IP (Slovenia) - 0611-10/2021/11

From GDPRhub
IP (Slovenia) - 0611-10/2021/11
LogoSI.png
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 6(1)(f) GDPR
Personal Data Protection Act (ZVOP-1)
Type: Investigation
Outcome: Violation Found
Decided: 21.05.2021
Published: 15.06.2021
Fine: None
Parties: n/a
National Case Number/Name: 0611-10/2021/11
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Slovenian
Original Source: GDPR planet (via iP) (in SL)
Initial Contributor: GDPR+

The Slovenian DPA held that a bar owner does not have a legitimate interest in monitoring the various rooms and outdoor terrace of the bar with video surveillance, but does have a have a legitimate interest in monitoring the bar counter and bar entrance. Accordingly, the DPA gave the bar fifteen days to adjust the viewing angles of its surveillance cameras to record only the counter and entrance.

English Summary[edit | edit source]

Facts[edit | edit source]

During the inspection procedure, the IP established that the controller was carrying out video surveillance at a bar. An outdoor camera recorded the entrance and the outdoor terrace. The first indoor camera captured the server rooms and the bar counter and the right side of the building. The second indoor camera captured the server rooms and the left side of the facility.

Holding[edit | edit source]

The Slovenian DPA (IP) held that a bar owner does not have a legitimate interest in monitoring the various server rooms and outdoor terrace of the bar with video surveillance, but does have a have a legitimate interest in monitoring the bar counter (where bottles of higher value and the cash register are contained) and the bar entrance. Accordingly, the DPA gave the bar fifteen days to adjust the viewing angles of its surveillance cameras to record only the counter and entrance.

The DPA explained that video surveillance is the processing of personal data (Article 4(2) GDPR) and the operator of video surveillance is responsible for complying with the principles set out in Article 5 GDPR, including data minimization, purpose limitation and storage limitation. In assessing the adequacy of procedures and measures to ensure an adequate level of security of personal data, the bar must also comply with Article 32 GDPR, which provides that controllers and processors shall ensure a level of data security appropriate to risks to the rights and freedoms of individuals by, for example, endeavoring to maintain the confidentiality of data subjects.

According to national law (ZVOP-1), video surveillance of a business premises may be carried out for the safety of people or property, to ensure control of entry into or exit from or from business or business premises, or if, due to the nature of the work, there is a possibility of endangering employees. Thus, the bar has a legitimate interest, as recognized in Article6(1)(f) GDPR, in processing data limited to those purposes. In contrast, there is no provision allowing for the general surveillance of employee workplaces, such as server rooms, if the protection of people in these workplaces can be achieved by milder means. The interest of the bar manager in securing the bar rooms also does not outweigh the interests and freedoms of bar guests. The IP thus concluded that there is no legitimate interest, based in a need for data processing, for video surveillance of spaces where guests are located and where employees work.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.

Number: 0611-10 / 2021/11

Date: May 21, 2021


Information Commissioner (hereinafter: IP) by an authorized official, State Supervisor for Personal Data Protection…, pursuant to Articles 2 and 8 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/2205, 51/2007 – ZUstS- Hereinafter: ZInfP), Article 54 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 94/07-UPB1, 177/20, hereinafter: ZVOP-1), Articles 29 and 32 of the Inspection Act supervision (Official Gazette of the Republic of Slovenia, No. 43/07 - UPB1, hereinafter: ZIN) and Article 58 (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (the General Data Protection Regulation, hereinafter "the General Regulation"), in the case of inspections of the implementation of the provisions of ZVOP-1 and the General Regulation in… (Registration number:…, hereinafter: the liable party) is issued ex officio



DECISION



1.The liable party… must , within fifteen (15) days of service of this decision:

adjust the viewing angle of the outdoor camera, which records the entrance and the outdoor terrace - garden, so that it will record only the entrance to the building;

adjust the viewing angle of the first indoor camera, which records the server rooms and the bar counter, and the right side of the building so that it will record only the cash register or the narrowest part of the bar counter, where the property has a higher value;

stop recording with another internal camera with which it records server rooms and covers the left side of the building and the room where it is located… .

2.The liable party must notify the Information Commissioner in writing of the implemented measures referred to in point 1 of the operative part of this decision no later than five (5) days after the elimination of the irregularity . The notification must also contain statements and evidence that the liable party has implemented the measures referred to in point 1 of the operative part of this decision and in what manner they have implemented them.

3.The body did not incur any special costs in this procedure, and the liable party itself bears its own costs of the inspection procedure.


Explanation



I. Indication of the provisions on which the decision is based:


The IP initiated an ex officio inspection procedure against the taxpayer over the implementation of the provisions of ZVOP-1 and the General Regulation due to the implementation of video surveillance at the taxpayer's premises at


Article 4 (1) of the General Regulation defines personal data as “ any information relating to an identified or identifiable individual; an identifiable individual is one who can be identified directly or indirectly, in particular by indicating an identifier such as name, identification number, location data, web identifier, or by indicating one or more factors specific to the physical, physiological, genetic , the mental, economic, cultural or social identity of that individual ”and defines health data as“ personal data relating to an individual’s physical or mental health, including the provision of health services, and disclosing information about his or her health status ”.


Article 4 (2) of the General Regulation defines the processing of personal data as “ any act or series of acts carried out in relation to personal data or sets of personal data with or without automated means, such as the collection, recording, editing, structuring, storing, adapting or modifying, retrieving, viewing, using, disclosing through mediation, disseminating or otherwise making available, adapting or combining, restricting, deleting or destroying ” .


Not all personal data in themselves enjoy protection under ZVOP-1 and the General Regulation, but they receive this protection only in the case of the processing of personal data in whole or in part by automated means and for processing other than automated means in the case of for personal data which form part of a personal data file or are intended to form part of a personal data file (Article 2 (1) of the General Regulation).


The processing of personal data is lawful only if the conditions set out in Article 6 of the General Regulation are met and when it is in accordance with the purpose of the collection of personal data. The personal data controller must therefore have an appropriate legal basis for the lawful processing of personal data. These are set out in Article 6 (1) of the General Regulation, which provides that processing is lawful only in so far as at least one of the following conditions is met:


(a)the data subject has consented to the processing of his or her personal data for one or more specific purposes;
(b)processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of measures at the request of such data subject before the conclusion of the contract;
(c)processing is necessary to fulfill the legal obligation applicable to the controller;
(d)processing is necessary to protect the vital interests of the data subject or other natural persons;
(e)processing is necessary for the performance of a task in the public interest or in the exercise of public authority conferred on the controller;
(f)processing is necessary for legitimate interests pursued by the controller or a third party, except where such interests are outweighed by the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data, in particular where the data subject personal data relating to the child.

Point (f) of the first subparagraph shall not apply to processing by public authorities in the performance of their tasks.


Such processing of personal data occurs in the case of the introduced video surveillance system, as the video surveillance system represents the processing of personal data of individuals.


Video surveillance is thus the processing of personal data as provided for in point (2) of Article 4 of the General Regulation .


Article 5 (2) of the General Regulation emphasizes the principle of operator responsibility.


The operator is responsible for compliance with all the principles set out in the first paragraph of Article 5 of the General Regulation and is also able to demonstrate this compliance (principle of liability). The principles relating to the processing of personal data deriving from the first paragraph are: legality, fairness and transparency, purpose limitation, minimum amount of data, accuracy, retention limitation, integrity and confidentiality.


Personal data collected for specified, explicit and legitimate purposes may not be further processed in a way incompatible with those purposes (Article 5 (1) (b) of the General Regulation). In accordance with the principle of liability (Article 5 (2) of the General Regulation), the data subject, who is the controller of personal data generated by video surveillance, must respect all the principles set out in Article 5 (1) of the General Regulation, in particular the minimum data  principle and the storage restrictions and to ensure that the personal data it processes are relevant, relevant and limited to what is necessary for the purposes for which they are processed.


Regarding the implementation of video surveillance by an individual, it should also be clarified that according to the first paragraph of Article 7 of ZVOP-1, the provisions of this Act do not apply to personal data processing performed by individuals exclusively for personal use, family life or other domestic needs. A similar provision is contained in point (c) of Article 2 (2) of the General Regulation. Video surveillance performed by an individual on his real estate is thus generally considered to be the processing of personal data for personal use and domestic needs, except in the case when it also records public areas, space not owned by the individual performing video surveillance, common areas of a multi-apartment building or performs video surveillance over the areas at the address where the performance of business activity is also registered.


Regarding the video surveillance notification :


Whoever performs video surveillance must publish a notice to this effect (Article 74 of ZVOP-1) . The notice must be published in a visible and distinct manner in a way that enables the individual to become acquainted with its implementation at the latest when video surveillance is carried out on it. Such notification must therefore contain the following information:


1.that video surveillance is carried out;
2.the name of the private sector entity performing it;
3.telephone number to obtain information on where and for how long the recordings from the video surveillance system are stored.

In addition to this information, the taxpayer must provide the information from which he collects personal data, including those under video surveillance, as provided in Article 13 of the General Regulation.


Regarding personal data protection :


In the field of personal data protection, ZVOP-1 still applies, which in Article 24 determines the subject of personal data protection , namely that personal data protection includes organizational, technical and logical-technical procedures and measures to protect personal data. accidental or intentional unauthorized destruction, alteration or loss of data and unauthorized processing of such data by:


1.protect premises, equipment and system software, including input-output units;
2.protects the application software with which personal data is processed;
3.prevents unauthorized access to personal data during their transfer, including transmission via telecommunications and networks;
4.provides an effective way to block, destroy, delete or anonymize personal data;
5.enables later determination of when individual personal data were entered into the personal data file, used or otherwise processed and who did so, for the period when legal protection of the individual's right due to inadmissible transmission or processing of personal data is possible.

Pursuant to point 5 of the first paragraph of Article 24 of ZVOP - 1, personal data protection thus comprises organizational, technical and logical-technical procedures and measures by which personal data are protected, prevents accidental or intentional unauthorized destruction of data, their alteration or loss and unauthorized processing of such data in such a way as to enable it to be established at a later stage when individual personal data were entered into the personal data file, used or otherwise processed and who did so, for a period when legal protection of the individual's rights due to inadmissible transmission or processing personal data.


In the case of the processing of personal data accessible via a telecommunication means or network, the hardware, system and application software must ensure that the processing of personal data in personal data files is within the limits of the authorization of the user of personal data.


Procedures and measures for the protection of personal data must be appropriate to the risk posed by the processing and the nature of certain personal data being processed.


In addition to the provision on the subject of insurance, ZVOP-1 in the first paragraph of Article 25 also stipulates the duty to protect personal data, namely that personal data controllers and contractual processors are obliged to provide personal data protection in the manner referred to in Article 24 ZVOP-1 .


In assessing the adequacy of procedures and measures to ensure an adequate level of security of personal data, the provision of Article 32 of the General Regulation , which provides that, taking into account the latest technological developments and implementation costs and the nature, scope, circumstances and purposes of processing, as well as risks to the rights and freedoms of individuals that vary in likelihood and severity, the controller and the processor shall ensure an appropriate level of security in relation to the risk by implementing appropriate technical and organizational measures, including, inter alia, the following measures:


a)pseudonymization and encryption of personal data;
b)the ability to ensure the continued confidentiality, integrity, accessibility and resilience of processing systems and services;
c)the ability to recover in a timely manner the availability and access to personal data in the event of a physical or technical incident;
d)the process of regular testing, evaluation and evaluation of the effectiveness of technical and organizational measures to ensure the security of processing.

In determining the appropriate level of security, particular account shall be taken of the risks posed by processing, in particular as a result of accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed.


According to point 5 of the first paragraph of Article 24 of ZVOP-1, a legal or natural person performing video surveillance must provide records of video surveillance,on the basis of which it will be possible to later determine when individual personal data (videos) from the records of the video surveillance system were used or otherwise processed and who did so, for the period when legal protection of individual rights due to inadmissible transmission or processing of personal data . The video review records must show the following for each video review: the date and time of the review, the name of the persons who reviewed the recordings, the name of the company or the authority where those persons are employed and the reason for the inspection. Viewing videos can be recorded by a computer program, so it is run automatically, but it can also be run manually.


In accordance with the above-cited article, the liable party is also obliged to keep records of video reviews.


According to the third paragraph of Article 22 of ZVOP-1 , the personal data controller must ensure for each transfer of personal data that it is possible to later determine which personal data were transferred, to whom, when and on what basis, for a period when possible legal protection of the right of the individual due to inadmissible transmission of personal data .


The video surveillance system must be secured against access by unauthorized persons (fifth paragraph of Article 74 of ZVOP-1). The controller must also ensure the traceability of the processing, ie be able to prove that the processing of personal data takes place in accordance with the General Regulation and ZVOP-1 (eg viewing, transmission of videos) and designate authorized persons to manage the video surveillance system and video collection. Articles 24 and 25 of ZVOP-1, Articles 32 and 24 of the General Regulation).



II. IP findings and explanations and positions of the obligor:


As a preliminary point, IP emphasizes that in the inspection procedure in question it establishes the legality of the processing of personal data generated by the introduced video surveillance system at the debtor's business unit, namely … . In accordance with the above, all official documents are served at the address where the debtor's business unit is located and where the inspection is carried out.


In the inspection procedure, the liable party was reminded that he was obliged to state the truth in the procedure before the IP. The taxpayer explained that:


does not currently carry out any activities at…, as operations against COVID-19 have been closed since…;
… Otherwise operates from…;
video surveillance is carried out from… for the safety of employees, customers and for the protection of property;
the control system operator is an undertaking…, which is also written on the sticker on the door, has access to the video surveillance system and recordings exclusively…,…;
the video surveillance system was installed…;
there is no external security service;
the video surveillance system is implemented with… cameras:

a) the outdoor is a garden for which we pay an annual rent…. It is installed for vandalism, protection of staff and customers;

b) an internal camera recording…. It is installed to protect assets, control cash flow, and protect staff and customers;

c) an indoor camera covering the space where… is located. It is installed due to vandalism over…, to protect customers and staff;


the public area is not filmed, the pavement is filmed, for which the taxpayer also pays the annual rent and on which chairs and tables are placed for performing… activities;
camcorders do not transmit sound, nor do they rotate and are fixed;
the recordings are available exclusively in the warehouse…. The recordings can only be accessed using a computer when it is connected to the recorder. This is only possible in the warehouse… at the address…. The image cannot be monitored outside our premises, nor can the image be monitored without a connected computer.
access to videos is protected by username and password;
the recordings are kept for… days, then deleted automatically;
the recordings of the video surveillance system are inspected in case of theft, damage to property, quarrels, fights, etc. This has happened only once since the introduction of the video surveillance system, which is recorded in the log of insights into the video surveillance system;
the recordings are transmitted only to an official person, the event is recorded in the records of the transmission of recordings;
external visitors are informed about the implementation of video surveillance by a notification about the implementation of video surveillance.

During the inspection procedure, the liable party submitted:


camera photos and camera screenshots;
Notice on the implementation of video surveillance;
Account no. … Dated… for lease… for the year… from…;
Logbook of insights into the video surveillance system;
Recording log;
Rules on the protection of personal data in the implementation of video surveillance of…;
List of camera locations.

To inform the liable party of the findings in the inspection procedure and to request clarification before decision no. … Dated… the obligor further clarified that he had informed the employees about video surveillance from the first day of implementation, ie from… onwards, that the introduction of video surveillance was also based on the request of employees for their safety and that he informed employees in writing on… or the latter confirmed in writing, with their signature on… the acquaintance with the video surveillance system, on the statement submitted by the liable party during this procedure.


He went on to explain that… has been operating since… as a place where alcoholic beverages are also served. In the course of their operations, after… years, they found that they needed additional solutions to prevent violent riots by guests for the safety of employees and property. In the past, the taxpayer has suffered damage to the inventory several times, even several times a year. The taxpayer also stated that on… he forwarded a video surveillance camera recording to the police station due to…. He cannot hire a security service due to high costs. It considers that, for those reasons, there is a legal basis for the introduction of video surveillance in indoor areas… pursuant to Article 6 (1) (d) and Article 6 (1) (f) of the General Regulation. However, on entering…, guests shall, in accordance with the video surveillance notification, give their consent pursuant to Article 6 (1) (a) of the General Regulation, as


The taxpayer explained that he had additionally adjusted the angle of view of the outdoor camera, which records the entrance and the outdoor terrace - the garden in such a way that it covers only the entrance and the terrace, and the part where vehicles or sidewalks can be parked is completely excluded. which passers-by also walk on. The camera is thus focused only on the tables and chairs that are in use by the bar. Also, outside obvesti, in order to access the outdoor terrace, he installed additional notices on the implementation of video surveillance, so that the guest by entering the terrace or bar gives the appropriate consent. The taxpayer also submitted a screen image of the external camera with a blackened part of the screen image, a list of employees who signed a statement of acquaintance with the introduced video surveillance system and a photo… from left and right with a notice warning guests about the introduced video surveillance.


The IP thus established the following facts during the inspection procedure :


from the inspection of the Business Register at the Agency of the Republic of Slovenia for Public Legal Records and Related Services it follows that the liable party has…, at the address…, where the inspection procedure in question is performed;
the liable party carries out video surveillance from… for the safety of employees, customers and for the protection of property on the basis of Articles 75 and 77 of ZVOP-1 and the legitimate interest of the operator (Article 6 (1) (f) of the General Regulation);
the control system operator is the undertaking…, has exclusive access to the video surveillance system and recordings pos;
the video surveillance system mounted…;
the taxpayer does not have an external security service;
the video surveillance system is carried out at the address… with… cameras, it follows from the List of camera locations that:

a) an outdoor camera records the entrance and the outdoor terrace - garden;

b) the first indoor camera captures the server rooms and the bar counter and the right side of the building;

c) another indoor camera captures the server rooms and covers the left side of the facility; and…;


the taxpayer removes the sidewalk rented from…, which is derived from Invoice no. … Of… for the lease of public spaces for the year… from…;
camcorders do not transmit sound, nor do they rotate and are fixed;
access to videos is protected by a username and password;
recordings are stored for… days, then deleted automatically;
recordings of the video surveillance system are inspected in case of theft, damage to property, quarrels, fights;
the notice on the implementation of video surveillance “ … ” is located before entering the facility of the liable party where the video surveillance is performed. The following information can be seen from the video surveillance warning: information that video surveillance is being carried out; the name of the private sector person performing the video surveillance (() and the telephone number for obtaining information on where and for how long the recordings from the video surveillance system (…) are stored;
the liable party keeps the Records of the use of the video surveillance system and the Records of the transmission of recordings of the video surveillance system;
it follows from the Record of Insights that the inspection was carried out once, on… at… uri, and from the Record of the transmission of video surveillance recordings it follows that the recordings were transmitted on… at… uri…;
access to the review of recordings retrospectively and the transmission of recordings of the video surveillance system is provided only… with a username and password;
the taxpayer has adopted the Rules on the protection of personal data in the implementation of video surveillance of…


I.Regarding the recording of premises that enable access to official office or business premises (Article 75 of ZVOP-1):

The taxpayer is explained that Article 75 of ZVOP-1 regulates the conditions for the introduction of video surveillance of access to business premises, and Article 77 regulates the control of the premises themselves. In the latter case, the conditions for the introduction of such control are significantly stricter due to a greater invasion of employee privacy.


Video surveillance of access to business premises (Article 75 of ZVOP-1) may be carried out for the safety of people and property, ensuring control of entry and exit or if there is a possibility of endangering employees. The competent or authorized person shall make a written decision on the introduction of video surveillance with explained reasons, and must inform all employees who perform work in the supervised area in writing. Personal data collected through videos may be kept for a maximum of one year after creation.


In accordance with the provisions of Article 75 of ZVOP-1, video surveillance of access to official office or business premises may be carried out if necessary:


for the safety of people or property,
to ensure control of entry into or exit from or from business or business premises, or
if, due to the nature of the work, there is a possibility of endangering employees.

The decision to introduce video surveillance shall be made by a competent official, head, director or other competent or authorized individual of a public sector person or a private sector person. In its decision, which must be made in writing, it must properly explain the reasons for the introduction of video surveillance for each installed video camera separately. Cameras which, by reason of their position, are clearly not already intended for access control cannot be placed on this basis, but if they are, they must be removed. The need to protect people and property must be demonstrated, in particular by placing cameras in front of parts of the building where large assets are located (eg a warehouse) or which otherwise need to be protected (eg due to the discovery of classified information). It is also not permitted to install such video surveillance solely for the purpose of controlling the use of working time,



II.Regarding the recording of the remaining premises, which are also working premises:

Article 77 of ZVOP-1 allows the implementation of video surveillance of workplaces only in exceptional cases when it is absolutely necessary for the safety of people or property or for the protection of classified information and business secrets, and this purpose cannot be achieved by milder means . The provision therefore allows the introduction and implementation of video surveillance in private sector workplaces, but only if it is necessary to protect specific subjects and objects of protection : human security, security of property, protection of classified information and protection of business secrets. the second condition set out in Article 77 of ZVOP-1 is met, ie that the insurance of these specific subjects and facilitiescannot be achieved by milder measures . The law therefore explicitly lists who and what and why can be protected, so other purposes are not permissible, such as the implementation of video surveillance to check the work of employees.


The purpose of the strict provision of Article 77 of ZVOP-1 is the protection of an individual's privacy , which must also exist in the workplace and must not be interfered with excessively or disproportionately. In the present case, the liable party stated that by ensuring video surveillance of the interior of the premises, it ensures the safety of employees, customers and property.


In this sense, ZVOP - 1 separated Articles 75 and 77 from the point of view of expected privacy, as the average individual expects a higher level of privacy inside the bar than at the door of the bar or at the very entrance. Video surveillance inside the work premises, in this case video surveillance of tables in the bar, means a significantly greater encroachment on the privacy of employees (and at the same time guests) than video surveillance, which is carried out only at the front door.



III.Legitimate interest as a legal basis for the lawful processing of personal data
(Article 6 (1) (f) of the General Regulation):


In assessing the adequacy of a legitimate interest as a legal basis (point (f) of Article 6 (1) of the General Regulation), a three-stage test must be carried out , taking into account the criteria of reasonable expectation of data subjects in relation to their controller :


1.The existence of a legitimate interest (legal, economic, immaterial), whereby its existence must be realistic and must exist at the time of the assessment of the legality of the purpose.

2.Necessity of processing; the processing and personal data collected must be relevant and limited in relation to the achievement of the purpose - video surveillance should be the last resort; this also includes the decision on the method of video surveillance, which depends on the purpose.

Before installing a video surveillance system, the operator must always critically examine whether this measure is first appropriate to achieve the legitimate aim and whether it is appropriate and necessary to achieve the purposes. The implementation of video surveillance should be chosen only if the purpose of the processing could not reasonably be achieved by other means that less infringe on the fundamental rights and freedoms of the data subject.


In cases where the operator wishes to prevent offenses related to the protection of his property, he may, instead of installing a video surveillance system, take alternative security measures, such as engaging a security service, providing better lighting, installing security locks, security windows and doors… These measures can be just as effective as video surveillance systems against burglary, theft and vandalism.


3.Weighing the interests of the manager and the individual - the manager must demonstrate that his legitimate interest prevails over the interests or. fundamental rights and freedoms of the individual or employee.

It should be borne in mind that this assessment is different from case to case, the impact of interference with the fundamental human rights and freedoms of individuals is decisive, and it is also necessary to take into account reasonable expectations of the privacy of data subjects. manager - an objective view or criterion on reasonable expectations from the point of view of a third party.


It should be borne in mind that this assessment varies from case to case, the impact of interference with the fundamental human rights and freedoms of individuals is decisive, while also taking into account “reasonable expectations of the privacy of data subjects in relation to their relationship. to the operator ”- an objective view or criterion on reasonable expectations from the point of view of a third party. The criterion of balancing the interests of the controller / third party and the individual is assessed together with recital 47 of the General Regulation, which defines the reasonable expectation of data subjects in relation to their relationship with the controller .


A reasonable expectation of an individual's privacy is that there is no video surveillance over him when he is in public places , especially if they are typically used for regeneration or leisure activities in places where individuals gather and / or communicate, e.g. behind a table in restaurants , parks, cinemas, gyms, etc. [1]



IV.IP assessment regarding the demonstrated legal basis for lawful processing of personal data:

In assessing the criterion of legitimate interest, IP decided that video surveillance of guests at the taxpayer, which the taxpayer carries out with both internal cameras and an external camera with which he records the terrace, does not pass the above three-stage test, as in this case the existence of legitimate interest. where guests are located does not exist (eg behind tables where guests sit in… or on the terrace).


The taxpayer justified the video surveillance of guests in the premises… and in the garden with an outdoor camera with a legitimate interest in the safety of people and property, but it should be borne in mind that it is partly also work premises, at least in the immediate area. while the legitimate interest of the taxpayer (protection of property) in relation to the above explained in this section prevails over the expected privacy of employees in the workplace person, in so far as person with a video surveillance system to protect property, located in the immediate vicinity of the dispensing counter (drink more value , cash register, etc.).


Regarding the allegations of the taxpayer that he performs video surveillance in… and on the terrace also on the basis of the consent of individuals (both guests and employees), as guests by entering so or on the terrace and notification of video surveillance give their consent, consent of…, the following should be emphasized.


The legislation in question does not require the consent of employees for the lawful implementation of video surveillance, but their written acquaintance with the introduced video surveillance, and the taxpayer must demonstrate that video surveillance was introduced on the basis of ZVOP-1 and the principles of the General Regulation. regardless of the possible consents of the employees, they cannot provide a legal basis for the introduced video surveillance, which is not in accordance with the purpose envisaged by the legislator as permissible and legal.


The consents of employees, from which it would explicitly follow that they also agree with the recording of workplaces or jobs, cannot have such legal validity that the recording of jobs that do not meet all the conditions from Article 77 of ZVOP-1 would be admissible or pursued. admissible purpose and have a legal basis, would be contrary to the cogent provisions of the legislator, as the implementation of video surveillance of workplaces is permissible only in exceptional cases, when it is absolutely necessary to insure specific subjects and objects of protection, with more lenient measures to achieve the same purpose are not possible.


Mere notice of the implementation of video surveillance before entering the facility or the area where video surveillance is performed, the purpose of which is to acquaint individuals with the implementation of video surveillance and provide them with contact information on which personal data controller (video surveillance provider) and how (phone number) however, the information which the controller must provide in accordance with Article 13 of the General Regulation cannot be sufficient for the purpose of informing the individual of all the elements of the processing of his personal data which the controller must give for the individual's valid consent.


It should also be noted that the legal basis for the " consent of the individual " as set out in Article 6 (1) (a) of the General Regulation, according to which the data subject consents to the processing of his or her personal data for one or more specific purposes, it must be given in accordance with the conditions laid down in Article 7 of the General Regulation. Consent should be given by clear affirmative action, which means that the data subject has voluntarily, specifically, knowingly and unambiguously given his or her consent to the processing of personal data concerning him or her, such as in writing, also by electronic means. means, or an oral statement. [2]Consent should cover all processing activities carried out for the same purpose or purposes. Where processing is multipurpose, consent should be given for all processing purposes. If the consent of the data subject is given on the basis of a request by electronic means, the request must be clear and precise, and must not unnecessarily impede the use of the service for which it is provided. The burden of proving that consent has been given is on the personal data controller, who must be able to prove that the data subject has consented to the processing of his or her personal data.


Article 7 of the General Regulation further provides that the data subject has the right to withdraw his or her consent at any time. Withdrawal of consent does not affect the lawfulness of processing on the basis of consent prior to its withdrawal. The data subject shall be informed of this prior to consent. Consent must be as easy to revoke as to give. In determining whether consent has been given voluntarily, account shall be taken, inter alia, of whether the performance of the contract, including the provision of the service, is conditional on consent to the processing of personal data which is not necessary for the performance of the contract in question.


In addition, according to the data subject, it should be noted that Article 6 (1) (d) of the General Regulation provides as a reason for lawful processing of personal data cases where the processing is necessary to protect the vital interests of the data subject, or other natural persons, which means to protect the interest which is essential for the life of the data subject or for the life of another natural person. The processing of personal data on the basis of the vital interests of another natural person could in principle only be carried out where the processing cannot manifestly be carried out on another legal basis. Certain types of processing may serve both important reasons in the public interest and the vital interests of the data subject, for example when the processing is necessary for humanitarian purposes,


It follows that the purpose of this reason as one of the possible reasons or legal grounds for lawful processing of personal data stated by the taxpayer is not to protect the lives of individuals who are employees and guests… as business units of the taxpayer, where the taxpayer performs as main activity … The latter cannot be considered as a dangerous activity for individuals in which the vital interests of individuals should be protected, and in the private sector there is a legal basis for lawful processing of personal data in the implementation of video surveillance, namely the legitimate interest of the controller. the reasons already mentioned above.


However, the liable party has not demonstrated the justification of the reasons set out in Article 77 of ZVOP-1 for recording workplaces, ie the condition that the introduction of such video surveillance outside the specific place of recording… and cash register would be necessary for the safety of people or property. or for the protection of classified information and business secrets, and this purpose cannot be achieved by milder means, nor is there a legitimate interest (Article 6 (1) (f) of the General Regulation) as a legal basis for the lawful processing of personal data inside… and terraces according to the above three-stage test.


The taxpayer's allegations that the introduced video surveillance protects the lives of employees and guests must be explained that video surveillance as such cannot provide a sufficient preventive effect in preventing violent riots and acts, at least not to the extent that it could be considered the only effective way to prevent riots or other acts of violence.


If the taxpayer deems that such acts are frequent and in such a form as to endanger the lives of individuals, he must introduce other, preventive and protective measures, such as the presence of a security service, etc., which he himself stated, whereby the economic reason for the cost such security services or other appropriate measures is not sufficient to introduce a video surveillance system on the basis of a legitimate interest as a legal basis for the lawful processing of personal data generated by the introduced video surveillance system.


In accordance with the provisions of Article 75 of ZVOP-1, the liable party has demonstrated the conditions for the introduction of video surveillance regarding access to official office or business premises , namely regarding the recording of:


with an external camera that records the entrance to the facility to ensure the safety of people or property and to ensure control of entry or exit to or from business or business premises, the taxpayer during the inspection procedure adjusted the angle of this camera by recording the entrance to building and outdoor terrace - garden and no longer records the sidewalk and passers-by, but IP notes that according to the three-stage test of legitimate interest has not shown a legal basis (Article 6 (1) (f) of the General Regulation) for the recording of outdoor terrace - garden , becausedid not demonstrate a legal basis for the recording of the public space, even if it rents it, as it also records guests by recording chairs and tables on the outdoor terrace, with a legitimate interest as provided for in point (f) of Article 6 (1) of the General Regulation. (protection of the lives of employees and guests) has not been demonstrated to such an extent that it would prevail over the interest of individuals or the expected privacy of guests in…

The liable party will thus have to adjust the viewing angle of the outdoor camera, which records the entrance and the outdoor terrace - garden, so that it will only record the entrance to the building, as follows from point 1 of the operative part of this decision.


The liable party informed the employees (…,… and…) in writing about the recording in accordance with the provision of the third paragraph of Article 75 of ZVOP-1 by a letter “ … ” dated…. The taxpayer explained that he informed the employees about the implementation of video surveillance, which was introduced on… when the video surveillance system was introduced, which he also introduced at the request of employees, and informed employees in writing of the letter " … " dated … And the signatures of all employees (…,…,…), explaining that the date on the letter " … " dated na and received by IP on… is incorrectly dated and reads correctly …


In accordance with the above and based on the explanations provided by the taxpayer, the taxpayer is informed that the reasons for the introduced video surveillance system by which the taxpayer also records jobs inside… and consequently employees and guests, in accordance with the provisions of 77 Article ZVOP-1, otherwise proved for the protection of property, but not to such an extent that the angles of both internal cameras cover the entire area… in a way that interferes with the expected privacy of employees at work and guests.


These are two cameras, namely:


the first internal camera, which records server rooms and a bar counter, and the right side of the building, in respect of which the taxpayer will have to adjust the viewing angle of this camera so that he will record only the cash register or the narrowest part of the bar counter where the property is of greater value;

another internal camera that records the server rooms and covers the left side of the building and the room where it is located… in respect of which the liable party will have to stop recording, as the IP found that during the inspection procedure it did not show a legal basis for legal recording.

The taxpayer informed the employees (…,… and…) in writing about the recording of work premises in accordance with the provision of the fourth paragraph of Article 77 of ZVOP-1 by letter " … ", dated…. The taxpayer explained that he informed the employees about the implementation of video surveillance, which was introduced on… when the video surveillance system was introduced, which he also introduced at the request of employees, and informed employees in writing of the letter " … " dated … And the signatures of all employees (…,…,…), explaining that the date on the letter " … " dated na and received by IP on… is incorrectly dated and reads correctly ….


III. Conclusion:


Point (d) of Article 58 (2) of the General Regulation provides that the supervisory authority shall order the controller to bring the processing operations, where appropriate, in a specified manner and within a specified period to comply with the provisions of the General Regulation.


According to the reasons, the taxpayer had to, on the basis of Articles 2 and 8 of the ZInfP, point 1 of the first paragraph of Article 54 of ZVOP-1, the first paragraph of Article 32 of the ZIN and point (d) of Article 58 (2) of the General Regulation, order the elimination of the identified irregularities.


The liable party… must , within fifteen (15) days of service of this decision:


adjust the viewing angle of the outdoor camera, which records the entrance and the outdoor terrace - garden, so that it will record only the entrance to the building;

adjust the viewing angle of the first indoor camera, which records the server rooms and the bar counter, and the right side of the building so that it will record only the cash register or the narrowest part of the bar counter, where the property has a higher value;

stop recording with another internal camera with which it records server rooms and covers the left side of the building and the room where it is located…

The liable party must notify the IP in writing of the implemented measures referred to in point 1 of the operative part of this decision no later than five (5) days after the elimination of the irregularity . The notification must also contain statements and evidence that the liable party has implemented the measures referred to in point 1 of the operative part of this decision and in what manner they have implemented them.


The fifth paragraph of Article 29 of the ZIN stipulates that in the event that the inspector has ordered the elimination of irregularities and deficiencies and set a deadline for the obligor to eliminate them, the liable party must immediately inform the supervisor of the eliminated irregularities. Accordingly, the liable party must notify the IP in writing of the implemented measures referred to in point 1 of the operative part of this decision no later than five (5) days after the elimination of the irregularity . The notification must also contain indications and evidence that the liable party has implemented the measures referred to in point 1 of the operative part of this decision and in what manner he has implemented them.


The ruling on the costs of the procedure is based on the provision of the first paragraph of Article 31 of the ZIN, according to which the costs of the inspection procedure, which were necessary to establish the facts proving that the taxpayer violated a law or other regulation, the taxpayer suffers.


Pursuant to the first paragraph of Article 118 of the General Administrative Procedure Act (Official Gazette of the Republic of Slovenia, No.  24/06  - official consolidated text,  105/06  - ZUS-1,  126/07 ,  65/08 ,  8/10 ,  82/13  and  175/20 - ZIUOPDVE), hereinafter: ZUP), the body decides in the decision on the costs of the procedure, who suffers the costs of the procedure, how much and to whom and within what period they must be paid. Pursuant to the second paragraph of Article 113 of the ZUP, if the proceedings were initiated ex officio, the costs of the proceedings shall be borne by the party, if the proceedings ended unfavorably for the party, or if the proceedings prove that the party caused it with its unlawful conduct. If the procedure ended favorably for the client, the costs shall be borne by the authority, except for the personal costs of the client (costs for its arrival, loss of time and earnings).


The IP special costs of the procedure were not incurred, and the liable party bears its own costs of the procedure. In accordance with the above, the IP decided on the costs of the proceedings as follows from point 3 of the operative part of this decision.


This decision is issued ex officio and is based on Article 22 of the Administrative Fees Act (Official Gazette of the Republic of Slovenia, No. 106/10 - officially consolidated text, 14/15 - ZUUJFO, 84/15 - ZZelP-J, 32/16 , 30/18 - ZKZaš and 189/20 - ZFRO) tax free.



INSTRUCTION ON REMEDY :

This decision is final in the administrative procedure. In accordance with the provision of Article 55 of ZVOP-1, no appeal is allowed against it, but it is permissible to initiate an administrative dispute. An administrative dispute shall be initiated by filing a lawsuit with the Administrative Court, Fajfarjeva 33, 1000 Ljubljana, within thirty (30) days of its service. The action shall be brought directly in writing before that court or shall be sent to it by post. It shall be deemed to have been filed in due time if it is submitted by registered mail by the last day of the claim deadline. In addition to the contested decision, the original, transcript or copy must be accompanied by one transcript or copy of the lawsuit and annexes for the defendant, if someone is affected by the administrative act, but also for him.







…










Serve:  


…


   Guidelines of the European Data Protection Board (England. Guidelines 3/2019 on processing of personal data through videodevices ), paragraph 38, page 13 ↑

   This may include ticking the box when visiting the website or a written statement, choosing the technical settings for information society services or any other statement or conduct that clearly indicates in this context that the data subject accepts the proposed processing. their personal data. Silence, pre-marked boxes or inaction therefore do not constitute consent. ↑