IP - 07121-1/2020/199

From GDPRhub
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 6(1)(e) GDPR
Article 6(1)(f) GDPR
Article 32 GDPR
Article 58 GDPR
Type: Opinion
Outcome: n/a
Decided: n/a
Published: 14. 02. 2020
Fine: n/a
Parties: n/a
National Case Number/Name: 07121-1/2020/199
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Slovenian
Original Source: Informacijski pooblaščenec (in Slovenian)

On 14 February the Informacijski pooblaščenec, the Information Commissioner of the Republic of Slovenia (IP), provided a non-binding opinion pursuant to Article 58 GDPR. The opinion concerned the legality of installing an automatic camera for the purpose of monitoring recreational activities on watercourses in the Triglav National Park (TNP). The IP refrained from commenting on the particular case, but highlighted areas which required a closer look by the park.


English Summary

Content of the opinion

The first question concerned the purpose of installing the cameras. As highlighted by the IP, the stated purpose was to obtain information about the number and size of boats and the number of persons in them for statistical monitoring.

The IP recommended a setup which could give the national park data in anonymized form, highlighting the need to ensure that personal data is not captured and further processed with regard to specific or identifiable individuals. Furthermore, the IP stated that technical solutions would be necessary if cameras were to be installed, and noted that merely having the camera “facing the back” of the people being recorded would probably be insufficient.

If the data cannot be provided in anonymized form, a legal basis would be required. Article 6(1)(e) and (f) were emphasized as potentially relevant legal bases. The valid use of (e) and (f) as legal bases was not substantiated.

Furthermore, the IP drew attention to the fact that video surveillance required a Data Protection Impact Assessment, and to the guides the IP has written on the subject.

Finally, the IP highlighted the requirements under Article 32 to implement appropriate technical and organisational measures to ensure the security of processing.

English Machine Translation of the Decision

The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.

Date: 02/14/2020
Title: Video surveillance for the purpose of monitoring recreational activities in TNP
Number: 07121-1/2020/199
Subject matter: Legal bases, Video and audio controls
Legal act: Opinion

The Information Commissioner (hereinafter referred to as IP) has received by e-mail your letter asking us about the possibility of installing an automatic camera for the purpose of monitoring recreational activities on watercourses in the Triglav National Park (hereinafter TNP). The Law on the Triglav National Park provides for the performance of tasks for monitoring and analysis of the state of nature and for managing the visit to the national park, whereby the data is obtained by the public institute through its own research". A management plan for starting points for directing a visit to a national park should be drawn up, which should include, inter alia, a methodology for monitoring, in particular with a view to identifying the impact of the visit.

On the basis of the information you have provided, hereinafter referred to as Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and Directive 95/46/EC (hereinafter: the General Decree), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 94/07, officially consolidated text, hereinafter ZVOP-1), and 2 Article 43 of the Information Commissioner Act (Official Gazette RS, No. 113/05, hereinafter ZInfP), we provide our non-binding opinion on your question.

The IP clarifies that it cannot make a definitive assessment of the processing of personal data outside the inspection and administrative procedure. Therefore, we cannot give you a definitive answer in this opinion whether or not the installation of a recreational activity camera would be in compliance with personal data protection legislation.

The first question that you need to answer is whether the personal data would be processed in the case described above, or whether personal data processing could even be avoided. Considering that the purpose of video surveillance is merely to obtain information on the number and size of boats and the number of persons in them for (statistical) monitoring of recreational activities, the very image of the individual, i.e. his/her personal data, is not required at all. Therefore, as one of the most powerful personal data protection measures, we recommend anonymized data processing, so that with the proper camera setup and technology configuration, you ensure that you do not capture and further process information regarding specific or identifiable individuals. If you decide on the most secure solution, you must make sure that all reasonable steps are taken, and taking into account the latest technological developments, that personal data processing is not actually taking place. We believe that the mere location of the camera "facing the back" may not be a sufficient measure to prevent individuals from being identified or identifiable in any way and to take other appropriate measures.

If you cannot provide anonymized data processing, you, as the controller of personal data, must determine whether you have a legal basis for the legitimate processing of personal data.

According to the guidelines of the Information Commissioner on video surveillance (https://www.ip-rs.si/fileadmin/user_upload/Pdf/smernice/Smernice_o_videonadzoru_web.pdf), video surveillance on public lands is not explicitly regulated in the legislation of the Republic of Slovenia. Lawful implementation is applied by the general provisions of the PDO-1 or, as of May 25, 2018, by the General Regulation. Video surveillance of public areas, such as video surveillance of traffic through intersections or video surveillance of recreational activities in TNP, is not regulated by law, which requires the legal basis for such video surveillance to be found in Article 6 (1) of the General Regulation.

The legal bases provided for in the General Regulation in Article 6 (1) are:

(a) the data subject has consented to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is a contracting party or for the implementation of measures at the request of such individual before the conclusion of the contract;

(c) processing is necessary to fulfill the legal obligation applicable to the controller;

(d) processing is necessary to protect the vital interests of the data subject or other natural person;

(e) processing is necessary for the performance of a task in the public interest or in the exercise of public authority conferred on the controller;

(f) processing is necessary for the legitimate interests pursued by the controller or by a third party, except where such interests outweigh the interests or fundamental rights and freedoms of the data subject requesting the protection of personal data, in particular where the data subject is refer to personal information, child.

Due to the provisions of the Triglav National Park Act which you cite (Articles 42, 48 and 50), the provision of point (e) or (f) of Article 6 (1) of the General Regulation could be the legal basis for the processing of personal data.

In the case of the introduction of video surveillance of public areas, which would result in the processing of personal data, we would like to draw your attention to one of the key elements of ensuring the responsibility of controllers for the protection of personal data, namely the so-called Data Protection Impact Assessment (hereinafter referred to as DPIA), defined and prescribed by the General Regulation in Article 35. The first paragraph of Article 35 states that "[t] processing, in particular using new technologies, taking into account the nature, extent, circumstances and purposes of the processing, entail a high risk to the rights and freedoms of individuals, the controller shall, prior to processing, evaluate the effect of the intended processing operations on the protection of personal data." The fourth paragraph of the same article stipulates that the supervisory authority determines and publishes a list of types of processing actions for which a data protection impact assessment is required. The Information Commissioner accordingly adopted and published document no. 014-1/2018/1 of 25.5.2018 (List of acts of processing of personal data subject to the requirement to carry out an impact assessment regarding the protection of personal data under Article 35, paragraph 4 of Regulation (EU) 2016/67). It is clear from the fourth item of the Schedule that the performance of a data protection impact assessment is obligatory in the case of the introduction of video surveillance of public areas, because it is a "systematic observation, monitoring or any control of individuals that the individual is not aware of or is not aware of. avoid or be unaffected (e.g. because it is carried out in publicly accessible areas)." It follows from the above that you will need to carry out the aforementioned DPIA before the planned processing of personal data.

With regard to DPIA, the Information Commissioner has drawn up guidelines, which we strongly recommend that you thoroughly review before introducing video surveillance. They are available on our web site via the link: https://www.ip-rs.si/publications/guides-and-directions/prices-effects-of-protection-data/.

In addition, we would like to remind you of the provisions regarding the security of personal data, which means ensuring the integrity, confidentiality and availability of such data. In this respect, the General Regulation provides in Article 32 that, taking into account the latest technological developments and the costs of implementation and the nature, scale, circumstances and purposes of processing, as well as the risks to the rights and freedoms of individuals differing in likelihood and seriousness, the operator and the processor with implementation adequate technical and organizational measures shall ensure an adequate level of risk-based security, including, inter alia, the following measures as appropriate:

(a) pseudonymisation and encryption of personal data;

(b) the ability to ensure the continued confidentiality, integrity, accessibility and resilience of processing systems and services;

(c) the ability to timely restore the availability and access to personal data in the event of a physical or technical incident;

(d) the process of regularly testing, evaluating and evaluating the effectiveness of technical and organizational measures to ensure security treatment.

In determining the appropriate level of security, account shall be taken, in particular, of the risks posed by processing, in particular as a result of unintentional or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data that is transmitted, stored or otherwise processed.

Hoping to receive your answer, we welcome you.