IMY (Sweden) - DI-2021-5774
IMY - DI-2021-5774
Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 6(1) GDPR
Article 13 GDPR
National Case Number/Name:
European Case Law Identifier:
DI-2021-5774 (in SV)
The Swedish DPA fined the Education Board in the City of Stockholm 800,000 SEK (around €68,324) for processing personal data through camera surveillance at a school, in violation of Articles 5(1)(a), 5(1)(c), 6(1) and 13 GDPR.
English Summary
Facts
The Swedish DPA received complaints that Aspudden's school, belonging to the City of Stockholm, conducts extensive camera surveillance in large parts of the school and that no information about the camera surveillance and the consequent personal data processing was provided to guardians and students. In addition, there was another anonymous tip claiming that staff at the school were not provided with information about the camera surveillance and that there were no signs about the camera surveillance either.
The DPA launched an investigation against the Education Board in the City of Stockholm (the Board), as it held itself out as the controller for the processing of personal data that takes place at Aspudden School.
The Board explained to the DPA that camera surveillance was introduced in the school in 2014 and was prompted by a number of fires in the school premises, sometimes several fires per day. The school has about 50 permanently mounted cameras equipped with fixed optics. The cameras monitor corridors, stairwells and halls in connection with doors, toilets and student lockers and are set up in large parts of the school. There is no surveillance in areas of the school to which the public has access. The cameras are activated in case of movement and surveillance takes place around the clock with image recording.
The Board also stated that, in August 2021, new camera signs were put in place to better fulfil the data protection requirements of the GDPR. On the signs, which constitute the first layer, the Board informed the data subject that the Board conducts camera surveillance at the site, the purpose of the surveillance, that images without sound are recorded and the storage time for the recorded material. Furthermore, information is provided about the fact that the material may be handed over to the investigating authority in the event of a criminal investigation and that the data subject who is being monitored has the right to access their personal data and request that it be erased. The sign also contains contact details for the data controller and data protection officer. For further information, the sign refers the reader to the City of Stockholm's website. On the City of Stockholm's website, which may be considered the second layer, the Board states that the camera surveillance that takes place in the school follows from a legal obligation, which constitutes the legal basis for the processing. The website contains further information on, among other things, who to contact in the event of questions about the camera surveillance, that comments and complaints should be directed to the school or the data protection officer, and the possibility of submitting a complaint to the Swedish DPA.
Holding
While the camera surveillance had been in place since 2014, the General Data Protection Regulation only began to apply on 25 May 2018. The Swedish DPA therefore limited its assessment to the period from 25 May 2018 to 3 October 2023.
The Swedish DPA decided that the Board did not have a legal basis to process the surveillance data of the entire school under Article 6(1)(c) GDPR. A legal obligation cannot constitute a legal basis for the processing of personal data if the obligation is too far-reaching and gives the controller too much freedom of discretion as to how to fulfil it, which the DPA considered to be the case with Chapter 5 of the Education Act. The DPA distinguished the complete surveillance of the school from the limited surveillance outside the toilets in premises belonging to the secondary school. For that limited surveillance, the IMY decided that the Board had a legal basis under Article 6(1)(e) GDPR. This is because the surveillance covered a limited area just outside the door or entrance to the toilet area, which fulfilled the requirements of necessity and proportionality. However, the camera surveillance that took place beyond this area was more extensive than necessary, which is why there was no legal basis under Article 6(1)(e) GDPR for the rest of the processing.
Since the processing concerned children who were obliged to be in school as part of their compulsory education, as well as employees who are in a dependent relationship with their employer, the DPA assessed that the absence of a legal basis is such a violation of principle that the Board's processing had also been in violation of the principle of lawfulness in Article 5(1)(a) GDPR. The DPA also decided that the processing took place contrary to the principle of data minimisation in Article 5(1)(c) GDPR because it included more personal data than necessary.
The Swedish DPA decided that both the first and second layers of information were inadequate under Article 13 GDPR. For example, it is not clear from the information which provision in the Education Act constituted the legal obligation. The DPA concluded that incorrectly stating the legal basis constitutes a deficiency in relation to Article 13(1)(c) GDPR. The DPA further noted that both the first and the second information layer lack information about the data subjects' right to request restriction of processing and about the right to object to processing (which should have been provided under Article 13(2) GDPR). This lack of information constitutes a deficiency in relation to Article 13(2)(b) GDPR.
The Swedish DPA decided on the basis of Articles 58(2) and 83 GDPR that the Education Board of the City of Stockholm violated Articles 5(1)(a), 5(1)(c) and 6(1) and should pay an administrative penalty fee of 800 000 SEK (eight hundred thousand Swedish Kronor). The DPA also ordered the Education Board of the City of Stockholm to take measures in order to ensure that the second information layer on the City of Stockholm's website contains information on the correct legal basis for the processing as well as information on the rights referred to in Article 13(2)(b) of the GDPR. The measures must be taken no later than four weeks after this decision has entered into force.
Comment
Note that the Administrative Court of Appeal in Stockholm ruled that it is not Article 13 of the Data Protection Regulation but rather Article 14 that should be applicable to the processing of personal data through camera surveillance. IMY has appealed against that judgement to the Supreme Administrative Court (Case No 870-23). The judgment of the Administrative Court of Appeal has thus not gained legal force and is not applicable to this decision.
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
- The DPA followed the EDPB guidelines (Guidelines 3/2019) on Article 13 GDPR, which state that the controller can use a step-by-step approach to provide the information set out in Article 13 of the GDPR. The information that is of most importance to the data subject should be presented even before the data subject enters the secure area, for example on a sign (the first layer of information). Other information can be presented in other ways, such as on a website or in a complete information sheet in a central location, such as an information desk or reception area (the second layer of information).
- The DPA noted that incorrect information about the legal basis for processing can have consequences for the data subjects. For example, the right to object to the processing according to Article 21 GDPR only applies to processing based on Article 6(1)(e) or (f) of the GDPR and not when the processing is based on a legal obligation under Article 6(1)(c).