IMY (Sweden) - DI-2021-5774: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Sweden |DPA-BG-Color= |DPAlogo=LogoSE.png |DPA_Abbrevation=IMY |DPA_With_Country=IMY (Sweden) |Case_Number_Name=DI-2021-5774 |ECLI= |Original_Source_Name_1=DI-2021-5774 |Original_Source_Link_1=https://www.imy.se/globalassets/dokument/beslut/2023/beslut-tillsyn-aspuddens-skola.pdf |Original_Source_Language_1=Swedish |Original_Source_Language__Code_1=SV |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Origina...")
 
No edit summary
Line 63: Line 63:
}}
}}


The Swedish DPA fined the Education Board in the City of Stockholm 800,000 SEK (around €68,324) for processing personal data through camera surveillance at Aspudden's school in violation of Article 5(1)(a), 5(1)(c), 6(1) and 13 GDPR.
The Swedish DPA fined the Education Board in the City of Stockholm 800,000 SEK (around €68,324) for processing personal data through camera surveillance at Aspudden's school in violation of Articles [[Article 5 GDPR|5(1)(a)]], [[Article 5 GDPR|5(1)(c)]], [[Article 6 GDPR|6(1)]] and [[Article 13 GDPR|13 GDPR.]]


== English Summary ==
== English Summary ==
Line 81: Line 81:
The Swedish DPA decided that the Board did not have a legal basis to process the surveillance data of the entire school. A legal obligation cannot constitute a legal basis for the processing of personal data if the obligation is too far-reaching and gives the controller too much freedom of discretion as to how to fulfil it, which the DPA considered to be the case with Chapter 5 of the Education Act.  
The Swedish DPA decided that the Board did not have a legal basis to process the surveillance data of the entire school. A legal obligation cannot constitute a legal basis for the processing of personal data if the obligation is too far-reaching and gives the controller too much freedom of discretion as to how to fulfil it, which the DPA considered to be the case with Chapter 5 of the Education Act.  


The DPA distinguished the complete surveillance of the school with the limited surveillance outside the toilets in premises belonging to the secondary school. The IMY decided that the Board had a legal basis under Article 6(1)(e) of the General Data Protection Regulation. This is because the surveillance covered a limited area just outside the door or entrance to the toilet area, which fulfilled the requirements of necessity and proportionality. However, the camera surveillance that took place beyond this area was more extensive than necessary, which is why there was no legal basis under [[Article 6 GDPR#1e|Article 6(1)(e) GDPR]] for the rest of the processing.
The DPA distinguished the complete surveillance of the school with the limited surveillance outside the toilets in premises belonging to the secondary school. The IMY decided that the Board had a legal basis under [[Article 6 GDPR|Article 6(1)(e)]] GDPR. This is because the surveillance covered a limited area just outside the door or entrance to the toilet area, which fulfilled the requirements of necessity and proportionality. However, the camera surveillance that took place beyond this area was more extensive than necessary, which is why there was no legal basis under [[Article 6 GDPR#1e|Article 6(1)(e) GDPR]] for the rest of the processing.


Since the processing concerned children who were obliged to be in school as part of their compulsory education, and school as well as employees are in a dependent relationship with their employer, the DPA assessed that the absence of a legal basis is such a violation of principle that the Board's processing has also been in violation of the principle of lawfulness in Article 5(1)(a) of the General Data Protection Regulation. IMY also assesses that the processing has taken place in contrary to the principle of data minimisation in Article 5(1)(c) of the GDPR because it included more personal data than necessary.
Since the processing concerned children who were obliged to be in school as part of their compulsory education, and school as well as employees are in a dependent relationship with their employer, the DPA assessed that the absence of a legal basis is such a violation of principle that the Board's processing has also been in violation of the principle of lawfulness in [[Article 5 GDPR|Article 5(1)(a) GDPR]]. The DPA also decided that the processing took place in contrary to the principle of data minimisation in [[Article 5 GDPR|Article 5(1)(c) GDPR]] because it included more personal data than necessary.


The Swedish DPA decided on the basis of Articles 58(2) and 83 GDPR that the Education Board of the City of Stockholm violated Articles 5(1)(a), 5(1)(c) and 6(1) and shall pay an administrative penalty fee of 800 000 (eight hundred thousand Swedish kronor).
The Swedish DPA decided on the basis of [[Article 58 GDPR|Articles 58(2)]] and [[Article 83 GDPR|83 GDPR]] that the Education Board of the City of Stockholm violated [[Article 5 GDPR|Articles 5(1)(a),]] [[Article 5 GDPR|5(1)(c)]] and [[Article 6 GDPR|6(1)]] and shall pay an administrative penalty fee of 800 000 (eight hundred thousand Swedish kronor).


Pursuant to Article 58(2)(d) of the GDPR, the Swedish Data Protection Authority orders
Pursuant to [[Article 58 GDPR|Article 58(2)(d)]] of the GDPR, the Swedish Data Protection Authority orders
the Education Board of the City of Stockholm to take measures in order ensure that the second information layer on the City of Stockholm's website contains information on the correct legal basis for the processing as well as information on the rights referred to in Article 13(2)(b) of the GDPR. The measures must be taken no later than four weeks after this decision has entered into force
the Education Board of the City of Stockholm to take measures in order ensure that the second information layer on the City of Stockholm's website contains information on the correct legal basis for the processing as well as information on the rights referred to in Article 13(2)(b) of the GDPR. The measures must be taken no later than four weeks after this decision has entered into force



Revision as of 10:14, 24 October 2023

IMY - DI-2021-5774
LogoSE.png
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: DI-2021-5774
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Swedish
Original Source: DI-2021-5774 (in SV)
Initial Contributor: sh

The Swedish DPA fined the Education Board in the City of Stockholm 800,000 SEK (around €68,324) for processing personal data through camera surveillance at Aspudden's school in violation of Articles 5(1)(a), 5(1)(c), 6(1) and 13 GDPR.

English Summary

Facts

The Swedish DPA received complaints that that Aspudden's school belonging to the City of Stockholm conducts extensive camera surveillance in large parts of the school and that no information about the camera surveillance and the personal data processing that surveillance entails was provided to guardians and students. In addition, there was another anonymous tip claiming that staff at the school were not provided with information about the camera surveillance and that there were no signs about the camera surveillance either.

The DPA launched an investigation against the Education Board in the City of Stockholm (the Board) as they held themselves out as controllers for the processing of personal data at the that takes place at Aspudden School.

The Board explained to the DPA that camera surveillance was introduced in the school in 2014 and was prompted by a number of fires in the school premises, sometimes several fires per day. The school has about 50 permanently mounted cameras equipped with fixed optics. The cameras monitor corridors, stairwells and halls in connection with doors, toilets and student lockers and are set up in large parts of the school. There is no surveillance in areas of the school to which the public has access to. The cameras are activated in case of movement and surveillance takes place around the clock with image recording. The purpose of the surveillance is to prevent and follow up on vandalism, abusive treatment, fire, burglary and other intrusion or other damage on school premises. The Board submitted summaries of incidents of offensive treatment that occurred in the school during the years 2018-2021 as well as a compilation of crimes and other events that occurred at the school during the period October 2018 to May 2022.

The Board claimed a legal basis under Article 6(1)(c) GDPR as Chapter 5 of the Education Act (2010:800) provides a right to a safe school environment for all pupils.

Holding

While the camera surveillance has been in place since 2014, the General Data Protection Regulation began to apply on 25 May 2018, The Swedish DPA’s assessment is, therefore, limited to the period from 25 May 2018 to 3 October 2023.

The Swedish DPA decided that the Board did not have a legal basis to process the surveillance data of the entire school. A legal obligation cannot constitute a legal basis for the processing of personal data if the obligation is too far-reaching and gives the controller too much freedom of discretion as to how to fulfil it, which the DPA considered to be the case with Chapter 5 of the Education Act.

The DPA distinguished the complete surveillance of the school with the limited surveillance outside the toilets in premises belonging to the secondary school. The IMY decided that the Board had a legal basis under Article 6(1)(e) GDPR. This is because the surveillance covered a limited area just outside the door or entrance to the toilet area, which fulfilled the requirements of necessity and proportionality. However, the camera surveillance that took place beyond this area was more extensive than necessary, which is why there was no legal basis under Article 6(1)(e) GDPR for the rest of the processing.

Since the processing concerned children who were obliged to be in school as part of their compulsory education, and school as well as employees are in a dependent relationship with their employer, the DPA assessed that the absence of a legal basis is such a violation of principle that the Board's processing has also been in violation of the principle of lawfulness in Article 5(1)(a) GDPR. The DPA also decided that the processing took place in contrary to the principle of data minimisation in Article 5(1)(c) GDPR because it included more personal data than necessary.

The Swedish DPA decided on the basis of Articles 58(2) and 83 GDPR that the Education Board of the City of Stockholm violated Articles 5(1)(a), 5(1)(c) and 6(1) and shall pay an administrative penalty fee of 800 000 (eight hundred thousand Swedish kronor).

Pursuant to Article 58(2)(d) of the GDPR, the Swedish Data Protection Authority orders the Education Board of the City of Stockholm to take measures in order ensure that the second information layer on the City of Stockholm's website contains information on the correct legal basis for the processing as well as information on the rights referred to in Article 13(2)(b) of the GDPR. The measures must be taken no later than four weeks after this decision has entered into force

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.