IP (Slovenia) - 0611-182/2021/23

From GDPRhub
IP - 0611-182/2021/23
LogoSI.png
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 5(1)(b) GDPR
Article 5(1)(c) GDPR
Article 6(1)(f) GDPR
Article 38 URS
Article 74 ZVOP-1
Article 75 ZVOP-1
Article 77 ZVOP-1
Article 77 ZVOP-2
Article 78 ZVOP-2
Type: Other
Outcome: n/a
Started:
Decided: 24.05.2023
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 0611-182/2021/23
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Slovenian
Original Source: IP (Slovenia) (in SL)
Initial Contributor: nho23

The Slovenian DPA ordered a controller to cease using some of the video cameras on the company's premises because video surveillance in, e.g. restrooms and corridors, could not be based on legitimate interest as there is no realistic threat to property or people.

English Summary

Facts

This decision is based on an inspection procedure done by the Slovenian DPA, where a company (the controller) was requested to provide answers, on 8 July 2021, 19 August 2021 and 25 October 2021, to the questions concerning the lawfulness of the video surveillance carried out by the controller over their premises and the surrounding area.

The controller stated that video surveillance was introduced to ensure the protection of property and the safety of persons per the controller's legitimate interest according to Article 6(1)(f) GDPR.

It further explained that the surveillance occurred in accordance with Articles 75 and 77 of the Personal Data Protection Act (Zakon o varstvu osebnih podatkov - ZVOP-1) because it was impossible to do it in a less restrictive way.

Additionally, it put security systems in place: access to archives of videos was password-protected, limited to certain persons and only accessed in exceptional cases, e.g. to provide evidence in criminal proceedings. The controller stated that they informed the representative trade union and gave reasons as to why the cameras were installed, which the trade union supported.

The controller also informed their employees about the installation of the video surveillance system by posting it on the company's notice board. Hence, the controller believed that the surveillance complied with the rules on video surveillance, could be based on Article 6(1)(f) GDPR, and complied with Articles 3, 24 and 74 ZVOP-1 and Article 38 of the Slovenian Constitution.

During the course of their inspection visit, the DPA also found that CCTV cameras were installed in a way that covered almost the entire premises of the controller, including external areas and bathrooms, while under Article 78 ZVOP-2, areas where no property or persons could be in danger do not need to be protected.

Holding

The DPA reprimanded the controller to stop using some of their video cameras.

The DPA held that monitoring the entire premises only because there is a potential risk of persons or property being harmed is not covered by legal bases of national law nor of the GDPR. Additionally, the security of property and people in certain places could be ensured in a less extreme manner. The controller had already secured all entrances and exits of the premises with cameras, in accordance with Article 77 ZVOP-2, which the DPA saw as enough protection for persons and property.

The DPA did not see the controller's reasons as a legitimate interest. For a controller to use the legal basis "legitimate interest", they have to do a preliminary balancing test to assess if the pursued goals are legitimate and if the processing is appropriate and necessary to achieve those goals. The DPA held that video surveillance in, e.g. restrooms and corridors, could not be based on legitimate interest because there is no realistic threat to property or people. Moreover, the controller did not use the most appropriate, suitable and necessary measures to achieve the goals; it could have used less restrictive means in some areas. Further, the controller has to ensure that the rights and freedoms of individuals are not overridden, in particular: where data subjects cannot reasonably expect to be subject to monitoring by the controller, taking into account their relationship to the controller, as stated in Recital 47 GDPR in connection with the EDPB Guidelines 3/2019 on processing personal data through video services. In this instance, the employees could not reasonably have expected to be subject to video surveillance in restrooms and some other areas. Thus, the DPA said that the controller did not fulfil the conditions of the legitimate interest test. Therefore, the IP concluded that the controller could not rely on Article 6(1)(f) GDPR.

The DPA pointed out that if there is live video surveillance happening on the controller's premises, the processing must have also been in accordance with Article 5(1)(b) GDPR concerning purpose limitation. Here, the monitoring of the live image should have been done only to protect property and people, which could only be achieved by continuous monitoring of the live images by an authorized person who could take appropriate measures if there was an incident; the purpose of the processing. However, the controller delegated the monitoring to employees who actually carry out other work.

Comment

The DPA's inspection procedures started under the ZVOP-1 and continued in accordance with the ZVOP-2. This is stated in the original source of the DPA's decision. The ZVOP-2 replaced the ZVOP-1 which was the Personal Data Protection Act before. The ZVOP-2 came into force on 26 January 2023 and is the Slovenian implementation of the GDPR[1].

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details. 

Number: 0611-182/2021/23
Date: 24 May 2023

Information Commissioner (hereinafter: IP) ...issuance based on Articles 2 and 8 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/2005, 51/2007–ZUstS-A; hereinafter: ZInfP), 29, 34 ., Articles 36 and 55, in connection with Article 119 of the Personal Data Protection Act (Official Gazette of the RS, No. 163/22; hereafter ZVOP 2), Articles 57 and 58 of Regulation (EU) 2016/679 of the European of the Parliament and the Council of 27 April 2016 on the protection of individuals in the processing of personal data and on the free flow of such data and the repeal of Directive 95/46/EC (General Data Protection Regulation, hereinafter: General Regulation) and Articles 29 and 32 of the Inspection Control Act (Official Gazette of the RS, No. 43/2007-UPB1, 40/2014; hereinafter: ZIN), in the matter of inspection control over the implementation of the provisions of the General Regulation and ZVOP-2 against ... (hereinafter: the liable party), according to official duties next

THE DECISION

I. The taxpayer..., due to the identified irregularities in connection with the implementation of the provisions of the General Regulation and ZVOP-2 at the address..., must stop performing video surveillance with the following cameras:

1….
2….
….

II. The taxpayer must implement the measures from point I of the pronouncement of this decision within 10 days from the service of this decision.

III. The taxpayer must notify the state supervisor in writing about the elimination of the identified irregularities within three days after the elimination of the irregularities and submit evidence of the elimination of the irregularities.

IV. The authority did not incur any special costs in this procedure, and the taxpayer bears his own costs of the inspection procedure.

P r a s i o n s

1. Procedural actions, findings of the IP and statements of the liable party

The State Supervisor for the Protection of Personal Data made the decision stated in the sentence of this decision on the basis of findings in the inspection procedure. As part of the inspection process in question, on 8/7/2021, 19/8/2021 and 25/10/2021, invitations for written explanations, documentation and statements (No. 0611-66/2020/3 and No. . 0611-66/2020/7), in which the taxpayer was asked to provide answers to the questions asked, which related to the legality of the implementation of video surveillance, which the taxpayer carries out over business premises and the surrounding area. On February 22, 2022, an inspection visit was carried out at the taxpayer's premises, as part of which a tour of the premises and surroundings at the address of the taxpayer,...

Among other things, it follows from the taxpayer's answers (and the submitted attachments) to the submitted invitation dated 7/8/2021 that video surveillance was introduced solely for the purpose of ensuring the protection of property and security
People, security of movable property and equipment and security of office premises and control of entrances to
facilities. It was introduced based on the legitimate interest of the company due to the above-mentioned purposes
namely in accordance with Articles 75 and 77 of ZVOP-1, because it is not possible to carry out this control in another/milder way. ...On certain parts, which are otherwise defined as... 1x/week during a limited time, video surveillance is carried out only for the stated purposes in accordance with the attached Rules on the implementation of video surveillance and in accordance with the Bathing Rules. Cameras that cover parts that are defined as ...i once a week for a limited time are marked in the regulations with the following codes: K095, K096, K097, K098, K099, K100 and K103. In this area, the cameras are installed in accordance with the requirements of the inspectorate, in relation to protection..., as it is a specific architecture, which has a lot...and as a result, without video surveillance, it is not possible to carry out high-quality surveillance from the lookout towers.... Access to archive videos is possible via a connection to the video surveillance system. Access is password protected. Only persons defined as a commission in Article 3 of the Rules on the Implementation of Video Surveillance have access.
The collection of video surveillance footage is located within the video surveillance system. The collection is accessed only in exceptional cases, in order to provide evidentiary material in criminal proceedings, compensation claims or disciplinary proceedings (as defined in the Rules on the Implementation of Video Surveillance).
The taxpayer also stated that before the adoption, he consulted with the representative trade union and presented to him the reasons and purpose of introducing the video surveillance system. The representative union had a positive
opinion and supported the introduction of a video surveillance system, as it ensures greater security
employees and guests. He stated that he does not have the documentation, as it is for such discussions with the union
does not keep minutes.
The video surveillance system is located on two servers, which are installed in special server rooms
premises, and physical access is secured with a lock. Access to servers for access purposes
access to archive footage is password protected. They have access to the live image...within the specific object for the purpose of controlling individual parts of the object.
Access to the live image is provided only within the office stationary computers within the framework
individual…. Access to archive recordings
however, only persons who are defined as a committee in Article 3 of the Rules on the Implementation of Video Surveillance have access.
The taxpayer informed the employees about the introduction of the video surveillance system by publishing the contents of the Rules on the Implementation of Video Surveillance on all the company's bulletin boards (he does not keep a separate record of the announcements on the bulletin boards). Customers are informed about the implementation of video surveillance through notices placed at the entrances to each facility. The taxpayer attached examples of notifications to his answers.
The collection of personal data on video surveillance is in charge of..., who is appointed as the authorized person for data protection in the company. Access to archival recordings is granted only to persons listed in Article 3 of the Implementation Rules
video surveillance defined as a commission:…. Recordings are kept in accordance with the Rules on the Implementation of Video Surveillance, i.e. for a maximum of 90 days. Cameras do not record audio.

In the answers to the second (19/08/2021) and third (from 25/10/2021) IP call, the taxpayer provided screenshots from the work where he was at a certain time...and defined what he was supposed to protect with each from them. He stated that on certain parts, which are defined as... once a week for a limited time, video surveillance is carried out only for the aforementioned purposes in accordance with the attached Rules on the implementation of video surveillance and in accordance with ... (both documents were attached by the taxpayer to the answer). Cameras that cover parts that are defined as... once a week for a limited time are marked in the regulations with the following codes: K095, K096, K097, K098, K099, KIOO and K103. In this area, the cameras are installed in accordance with the requirements of the inspectorate, in relation to ...and consequently, without video surveillance, it is not possible to carry out quality control from....
The taxpayer also explained about the mentioned cameras that with the camera K095 he protects...

The state inspector notes that most of the rest areas and other areas used by both guests and employees are illegally and disproportionately covered with cameras that are supposed to protect people. Based on the content of the taxpayer's answers, several irregularities regarding the implementation of video surveillance are identified. ...on February 22, 2022, an inspection visit will be carried out at the taxpayer's premises, and the taxpayer will again be provided with more detailed explanations regarding ensuring the legality of the implementation of video surveillance. The findings from the inspection are based on the minutes, no. 0611-182/2021/16. Due to the necessary explanations, which could not be obtained during the inspection due to the absence of some employees, the taxpayer was asked to provide written explanations and documentation on February 24, 2022.

From the taxpayer's answers of 8 March 2022 (No. 0611-182/2021/18), it appears, among other things, that according to the received inspection report no. 0611-182/20221/16 dated February 22, 2022 further refined this area in accordance with the directions of the supervisor; that he established records of the traceability of processing according to the supervisor's recommendations; that he held another consultation with the trade union and forwarded the invitation and minutes of the consultation with the trade union and that he informed the employees of the notice on the implementation of video surveillance and published the Rules on the implementation of video surveillance on all company notice boards. It is established that, in order to protect the property and safety of the guests, the obligee provides access to recordings or live picture. Among other things, from all the submitted answers (and attachments) there are also screenshots of the cameras, which show the entire interior surfaces of the business premises and the exterior surfaces over which the taxpayer performs video surveillance. The taxpayer stated in the explanations that video surveillance is carried out for the purpose of protecting property and belongings and for the safety of guests and staff. 165 cameras are supposed to be installed, which, according to the taxpayer's explanations, cover the following areas (printouts of camera images that the taxpayer provided to IP on 4/3/2022 and printouts of camera images that were provided to IP on 4/11/2022 are slightly differ, therefore the inventory refers to the displayed state of the working cameras, which is derived from the actual state of the transmitted camera image printouts, after the last change of the video surveillance system, dated 7/23/2021 (which is derived from the acquired screen image printouts):

…

The taxpayer also stated that he followed the purpose of protecting property and people by looking at the cameras. From the provided printouts of images from all operating cameras, the state supervisor concludes that many cameras show a disproportionate part of the areas with which the taxpayer is supposed to achieve the legal purposes he states, and that a large part of the established video surveillance is illegal.

On October 26, 2022, the IP sent the taxpayer a Briefing with the findings and a call for clarification before the decision was issued, regarding the findings regarding the video surveillance in question.

Among other things, it follows from the taxpayer's answer that regarding the statements that some cameras encroach on surrounding areas, he believes that the cameras cover only the areas owned by the company... and that he has already provided other relevant explanations in previous letters that he Submitted by IP on 7/20/2021, 8/30/2021, 11/2/2021, 3/4/2022. The taxpayer also attached printouts of the camera images to the answers. It is found that the printout corresponds to the situation on 04/06/2021, which shows the actual situation that the taxpayer had before the last change in the areas covered by the cameras from 07/23/2021 and which the taxpayer had previously submitted to the IP ( as an attachment to the answers of March 4, 2022). The findings of which the IP informed the taxpayer on 26/10/2022 and the measures from the sentence of this decision therefore refer to the findings regarding the state of the installation of cameras from 23/7/2021.

Despite referring to the fact that the IP has already provided more detailed explanations in the above answers, the taxpayer also stated that the Regulations... impose on him much more than just protection against..., as... they require the continuous provision of general safety, which covers a wide range of dangers, over which, as the owner and manager, he must constantly have control. Paragraph 1 of Article 6 of these regulations, among other things... and eliminates the causes that could lead to the creation of danger for visitors. In view of the above, in his opinion, the law nowhere explicitly states that... he cannot help himself with a video surveillance system, but it is essential that continuous observation is ensured.

In paragraph 2 of Article 6 of the Rules of Procedure, there is an obligation...

The taxpayer also stated that by following the criteria of the rulebook, he meets the legal requirements regarding the number of observation points and the number of... In doing so, it takes into account all the milder measures to achieve security on..., which are provided for by the regulations, which justifies the fact that the video surveillance system pursues a legitimate interest. The taxpayer assesses that a video surveillance system is in place to ensure the safety of ... as well as their property, in accordance with f. point 6/1 of Article 6 of the EU General Data Protection Regulation and is not inconsistent with the pursuit of proportionate interference with the rights of individuals.

The taxpayer also stated that the established video surveillance system, in terms of recording recordings, is actually not permanent, but in accordance with legal requirements is kept for a limited period of 90 days and duplicated. Likewise, the obligee keeps a record of the traceability of any insights and in everything else follows and satisfies the legal requirements, which he must comply with when the video surveillance system is in place; that video surveillance is carried out in accordance with Article 74 of ZVOP-1; that it has the appropriate notices; that the video surveillance system is protected against access by unauthorized persons; that it has prescribed all measures to secure personal data in its internal acts and that a method of securing personal data is provided in the manner referred to in Article 24 of ZVOP-1 and that records are kept on the inspection of recordings. The person responsible for this believes that this still follows the protection of the fundamental rights and freedoms of individuals, as defined by Article 38 of the Constitution of the Republic of Slovenia and the principle of proportionality, as defined by Article 3 of ZVOP-1. The processing is limited and does not conflict with the purposes. The encroachment on the rights of individuals is not disproportionate to the interests being pursued, since it is exclusively about protecting property and people. Recordings are reviewed only in emergency situations, in addition, the traceability of insights is ensured and a commission for insights is determined. Based on the above, the taxpayer assesses that the video surveillance system is established transparently.

2. Provisions of regulations on which the decision is based

In accordance with the provision of Article 119 of the new Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 163/22; hereinafter ZVOP-2), which entered into force on 26 January 2023, inspection procedures are initiated on the basis of the ZVOP -1, continue in accordance with ZVOP-2.

ZVOP-1 regulated video surveillance as a field regulation in Articles 74 to 77. ZVOP-1 and as a system law prescribed the method of realizing the constitutionally guaranteed human right to the protection of personal data, determined rights, obligations, principles and measures to prevent unconstitutional, illegal and unjustified interference with the privacy and dignity of the individual in the processing of personal data (Article 1). ZVOP-1 contained special provisions on video surveillance in the provisions of Articles 74 to 77, which are used for the implementation of video surveillance, unless another law provides otherwise (paragraph 1 of Article 74 of ZVOP-1). In the case under consideration, in the part of video surveillance carried out by the taxpayer, there are special regulations that specifically regulate the possibility of conducting video surveillance over...

The applicable ZVOP-2 regulates video surveillance in Chapter 3 of II. works (Articles 76-80), namely:
· Article 76 - general provisions on video surveillance and protection of personal data;
· Article 77 - video surveillance of access to official office or business premises;
· Article 78 – video surveillance inside the work premises;
· Article 79 - video surveillance in means of transport intended for public passenger traffic;
· Article 80 - video surveillance in public areas.

General provisions and requirements for the establishment of video surveillance are defined in Article 76 of ZVOP-2. The decision on the introduction of video surveillance is taken by the supervisor, director or other authorized individual of a public sector person or a private sector person as manager. The reasons for introducing video surveillance must be explained in the written decision.

The operator who implements video surveillance must publish a notice about it. The notification must be visibly and distinctly published in a way that allows the individual to become familiar with its implementation and to be able to refuse entry to the controlled area. In addition to the information from the first and second paragraphs of Article 13 of the General Regulation, such notification must contain the following information:
1. a written or unequivocally graphical description of the fact that video surveillance is being carried out;
2. processing purposes, indication of the operator of the video surveillance system, telephone number or e-mail address or web address for the purposes of exercising the individual's rights in the field of personal data protection;
3. information on specific effects of processing, in particular further processing;
4. contact details of the authorized person (phone number or e-mail address);
5. unusual further processing, such as transfers to entities in third countries, live monitoring of events, the possibility of audio intervention in the case of live monitoring of events.

Instead of publication in the notice, the notification of the individual can also be carried out in such a way that the operator publishes the information from the first and second paragraphs of Article 13 of the General Regulation and the information from points 3 to 5 of the notice on the website. In this case, the notification from the previous paragraph must publish the web address where this information is accessible (e.g. URL address of the website).

The collection of recordings of the video surveillance system contains a recording of an individual (picture), information about the location, date and time of the recording, exceptionally, if this is particularly necessary, as well as sound.

Video surveillance is not permitted in elevators, toilets, changing rooms, hotel rooms and other similar spaces where an individual reasonably expects a higher level of privacy. Video surveillance recordings may be kept for a maximum of one year from the moment the recording was made, taking into account the principles from Article 5 of the General Regulation.

The operator who implements video surveillance must ensure that the video surveillance system is secured, as stipulated in Articles 24 and 32 of the General Regulation.

In accordance with the provisions of Article 24 of the General Regulation, the controller implementing video surveillance must implement appropriate technical and organizational measures, taking into account the nature, scope, circumstances and purposes of the processing, as well as the risks to the rights and freedoms of individuals, which vary in probability and severity, to ensure and is able to prove that the processing takes place in accordance with the General Regulation. In accordance with the provisions of Article 32 of the General Regulation, taking into account the latest technological development and costs of implementation, as well as the nature, extent, circumstances and purposes of processing, as well as risks to the rights and freedoms of individuals, which differ in probability and severity, by implementing appropriate technical and organizational measures to ensure an adequate level of security in relation to the risks.
Inspection, use or transmission of video surveillance system footage is admissible only for purposes that legally existed or were stated on the notice at the time the footage was captured.

According to the provisions of Article 76 of ZVOP-2, the operator of the video surveillance system must provide the so-called processing traceability - the possibility of subsequently determining which recordings were processed, when and how they were used or to whom they were forwarded, who performed these processing actions, when and for what purpose or on what legal basis. It keeps this data in the processing log from Article 22 of the ZVOP-2 for two years after the end of the year in which it was created.

Video surveillance of access to official work or business premises (Article 77 ZVOP-2):

Video surveillance of access to official work or business premises may be carried out if this is necessary for the safety of people or property, to ensure control of entry or exit to or from these premises, or if due to the nature of the work there is a possibility of endangering employees. In these cases, video surveillance is permitted if the owners of office/business premises who own more than 70% of the common parts agree to it.
Video surveillance is carried out without recording parts of residential buildings that are not official office or business premises and without recording entrances to apartments.
All employees who work in the monitored area must be informed in writing about the implementation of video surveillance and all the information that must be contained in the notification about the implementation of video surveillance.
The collection of personal data related to the control of access to official work or business premises may contain a recording of an individual (picture), information about the location, date and time of the recording, exceptionally, if this is particularly necessary, as well as sound. In addition, the collection may also contain the date and time of entering and exiting the official office, the personal name of the recorded individual, the address of his permanent or temporary residence, employment, the number and type of his personal document, and the reason for entry, if the specified personal data collected together with a recording of the video surveillance system.

Video surveillance inside the work premises (Article 78 ZVOP-2):

The implementation of video surveillance within the working premises can only be carried out when it is absolutely necessary for the safety of people or property or for the prevention or detection of violations in the field of gambling or for the protection of classified information or business secrets, and this purpose cannot be achieved by milder means. Video surveillance can only be carried out in relation to those parts of the premises and to the extent that the aforementioned interests must be protected.
It is forbidden to use video surveillance to record workplaces where the employee usually works, unless this is necessary in accordance with the conditions for implementing video surveillance inside the workplace.
Under the above conditions, direct monitoring of what is happening in front of the cameras is only permissible if it is carried out by expressly authorized personnel of the operator.
Before the implementation of video surveillance within the workplace, employees must be informed in advance in writing about its implementation, and in addition, before introducing video surveillance within the workplace, the employer must consult with the representative trade union at the employer and the works council or workers' representatives. The consultation takes place within 30 days or within another longer period determined by the employer. When it comes to the introduction of video surveillance, which is used to record the workplaces where the employee usually works, the consultation is carried out within 60 days or within another longer period determined by the employer.
In the field of national security and the protection of classified information, except for the protection of classified information of the lowest level of secrecy, and for concessionaires under the law governing gambling, in parts of the premises where gambling is carried out, the employer must, before starting the implementation of video surveillance inside the working premises there is no need to consult with the representative trade union at the employer and the works council or workers' representatives.
Video surveillance of common areas in commercial buildings is permitted if the owners who own more than 70% of the common parts agree to it.

Video surveillance in other places is permissible only under the conditions provided for in another law or if the conditions set out in Article 6 of the General Regulation are met for the implementation of video surveillance (Processing is legal only and to the extent that at least one of the following conditions is met:
(a) the data subject has consented to the processing of his personal data for one or more specified purposes;
(b) processing is necessary for the performance of a contract to which the data subject is a contracting party, or for the performance of measures at the request of such an individual prior to the conclusion of the contract;
(c) the processing is necessary to fulfill a legal obligation applicable to the controller;
(d) processing is necessary to protect the vital interests of the data subject or other natural person;
(e) processing is necessary for the performance of a task in the public interest or in the exercise of public authority assigned to the controller;
(f) processing is necessary due to the legitimate interests pursued by the controller or a third party, except when such interests are overridden by the interests or fundamental rights and freedoms of the individual to whom the personal data relates, which require the protection of personal data, in particular when the individual , to whom personal data refer, a child.)

Article 5 of the General Regulation stipulates that personal data must be:
(a) processed lawfully, fairly and transparently in relation to the data subject (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and lawful purposes and may not be further processed in a manner incompatible with these purposes; further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Article 89(1) is not considered incompatible with the original purposes ("purpose limitation");
(c) adequate, relevant and limited to what is necessary for the purposes for which they are processed ("minimum scope of data");
(d) accurate and, where necessary, up-to-date; all reasonable steps must be taken to ensure that inaccurate personal data is deleted or corrected without delay, taking into account the purposes for which it is processed ("accuracy");
(e) kept in a form that allows the identification of the individuals to whom the personal data refer only for as long as is necessary for the purposes for which the personal data are processed; personal data may be stored for a longer period if they will be processed solely for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Article 89(1), whereby appropriate technical and organizational measures must be implemented from this regulation to protect the rights and freedoms of the data subject ("storage restriction");
(f) are processed in a way that ensures adequate security of personal data, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage through appropriate technical or organizational measures ("integrity and confidentiality").
2. The controller is responsible for compliance with paragraph 1 and is also able to prove this compliance ("responsibility"). As an administrator, the liable party must also be able to prove that personal data is processed in accordance with Article 5 of the General Regulation, which sets out the principles regarding the processing of personal data.

It is undoubtedly established and proven that in the case of video surveillance, which the taxpayer has established over his business premises and its surroundings, it is video surveillance, which according to ZVOP-2 and the General Regulation is considered as processing of personal data. The taxpayer also uses the established video surveillance to monitor the "live" image.

In the part of the taxpayer's activities, it is also necessary to mention some provisions of the Rulebook on Measures...

3. Explanation of inspection measures

According to the findings in the inspection procedure, all the taxpayer's explanations and the attached supporting documentation, the taxpayer implements video surveillance over ... and other business premises in such a way that, in addition to the entrances and exits from the premises, it also monitors the entire premises and external surfaces with installed cameras, which enables him monitoring the movement of guests as well as employees. It is established that all the cameras mentioned in the sentence of this decision show the entire premises or parts of the premises where none of the property is located (which, given the value, danger, etc. article of the General Regulation in any way legally protected), they are used by guests and employees (internal and external parts of business premises), etc.. It is established that the established video surveillance enables the taxpayer to monitor the movement of individuals around the premises and on parts of the external surfaces, which is not an admissible purpose, with which video surveillance could be carried out over business premises and external surfaces, where there is no property and no danger to the lives of people located in these areas. Merely stating that video surveillance covers e.g. rest areas, corridors, etc. because the individual may pass out, it does not withstand the assessment of the legal basis for admissible processing of personal data, as will be explained below. In the circumstances under consideration, the taxpayer could also ensure the safety of property and people in some places with video surveillance, namely in such a way that the cameras would only cover areas of concrete property that cannot be protected with milder means or parts...as stipulated in the Rules. In addition to the above, it is worth highlighting the fact that the taxpayer has already secured all entrances and exits from business premises with cameras. The display of camera images can be seen from the printouts of the images that the taxpayer attached to his explanations.

In view of the taxpayer's claims that the video surveillance is in place in the work ... to ensure safety against..., quick reaction in case of accidents, elimination of dangers, ensuring the safety of visitors as well as property, in accordance with point 6/1(f) of the article of the General Regulation and that it is not inconsistent with a proportional interference with the right of individuals, the IP explains that based on all the findings and explanations provided by the taxpayer, it is not possible to speak of a proven legal basis that the taxpayer would exercise due to a legitimate interest. When assessing the legality of the processing of personal data carried out by the taxpayer with an individual camera, the IP found that only in a few cases can it be assessed as an admissible legal basis according to Article 6/1(f) of the General Regulation, as will be explained in the following content. In doing so, the IP emphasizes that, based on the circumstances of each case of personal data processing, the operator must assess whether the conditions for using legitimate interest as an appropriate legal basis are met by carrying out a preliminary weighing test. With such a test, which for the purposes of proof must be in writing, the controller assesses within its processes whether the purposes for which it is striving are legal, whether the processing of data is appropriate and necessary to achieve these purposes, and whether there is a balance between the pursued goal on on the one hand and interference with the rights and freedoms of individuals on the other.

In order for the operator to be able to rely on the legal basis from point (f) of the first paragraph of Article 6/1 of the General Regulation, three cumulative conditions must therefore be met:
(1) the controller's interest must be legitimate (in which case the English version that uses the word "legitimate" can also be used to aid interpretation), and such interest must be clearly expressed, real and existing and based on national law or legal principles;
(2) the processing must be necessary to achieve the legitimate interest pursued by the controller;
(3) the interests or fundamental rights and freedoms of the individual do not prevail over the interests of the controller. At this point, it is necessary to carry out a weighing test between the interests of the manager and the interests or fundamental rights and freedoms of the individual.

At the same time, it is also necessary to mention the introductory provision (47) of the General Regulation, which states that in any case, a careful assessment would be necessary to determine the existence of a legitimate interest, including whether the individual to whom the personal data relates can, in at the time of collection of personal data and reasonably expects that they will be processed for the purpose in question. In particular, the interests and fundamental rights of the data subject could prevail over the interests of the data controller when the personal data are processed in circumstances where the data subjects do not reasonably expect further processing

Also from EDPB Guidelines no. 3/2019 on the processing of personal data through video devices (Guidelines 3/2019 on processing of personal data through video devices), it follows that when assessing the adequacy of legitimate interest as a legal basis, it is necessary to perform a 3-step test, taking into account the criterion of reasonable expectations of individuals ( from point 47 of the introductory provisions of the General Regulation), to which personal data refer, in relation to their relationship to the controller. Based on the stated legal bases, the IP, as already stated in the inspection control procedure, weighed whether the taxpayer demonstrates a legal basis of legitimate interest and, based on the objective criteria of the stated test, found that the taxpayer did not meet the criteria of legitimate interest for the implementation of video surveillance over the entire areas of business premises. Even with the first criterion, i.e. the existence of a legitimate interest in the implementation of video surveillance, the existence of a legitimate interest in the implementation of video surveillance in rest areas, in..., corridors, walkways, etc., cannot be justified, because according to the evidence presented, the existence of threats to property and of people's safety, is not realistic and does not exist at the moment of judgment about the legality of the purpose (safety ... and safety of property). At the same time, it should be noted that the taxpayer in all his statements, internal acts, etc. completely ignores the rights of employees who are captured by video surveillance in the workplace. From the point of view of a holistic assessment, the IP also assessed the criteria of the necessity of processing and the weighing of interests and concluded that the obligee does not meet any of the stated conditions. The criterion of the necessity of processing is not met in this particular case, since the establishment of video surveillance in the premises where guests and employees are located is not the most appropriate, appropriate and necessary measure to achieve the purpose, since the purpose pursued by the established video surveillance could in some parts be achieved with milder measures, such as ensuring the transmission of camera images, which would only cover e.g. areas..., taking into account the provisions of the Regulations, without rest areas. The third criterion, which talks about the weighing of the interests of the controller and the individual, is assessed together with the introductory recital or the introductory provision of point 47 of the General Regulation, which defines the reasonable expectation of privacy of individuals to whom personal data refer, given their relationship to the controller. It also follows from the content of the Guidelines that it is a reasonable expectation of an individual's privacy that there is no video surveillance established over him when he is in public spaces, especially if these are typically used for regeneration or leisure activities in spaces where individuals gather and/or communicate, e.g. for tables in restaurants, parks, etc. This means that in these public spaces, the legitimate interests or rights and freedoms of the individual to whom the personal data refer will often prevail over the legitimate interests of the controller. From all of the above, the IP concludes that the taxpayer does not fulfill the condition from Article 6/1(f) of the General Regulation, which refers to the existence of a legitimate interest of the operator. The taxpayer did not prove it in the procedure before the issuance of this administrative act.

It is concluded that the video surveillance system in question covers the following rooms or area and was assessed by the IP as illegal in the part where there is no legal basis for implementation, as follows from the following table:

Zap. no. No. cameras Scope of control Legal basis

With such a range of cameras with which video surveillance is carried out at the taxpayer's premises, it should also be emphasized that the taxpayer may have supplemented the video surveillance or possibly changed the view of individual cameras before the issuance of this decision, while the IP or the state supervisor.

On the basis of the above, the IP notes that, according to the above provisions of ZVOP-2, the person liable for security in those premises and on those external surfaces where, according to the IP's assessment, there is no legal basis for the implementation of video surveillance and where video surveillance is carried out with the cameras specified in the sentence of this decision, may achieved through milder measures, e.g. with the already established protection of entrances and exits from the premises, covering areas of concrete property, ..., under the conditions as stipulated by the Rules. With the possible implementation of video surveillance in workplaces, e.g. ...etc. however, it would only protect concrete property, cash, work equipment. Introduced video surveillance over the entire interior spaces, etc. (hereinafter: premises), according to IP's findings, it does not correspond to the legal purposes from Article 77 of ZVOP-2, Paragraph 1 of Article 78 of ZVOP-2 and Article 6 of the General Regulation. With video surveillance over the entire premises, the taxpayer controls entire areas, which means monitoring movements and events in the premises and surroundings where he has installed cameras, which is inadmissible from the point of view of the provisions of the General Regulation and ZVOP-2. The taxpayer would ensure security in the premises by using video surveillance to monitor entrances and exits from the premises and perhaps only specific equipment, cash registers, etc. and..., as stipulated by the Rules, can provide in accordance with the provisions of the General Regulation, ZVOP-2 and the Rules. Such control would represent a significantly smaller intrusion into the privacy of employees who work in these premises, as well as guests and all others who may enter its premises or to the area of his property.

The IP also notes that, in order to protect property and people, it is possible to inspect recordings or live picture. Viewing camera downloads or "live pictures" are possible in several places. At the same time, the taxpayer did not justify the necessity of monitoring the live image of the cameras in places other than at work... which should be monitored only at work and under the conditions stipulated by the Rules.
With regard to the monitoring of live image transmission, the IP points out that a priori it is not possible to rule out the possibility that the taxpayer enables the monitoring of events in his business premises via live image, but the processing of personal data represented by viewing the live image must be justified through the purposes for which performs video surveillance. IP also draws attention to provision (b) of Article 5(1) of the General Regulation, which stipulates that personal data may only be collected for specified and lawful purposes and may not be further processed in such a way that their processing would be inconsistent with these purposes.
The monitoring of the live image of the video surveillance system should thus be aimed exclusively at protecting property and ensuring the safety of people (of course, to the extent that legal video surveillance, which the obligee would legally carry out over his property and parts of the premises, was provided beforehand), and the latter would be by the very nature of things can only be achieved by continuous monitoring of the live image by an authorized person, e.g. security officer, ... (but not, for example, a person authorized to supervise the fulfillment of the obligations of workers, managers, ... etc.). An employee authorized to ensure security could take appropriate action immediately upon detecting an incident (..., theft, fight, damage to things,...) and prevent the occurrence of (major) damage or more serious injury to the guest, which is, last but not least, the purpose of implementing video surveillance in the taxpayer's premises.
The taxpayer may entrust the monitoring of the live image of the video surveillance system exclusively to a person whose basic (and exclusive) duty is to monitor what is happening in the taxpayer's premises from the point of view of security and, in the event of detected incidents, to inform the competent authorities about them in accordance with the taxpayer's rules, or services (paramedics, police, etc.). In the specific case, the obligee transfers the monitoring of the live image to the employees, who primarily have to perform the work...etc., which means that they cannot fulfill the purpose of security in the premises in the mentioned way. ...The monitoring of the live image, which is enabled for managers, only indicates the exercise of control over employees and the events in the rooms where the cameras are located.

4. Conclusive

Based on the explanation, it was necessary to order the taxpayer to eliminate the identified irregularities on the basis of points 1 and 4 of the first paragraph of Article 29 of ZVOP-2 and (d) of the second paragraph of Article 58 of the General Regulation and on the basis of point 4 of the first paragraph of Article 29 ZVOP-2 and point (f) of the second paragraph of Article 58 of the General Regulation prohibit the implementation of video surveillance in certain places, namely in the manner specified in point I of the pronouncement of this decision.

Orders to eliminate identified irregularities and ban the processing of personal data are based on findings in the inspection process.

Pursuant to paragraph 5 of Article 29 of the ZIN, the taxpayer must notify the State Supervisor for the Protection of Personal Data of the corrected irregularity within three days of the implementation of the measure referred to in this decision.

On the basis of Article 118 of the ZUP, the decision decides on the costs of the procedure. The authority did not incur any special costs in this procedure, and the costs of the inspection procedure, which were necessary to establish the facts that prove that the taxpayer is violating the law or another regulation, are borne by the taxpayer in accordance with the first paragraph of Article 31 of the ZIN, therefore it was decided in IV . point of the pronouncement of this decision.

This decision is issued ex officio and, based on Article 22 of the Administrative Fees Act (ZUT; Official Gazette of the Republic of Slovenia, No. 106/2010-UPB5, with amendments), the fee is exempt.



Lessons on the legal remedy:
This decision is final in the administrative procedure. According to the provision of the second paragraph of Article 54 of ZVOP-2, an appeal is not allowed against it, but an administrative dispute is admissible by filing a lawsuit at the Administrative Court of the Republic of Slovenia, Fajfarjeva 33, 1000 Ljubljana, within 30 days of receiving this decision. The claim is filed with the competent court directly in writing or sent to it by post. This decision in the original or an uncertified copy must be attached to the lawsuit in duplicate.


Serve:
  1. https://www.ip-rs.si/zakonodaja/zakon-o-varstvu-osebnih-podatkov/zvop-2
Retrieved from "https://gdprhub.eu/index.php?title=IP_(Slovenia)_-_0611-182/2021/23&oldid=35023"
Creative Commons Attribution-NonCommercial-ShareAlike
Powered by MediaWiki