 29.
3 CJEU Digital Rights Ireland para. 38.
4 https://edpb.europa.eu/our-worktools/ourdocuments/guidelines/guidelines-32019-processing-personal-data-through-video_el
and 5 par. 2(b) of the GDPR, because the complainant is not able to prove that
such oral information was given and even if it is accepted that oral information
was given, it does not cover every category of subjects, in particular children,
employees and visitors to the premises, not meeting the requirements of
transparency and accountability.
8. The principle of purpose limitation is not respected, since the access to the
transmitted image by the manager and employer does not clearly show or
technically ensure that the purpose of the processing is exclusively the protection
of persons and property.
9. The principle of accountability was not respected with regard to documentation
through the keeping of activity records, in breach of Articles 5(5)(a) and (b) of the
EC Treaty. The controller did not keep activity records for the processing of
personal data through the video-surveillance system, but only provided them
after the hearing.
10. In the light of the above, the Authority considers that it is appropriate to exercise
the remedies provided for in Article 58(1) of the EEA Agreement. 2 of the GDPR
in relation to the infringements found. The Authority also considers that, in the
light of the circumstances found, it is appropriate to impose, in application of the
provision of Article 58(1) of the GGC, a fine in accordance with the provisions of
Article 58(1) of the GGC. 2(i) of the GDPR, the effective, proportionate and
dissuasive administrative fine provided for in Article 83 of the GDPR, both to
remedy compliance and to punish the unlawful conduct.
11. Furthermore, the Authority took into account the criteria for the calculation of
the fine set out in Article 83(1)(a) of the EEA Agreement. 2 of the GDPR,
paragraph 5(a) and (b) of the same article, which have
applicable in present case and the Guidelines on the
application and determination of administrative fines for the purposes of
Regulation 2016/679 adopted on 03- 10-2017 by the Article 29 Working Party (WP
253), as well as the facts of the case under consideration, in particular:
(a) the nature, gravity and duration of the infringement, in view of the nature,
gravity and duration of the infringement;
the scope or purpose of the processing in question, as well as the number of data
subjects affected by the breach and the degree of damage suffered by them, and in
particular:
i. the fact that the controller has infringed the obligations laid down in Article
5(5)(a) and (b); 1(a) of the GDPR, the principles of legality, objectivity and
transparency and, in addition, the principle of purpose limitation under Article
5(1)(a) of the GDPR. 1(b) and the obligation (principle) of accountability under
Article 5(1)(b). 2 of the GDPR, that is to say, it has infringed the fundamental
principles of the GDPR on the protection of personal data,
ii. the fact that compliance with the principles laid down by the provisions of
Article 5(5)(a)(ii) of the Directive. 1(a) and (b). 2 of the GDPR are of fundamental
importance, first and foremost the principle of lawfulness, objectivity and
transparency, so that if that principle is lacking, the processing becomes unlawful
in principle, even if the other processing principles have been complied with.
Similarly, both the purpose limitation principle and the principle of accountability
in the context of the new compliance model introduced by the GDPR, where the
burden of compliance and responsibility lies with the controller, who has been
provided by the GDPR with the necessary compliance tools,
iii. the fact that the controller has failed to comply with the requirements of the
processing principles in Article 5(5); 1(a) and (b) of the GDPR and, in addition,
failed to document in the context of compliance the lawfulness of the video
surveillance system,
iv. the fact that the infringement of the above principles is subject to the
provisions of Article 83 para. 5(a) of the GDPR to the highest category provided
for in the system of graduated administrative fines,
v. the fact that, from the information brought to the attention of the Authority,
no material damage to the data subjects has occurred,
vi. the fact that the infringement of the principles of Article 5(5)(b) of the ECHR is
not justified. 1(a), (b) and (c). 2 of the GDPR did not apply, on the basis of the
evidence brought to the Authority's attention,
personal data under Articles 9 and 10 of the GDPR, but concerns children, who
require specific protection with regard to personal data (recital 38 and Article
6(1)(f) of the GDPR).
vii. the fact that the system and the cameras in question had been installed and
operated illegally since 2007, while even after the application of the GDPR no
compliance action was found until the Authority's intervention; b) the degree of
fault of the controller. The installation and operation of the video surveillance
system in violation of the principles of legality, objectivity and transparency,
purpose limitation as well as accountability was the result of insufficient
knowledge and application of the provisions of the GDPR attributable to
negligence and therefore mitigating circumstances are taken into account in
relation to the possibility that it may have occurred fraudulently.
(c) any actions taken by the controller to mitigate the damage suffered by data
subjects and the extent of cooperation with the Authority to remedy the breach
and mitigate its possible adverse effects. The complainant took steps to document
the processing and comply with the GDPR after the hearing and its cooperation
with the Authority has been satisfactory.
(d) any relevant previous infringements by the controller. An audit shows that the
complainant company has not yet been subject to an administrative sanction by
the Authority.
(e) the categories of personal data affected by the breach. It is not personal data
within the meaning of Articles 9 and 10 of the GDPR, according to the information
brought to the attention of the Authority, but it concerns children, who require
specific protection with regard to personal data (recital 38 and Article 6(1)(f) of
the GDPR).
(f) the size of the company.
In the light of the above, the Authority unanimously considers that the following
should be imposed on
the complainant company as controller, the administrative penalty referred to in the
operative part of the decision, which shall be proportionate to the gravity of the
infringement.
FOR THESE REASONS
The Authority
Α. Instructs the complainant company named "Iordanakeion Modern Schools SA" as
the controller, to uninstall the cameras within one (1) month from the receipt of this
notice and to inform the Authority in writing.
Β. Impose on the complainant company named "Iordanakion Modern Educational
Schools SA" the effective, proportionate and deterrent administrative fine
appropriate in this case, according to the specific circumstances of this, amounting to
fifteen thousand (15.000,00) euros for the above violations of Articles 5 par. 1(a), 5
par. 1(b) and 5(1)(b) and 5(b). 2, and Articles 6, 12, 13 and 30 of the GDPR.