IMY (Sweden) - DI-2021-5774: Difference between revisions
No edit summary |
No edit summary |
||
| Line 76: | Line 76: | ||
The Board claimed a legal basis under [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]] as Chapter 5 of the Education Act (2010:800) provides a right to a safe school environment for all pupils. | The Board claimed a legal basis under [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]] as Chapter 5 of the Education Act (2010:800) provides a right to a safe school environment for all pupils. | ||
The Board also stated that, | The Board also stated that, in August 2021, new camera signs were put in place to better fulfil the data protection requirements of the General Data Protection Regulation. On the signs, which constitute the first layer, the Board informed the data subject that the Board conducts camera surveillance at the site, the purpose of the surveillance, that images without sound are recorded and the storage time for the recorded material. Furthermore, information is provided about the fact that the material may be handed over to the investigating authority in the event of a criminal investigation and that the data subject who is being monitored has the right to access their personal data and request that it be erased. The sign also contains contact details for the data controller and data protection officer. For further information information, the sign states to please refer to the City of Stockholm's website. On the City of Stockholm's website, which may be considered the second layer, the Board has information that camera surveillance that takes place in the school follows from a legal obligation, which constitutes the legal basis for the processing. The website contains further information on, among other things, who to contact in the event of questions about the camera surveillance and that you should contact the school or the the data protection officer with comments and complaints and the possibility of submitting a complaints to IMY. | ||
=== Holding === | === Holding === | ||
| Line 87: | Line 87: | ||
Since the processing concerned children who were obliged to be in school as part of their compulsory education, and school as well as employees are in a dependent relationship with their employer, the DPA assessed that the absence of a legal basis is such a violation of principle that the Board's processing has also been in violation of the principle of lawfulness in [[Article 5 GDPR|Article 5(1)(a) GDPR]]. The DPA also decided that the processing took place in contrary to the principle of data minimisation in [[Article 5 GDPR|Article 5(1)(c) GDPR]] because it included more personal data than necessary. | Since the processing concerned children who were obliged to be in school as part of their compulsory education, and school as well as employees are in a dependent relationship with their employer, the DPA assessed that the absence of a legal basis is such a violation of principle that the Board's processing has also been in violation of the principle of lawfulness in [[Article 5 GDPR|Article 5(1)(a) GDPR]]. The DPA also decided that the processing took place in contrary to the principle of data minimisation in [[Article 5 GDPR|Article 5(1)(c) GDPR]] because it included more personal data than necessary. | ||
The Swedish DPA decided that the first layer of information was adequate under [[Article 13 GDPR]]. <ref>DPA followed EDPB guidelines (Guidelines 3/2019) on Article 13 GDPR which state that the controller can use the controller can use a step-by-step approach to provide the information set out in the information set out in Article 13 of the GDPR. The information that is of most importance to the data subject should be presented even before the data subject enters the secure area, for example on a sign (the first layer of information). Other information can be presented in other ways, such as on a website or in a complete information sheet in a central location, such as an information desk or reception area (the second layer of information). </ref> However, the second layer on the city of Stockholm's website was not. For example, It is not clear from the information which provision in the Education Act | The Swedish DPA decided that the first layer of information was adequate under [[Article 13 GDPR]]. <ref>DPA followed EDPB guidelines (Guidelines 3/2019) on Article 13 GDPR which state that the controller can use the controller can use a step-by-step approach to provide the information set out in the information set out in Article 13 of the GDPR. The information that is of most importance to the data subject should be presented even before the data subject enters the secure area, for example on a sign (the first layer of information). Other information can be presented in other ways, such as on a website or in a complete information sheet in a central location, such as an information desk or reception area (the second layer of information). </ref> However, the second layer on the city of Stockholm's website was not. For example, It is not clear from the information which provision in the Education Act constituted the legal obligation. The DPA noted that incorrect information about the legal basis for processing can have consequences for the data subjects. For example, the right to object to the processing according to Article 21 of the the GDPR only applies to processing based on Article 6(1)(e) or (f) of the the GDPR and not when the processing is based on a legal obligation under Article 6(1)(c). | ||
basis for | |||
The Swedish DPA decided on the basis of [[Article 58 GDPR|Articles 58(2)]] and [[Article 83 GDPR|83 GDPR]] that the Education Board of the City of Stockholm violated [[Article 5 GDPR|Articles 5(1)(a),]] [[Article 5 GDPR|5(1)(c)]] and [[Article 6 GDPR|6(1)]] and shall pay an administrative penalty fee of 800 000 (eight hundred thousand Swedish kronor). | The Swedish DPA decided on the basis of [[Article 58 GDPR|Articles 58(2)]] and [[Article 83 GDPR|83 GDPR]] that the Education Board of the City of Stockholm violated [[Article 5 GDPR|Articles 5(1)(a),]] [[Article 5 GDPR|5(1)(c)]] and [[Article 6 GDPR|6(1)]] and shall pay an administrative penalty fee of 800 000 (eight hundred thousand Swedish kronor). | ||
Revision as of 11:19, 24 October 2023
| IMY - DI-2021-5774 | |
|---|---|
 | |
| Authority: | IMY (Sweden) |
| Jurisdiction: | Sweden |
| Relevant Law: | Article 5(1)(a) GDPR Article 5(1)(c) GDPR Article 6(1) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | DI-2021-5774 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Swedish |
| Original Source: | DI-2021-5774 (in SV) |
| Initial Contributor: | sh |
The Swedish DPA fined the Education Board in the City of Stockholm 800,000 SEK (around €68,324) for processing personal data through camera surveillance at Aspudden's school in violation of Articles 5(1)(a), 5(1)(c), 6(1) and 13 GDPR.
English Summary
Facts
The Swedish DPA received complaints that that Aspudden's school belonging to the City of Stockholm conducts extensive camera surveillance in large parts of the school and that no information about the camera surveillance and the personal data processing that surveillance entails was provided to guardians and students. In addition, there was another anonymous tip claiming that staff at the school were not provided with information about the camera surveillance and that there were no signs about the camera surveillance either.
The DPA launched an investigation against the Education Board in the City of Stockholm (the Board) as they held themselves out as controllers for the processing of personal data at the that takes place at Aspudden School.
The Board explained to the DPA that camera surveillance was introduced in the school in 2014 and was prompted by a number of fires in the school premises, sometimes several fires per day. The school has about 50 permanently mounted cameras equipped with fixed optics. The cameras monitor corridors, stairwells and halls in connection with doors, toilets and student lockers and are set up in large parts of the school. There is no surveillance in areas of the school to which the public has access to. The cameras are activated in case of movement and surveillance takes place around the clock with image recording. The purpose of the surveillance is to prevent and follow up on vandalism, abusive treatment, fire, burglary and other intrusion or other damage on school premises. The Board submitted summaries of incidents of offensive treatment that occurred in the school during the years 2018-2021 as well as a compilation of crimes and other events that occurred at the school during the period October 2018 to May 2022.
The Board claimed a legal basis under Article 6(1)(c) GDPR as Chapter 5 of the Education Act (2010:800) provides a right to a safe school environment for all pupils.
The Board also stated that, in August 2021, new camera signs were put in place to better fulfil the data protection requirements of the General Data Protection Regulation. On the signs, which constitute the first layer, the Board informed the data subject that the Board conducts camera surveillance at the site, the purpose of the surveillance, that images without sound are recorded and the storage time for the recorded material. Furthermore, information is provided about the fact that the material may be handed over to the investigating authority in the event of a criminal investigation and that the data subject who is being monitored has the right to access their personal data and request that it be erased. The sign also contains contact details for the data controller and data protection officer. For further information information, the sign states to please refer to the City of Stockholm's website. On the City of Stockholm's website, which may be considered the second layer, the Board has information that camera surveillance that takes place in the school follows from a legal obligation, which constitutes the legal basis for the processing. The website contains further information on, among other things, who to contact in the event of questions about the camera surveillance and that you should contact the school or the the data protection officer with comments and complaints and the possibility of submitting a complaints to IMY.
Holding
While the camera surveillance had been in place since 2014, the General Data Protection Regulation only began to apply on 25 May 2018, The Swedish DPA’s, therefore, limited their assesment to the period from 25 May 2018 to 3 October 2023.
The Swedish DPA decided that the Board did not have a legal basis to process the surveillance data of the entire school. A legal obligation cannot constitute a legal basis for the processing of personal data if the obligation is too far-reaching and gives the controller too much freedom of discretion as to how to fulfil it, which the DPA considered to be the case with Chapter 5 of the Education Act.
The DPA distinguished the complete surveillance of the school with the limited surveillance outside the toilets in premises belonging to the secondary school. The IMY decided that the Board had a legal basis under Article 6(1)(e) GDPR. This is because the surveillance covered a limited area just outside the door or entrance to the toilet area, which fulfilled the requirements of necessity and proportionality. However, the camera surveillance that took place beyond this area was more extensive than necessary, which is why there was no legal basis under Article 6(1)(e) GDPR for the rest of the processing.
Since the processing concerned children who were obliged to be in school as part of their compulsory education, and school as well as employees are in a dependent relationship with their employer, the DPA assessed that the absence of a legal basis is such a violation of principle that the Board's processing has also been in violation of the principle of lawfulness in Article 5(1)(a) GDPR. The DPA also decided that the processing took place in contrary to the principle of data minimisation in Article 5(1)(c) GDPR because it included more personal data than necessary.
The Swedish DPA decided that the first layer of information was adequate under Article 13 GDPR. [1] However, the second layer on the city of Stockholm's website was not. For example, It is not clear from the information which provision in the Education Act constituted the legal obligation. The DPA noted that incorrect information about the legal basis for processing can have consequences for the data subjects. For example, the right to object to the processing according to Article 21 of the the GDPR only applies to processing based on Article 6(1)(e) or (f) of the the GDPR and not when the processing is based on a legal obligation under Article 6(1)(c).
The Swedish DPA decided on the basis of Articles 58(2) and 83 GDPR that the Education Board of the City of Stockholm violated Articles 5(1)(a), 5(1)(c) and 6(1) and shall pay an administrative penalty fee of 800 000 (eight hundred thousand Swedish kronor).
Pursuant to Article 58(2)(d) of the GDPR, the Swedish Data Protection Authority orders the Education Board of the City of Stockholm to take measures in order ensure that the second information layer on the City of Stockholm's website contains information on the correct legal basis for the processing as well as information on the rights referred to in Article 13(2)(b) of the GDPR. The measures must be taken no later than four weeks after this decision has entered into force
Comment
Note that the Administrative Court of Appeal in Stockholm ruled that it is not Article 13 of the Data Protection Regulation but rather Article 14 that should be applicable to the processing of personal data through camera surveillance. IMY has appealed against that judgement to the Supreme Administrative Court (Case No 870-23). The judgment of the Administrative Court of Appeal has thus not gained legal force and is not applicable to this decision.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
- ↑ DPA followed EDPB guidelines (Guidelines 3/2019) on Article 13 GDPR which state that the controller can use the controller can use a step-by-step approach to provide the information set out in the information set out in Article 13 of the GDPR. The information that is of most importance to the data subject should be presented even before the data subject enters the secure area, for example on a sign (the first layer of information). Other information can be presented in other ways, such as on a website or in a complete information sheet in a central location, such as an information desk or reception area (the second layer of information).
