IMY (Sweden) - DI-2018-22697: Difference between revisions

From GDPRhub
 
(5 intermediate revisions by 2 users not shown)
Line 58: Line 58:
}}
}}


The Swedish DPA fined a fire department €34 555 (SEK 350 000) for installing CCTV cameras that monitored firefighters in a way that was more intrusive than necessary.
The Swedish DPA fined a fire department €34,555 (SEK 350 000) for installing CCTV cameras that monitored firefighters in a way that was more intrusive than necessary.
 
== English Summary ==


== Facts ==
== Facts ==
The firefighting Rescue Service of Eastern Skaraborg (Räddningstjänsten Östra Skaraborg) started CCTV monitoring of 8 fire stations in March-April 2015 until May 6, 2021. The CCTV cameras monitored the fire trucks' storage hall where employees change into firefighters' clothes when responding to an emergency.
The firefighting, Rescue Service of Eastern Skaraborg (Räddningstjänsten Östra Skaraborg) started using CCTV cameras to monitor 8 fire stations from March/April 2015 to May 6th, 2021. The CCTV cameras monitored the fire trucks' storage hall, where employees change into firefighters' clothes when responding to an emergency.


The CCTV surveillance was in operation around the clock. The video stream was not recorded, but the operator in the command center could maneuver the camera and also activate the microphone to interact with the firefighters. Each time the microphone was activated, a light came on.
The CCTV surveillance was in operation around the clock. The video stream was not recorded, but the operator in the command center could maneuver the camera and also activate the microphone to interact with the firefighters. Each time the microphone was activated, a light came on.
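Review bot: The revised Facts sentence introduces a stray comma after "The firefighting", which separates that word from "Rescue Service of Eastern Skaraborg"; drop the comma. In the same hunk the headline fine now mixes separators ("€34,555" beside "SEK 350 000"), so one thousands separator should be chosen for both amounts.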
Line 74: Line 72:


=== Did the CCTV require a permit? ===
=== Did the CCTV require a permit? ===
First, the DPA examined whether the CC -TV required a permit. [https://www.riksdagen.se/sv/dokument-lagar/dokument/svensk-forfattningssamling/kamerabevakningslag-20181200_sfs-2018-1200 The Swedish Camera Surveillance Act (kamerabevakningslagen)], which contains supplementary rules to the GDPR, sometimes requires a permit for the use of CCTV. [https://www.riksdagen.se/sv/dokument-lagar/dokument/svensk-forfattningssamling/kamerabevakningslag-20181200_sfs-2018-1200#P7 7 § of the Camera Surveillance Act] requires a permit if the surveillance is carried out by a public authority and if the surveillance is of a "place to which the public has access". The DPA concluded that a fire station is not a place to which the public has access and that the Rescue Service did not need a permit for CCTV.
First, the DPA examined whether the CCTV cameras required a permit. [https://www.riksdagen.se/sv/dokument-lagar/dokument/svensk-forfattningssamling/kamerabevakningslag-20181200_sfs-2018-1200 The Swedish Camera Surveillance Act (kamerabevakningslagen)], which contains supplementary rules to the GDPR, sometimes requires a permit for the use of CCTV. [https://www.riksdagen.se/sv/dokument-lagar/dokument/svensk-forfattningssamling/kamerabevakningslag-20181200_sfs-2018-1200#P7 7 § of the Camera Surveillance Act] requires a permit if the surveillance is carried out by a public authority and if the surveillance is of a "place to which the public has access". The DPA concluded that a fire station is not a place to which the public has access and that the Rescue Service did not need a permit for CCTV.


=== Was there a legal basis? ===
=== Was there a legal basis? ===
The DPA considered whether there was a legal basis in [[Article 6(1)(e) GDPR]] for processing data for the performance of a task carried out in the public interest. On the one hand, the DPA found that the monitoring of staff who are in a vulnerable position is intimate, intrusive, and constant. However, given the particular role that society has given to the Rescue Service and the need for the command center to be able to effectively manage and organize a response to an emergency, the DPA found that there was a legal basis for the processing
The DPA considered whether there was a legal basis in [[Article 6 GDPR|Article 6(1)(e) GDPR]] for processing data for the performance of a task carried out in the public interest. On the one hand, the DPA found that the monitoring of the staff who are in a vulnerable position, in this case was constant, intimate, and intrusive. However, given the particular role that society has given to the Rescue Service and the need for the command center to be able to effectively manage and organize a response to an emergency, the DPA found that there was a legal basis for the processing.


=== Fairness and data minimization ===
=== Fairness and data minimization ===
Next, the DPA considered whether the monitoring complied with the principle of lawfulness, fairness and transparency under [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]]. The DPA referred to the preparatory work of the Swedish GDPR Implementation Act when it noted that the legislator intended that the proportionality of the monitoring must be assessed by balancing the conflicting interests, even if a legal basis exists. The DPA recognised that the employer had very strong reasons justifying the surveillance. Nevertheless, the DPA considered that the surveillance was too wide-ranging. Firefighters were monitored in places where they changed, without censorship or demarcation.
Next, the DPA considered whether the monitoring complied with the principle of lawfulness, fairness and transparency under [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]]. The DPA referred to the preparatory work of the Swedish GDPR Implementation Act when it noted that the legislator intended that the proportionality of the monitoring must be assessed by balancing the conflicting interests, even if a legal basis exists. The DPA recognised that the employer had very strong reasons justifying the surveillance. Nevertheless, the DPA considered that the surveillance was too wide-ranging. Firefighters were monitored in places where they changed clothes, without censorship or demarcation.


The DPA also investigated whether the Rescue Service had practiced data minimisation under [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]. The DPA found that the purposes of the monitoring were legitimate, but that the means chosen were too intrusive and breached the principle of data minimisation.
The DPA also investigated whether the Rescue Service had practiced data minimisation under [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]. The DPA found that the purposes of the monitoring were legitimate, but that the means chosen were too intrusive and breached the principle of data minimisation.
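Review bot: In the revised "Was there a legal basis?" paragraph, the clause "the monitoring of the staff who are in a vulnerable position, in this case was constant, intimate, and intrusive" places a comma between subject and verb and leaves "in this case" dangling. Suggest "in this case the monitoring of staff, who are in a vulnerable position, was constant, intimate, and intrusive".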
Line 89: Line 87:
Finally, the DPA assessed whether the monitoring data was adequately protected. The CCTV were monitored live from the command center. The command center had 29 staff, 6 of whom held the position of inner command and were authorized to view the camera stream. The Rescue Service stated that it was possible for any employee present in the command center to view the camera stream and witness what was going on at a particular fire station. The Rescue Service had also not issued any guidelines regarding the monitoring of the CCTV.
Finally, the DPA assessed whether the monitoring data was adequately protected. The CCTV were monitored live from the command center. The command center had 29 staff, 6 of whom held the position of inner command and were authorized to view the camera stream. The Rescue Service stated that it was possible for any employee present in the command center to view the camera stream and witness what was going on at a particular fire station. The Rescue Service had also not issued any guidelines regarding the monitoring of the CCTV.


The DPA acknowledged that it is sometimes warranted to allow a wider range of command staff to view the CCTV. However, given the nature, scope, and intrusiveness of the monitoring of the CCTV, the DPA held that the Rescue Service was at fault for not issuing guidance. The DPA stated that the more sensitive the processing, the higher the data protection requirements. The lack of policies could have led the staff of command center to monitor firefighters more than was necessary and lawful. The DPA found that the Rescue Service had breached [[Article 32 GDPR#1|Article 32(1) GDPR]] and [[Article 32 GDPR#4|Article 32(4) GDPR]] by failing to take the necessary organizational measures. For this, the DPA imposed a fine of SEK 50 000.
The DPA acknowledged that it is sometimes warranted to allow a wider range of command center staff to view the CCTV. However, given the nature, scope, and intrusiveness of the monitoring of the CCTV, the DPA held that the Rescue Service was at fault for not issuing guidance. The DPA stated that the more sensitive the processing, the higher the data protection requirements. The lack of policies could have led the staff of command center to monitor firefighters more than was necessary and lawful. The DPA found that the Rescue Service had breached [[Article 32 GDPR#1|Article 32(1) GDPR]] and [[Article 32 GDPR#4|Article 32(4) GDPR]] by failing to take the necessary organizational measures. For this, the DPA imposed a fine of SEK 50 000.


=== Fines overview ===
=== Fines overview ===
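Review bot: The revised Article 32 paragraph fixes "command staff" but still reads "the staff of command center", and the unchanged context line above it still reads "The CCTV were monitored live". Add the missing article and noun ("the staff of the command center", "The CCTV cameras were monitored live") in the same edit.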

Latest revision as of 12:01, 15 September 2021

IMY (Sweden) - DI-2018-22697
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 6(1)(e) GDPR
Article 32(1) GDPR
Article 32(4) GDPR
§ 7 Camera Surveillance Act
Type: Complaint
Outcome: Upheld
Started:
Decided: 09.06.2021
Published: 09.06.2021
Fine: 350000 SEK
Parties: Räddningstjänsten Östra Skaraborg
National Case Number/Name: DI-2018-22697
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Swedish
Original Source: Decision (in SV)
Initial Contributor: Kave Noori

The Swedish DPA fined a fire department €34,555 (SEK 350 000) for installing CCTV cameras that monitored firefighters in a way that was more intrusive than necessary.

Facts

The firefighting Rescue Service of Eastern Skaraborg (Räddningstjänsten Östra Skaraborg) used CCTV cameras to monitor 8 fire stations from March/April 2015 to May 6th, 2021. The CCTV cameras monitored the fire trucks' storage hall, where employees change into firefighters' clothes when responding to an emergency.

The CCTV surveillance was in operation around the clock. The video stream was not recorded, but the operator in the command center could maneuver the camera and also activate the microphone to interact with the firefighters. Each time the microphone was activated, a light came on.

The Swedish DPA Integritetsskyddsmyndigheten (IMY) opened an investigation following a complaint it received. The complaint stated that firefighters who had been called in at night time had sometimes appeared only in their nightgowns. As a result, the complaint said, firefighters had changed clothes while naked or in their underwear under the surveillance of the camera.

The introduction of CCTV in 2015 was not without controversy. Firefighters placed a piece of cardboard in the camera's field of view, covering the area where equipment is stored. After someone broke into the fire station, the Rescue Service removed the piece of cardboard after negotiations with a local union representative. The Rescue Service claimed to have received no complaints since 2015 but decided to end CCTV surveillance on May 6, 2021, pending a decision from the regulator IMY.

Holding

Did the CCTV require a permit?

First, the DPA examined whether the CCTV cameras required a permit. The Swedish Camera Surveillance Act (kamerabevakningslagen), which contains supplementary rules to the GDPR, sometimes requires a permit for the use of CCTV. 7 § of the Camera Surveillance Act requires a permit if the surveillance is carried out by a public authority and if the surveillance is of a "place to which the public has access". The DPA concluded that a fire station is not a place to which the public has access and that the Rescue Service did not need a permit for CCTV.

Was there a legal basis?

The DPA considered whether there was a legal basis in Article 6(1)(e) GDPR for processing data for the performance of a task carried out in the public interest. On the one hand, the DPA found that in this case the monitoring of the staff, who are in a vulnerable position, was constant, intimate, and intrusive. However, given the particular role that society has given to the Rescue Service and the need for the command center to be able to effectively manage and organize a response to an emergency, the DPA found that there was a legal basis for the processing.

Fairness and data minimization

Next, the DPA considered whether the monitoring complied with the principle of lawfulness, fairness and transparency under Article 5(1)(a) GDPR. The DPA referred to the preparatory work of the Swedish GDPR Implementation Act when it noted that the legislator intended that the proportionality of the monitoring must be assessed by balancing the conflicting interests, even if a legal basis exists. The DPA recognised that the employer had very strong reasons justifying the surveillance. Nevertheless, the DPA considered that the surveillance was too wide-ranging. Firefighters were monitored in places where they changed clothes, without censorship or demarcation.

The DPA also investigated whether the Rescue Service had practiced data minimisation under Article 5(1)(c) GDPR. The DPA found that the purposes of the monitoring were legitimate, but that the means chosen were too intrusive and breached the principle of data minimisation.

The DPA considered that the monitoring was unfair and breached Article 5(1)(a) GDPR, and that the lack of data minimisation practice breached Article 5(1)(c) GDPR. For these two violations, the DPA imposed a fine of SEK 300 000.

Was the data sufficiently protected?

Finally, the DPA assessed whether the monitoring data was adequately protected. The CCTV cameras were monitored live from the command center. The command center had 29 staff, 6 of whom held the position of inner command and were authorized to view the camera stream. The Rescue Service stated that it was possible for any employee present in the command center to view the camera stream and witness what was going on at a particular fire station. The Rescue Service had also not issued any guidelines regarding the monitoring of the CCTV.

The DPA acknowledged that it is sometimes warranted to allow a wider range of command center staff to view the CCTV. However, given the nature, scope, and intrusiveness of the monitoring of the CCTV, the DPA held that the Rescue Service was at fault for not issuing guidance. The DPA stated that the more sensitive the processing, the higher the data protection requirements. The lack of policies could have led the staff of the command center to monitor firefighters more than was necessary and lawful. The DPA found that the Rescue Service had breached Article 32(1) GDPR and Article 32(4) GDPR by failing to take the necessary organizational measures. For this, the DPA imposed a fine of SEK 50 000.

Fines overview

Violation | Fine in SEK
Article 5(1)(a) GDPR – principle of lawfulness, fairness and transparency and Article 5(1)(c) GDPR – principle of data minimization | 300 000
Article 32(1) GDPR and Article 32(4) GDPR – organizational measures | 50 000
Total | 350 000


English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

The Executive Board of the Rescue Service Östra Skaraborg
Majorsgatan 1
54141 Skövde
By e-mail: raddningstjansten@rtos.se

Record number: DI-2018-22697
Your registration number: 2019–000014
Date: 2021-06-09

Decision after supervision according to the Data Protection Regulation - camera surveillance within The rescue service Östra Skaraborg





Content

The Integrity Protection Authority's decision
Report on the supervisory matter
Grounds for the decision
    Personal data controller
    The time of the trial
    Rules for the Rescue Service's camera surveillance
        The Camera Surveillance Act
        Data Protection Ordinance
    Is the Rescue Service's camera surveillance allowed according to the Data Protection Regulation?
        Legal basis for the processing of personal data (Article 6)
        Basic principles for the processing of personal data (Article 5)
        Principles of legality and regularity (Article 5 (1) (a))
        The principle of data minimization (Article 5 (1) (c))
        Safety in connection with the treatment (Article 32)
    Choice of intervention
        Legal regulation
        Penalty fee
How to appeal

Postal address: Box 8114, 104 20 Stockholm
Website: www.imy.se
E-mail: imy@imy.se
Phone: 08-657 61 00






The decision of the Privacy Protection Authority

The Privacy Protection Authority states that the Executive Board of the Eastern Rescue Service Skaraborg, with organization number 222000-1115, from 25 May 2018 until 6 May 2021, by having camera surveillance in the car park at eight fire stations, processed personal data in violation of

- Article 5 (1) (a) of the Data Protection Regulation [1] by camera-monitoring the place for replacement in case of alarm in violation of the principle of correctness,
- Article 5 (1) (c) of the Data Protection Regulation by processing more personal data than has been necessary for the purposes, contrary to the principle of data minimization, and
- Article 32 (1) and (4) of the Data Protection Regulation, as instructions from the personal data controller have been missing for how the personal data may be used and the requirement for appropriate organizational measures, to ensure a level of safety that is appropriate in relation to the risk, thus is not fulfilled.

The Privacy Protection Authority decides on the basis of ch. Section 2 of the Data Protection Act [2] and Articles 58 (2) and 83 of the Data Protection Ordinance that the Executive Board of the Emergency Services Östra Skaraborg must pay an administrative sanction fee of 350,000 (three hundred and fifty thousand) kronor, of which 300,000 (three hundred thousand) kronor refers to infringements of Article 5 (1) (a) and 5 (1) (c) and SEK 50,000 (fifty thousand) to infringements of Article 32 (1) and Article 32 (4) of the Data Protection Regulation.



Report on the supervisory matter

The Privacy Protection Agency (IMY) has received complaints alleging that the Executive Board of the Rescue Service Östra Skaraborg (Rescue Service) conducts camera surveillance in the fire station's car park with space for replacement in the event of an alarm and has initiated supervision of the Rescue Service.

The inspection has been initiated for the purpose of reviewing whether the Rescue Service's personal data processing in the form of camera surveillance has taken place in accordance with the principles of legality and regularity set out in Article 5 (1) (a) of the Data Protection Regulation, the principle of data minimization in Article 5 (1) (c), the legal basis requirement in Article 6 and the requirements for organizational security in Article 32.

When reviewing the processing of personal data in the form of camera surveillance of the carriage halls, the following has mainly emerged.

Camera surveillance has been conducted from March – April 2015 until 6 May 2021 at the stations in Skövde, Mariestad, Hjo, Tibro, Karlsborg, Hova, Gullspång and Töreboda. A camera has been mounted on each station. All cameras have been placed in carriages at the fire stations and have guarded a space used as a garage for rescue vehicles. The staff hall also stores the staff's emergency clothing, alarm stand, which must be able to be put on quickly before expression in the event of an alarm. For other types of exchanges there are special changing rooms that are not monitored by cameras.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and on repeal of Directive 95/46/EC (General Data Protection Regulation).
[2] Act (2018:218) with supplementary provisions to the EU Data Protection Regulation.


The camera surveillance of the car parks has been conducted around the clock in real time without image recording. The cameras have been movably mounted and have shown a number of views according to a predetermined movement pattern. The cameras have also been able to be controlled manually and have optics that can zoom.

The film material has been examined in real time by internal officers from the command center in Skövde when an alarm has been activated at a fire station. The control center that the cameras are connected to staff in emergency situations. Examination of what was captured by the camera's shooting range has only occurred in these situations. Sound has been able to be recorded in real time after the internal commander has activated a microphone to be able to talk with the intrusive force. A light has been lit in the car park when the microphone has been activated.


The camera-monitored fire stations are staffed by staff who are both full-time employees (Skövde and Mariestad) and part-time employees (all audited stations). When part-time staff move in, firefighters should normally, within five minutes from when the alarm goes off, have left the fire station in a vehicle. By then the firefighters must have gone to the fire station, often in a private car, changed and placed themselves in the correct vehicle. Full-time staff are usually at the fire station when alarms go and change from station uniform. Firefighters are in the guarded place in the carriage hall for about a minute.

The complaint has stated that it has happened that intruding staff, in the event of an alarm in the middle of the night, have arrived at the fire station in a bathrobe with underwear or nothing at all underneath, which has meant that staff have been camera-monitored naked or only in underwear when changing to an alarm stand. The rescue service has in an opinion received on 31 May 2021 stated that it does not occur at all that rescue personnel on standby arrive at the respective station in the event of an alarm wearing only a bathrobe with only underwear or nothing at all underneath. In an opinion received on 22 May 2019, it is stated that no employee will be staying in the Rescue Service's premises naked, except in changing rooms intended for this, as it can be experienced as troublesome and offensive to other employees. Furthermore, it has been stated that the alarm place is designed such that its function is maintained regardless of whether the employee chooses to dress only in alarm stand or chooses to have undergarments under the alarm stand. The employees who choose not to use e.g. underwear can choose to only wear underwear underneath the alarm place and will thus in such cases only wear underwear for a shorter time when dressing and undressing the alarm place.


Furthermore, it has emerged that the employees at one of the fire stations protested against the camera surveillance in connection with the introduction in 2015 by covering some of the surface where alarm places hang with a cardboard board. The rescue service has, in the opinion which came in on May 22, 2019, with completion on May 28, 2019, stated that the cardboard board was removed after collaboration with a local union representative after a burglary. At collaboration with employee organizations in 2015, views emerged which, among other things, argued that camera surveillance should not include a place where replacement takes place, that it would be an advantage to activate the camera only in the event of an alarm, that it was perceived as offensive to be monitored and that the information about the camera surveillance has been broken. Ahead of the collaboration in August 2015, it was stated that the employer's focus was that measures would be taken so that areas where staff change could not be monitored by cameras. At the collaboration meeting it was decided to ensure that each station would be adapted so that camera surveillance of changing rooms would not take place. The rescue service has stated that since August 2015 there have been no complaints against the camera surveillance and that the issue has not been raised in collaboration again.


As for the information about the camera surveillance that is provided, the Rescue Service stated that it is now on the checklist at the time of introduction to inform new employees about the camera surveillance, that written information has been produced to ensure this information and that camera surveillance is signposted on the premises.

To its final opinion in May 2021, the rescue service attached a decision made on 6 May 2021 where it appears that the camera surveillance that is examined will end with immediate effect. Furthermore, the need for camera surveillance must be reassessed after the IMY has made a decision in the current case.


Grounds for the decision

Personal data manager

The Executive Board of the Rescue Service Östra Skaraborg is stated to be personal data manager for the Rescue Service's personal data processing. IMY shares this view.

The time for the trial

The audited camera surveillance has been going on from March-April 2015 until 6 May 2021. Since the Data Protection Ordinance first came into force on 25 May 2018, IMY's review, which takes place on the basis of the said regulation, is limited to circumstances that have existed during the period thereafter. Circumstances in connection with the introduction of the camera surveillance in 2015 are thus outside the IMY's supervision.


                              Rules for the Rescue Service's camera surveillance

                              Camera surveillance is a form of personal data processing. How and to what extent camera
                              surveillance is permitted in the case in question is regulated in the Data Protection
                              Regulation and in the Camera Surveillance Act (2018:1200), which supplements the Data
                              Protection Regulation.


                              The Camera Surveillance Act

                              Section 4 of the Camera Surveillance Act states that the Act applies to camera surveillance
                              under section 3 that takes place with equipment located in Sweden. Section 3, point 1 of the
                              Camera Surveillance Act states that camera surveillance means that a television camera,
                              another optical-electronic instrument or comparable equipment is used, without being
                              operated on site, in a way that involves permanent or regularly repeated surveillance of
                              persons. The camera surveillance that the Rescue Service has conducted has not been
                              operated on site and has involved permanent monitoring of the employees as well as other
                              visitors. The Camera Surveillance Act therefore applies to the Rescue Service's
                              surveillance.


                              The Camera Surveillance Act contains provisions on when a permit is required for camera
                              surveillance. It follows from section 7 of the Camera Surveillance Act that a permit is
                              required for surveillance of a place to which the public has access if the surveillance is
                              carried out by an authority, or by someone other than an authority when performing a task
                              of general interest that follows from law or other statute, collective agreement or
                              decision issued pursuant to law or other statute.


                               The Rescue Service Östra Skaraborg is a municipal association and thus an authority, and
                               is in principle subject to the permit requirement for camera surveillance. The question is
                               then whether the public is considered to have access to the place that the Rescue Service
                               monitors by camera. Case law shows that the concept of "place to which the public has
                               access" is to be interpreted broadly (see the Supreme Administrative Court's decision
                               RÅ 2000 ref. 52). Many workplaces are, however, considered to be places to which the
                               public does not have access (Bill 2017/18:23 p. 22).


                               In the light of what has emerged about the location of the surveillance, IMY assesses that
                               it is not a place to which the public has access. There is no requirement to apply for a
                               permit. However, the fact that the camera surveillance does not require a permit does not
                               mean that the surveillance is allowed. In addition to the provision on permits, there are
                               other rules in the Camera Surveillance Act, e.g. on the duty of confidentiality regarding
                               recorded material, the obligation to negotiate with employee organizations and information
                               requirements, which may be relevant to follow during camera surveillance. In addition, the
                               rules in the Data Protection Regulation apply.


                               Data Protection Regulation
                               According to Article 2(1), the Data Protection Regulation applies, inter alia, to the
                               processing of personal data in a wholly automated way. Article 4(1) of the Data Protection
                               Regulation states that any information relating to an identified or identifiable natural
                               person is personal data. According to Article 4(2), "processing" means an operation
                               concerning personal data, such as collection, recording, reading and erasure. If a
                               surveillance camera captures an identifiable person or other personal data in an image,
                               the rules in the Data Protection Regulation must therefore be followed. Since the Rescue
                               Service has filmed, and recorded sound from, identifiable people with its cameras, the
                               Data Protection Regulation applies.

                               The Data Protection Regulation contains a large number of rules that must be followed when
                               processing personal data. Within the framework of this supervisory matter, IMY's review is
                               limited to whether the Rescue Service has a legal basis under Article 6 of the Data
                               Protection Regulation for conducting the camera surveillance in question, whether the
                               Rescue Service has lived up to the basic principles for the processing of personal data in
                               Article 5(1)(a) on legality and correctness and in Article 5(1)(c) on data minimization,
                               and whether the Rescue Service has met the security requirements in Article 32 by taking
                               appropriate organizational measures.


                               Is the Rescue Service's camera surveillance allowed according to
                               the Data Protection Regulation?


                               Legal basis for the processing of personal data (Article 6)

                               Article 6 of the Data Protection Regulation states that processing is lawful only if at
                               least one of the conditions set out in the article is met, that is, if there is a legal
                               basis for the processing.


                               The processing is necessary to perform a task of general interest, Article 6(1)(e)


                               The Rescue Service has stated that the legal basis for the surveillance is that the
                               surveillance is necessary to perform a task of general interest under Article 6(1)(e) of
                               the Data Protection Regulation.

                                 The preparatory work for the Act (2018:218) with supplementary provisions to the EU
                                 Data Protection Regulation (hereinafter the Data Protection Act) states the following in
                                 Bill 2017/18:105 (p. 60).


                                                 In order for the processing of personal data to be permitted under
                                                 Article 6(1)(e) of the Data Protection Regulation, the purpose of the
                                                 processing must be necessary to perform the task. In the Government's
                                                 assessment, this is not to be interpreted as meaning that the task of
                                                 general interest must be delimited so that it can only be performed in
                                                 one way. The method that the personal data controller chooses for
                                                 performing its task must, however - like all public administration - be
                                                 efficient, effective and proportionate, and must therefore not
                                                 unnecessarily infringe individuals' privacy. The more detailed the
                                                 regulation of a particular task, the less room there should be for the
                                                 personal data controller to choose different approaches. This in turn
                                                 leads to greater predictability as to what personal data processing may
                                                 arise. If a task has instead been regulated at a more general and
                                                 results-oriented level, it can probably be performed in many different
                                                 ways, which in relation to each other can be more or less necessary
                                                 within the meaning of the Data Protection Regulation.


                                 In addition, pursuant to Article 6(3), the basis for processing under Article 6(1)(e)
                                 shall be determined in accordance with Union law or the national law of a Member State.


                                 The Rescue Service's activities are regulated nationally in the Act (2003:778) on
                                 protection against accidents. According to ch. § 2, rescue service means the rescue
                                 efforts that the state or the municipalities are responsible for in the event of
                                 accidents and imminent danger of accidents, in order to prevent and limit damage to
                                 people, property or the environment. Ch. § 3 states that the rescue service must be
                                 planned and organized so that the rescue efforts can be started within an acceptable
                                 time and carried out in an efficient manner. Although detailed provisions on how the
                                 Rescue Service is to process personal data are missing, the regulation needs to be
                                 specific enough to be used as a basis for the assessment of legal basis in Article 6 of
                                 the Data Protection Regulation. That the legislation is general can give the Rescue
                                 Service greater scope to choose how its tasks are to be carried out than if the
                                 regulation had been more specific.


                                 The Rescue Service has stated that the purposes established for the surveillance are
                                 the following.


                                     - To facilitate leadership and efficiency during a rescue operation
                                     - To facilitate attendance checks of firefighters who come in after alarms
                                     - To facilitate vehicle selection
                                     - To make it possible to ensure that the force leader is well and can handle
                                          the task
                                     - To secure the perimeter protection, and
                                     - To assess the correctness of any alarm connected to the key cabinets at
                                          the stations


                                 IMY assesses that the purposes can be divided into two categories. The first four
                                 purposes are intended to enable work management and efficiency in an alarm situation.
                                 The latter two purposes relate to physical security at the fire station.







                                The Rescue Service has stated that the camera surveillance at all fire stations except
                                Tibro station has automatically also covered the space where the turnout clothing is
                                stored. This means that at the other fire stations the surveillance has included the
                                place where the staff change into turnout gear. The reason the camera at Tibro station
                                has not monitored the changing area used in the event of an alarm is an incorrect
                                programming, which has meant that the camera's movement pattern has not covered the
                                changing area unless the camera was manually controlled to monitor it. According to the
                                Rescue Service, however, the intention has been to remedy this so that the camera
                                surveillance at Tibro station would also include the changing area. Compared with the
                                stations where the changing area has been monitored, the Rescue Service has stated that
                                conditions for management capacity and efficiency in the event of an alarm have been
                                worse at Tibro station. It has been more difficult to carry out attendance checks and to
                                ensure that the force leader is well in the event of an alarm. Through camera
                                surveillance, the purposes of the surveillance relating to the alarm situation can be
                                achieved at the same time as the staff get ready to respond to the alarm, that is, the
                                working method is efficient in both cost and execution.

                                IMY's assessment - legal basis


                                IMY notes that the camera surveillance conducted by the Rescue Service concerns
                                monitoring of employees at their workplace, where the staff must be during working
                                hours. The data subjects are in a position of dependence and are monitored in their
                                everyday environment. The monitoring has involved round-the-clock monitoring in real
                                time, and the monitored area has also included the changing area. There is information
                                that employees, for efficiency reasons, have at times been completely without clothes in
                                the changing area while changing, which, however, the Rescue Service has denied. Both
                                the scope of the surveillance and what is captured by the cameras have increased the
                                intrusion for the individual.


                                The camera surveillance, which among other things has covered employees in underwear,
                                means that the Rescue Service has camera-monitored the employees in privacy-sensitive
                                situations. The processing has not, however, included special categories of personal
                                data, so-called sensitive personal data, under Article 9 of the Data Protection
                                Regulation. The national law which, in accordance with Article 6(3), is to lay down the
                                legal basis therefore need not be more precise than the Act on protection against
                                accidents, but can be generally worded.


                                In the light of the above and with regard to the Rescue Service's special task and
                                requirements for efficiency, IMY makes the assessment that the processing has been
                                necessary to perform a task of general interest and that the Rescue Service has had a
                                legal basis under Article 6(1)(e) of the Data Protection Regulation for the processing
                                in question.


                                The question then becomes whether the processing in question has lived up to certain of
                                the basic principles for the processing of personal data in Article 5.


                                Basic principles for the processing of personal data (Article 5)
                                Article 5 of the Data Protection Regulation contains a number of basic principles that
                                personal data controllers must take into account when processing personal data.

                                It follows from Article 5(1)(a), inter alia, that all personal data processing, in
                                addition to being lawful, must also be correct (the principles of legality and
                                correctness). It follows from Article 5(1)(c) that personal data that is processed must
                                be adequate, relevant and not too extensive in relation to the purposes for which it is
                                processed (the principle of data minimization).


                                Finally, it follows from Article 5(2) that the personal data controller shall be
                                responsible for and be able to demonstrate compliance with the principles set out in
                                Article 5(1) (the principle of accountability).


                                 Principles of legality and correctness (Article 5(1)(a))
                                 That the processing must be lawful means that there must be a legal basis in Article 6.
                                 IMY has assessed above that the Rescue Service fulfills the requirement of a legal basis
                                 in Article 6(1)(e), task of general interest. The processing is therefore judged to be
                                 compatible with the principle of legality in Article 5(1)(a).

                                 With regard to the processing being correct, the following is stated in the preparatory
                                 work for the Data Protection Act (Bill 2017/18:105 p. 47).


                                                 As far as the principle of correctness is concerned, it may be
                                                 questioned, in a comparison with other language versions, whether the
                                                 Swedish term "correct" corresponds to the purpose of the provision. The
                                                 Danish language version states instead that the data should be processed
                                                 reasonably. Similarly, the English language version uses the term
                                                 fairly, which means fair or reasonable. In the French language version
                                                 the term loyale is used, which has the same meaning as the English
                                                 fairly. In the German language version, the term Treu und Glauben is
                                                 used, which is usually translated as good faith or faith and honor. All
                                                 these terms indicate, in the Government's opinion, more clearly than the
                                                 Swedish term "correct" that a balance of interests must be struck. In an
                                                 individual case it can thus, for example, be incompatible with the
                                                 principle of correctness to take a particular processing measure, even
                                                 if it could in itself be considered lawful under Article 6, namely if
                                                 the processing is unreasonable in relation to the data subject.


                                 The legislator has stated here that even if there is a legal basis, an assessment of
                                 whether the processing lives up to the principle of correctness still requires a
                                 balancing of interests to determine whether the processing is unreasonable in relation
                                 to the data subjects, in this case the employees.


                                 In the statement received on 22 May 2019, the Rescue Service stated that there are no
                                 other, less privacy-intrusive solutions that do the same thing without negatively
                                 affecting the rescue effort. However, it has also been stated that it is not necessary
                                 for camera surveillance to take place around the clock in order to conduct rescue
                                 services, but that it only needs to take place in the event of an alarm at the station
                                 concerned. Furthermore, the Rescue Service has stated that the cameras are technically
                                 connected to the application in which they are shown around the clock.


                                 For the balancing of interests that the legislator considers should be made when
                                 examining the principle of correctness, further guidance is lacking. However, the
                                 European Data Protection Board, EDPB, has stated in its guidelines on data protection by
                                 design and by default that, inter alia, the following circumstances are to be taken into
                                 account when examining whether the principle of correctness is complied with.³ It
                                 states, for example, that the processing should correspond with the reasonable
                                 expectations of the data subjects. Furthermore, the balance of power should be a central
                                 goal for the relationship between the personal data controller and the data subjects.
                                 The personal data controller must also respect the data subjects' fundamental rights and
                                 take appropriate measures and safeguards. The personal data controller must also
                                 consider the impact of the processing on individuals' rights and dignity.


                                 ³ EDPB Guidelines 4/2019 on Article 25, Data protection by design and by default, version 2.0, p. 18 et seq.


                                IMY's assessment - the principle of correctness


                                Regarding the balance of interests to be made, IMY makes the following assessment of the
                                different interests.


                                IMY initially notes that, through the Act on protection against accidents, the Rescue
                                Service is subject to a requirement that its operations be conducted efficiently with
                                regard to both time and execution, in order to prevent and limit damage to people,
                                property or the environment in the event of accidents and danger of accidents.


                                The Rescue Service has stated that, among other things, it maintains preparedness for
                                people who end up in distress at sea and in other life-threatening situations, toxic
                                substances released into nature, traffic accidents, fires in buildings and terrain, and
                                people and property threatened by extreme weather. It is not uncommon for lives to be in
                                danger in the events to which the Rescue Service is alerted, and then both seconds and
                                minutes can make a difference.


                                The purposes of the Rescue Service's camera surveillance now under examination are
                                described in detail above and can be summarized as enabling work management and
                                efficiency in the event of an alarm and ensuring the physical security of the fire
                                station, respectively.

                                The Rescue Service has stated that there are no other, less privacy-intrusive ways to
                                achieve the same efficiency. At Tibro fire station, where the changing area has not been
                                monitored automatically, the conditions for management capacity and emergency response
                                have been worse compared with other stations. The staff do not stay at the station for
                                longer than the time it takes to put on their turnout gear, which means that if
                                communication with them is to take place without delaying the rescue operation, it must
                                take place at the same time as they change.


                                Overall, IMY assesses that the Rescue Service's need for camera surveillance of the site
                                weighs heavily, especially in the event of alarms.


                                One of the purposes of the surveillance is to check the attendance of firefighters who
                                come in after an alarm. IMY notes that camera surveillance to carry out attendance
                                checks at a workplace is in principle not allowed. In the current case, the interest in
                                surveillance has been judged to weigh heavily, especially in the event of an alarm. IMY
                                makes the assessment that the Rescue Service's surveillance is such a case where camera
                                surveillance for attendance checks can be considered permissible. In that assessment,
                                special consideration has been given to the requirement for efficiency when the Rescue
                                Service is alerted, where seconds and minutes can make a difference to life and health.

                                As regards the interests of the data subjects, it can be noted that the places that are
                                camera-monitored are workplaces where the employees, who are in a position of dependence
                                on their employer, must be present during their working hours. The employees are in the
                                vehicle hall both in the event of an alarm and when performing other tasks. The
                                character of the place means that the employees are there in their everyday environment
                                and cannot opt out of being monitored by cameras. The interest in privacy therefore
                                weighs heavily as a starting point.







                                When it comes to listening to and recording sound in connection with camera
                                surveillance, this is particularly privacy-sensitive and is allowed only exceptionally.
                                As a privacy-enhancing measure, however, a light comes on when the microphone that
                                enables oral communication between the control center and the vehicle hall is activated.
                                IMY notes that audio listening is thus limited to situations that require communication
                                and that the microphone has been used in live situations in the event of an alarm, when
                                the need to monitor weighs particularly heavily. Furthermore, the sound that is listened
                                to is mainly a conversation with those who are monitored. That the staff are part of the
                                conversation, in combination with the activation of the lamp, means that they are aware
                                that listening is taking place. The measure somewhat reduces the intrusion as regards
                                listening to and recording sound. IMY therefore makes the assessment that sound
                                recording in the event of an alarm, as it has been conducted, is permitted.

                                Furthermore, it appears that the monitored area also includes the place for changing
                                when putting on and taking off turnout gear, where the camera surveillance in the event
                                of an alarm has for a short time captured the employees in underwear when they change
                                into turnout clothing. Whether the staff have in some cases been monitored completely
                                without clothing has not been clarified in the case. The Rescue Service believes that
                                the employees are extremely used to handling privacy-sensitive situations, both in the
                                performance of their duties in rescue operations towards third parties and in station
                                work and internally in the organization, since changing takes place in front of each
                                other in every alarm situation, and also at regular drills and training. The Rescue
                                Service believes that the internal commander who has access to the real-time
                                surveillance has a management responsibility, regardless of whether it is exercised in
                                the physical space or via technical equipment, for the best possible management. In the
                                Rescue Service's assessment, changing in front of colleagues and officers fits well
                                within a proportionality perspective.

                                IMY assesses that the interest in privacy at the place where changing takes place is
                                significantly more prominent than in the rest of the vehicle hall. However, it should be
                                taken into account that the arrangement of changing into turnout gear in the vehicle
                                hall, and the camera surveillance of this, is deemed necessary for the efficiency of the
                                operations, which reduces the intrusion somewhat. IMY nevertheless makes the overall
                                assessment that the privacy interest at the site as a whole weighs very heavily, given
                                how the surveillance has been conducted. This also applies if the staff have underwear
                                on in the changing situation.


                                In assessing the two sides of the balance of interests, IMY has thus found that the need for
                                surveillance weighs heavily, especially in the event of alarms, and that the interests of the data
                                subjects, the employees, weigh very heavily as regards camera surveillance of the changing area.


                                In balancing the needs of the Rescue Service against the interests of the employees, IMY further
                                makes the following assessment. As to whether the data subjects can expect the camera surveillance
                                in question, the Rescue Service has stated that it has, at present, provided information about the
                                surveillance in several ways, including through signs on the premises. However, it has emerged
                                that there are no guidelines for the situations in which authorized staff have had the right to
                                access the real-time surveillance, which may mean that the employees have had difficulty assessing
                                the extent to which the material has been used. As regards the balance of power between the Rescue
                                Service and the employees, it has been established that the employees are in a dependent
                                relationship with their employer, which means that the balance of power is uneven.


                                As the surveillance of changing involves privacy-sensitive information, higher requirements than
                                otherwise are placed on protective measures to reduce the invasion of privacy. IMY considers
                                privacy-enhancing measures necessary, such as partial shielding of the changing area. As
                                privacy-enhancing measures, the Rescue Service has stated that, in addition to a lamp being lit
                                when the microphone is activated, the sound from the vehicle hall can only be heard in a headset in
                                the command center and that access to the command center is restricted. As for measures such as
                                masking or demarcating parts of the changing area to minimize the collection of this data, no such
                                measure has emerged during IMY's review.


                                Regarding masking of the changing area, the Rescue Service stated the following in a statement of
                                22 May 2019 (p. 7).

                                                Given that most stations have the turnout gear hanging in the vehicle hall,
                                                the purpose of the cameras would completely disappear if these surfaces were
                                                screened off, that is, the vehicle hall would not be visible in the cameras.


                                From images from the camera surveillance that the Rescue Service submitted in a statement of
                                January 16, 2019, however, it appears clear, in IMY's view, that it should be possible without much
                                difficulty to partially limit each camera's capture of the changing area, so that no more than, for
                                example, heads are captured by the surveillance. This can be done, for example, either by masking
                                the camera views that show the changing area or by a physical screen in each vehicle hall.


                                With regard to the impact of the camera surveillance on the employees' rights and dignity, IMY
                                notes that it has not emerged that it has been possible to avoid being camera-monitored while
                                changing into turnout gear. Having camera surveillance when changing takes place in the event of an
                                alarm may have meant that the employees have repeatedly been in their underwear for short periods
                                in the monitored area. On an objective assessment, this can be considered to go beyond what is
                                proper treatment on the part of an employer.


                                Overall, IMY finds that the purposes of the Rescue Service are justified. The Rescue Service's
                                interest in surveillance has been judged to weigh heavily, especially in the event of an alarm.
                                However, the interests of the data subjects have been judged to weigh very heavily, especially as
                                regards the area for changing into turnout gear, which has been camera-monitored without masking or
                                demarcation. Even taking into account the special circumstances and the requirement for efficiency
                                that apply to the Rescue Service's operations, IMY finds that the interests of the employees weigh
                                more heavily as regards the changing area in the event of an alarm, and that the surveillance in
                                this situation, as it has been carried out, is unreasonable in relation to the employees. The
                                surveillance of the changing situation in the event of an alarm without delimitation has therefore
                                been contrary to the principle of correctness in Article 5 (1) (a) of the Data Protection Regulation.


                                The principle of data minimization (Article 5 (1) (c))
                                Article 5 (1) (c) of the Data Protection Regulation states that the personal data processed shall
                                be adequate, relevant and not too extensive in relation to the purposes for which they are
                                processed, which is the principle of data minimization.


                                The camera surveillance now being examined has been conducted around the clock in real time in the
                                vehicle hall at eight fire stations and has included the changing area without any masking or
                                demarcation. Internal officers at the command center have viewed the camera surveillance in the
                                event of an alarm.


                                The Rescue Service has stated that it is not necessary to monitor the vehicle hall with cameras
                                around the clock; it only needs to take place in the event of an alarm to the relevant station. The
                                cameras have, however, been connected to a technical solution in which the camera image is
                                displayed around the clock.

                               As for the surveillance of the changing area, the Rescue Service has stated that there are no
                               other, less privacy-sensitive ways to achieve the same efficiency. The surveillance of the changing
                               area is necessary because the staff do not stay at the station any longer than the time it takes
                               them to put on their turnout gear. This means that communication with them must take place at the
                               same time as they change, so that the rescue operation is not delayed.


                               IMY's assessment - the principle of data minimization


                               IMY has found above that monitoring employees who are changing involves processing of
                               privacy-sensitive information that goes beyond what the individual should have to accept. The
                               surveillance of the fire stations has covered employees, who are in a position of dependence on
                               their employer. This places special demands on the employer to take measures to reduce the invasion
                               of the employees' privacy. No adaptation of the surveillance has been carried out, apart from
                               access restriction, and the changing area has been camera-monitored without masking or delimitation.
                               The surveillance has been ongoing around the clock in real time, even though it has been stated to
                               be necessary only in the event of an alarm.

                               Against this background, IMY finds that the Rescue Service's camera surveillance has entailed
                               excessive processing of personal data in relation to the purposes. The processing has thus taken
                               place in violation of the principle of data minimization in Article 5 (1) (c) of the Data
                               Protection Regulation.

                               The Rescue Service's purposes relating to the physical security of the fire stations, i.e. to
                               ensure perimeter protection and to assess the correctness of alarms connected to the key cabinets
                               at the stations, have not, according to the Rescue Service, included preventing and investigating
                               crime. IMY finds that the purposes are justified, but that camera surveillance around the clock is
                               too far-reaching for the specified purposes. It should be possible to achieve these purposes with
                               less far-reaching measures, for example through another access solution or an activated alarm in
                               the event of an alarm from the key cabinet.


                               This processing has also taken place in violation of the principle of data minimization in
                               Article 5 (1) (c) of the Data Protection Regulation.


                               Security of processing (Article 32)
                               As regards the Rescue Service's security in connection with the camera surveillance, IMY has
                               reviewed the organizational security in terms of authorization management and guidelines for the
                               handling of the surveillance material.


                               Article 32 of the Data Protection Regulation regulates security in connection with the processing.


                               According to paragraph 1, the controller and the processor shall, taking into account among other
                               things the latest developments, the implementation costs and the nature, scope, context and
                               purposes of the processing, as well as the risks, of varying likelihood and severity, for the
                               rights and freedoms of natural persons, take appropriate technical and organizational measures to
                               ensure a level of security appropriate to the risk.


                               According to paragraph 2, in assessing the appropriate level of security, special consideration
                               shall be given to the risks posed by the processing, in particular from accidental or unlawful
                               destruction, loss or alteration, or from unauthorized disclosure of or unauthorized access to the
                               personal data that has been transmitted, stored or otherwise processed.

                                Paragraph 4 states that the controller and the processor shall take measures to ensure that every
                                natural person who performs work under the supervision of the controller or the processor, and who
                                has access to personal data, only processes it on instructions from the controller.


                                Recital 39 of the Data Protection Regulation states, among other things, that personal data should
                                be processed in a manner that ensures appropriate security and confidentiality of the personal
                                data and prevents unauthorized access to and unauthorized use of personal data and the equipment
                                used for the processing.


                                The Rescue Service has stated that 29 people have had access to the command center, where the
                                camera surveillance has been brought up in full-screen view in the event of an alarm: 6 internal
                                officers who have their workplace in the command center, 16 other officers and managers who have
                                tasks in the command center in the event of an alarm or staff work, and 7 operating technicians for
                                maintenance of premises and technology. Not all of these employees are there at the same time; the
                                employee who has viewed the camera material is the on-duty internal officer in the event of an
                                alarm. However, every employee who has access to the command center has had the opportunity to see
                                the camera image and what is going on at a fire station in real time. In cases where an operation
                                is complicated or several operations are in progress in parallel, several internal officers or
                                other management functions may be in the command center at the same time and have then been able
                                to see the camera image.


                                The Rescue Service has stated that there have been no guidelines for when an authorized person has
                                been allowed to look at the camera image. The practice, however, has been that the camera image is
                                manually brought up in full-screen view in the event of an alarm at the station concerned.


                                IMY's assessment - security of processing


                                As for who has access to the footage from the camera surveillance, IMY notes that the Rescue
                                Service has stated that a number of people have access to the room where the camera surveillance is
                                displayed in real time, the command center. Even if it is not clear how the full-screen view
                                showing the camera surveillance is delimited, IMY notes that at different times and in different
                                situations there may be a need for several people to have access to the real-time surveillance in
                                the event of an alarm, as the Rescue Service has described the handling. The operations also run
                                around the clock, which means that more people than otherwise need to have access to the material.
                                IMY therefore finds that it may be justified for a larger number of employees to be authorized to
                                access information from the camera surveillance. However, it is essential that the controller then
                                has organizational measures in place to ensure the security of the data. Among other things, clear
                                guidelines are needed on who should have access to the material, under what conditions, and
                                whether the authorization is subject to special restrictions on the handling of the image material.


                                IMY notes that a controller shall, in accordance with Article 32 (1), take appropriate technical
                                and organizational measures to ensure a level of security that is appropriate in relation to the
                                risk. When assessing the appropriate level of security, special account shall be taken of the
                                risks posed by the processing, including unauthorized access to the personal data processed.
                                According to Article 32 (4) of the Data Protection Regulation, the controller must also take
                                measures to ensure that a natural person only processes personal data on instructions from the
                                controller.

                               The more sensitive the information that is processed, the higher the security requirements for the
                               security to be considered appropriate in relation to the processing carried out. The fact that
                               guidelines have been lacking for when and how the camera surveillance may be used may mean that
                               those who have handled the camera surveillance have gone beyond what is necessary and thus
                               permitted. It also means that there may be uncertainty among those who have been camera-monitored
                               as to the situations in which the camera surveillance has been used and whether it has been
                               limited to situations where surveillance has been necessary.

                               As it has been conducted, the surveillance has involved systematic monitoring of employees and
                               privacy-sensitive processing of personal data as regards the surveillance of employees changing.
                               The security requirements are thus higher for the level to be considered appropriate. As
                               guidelines are stated to have been completely lacking, IMY finds that the Rescue Service has
                               breached the requirement to ensure that personal data is only handled on instructions from the
                               controller, and that the requirement for appropriate organizational measures to ensure a level of
                               security appropriate to the risk is thus not met. IMY therefore finds that the Rescue Service has
                               processed personal data in violation of Article 32 (1) and (4) of the Data Protection Regulation.


                               Choice of intervention


                               Legal regulation
                               If there has been a violation of the Data Protection Regulation, IMY has a number of corrective
                               powers under Article 58 (2) of the Data Protection Regulation. The supervisory authority may, among
                               other things, order the controller to ensure that the processing takes place in accordance with
                               the Regulation and, if required, in a specific way and within a specific period.

                               It follows from Article 58 (2) of the Data Protection Regulation that IMY shall, in accordance
                               with Article 83, impose penalty fees in addition to or instead of the other corrective measures
                               referred to in Article 58 (2), depending on the circumstances of each individual case.


                               For authorities, national rules may, under Article 83 (7) of the Data Protection Regulation,
                               specify that authorities may be subject to administrative penalty fees. According to ch. 6 § 2 of
                               the Data Protection Act, penalty fees can be imposed on authorities, but up to a maximum of
                               SEK 5,000,000 or SEK 10,000,000, depending on whether the violation relates to articles covered by
                               Article 83 (4) or 83 (5) of the Data Protection Regulation.


                               Article 83 (2) sets out the factors to be taken into account when deciding whether an
                               administrative penalty fee shall be imposed, and also what shall affect the size of the penalty
                               fee. Of central importance for the assessment of the seriousness of the infringement are its
                               nature, severity and duration. In the case of a minor infringement, a reprimand may, in accordance
                               with recital 148 of the Data Protection Regulation, be issued instead of imposing a penalty fee.


                               Penalty fee
                               The inspections carried out by IMY have shown that the Rescue Service has processed personal data
                               in violation of Article 5 (1) (a) and (c) and Article 32 (1) and (4) of the Data Protection Regulation.

                               In assessing whether the violations are so serious that an administrative penalty fee is to be
                               imposed, IMY has taken into account that the processing of personal data has concerned camera
                               surveillance of employees in a position of dependence, in their everyday environment, which has
                               included privacy-sensitive situations. The surveillance has taken place systematically over a long
                               time. The surveillance has meant that more information than necessary has been processed, partly
                               because it has taken place around the clock in real time, despite the need existing only in the
                               event of alarms, and partly because no masking or demarcation has been made of the area where the
                               employees change. The scope of the surveillance has been relatively large, as it has taken place
                               around the clock in real time in the vehicle hall at eight fire stations, which means that a not
                               insignificant number of data subjects have been affected. Furthermore, it has not emerged that the
                               Rescue Service, while the camera surveillance was in progress, took any measures to reduce the
                               intrusion on the employees, apart from a light indicating an activated microphone and certain
                               access restrictions. IMY's assessment is that the processing did not involve a minor infringement.
                               The violations must therefore lead to an administrative penalty fee.

                                The provisions of the Data Protection Regulation that the Rescue Service has violated are covered
                                by both Article 83 (4) and Article 83 (5) of the Data Protection Regulation. According to Article
                                83 (4) and 83 (5) and ch. 6 § 2, second paragraph, of the Data Protection Act, the maximum amount
                                of the penalty fee is SEK 5 million for the violations of Article 32 and SEK 10 million for the
                                infringements of Article 5.


                                The administrative penalty fee shall be effective, proportionate and dissuasive. This means that
                                the amount must be set so that the administrative penalty fee leads to correction, has a
                                preventive effect and, moreover, is proportionate in relation both to the infringements in
                                question and to the supervised entity's ability to pay.


                                In determining an amount that is effective, proportionate and dissuasive, IMY notes that the
                                Rescue Service has camera-monitored employees who are in a dependent relationship with their
                                employer, in a privacy-sensitive situation when changing into turnout gear, which has meant that
                                they have been systematically filmed in underwear or undergarments at their workplace. The
                                surveillance has been going on around the clock in real time even though the need has only existed
                                in the event of an alarm. In these respects, the Rescue Service has not taken the necessary
                                measures to limit the collection of data. The surveillance has taken place systematically for a
                                long time and has covered eight fire stations. A relatively large number of people in the command
                                center have been able to view the surveillance. Although they have been authorized to view the
                                surveillance, there has been a complete lack of guidelines and instructions on the situations in
                                which authorized persons have had the right to access the camera surveillance. These circumstances
                                are regarded as aggravating.


                                In its assessment, IMY has taken into account the Rescue Service's weighty need for the camera
                                surveillance and the requirement for efficiency that rests on the Rescue Service, as well as the
                                socially important task of preventing and limiting damage to people, property or the environment
                                in the event of accidents and danger of accidents, where seconds and minutes can be crucial.
                                Account has also been taken of the fact that the current rules only began to be applied in May
                                2018. The review has thus been limited to the time thereafter. It has also emerged that the camera
                                surveillance has now ceased. The fact that the decision in the case has been delayed is not to be
                                held against the Rescue Service in the assessment of the violations.


                                After an overall assessment, IMY finds that the Executive Board of the Rescue Service Östra
                                Skaraborg must pay an administrative penalty fee of SEK 350,000, of which SEK 300,000 refers to the
                                violations of Article 5 (1) (a) and 5 (1) (c), respectively, and SEK 50,000 refers to the
                                infringements of Article 32 (1) and Article 32 (4) of the Data Protection Regulation.

                               This decision was made by Director General Lena Lindgren Schelin after presentation by lawyer
                               Jenny Bård. Unit manager Charlotte Waller Dahlberg and lawyer Jeanette Bladh Gustafson also
                               participated in the final processing. David Törngren, Chief Justice, also participated during the
                               proceedings.


                               Lena Lindgren Schelin, 2021-06-09 (This is an electronic signature)


                               Appendix
                               Information on payment of penalty fee


                               Copy to
                               The Executive Board of the Rescue Service Östra Skaraborg's data protection representative:
                               dataskyddsombud@skovde.se

                              How to appeal

                              If you want to appeal the decision, you must write to the Privacy Protection Authority. State in
                              the letter which decision you are appealing and the change you are requesting. The appeal must have
                              been received by the Privacy Protection Authority no later than three weeks from the date the
                              decision was announced. If the appeal has been received in time, the Privacy Protection Authority
                              forwards it to the Administrative Court in Stockholm for examination.


                              You can e-mail the appeal to the Privacy Protection Authority if it does not contain any
                              privacy-sensitive personal data or data that may be covered by secrecy. The authority's contact
                              information can be found on the first page of the decision.