NAIH (Hungary) - NAIH-1006-3/2022

From GDPRhub
Revision as of 16:56, 18 May 2022 by Ea (talk | contribs)
NAIH - NAIH-1006-3/2022
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 5(1)(b) GDPR
Article 5(1)(c) GDPR
Article 6(1)(f) GDPR
Article 13(1) GDPR
Article 13(2) GDPR
Type: Complaint
Outcome: Upheld
Started: 21.05.2021
Decided: 29.03.2022
Published: 29.03.2022
Fine: 500,000 HUF
Parties: n/a
National Case Number/Name: NAIH-1006-3/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Hungarian
Original Source: NAIH (in HU)
Initial Contributor: Abel Kaszian

The Hungarian DPA imposed a fine of approximately €1,300 on a car repair shop. The DPA held that the shop violated Articles 5, 6 and 13 GDPR by failing to properly inform its employees about CCTV surveillance and by using it in areas intended for work breaks.

English Summary

Facts

In April 2021, the Hungarian DPA received a complaint from a company that co-owned a property in which two separate car repair shops were operating. The complainant said that the other co-owner – the controller – had installed six cameras in the shop and was not willing to remove them or give information about their operation.

In May 2021, the controller replied to the DPA stating that the cameras had been installed to protect the tools and other valuable objects in the shop. He added that the cameras were not used for surveillance of public areas. Furthermore, all of his employees had given their written consent to the surveillance, and a sign about the video surveillance had been in place since 8 May 2021. He also sent pictures of each camera, as well as the privacy policies that had been in effect since 8 May 2021. In them, the controller stated that the primary purpose of the CCTV system was to protect human life, to guard dangerous substances, to protect business, payment, banking and securities secrecy, and to protect assets.

One of the cameras was installed in "the kitchen". This was a space not used for work, only for rest and dining. However, the company's safe deposit box was also located there. There was also a camera in the “office/customer waiting room”. The controller claimed that administrative work was carried out in this room. The cash register, the (bank) card reader, and the cash desk were also located in this room.

Holding

First, the DPA found that since the controller stated in his privacy policy that the legal basis for the data processing was not consent, he should have conducted a legitimate interest assessment. Since he did not do so, he violated Article 6(1)(f) GDPR. However, provided that the controller can justify the proportionality of this during the balancing of interests, the DPA noted that the degree of danger of the work carried out on these premises (car mechanic activities) and the high value of the assets stored there (cars, tools, etc.) may justify the use of CCTV surveillance. Consequently, the DPA ordered the controller to amend his privacy policy so that it explicitly states that the legal basis for processing is the legitimate interest of the data controller. In addition, the DPA noted that the privacy policy contains literal quotes from completely irrelevant laws or laws no longer in effect.

Second, the DPA held that to comply with the principles of purpose limitation under Article 5(1)(b) GDPR and data minimisation under Article 5(1)(c) GDPR, the controller must change the angles of view of the cameras installed in the "office/customer waiting room" and "kitchen" rooms so that they do not cause unjustified surveillance of employees. In the DPA’s view, the angle of view of the cameras installed in the "office/customer waiting room" is such that employees and customers can be monitored. The DPA further observed that the camera's field of view in the “kitchen” is directed towards the dining table, which does not include the safe deposit box in question. Therefore, the purpose of the protection of persons and property does not apply here.

Third, the DPA ordered the controller to amend the privacy notice of the camera system to comply with Article 13(1) GDPR and Article 13(2) GDPR. The controller sent a photograph to the DPA showing that on 8 May 2021, it had placed a pictogram sign at the entrance of the premises to bring attention to the camera surveillance. As the data processing began on 5 March 2021, the requirement of adequate information in time was not met.

In issuing a fine of approximately €1,300, the DPA took various factors into account. Among the aggravating factors were that the DPA became aware of the infringement based on a complaint which could not be resolved between the parties, the infringement was still in progress during the DPA’s investigation, and the infringement concerned fundamental privacy rights, namely Article 5(1)(b) GDPR and Article 5(1)(c) GDPR. On the other hand, some of the mitigating circumstances listed were that there were only two cameras facing such problematic areas, the infringement affected a limited number of persons (6 employees in total), the data subjects did not suffer any specific harm or damage as a result of the infringement, there was nothing to indicate that the controller violated the GDPR intentionally, and it was the controller's first offence.

English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

The National Data Protection and Freedom of Information Authority (hereinafter referred to as the Authority)

hereinafter referred to as the “Customer”) in the data protection authority proceedings initiated on 2 July 2021 due to the circumstances revealed during the official inspection initiated on 11 May 2021

1. Notes that

a. the Customer has violated Article 5(1)(b) and (c) ("purpose limitation" and "data minimisation") of Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter: the General Data Protection Regulation) by setting the angle of view of the cameras installed in the "office waiting area" and "kitchen" premises of its headquarters so that they are suitable for unjustified surveillance of workers and not only for monitoring the assets to be protected.

b. The Client infringed Article 6 (1) (f) of the General Data Protection Regulation, as it relied on the consent of the employees as the legal basis for the operation of the camera system instead of invoking the legitimate interest of the data controller.

c. The Customer has violated Article 13 (1) - (2) of the General Data Protection Regulation by not properly informing its employees about the circumstances of the camera data processing taking place there.

2. obliges the Customer to

a. change the viewing angles of the cameras installed in the “office waiting room” and “kitchen” premises at the headquarters so that they are not suitable for unreasonable surveillance of employees and are in line with the system's purpose of protecting persons and property.

b. Amend the data management policy of the camera system so that it is not the consent of the employees but the legitimate interest of the data controller that forms the legal basis for the operation of the system and therefore perform the necessary balancing test.

c. Amend the data protection information sheet of the camera system to comply with Article 13 (1) to (2) of the General Data Protection Regulation and Annex III./3 of the Decision. of this Article.

1055 Budapest, Falk Miksa utca 9-11.
Tel.: +36 1 391-1400, Fax: +36 1 391-1410
ugyfelszolgalat@naih.hu, www.naih.hu

3. orders the Customer to pay, due to the above violations, a data protection fine of HUF 500,000, i.e. five hundred thousand forints, within 30 days from the final adoption of this decision;

4. orders the disclosure of the final decision with the personal data and the Customer's identification data masked (anonymised).

The fine shall be paid by transfer to the forint account of the Authority for the collection of centralized revenues (10032000-01040425-00000000 Centralized collection account IBAN: HU83 1003 2000 0104 0425 0000 0000). When transferring the amount, NAIH-1006/2022. JUDGE. number should be referred to.

If the debtor fails to meet his obligation to pay the fine within the time limit, he shall be liable to pay default interest. The amount of the late payment allowance is the statutory interest rate, which is equal to the central bank base rate valid on the first day of the calendar half-year affected by the delay. The late payment allowance shall be paid to the Authority's centralized collection account for centralized revenue (10032000-01040425-00000000 Centralized collection account).

In the event of non-payment of the fine and the penalty payment, the Authority shall order the enforcement of the decision, the fine and the penalty payment.

There is no administrative remedy against this decision, but it can be challenged before the Metropolitan Court in an administrative lawsuit within 30 days of its notification. The application must be submitted to the Authority electronically, which will forward it to the court together with the case file. The request to hold a hearing must be indicated in the application. For those who do not receive a full personal tax exemption, the fee for an administrative lawsuit is HUF 30,000, and the lawsuit is subject to the right to record material fees. Legal representation is mandatory in proceedings before the Metropolitan Court.

EXPLANATORY STATEMENT

I. Background, clarification of the facts

1. Content of the notification received by the Authority

On 22 April 2021, […] (hereinafter: Kft.) lodged a complaint with the Authority by post. In the application, it stated that the Ltd. and […] private individuals owned the property below […] in a 1/2 to 1/2 share. Car repair activity is carried out in the property. Litigation is pending between the owners in connection with a property dispute or the termination of joint ownership.

The Client, which is managed by […], also carries out car repair activities in the property. The property functions as the Client's premises and is thus included in the company register.

On March 7, 2021, the representatives of the Ltd. wanted to start renovation works on the above property and to start moving into it. They only managed to do this by breaking the doors or with the help of the police. Upon entering the property, the representatives of the Ltd. were confronted with the fact that a recently installed camera system was operating there.

[…], the co-owner of the property and also the managing director of the Client, could not give an answer as to who owns the cameras and in what capacity they were installed. According to him, the system broadcasts live images to his business partner's phone […]. As the Ltd., as the co-owner of the property, was not informed or asked about the installation of the cameras in advance, and no information material / signs were installed on the property, it asked the Client's manager to dismantle them or settle any questions or access related to the system. On March 16, 2021, the representatives of the Ltd. disconnected the cameras from the power supply and communication line in the presence of the Client's managing director.

Later, on April 10, 2021, the representatives of the Ltd. noticed in the property that the cameras are working again and there are still no warning signs for the cameras, there is no data management information. The representatives of the Ltd. again asked the Client's managing director to take action in connection with the lawful operation of the camera system or to dismantle them. They said they did not receive a substantive response.

The above allegations were supported by the complainant Kft. The complainant also enclosed the decision of his […] Registrar […] rejecting his application for property protection proceedings.

The complainant asked the Authority to carry out an investigation into the above-mentioned camera data processing, which he considered to be illegal.

2. Facts established during the official inspection ordered on the basis of the application

1) On 11 May 2021, the Authority initiated an official inspection under file number NAIH-4360-3/2021 in connection with the Client's camera surveillance at the workplace, in order to assess whether the Client has fully complied with its obligations under the General Data Protection Regulation. At the same time, the Authority informed the company that submitted the complaint about the initiation of the official inspection under case number NAIH-4360-2/2021.

2) In order to clarify the facts, the Authority issued order no. NAIH-4360-3/2021.

Based on the statements given by the Client in response to the order, it can be stated that it has indeed installed surveillance cameras in the area of the above property, where work is being carried out (vehicle repair, maintenance). According to the statement, the surveillance cameras were installed on March 5, 2021. The decision to install the system was made by […] (Client's managing director and 75% co-owner), as he owns 1/2 of the observed property. The reason given by the Customer for the installation was that the locks on all the front doors of the workshop in the property had previously been damaged, presumably with the intention of burglary. After that, it was not possible to enter the workshop due to the complete destruction of the locks, and police action was taken in the case.

As an additional reason for installation, Customer has indicated the protection of objects and tools in the workshop. The workshop doors open directly to the public area, there is no fence or yard, the fencing of the area is not possible due to its nature.

The customer also stated that on 7 March 2021 […] and […] (representing the complainant Ltd. as a property owner) dismantled the workshop entrance and interior doors for renovation. As the property could no longer be locked, the doors were screwed shut with OSB. After these events, an internal data recording unit was added to the cameras. At the request of the Authority, the Client named a natural person, […], who is a 25% co-owner of the Client, as the data controller.

According to the customer's statement, the camera system only monitors the interior of the property, not public space. Only persons working there may be present in the workshop; customers and other outsiders have not been allowed on the property since March 6, 2021. Of the persons working in the workshop, 4 are full-time and 2 are casual workers.

According to the customer, the employees were informed in writing about the introduction of the camera system, which they accepted with their signatures. The client forwarded a copy of the “statement of consent” signed by all employees to the Authority. According to the standard text on the declaration filled in with the employee's personal data (name, birth data, address, ID card number):

'[T]he employee's personal data I, the [employee's] signature, certify that the property at number […] will be monitored at the premises of the employer by means of a closed-circuit camera system for security purposes, during which a live image will be transmitted during my working hours. I have received information about the system and I acknowledge that I do not wish to object. [date, then signature of employee and legal signature of Customer].'

In addition to the above, a camera pictogram on the workshop door has drawn attention to the operation of the system since 8 May 2021.

The recordings are stored both in the recording unit in the camera and in the cloud. The cameras in the indoor rooms (kitchen, warehouse-office, customer waiting office) retain recordings for 3 days, while the cameras in the workshop retain them for 7 days. According to the Customer, the live image is not monitored; the recordings can be accessed and viewed with the permission of […] (Customer's 25% owner) […] (Customer's 75% owner).

The client submitted to the Authority the images transmitted by the cameras, as well as a hand-drawn site plan of the property, indicating the viewing angles of each camera.

3) Later, the Authority issued order no. NAIH-4360-5/2021.

Customer has stated that it has a data protection policy and data protection information regarding the camera surveillance system, copies of which it has sent to the Authority. The regulations are effective from May 8, 2021.

(a) The main findings of the "Surveillance Information System for the Surveillance System" are as follows: property protection. The application of the system is not intended to influence employee behavior. Customer has been named as data controller, but […] 's name and contact information have been provided as contact details.

For a total of six cameras, the purposes of data management (which is uniformly property protection) and the area monitored were also marked separately. According to the information, the storage period of the recordings is uniformly three working days, which can be extended to 30 days in extremely justified cases. After the storage time, the recordings are automatically deleted (overwritten). The way the data is stored is electronic.

The person entitled to view the recordings is […]; viewing is possible only "in the event of an incident", in the event of "theft, material damage". As to the legal basis for the data processing, the information notice states only that "the lawfulness of the data processing of the system does not require the consent of the monitored persons".

The legislation listed as the basis for the data processing includes, in addition to the General Data Protection Regulation and Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter: the Information Act or Infotv.), the following: Act LXVI of 1995 on Public Documents, Public Archives and the Protection of Private Archival Material; Government Decree 335/2005 (XII. 29.) on the general requirements for the records management of bodies performing public functions; the 2001 Act on certain issues of electronic commerce services and services related to the information society; and Act C of 2003 on Electronic Communications.

(b) The document entitled 'Data protection and data management rules for the camera surveillance system' largely reproduces the content of the information document described in point (a) above. The difference between the two is that the regulations deal with the legality of the application of the system in a separate chapter, which contains quotations taken from the following legal acts: Act XLI of 2012 on Passenger Transport Services; Act LXIII of 1999 on the Supervision of Public Spaces; and Act CXXXIII of 2005 on the Rules for the Protection of Persons and Property and Private Investigation. In addition to those mentioned in point (a), these additional pieces of legislation are also listed in the section entitled "Legislation on which the data processing is based".

The regulations also contain the general provisions of the Infotv. on the obligation to register in the data protection register.

The regulations contain different provisions regarding the storage time of recordings compared to the information notice. According to them, the Customer stores the camera recordings in the “general case” for 3 working days, while in the case of the workshop cameras the storage time is 7 days. The extension of the storage period to 30 days due to extraordinary circumstances is also indicated here.

As regards the legal basis for data processing, the rules also merely state that the consent of the data subjects is not required.

In addition to the above, the policy contains short, general, i.e. not system-specific, requirements for data security and the handling of data protection incidents.

In addition, it also contains general provisions on the status and duties of the Data Protection Officer, but does not designate a person.

c) The Client also forwarded to the Authority a document entitled “Data Management Information” dated 20 May 2019. This document contains general data protection information regarding the personal data handled by the Customer, information about the personal data handled on its website, in the course of its direct marketing activities and in connection with its general business operations. This information does not apply to the camera system.

4) In addition to the above, Customer has stated that Customer […] will have access to the camera recordings through a telephone application. In the case of an event, the recorded images will be viewed with the consent of […]. Such a case has not yet taken place.

Regarding the filming of the “office-waiting” room, the Client stated that administrative work is currently taking place there. This room has a cash register and (bank) card reader, as well as a cash desk.

3. Facts established during the data protection authority proceedings

Alongside the further clarification of the facts, and with regard to Section 60 (1) of the Infotv., the Authority decided on 2 July 2021 to initiate data protection authority proceedings, of which it notified the Customer under no. NAIH-4360-8/2021 on July 7, 2021, according to the returned return receipt.

1) In order to further clarify the facts, the Authority issued order no. NAIH-4360-9/2021.

According to the customer, it does not have a balancing of interests test for the camera system. Customer also reiterated that the purpose of the system is not to monitor employees, only to protect property.

In connection with the references in the data management information to the protection of dangerous substances and of business, payment, banking and securities secrets through the use of the camera system, the Client stated that the documents related to the company, the cash register and the cash desk, the card reader, computers, and the key to an external hazardous material store are stored in the monitored property. The Customer also stated that no work is carried out in the kitchen room, only resting and dining, and that the company's safe deposit box is located there.

The telephone application that can be used to view the recordings (YCC365, version number: 4.1042.5.050) is also suitable for viewing live images, but no one at the Customer monitors the live image; only in the event of an incident is the footage stored in the cloud reviewed.

The Authority also questioned why statements of consent were made by employees when the data subject's consent could not be the legal basis for data processing under the system's own data protection rules. To this, the Customer responded that, prior to installation, it had consulted with the employees, who agreed to the installation of the cameras for security purposes. These consents were also recorded in writing to avoid possible future disagreements.

2) The Authority's internal IT security expert prepared an expert opinion, no. NAIH-4360-11/2021, on the basic features of the smartphone application (YCC365) that the Customer uses to view the camera images.

According to the expert opinion, the app, which can be installed on a smartphone, is available to both iOS and Android users and allows real-time video to be streamed and stored. The first time the application is used, an account must be registered with an email address by clicking "Sign Up". After connecting to a wifi network and scanning the QR code generated by the application with the selected camera, the live image is displayed in the application once the connection has succeeded.

The preview image transmitted by the camera as well as other functions (e.g. camera control, tilt, zoom) are also available remotely. The 30-day cloud hosting service is free to try in the app, after which time it can be subscribed to. The cloud service is supported by Amazon AWS; all video and audio are stored in Amazon Web Services, under the US-EU Safe Harbor protocol, with encryption. After an SD card is inserted into the camera, the camera saves the videos on the SD card while deleting the old ones.

By order no. NAIH-4360-12/2021, the Authority sent the expert opinion to the Client under Act CL of 2016 on General Administrative Procedure (hereinafter: the Ákr.), so that the Client could exercise the rights granted there. According to the returned return receipt, the Client received the order on September 24, 2021, and no comments have been received by the Authority to date.

3) Finally, by order no. NAIH-1006-1/2022, the Authority asked the Customer to state its total net sales revenue in the business year 2021, given that the data processing in question concerned that year, in order to consider the aspects of an administrative fine that could be imposed under Article 83 of the General Data Protection Regulation. According to the customer's statement, the net sales revenue in 2021 was HUF […].

II. Applicable legal provisions

Pursuant to Section 99 of the Ákr., the authority - within the limits of its competence - monitors the observance of the provisions of the law and the fulfillment of the provisions of the enforceable decision.

Pursuant to Section 101 (1) (a) of the Ákr., if the authority finds an infringement during an official inspection, it shall initiate official proceedings. Pursuant to Section 38 (3) and Section 60 (1) of the Infotv., the Authority, within the scope of its duties under Section 38 (2) and (2a), shall conduct ex officio data protection authority proceedings in order to enforce the right to the protection of personal data.

Pursuant to Section 104 (1) (a) of the Ákr., the Authority shall initiate proceedings ex officio in its area of competence if it becomes aware of a circumstance giving rise to the initiation of proceedings; pursuant to paragraph (3) of the same section, the ex officio proceedings shall begin on the day on which the first procedural act is performed, without notice to the known client if the authority decides to do so within eight days of the opening of the proceedings.

Pursuant to Article 2 (1) of the General Data Protection Regulation, the General Data Protection Regulation applies to the processing of data which is the subject of the proceedings.

According to Article 4 (1) of the General Data Protection Regulation, "personal data" shall mean any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

According to Article 4 (2) of the General Data Protection Regulation, "processing" means any operation or set of operations on personal data or files, whether automated or non-automated, such as collection, recording, organization, sorting, storage, transformation or alteration, retrieval, viewing, using, communicating, transmitting or otherwise making available, coordinating or linking, restricting, deleting or destroying.

Pursuant to Article 5 (1) (b) of the General Data Protection Regulation, personal data must be collected for specified, explicit and legitimate purposes and not processed in a way incompatible with those purposes; further processing for the purposes of archiving in the public interest, for scientific and historical research purposes or for statistical purposes ("purpose limitation") shall not be considered incompatible with the original purpose in accordance with Article 89 (1).

Pursuant to Article 5 (1) (c) of the General Data Protection Regulation, personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimisation").

Under Article 5 (2) of the General Data Protection Regulation, the controller is responsible for complying with the principles set out in Article 5 (1) and must be able to demonstrate such compliance ("accountability").

According to Article 6 (1) (f) of the General Data Protection Regulation, the processing of personal data is lawful only if and to the extent that at least one of the following conditions is met: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

Pursuant to Article 13 of the General Data Protection Regulation

1. Where personal data concerning the data subject are collected from the data subject, the controller shall provide the data subject with all of the following information at the time the personal data are obtained:

(a) the identity and contact details of the controller and, if any, of the controller 's representative;
(b) the contact details of the Data Protection Officer, if any;
(c) the purpose of the intended processing of the personal data and the legal basis for the processing;

(d) in the case of processing based on Article 6 (1) (f), the legitimate interests of the controller or of a third party;

(e) where applicable, the recipients or categories of recipients of the personal data, if any;

(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organization and the existence or absence of a Commission decision on adequacy, or, in the case of the transfers referred to in Article 46, Article 47 or the second subparagraph of Article 49 (1), an indication of the appropriate and suitable guarantees and a reference to the means of obtaining copies thereof or their availability.

2. In addition to the information referred to in paragraph 1, the controller shall inform the data subject of the following additional information at the time of obtaining the personal data, in order to ensure fair and transparent processing of the data:

(a) the period for which the personal data will be stored or, if that is not possible, the criteria for determining that period;

(b) the data subject's right to request the controller to access, rectify, delete or restrict the processing of personal data concerning him or her and to object to the processing of such personal data and the data subject's right to data portability;

(c) in the case of processing under Article 6 (1) (a) or Article 9 (2) (a), the right to withdraw the consent at any time, without prejudice to the lawfulness of the processing carried out prior to the withdrawal;

(d) the right to lodge a complaint with the supervisory authority;

(e) whether the provision of personal data is based on law or a contractual obligation or a precondition for the conclusion of a contract, whether the data subject is obliged to provide personal data and the possible consequences of not providing such data;

(f) the existence of the automated decision-making referred to in Article 22 (1) and (4), including profiling, and, at least in those cases, comprehensible information on the logic used and on the significance and the expected consequences of such processing for the data subject.

Pursuant to Section 30 (3) of Act CXXXIII of 2005 on the Rules for the Protection of Persons and Property and Private Investigation (hereinafter: the Act), an electronic surveillance system shall not be applied in places where surveillance may violate human dignity, in particular in a locker room, fitting room, washroom, toilet, hospital room or the residential room of a social institution.

Pursuant to Section 9 (2) of Act I of 2012 on the Labor Code (hereinafter: the Labor Code or Mt.), an employee's right to privacy may be restricted if the restriction is absolutely necessary for a reason directly related to the purpose of the employment relationship and is proportionate to achieving the goal. The employee shall be informed in advance in writing of the manner, conditions and expected duration of the restriction of the right to privacy, as well as the circumstances justifying its necessity and proportionality.

Pursuant to Mt. 11 / A. § (1), the employee may be inspected with regard to his or her employment-related conduct. As part of this, the employer may also use technical means, informing the employee in writing in advance.

Pursuant to Section 61 (1) (a) of the Infotv., the Authority may apply the legal consequences specified in the General Data Protection Regulation in connection with the data processing operations specified in Section 2 (2) and (4).










Pursuant to Article 58 (2) (b) and (i) of the General Data Protection Regulation, the supervisory authority, acting in a corrective capacity, shall reprimand the controller or processor if its processing activities infringe the provisions of the Regulation, or impose an administrative fine in accordance with Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the circumstances of the case. Pursuant to point (d) of paragraph 2 of the same Article, the supervisory authority, acting within the scope of its remedial powers, shall instruct the controller or processor to bring its data processing operations into line with the provisions of this Regulation, where appropriate and within a specified period of time.

The conditions for imposing an administrative fine are set out in Article 83 of the General Data Protection Regulation. Pursuant to Infotv. 75 / A. §, the Authority shall exercise its powers under Article 83 (2) to (6) of the General Data Protection Regulation taking into account the principle of proportionality, in particular by acting, in the event of a first breach of the rules on the processing of personal data laid down in law or in a binding act of the European Union, primarily in accordance with Article 58 of the General Data Protection Regulation, by alerting the controller or processor.


III. Decision

1. The legal basis of the examined data processing

1) According to the definition in Article 4 (1) of the General Data Protection Regulation, a person's face or image shall be considered as personal data, and the taking of an image and any action on data shall be considered as data processing within the meaning of Article 4 (2).

Given that, on the basis of the documents sent to the Authority, the viewing angles of the cameras are designed to monitor, in addition to the premises and the assets located there, the workers in the building below […], the rules on camera surveillance at work should also be taken into account in the assessment of the legality of the case. In assessing this, the following labor law rules apply.

Pursuant to Section 42 (2) (a) of the Labor Code, the employee is obliged to perform work under the direction of the employer on the basis of the employment contract. Accordingly, b. carried out in accordance with regulations, instructions and customs. In order to comply with these legal obligations, Mt. 11 / A. § (1) provides for the possibility for the employer to control the employee in the context of his employment-related conduct. This right necessarily goes hand in hand with the processing of personal data.

Data management related to employer control is data management arising from the provisions of the Mt. and the nature of the employment relationship, independent of the employee's consent. In the context of consent, it should be noted that it must be voluntary as defined in the General Data Protection Regulation1. Regarding voluntary consent, however, the Data Protection Working Party3 (hereinafter referred to as the "Data Protection Working Party"), set up under Article 29 of the Repealed Data Protection Directive2, has stated in a number of resolutions that the possibility of voluntary consent in an employee-employer relationship is questionable. In the world of work, it is therefore appropriate to use a different legal basis, data processing based on the legitimate interest of the employer, instead of the data subject's consent.


1 Article 4 (11) of the General Data Protection Regulation: "consent of the data subject" shall mean a voluntary, specific and well-informed indication by the data subject, by means of a statement or an unambiguous act of consent, that he or she consents to the processing of personal data concerning him or her.


Thus, under the legal basis of legitimate interest under Article 6 (1) (f)4 of the General Data Protection Regulation, personal data may be processed if the processing is necessary to protect the legitimate interests of the controller (or a third party), unless those interests are overridden by the data subject's rights to the protection of personal data.

It is important that the employer, as data controller, has to exercise a balance of interests in order to invoke this legal basis.5 The balance of interests is a multi-step process of identifying based on the weighting, it must be determined whether personal data can be processed. If, as a result of the balance of interests, it can be established that the legitimate interest of the employer precedes the right of employees to the protection of personal data, a camera system may be operated.

However, due to the "principle of accountability" under Article 5 (2) of the General Data Protection Regulation, the employer must demonstrate that the electronic monitoring system it uses is compatible with the purpose of data processing and that the interests of the controller are paramount. This requirement sets out the framework for the purpose for which an electronic monitoring system may be operated at the workplace.

The Authority also notes here that in assessing the interests involved, the Client must also take into account why the monitoring of the entire area of the undivided jointly owned property to be monitored is essential for the specific purpose.

2) The data protection regulations sent to the Authority ("Camera Surveillance System Data Protection and Data Management Regulations") do not specify the legal basis for camera surveillance, only that the data subject's consent cannot be the legal basis for such data processing. In comparison, the Client has obtained statements of consent from each of the employees concerned, which have also been signed by the parties concerned.


2 Directive 95/46 / EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data

3 Prior to the date of application of the General Data Protection Regulation, the Working Party was an independent European advisory body on data protection and privacy issues, replaced by the European Data Protection Board.

4 Article 6 (1) (f) of the General Data Protection Regulation: “The processing of personal data shall be lawful only if and to the extent that at least one of the following conditions is met: the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, shall take precedence over those interests. "

5 The Data Protection Working Party 6/2014 provides assistance in carrying out the balance of interests. Opinion No 1/2008 on the concept of the legitimate interests of the controller under Article 7 of Directive 95/46 / EC, which may also be interpreted during the period of application of the General Data Protection Regulation. The opinion is available at the following link: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf










In clarifying the facts, the Authority asked why consent had been obtained from employees when the data subject's consent could not be the legal basis for data processing under the system's own data protection rules.6 To this, the Client replied that he had consulted with the employees, who consented to the installation of the cameras for security purposes. These consents were also recorded in writing to avoid possible future disagreements. The Customer has also stated that it does not have a balancing test for the camera system.

Based on the above, notwithstanding the provisions of the data protection regulations, the Customer has in practice based the operation of the camera surveillance system on the consent of the parties concerned instead of on its own legitimate interests. This is confirmed by the statements of consent requested and the lack of a balancing test.

However, according to the previous subsection III./1./1 of the decision, the use of a workplace camera surveillance system cannot be based on the consent of the employees. Such systems may be operated in the workplace in the legitimate interest of the controller.

In addition, the regulations contain verbatim quotations from legislation concerning the lawfulness of the application of the system7 which are completely irrelevant for camera data management. These additional pieces of legislation are also listed in the section entitled “Legislation underlying data management”. The regulations have also taken over, from the repealed text of the Infotv., the general provisions on the obligation to register in the Data Protection Register.

Based on the above, it is clear from the regulations created in connection with the operation of the system that they were compiled by the Customer at random, on the basis of a possibly invalid data management policy used as a template, as well as randomly selected legal references.

The Authority states here that in the data management regulations the data controller must be able to specify the legal basis of the data processing on the basis of the legal provisions in force; he cannot evade this obligation by listing various legal references at random.

The customer therefore infringed Article 6 (1) (f) of the General Data Protection Regulation by operating the camera system, as the consent of the employees was the legal basis for the operation of the system instead of the legitimate interest.



6 Question 6 of Order No. NAIH-4360-9 / 2021.

7 - Act LXVI of 1995 on Public Documents, Public Archives and the Protection of Private Archival Material,
- Government Decree 335/2005. (XII. 29.) on the general requirements for the document management of bodies performing public tasks,
- Act CVIII of 2001 on Certain Issues in Electronic Commerce Services and Information Society Services,
- Act C of 2003 on Electronic Communications,
- Act XLI of 2012 on Passenger Transport Services,
- Act LXIII of 1999 on the Supervision of Public Spaces,
- Act CXXXIII of 2005 on the Rules for the Protection of Persons and Property and of Private Investigation.

8 The obligation to register in the data protection register previously maintained by the Authority was regulated by the Infotv.; it has been deleted from its text in force since 27 July 2018. At present, such a register is not kept by the Authority, so data controllers do not need and do not have the opportunity to register.









2. The purpose of the examined data management

1) In the replies sent to the Authority and in the attached documentation, the Client stated the purpose of data management as the protection of the security of the buildings and the property located there, as well as the protection of dangerous goods and payment transactions, and personal protection purposes. The purpose of operating the camera system is thus not to monitor and influence the work of employees, but to protect people and property.

In this context, it is important to mention that respect for human dignity is an absolute limit to camera surveillance in the workplace, so that cameras cannot be operated to monitor workers and their activities on a permanent basis without a specific purpose. It is also illegal to use an electronic surveillance system whose purpose is to influence the behavior of employees at work, or to monitor and control employees with cameras on a permanent basis. The reason for this is that monitoring for control purposes typically violates the principle of necessity and proportionality, as the employer has several other ways to make use of Mt. 11 / A. § (1). Therefore, it is not possible to operate cameras that only monitor workers and their activities on a permanent basis. Exceptions are workplaces where the life and physical integrity of workers may be in imminent danger, so that cameras can be operated exceptionally, for example in assembly halls, smelters, industrial plants or other establishments containing a source of danger. It should be emphasized, however, that a camera may be operated to protect the life and physical integrity of workers only if the danger actually exists and is direct, i.e. the potential danger cannot be a constitutionally acceptable purpose for data processing. However, all this must be demonstrated by the employer in the balancing test.

In the case of surveillance for property protection purposes, the employer must also prove during the balance of interests that there are in fact circumstances which justify the location of each camera and that the objective to be achieved cannot be achieved in any other way. An additional important requirement in the case of surveillance for property protection purposes is that the employer must pay particular attention to ensuring that the angle of view of the camera in question is directed essentially at the object to be protected and does not become a suitable means of monitoring the work of employees.

In addition, an electronic monitoring system may not be used in a room designated for the purpose of taking a break from work. An exception to this may be the case if there is any valuable property to be protected in these premises in connection with which an interest of the employer can be proved (for example, the employees have repeatedly damaged the equipment and the damage had to be borne by the employer). In this case, a camera can be placed in the room for this specific purpose, but the employer must also pay special attention to ensuring that the camera focuses only on the property to be protected, also in accordance with the principle of data saving (data minimisation).

2) Based on the Customer's responses and the images transmitted by the installed cameras, it can be stated that the cameras monitor the following:

- The workshop for car repair work in the building, and the cars and tools stored there (3 cameras).

- A storage room and the goods, tools and parts stored there (1 camera).

- The customer waiting area and the office for receiving customers, where the cash register and the bank card reader terminal are also included in the field of view of the camera (1 camera).

- The kitchen, with the camera facing the dining table (1 camera).

In the opinion of the Authority and in accordance with the legal provisions referred to above, the image transmitted by the 3 cameras in the workshop and the image transmitted by the 1 camera monitoring the storage room may correspond to the personal and property protection purposes indicated by the Customer. The degree of danger of the work performed in these premises (car repair activity), as well as the high-value assets stored there (cars, tools, etc.), may justify their camera surveillance, if the proportionality of this can be justified by the Client during the balance of interests.

In connection with the camera surveillance of the customer waiting room and the cash register, the Client also indicated the purposes of protection of property, as well as the protection of dangerous substances and the protection of business, payment, banking and securities secrets. This is because the cash register, card reader and computers, as well as the key to the external hazardous materials storage, are kept here. In the Authority's view, the viewing angle of the camera installed in the customer waiting room is suitable for monitoring the employees and the customers arriving there through the person entitled to view the image of the camera. This is because it monitors not only the cash register, card reader workstation and key cabinet, but almost the entire room, including the customer waiting area. Constant monitoring of the latter part of the room is not justified for the protection of property, the protection of hazardous materials and the protection of business and payment secrets. The Authority notes that the protection of banking and securities secrecy indicated by the Client may not arise in connection with the Client's activities, as it is not an undertaking engaged in the activity of a credit institution.

Finally, in connection with the monitoring of the kitchen, the Client stated that there was no work there, only a resting and dining activity, and that the company's armored cassette was also located here. In connection with the monitoring of this room, the Authority notes that the angle of view of the camera is directed at the dining table and does not include the cassette referred to. The image transmitted by the camera is therefore not suitable for surveillance for personal and property protection purposes, while the employees' work breaks (meals) take place here. The angle of view of the camera is therefore suitable for unjustified observation of employees while taking breaks between work, but it is not able to fulfill the indicated purpose of protection of property, because the armored cassette does not fall into it.

3) Based on the above, the Authority concludes that the angle of view of the camera installed in the “office-waiting” and “kitchen” premises of the Customer's headquarters is suitable for unreasonable surveillance of employees and is therefore incompatible with the original purpose of personal and property protection. The processing of data through the camera therefore infringes the principle of "purpose limitation" under Article 5 (1) (b) of the General Data Protection Regulation.

In addition, as the field of view of these cameras is not aimed at the assets to be protected, but the image they transmit covers a wider area, thus allowing full surveillance of the premises, the Authority considers that this data processing by the Applicant also violates the principle of data minimisation under Article 5 (1) (c) of the General Data Protection Regulation.










In view of the above, the Authority requested the Applicant, in the operative part of this decision, to adjust the viewing angles of the cameras installed in the “office-waiting” and “kitchen” premises in such a way that they are not suitable for unjustified surveillance of employees and serve only security purposes.

3. Informing the data subjects about the data management examined

1) In the case of data processing related to camera surveillance at work, it is an essential requirement that employees receive adequate, transparent and easy-to-understand information about data processing. In this connection, the following must be taken into account:

Pursuant to Section 9 (2) and Section 11 / A. (1) of the Mt., if the employer also uses technical means to control the employees, he must inform them in writing in advance.

Article 13 (1) to (2) of the General Data Protection Regulation sets out the information to be provided to employees in relation to data processing.

In the case of data processing related to camera surveillance, the system of requirements provided for in the General Data Protection Regulation requires employees to be informed in particular of the following essential circumstances:

- the identity (with the exact name of the legal or natural person) and contact details of the operator of the electronic monitoring system,

- the contact details of the Data Protection Officer, if such a person has been appointed by the controller,

- the location of each camera and its purpose, the area or object they are observing, and whether the employer is making direct or fixed surveillance with that camera,

- the legal basis for data processing,

- the determination of the legitimate interest of the controller,

- the storage period of the recording,

- the range of persons entitled to access the data and the persons and bodies to which the recordings may be forwarded by the employer,

- the rules for reviewing the recordings and the purposes for which the recordings may be used by the employer,

- the rights of employees in relation to the electronic monitoring system and the way in which they can exercise those rights,

- the means of redress available to them in the event of a breach of their right to information, including the possibility of recourse to the Authority.












With regard to the obligation to provide information, it is also necessary to emphasize that for each camera, the employer must indicate precisely for what purpose the camera was placed in the given area and to which area and equipment the angle of view of the camera is directed. This allows the employer to justify to employees why it is considered necessary to monitor the area. The practice whereby an employer only informs employees in general that they use an electronic monitoring system in the workplace is not acceptable.

Based on the documents provided and sent by the customer at the request of the Authority, the following information regarding the operation of the camera system can be established.

The main findings of the "Surveillance Information System for the Surveillance System" are as follows: The primary purpose of the system is to protect human life, physical integrity, personal liberty, the protection of dangerous goods, the protection of business, payment, banking and securities secrets and property. The application of the system is not intended to influence employee behavior.

The Customer has been named as data controller. The name and contact information of […] are provided.

For a total of six cameras, the data management purposes (which are uniformly property protection) and the monitored area were also marked separately. According to the information, the storage period of the recordings is uniformly three working days, which can be extended to 30 days in extremely justified cases. After the storage time, the recordings are automatically deleted (overwritten). The way the data is stored is electronic.

The person entitled to view the recordings is […]; viewing is possible in the event of "theft, material damage", only "in the event of an incident". As regards the legal basis for the data processing, the prospectus states only that "the lawfulness of the data processing of the system does not require the consent of the monitored persons".

The additional legal acts indicated by the Client in the prospectus (Act LXVI of 1995, Government Decree 335/2005 (XII. 29.), Act CVIII of 2001 and Act C of 2003) are completely irrelevant from the point of view of data management, as they do not contain applicable standards for camera data processing. In any case, the purpose of referring to them has not been indicated in the prospectus, so it is completely unnecessary to list them.

The customer has also forwarded to the Authority a document entitled “Data Management Information” dated 20 May 2019, which, however, does not apply to the camera system, so the Authority will not make any further findings in this regard.

2) In connection with the above, it can be stated that the data management information incorrectly contains the legal basis of the data processing, as it does not clearly indicate it; it only indicates that it is not necessary to obtain the consent of the data subject. Instead, the Client should have indicated Article 6 (1) (f) of the General Data Protection Regulation, i.e. the legitimate interest of the controller, as the legal basis for the processing, as also explained in Section III./1 of the Decision. In the case of data processing on the basis of a legitimate interest, it should have referred to the results of the interest balancing test performed; however, according to the Client's statement, it does not have one. In addition, the prospectus, like the data management rules of the system, also identifies completely irrelevant legislation and objectives (see Section III./1 of the Decision for the legal basis and Section III / 2 for the objectives).

In addition to the above, the data management prospectus does not contain information on the rights of employees in relation to the electronic monitoring system and how they can exercise their rights, as well as the possibility to apply to the Authority for the enforcement of their rights.

Article 13 (1) of the General Data Protection Regulation stipulates that the controller must make all of the listed information available to the data subject at the time of obtaining the personal data.

In relation to the above, the Authority concludes that the prospectus does not comply with Article 13 (1) to (2) of the General Data Protection Regulation due to the following considerations:

- the actual legal basis for the processing (legitimate interest of the controller) has not been indicated,

- the prospectus does not include a balancing test,

- the prospectus refers to legislation that is irrelevant to data management,

- the prospectus also indicates purposes not related to data processing (protection of business, payment, banking and securities secrecy),

- the prospectus does not contain information on the rights of the data subject and the means of redress.

The Client forwarded to the Authority a photograph showing that, on 8 May 2021, he had placed a pictorial warning sign calling attention to camera surveillance at the entrance to the business premises. An additional requirement in connection with appropriate information is that the employer is obliged to place an alert about the fact that he uses an electronic monitoring system in the given area9, but the Client did not comply with this until more than two months after the data management started on 5 March 2021. Thus, the requirement for adequate information was not met either.

Based on the above and on the available information, it can be concluded that there was not, and at present there is not, adequate information on camera data management for the employees working at the site (a total of 6 people during the period under review).

Based on the above, the Authority found that the Customer had violated Article 13 (1) to (2) of the General Data Protection Regulation and therefore requested that a data protection notice be prepared in accordance with the law.

5. Findings concerning the sanction applied.

The Authority has examined the type of sanction it intends to impose on the Applicant for the breaches detected and whether a data protection fine is justified. In this context, the Authority, in accordance with Article 83 (2) of the General Data Protection Regulation and Infotv. 75 / A. §, and subject to Infotv. § 61 (5), considered all the relevant circumstances of the case and established that, in the case of the infringement discovered during the present proceedings, a warning and summons to the Client is not in itself a sufficiently proportionate and dissuasive sanction, so it is appropriate to impose a fine.


9 See European Data Protection Board Guidelines 3/2019 on the processing of personal data by video tools, pp. 28-29.
Online: https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201903_video_devices_en.pdf


In determining the need to impose a fine, the Authority considered the aggravating and mitigating circumstances of the infringements as follows:

Aggravating circumstances:

- According to the available data, the infringing camera data processing and insufficient information have existed at the investigated headquarters from 5 March 2021 to the present day. [Article 83 (2) (a) of the General Data Protection Regulation]

- The Authority became aware of the data processing on the basis of a public interest notification. The public interest notifier has previously indicated to the Client the infringing nature of the data processing, in connection with which the Client has not taken any action. [Article 83 (2) (h) of the General Data Protection Regulation]

In setting the amount of the fine, the Authority took into account that, pursuant to Article 83 (5) of the General Data Protection Regulation, the infringements of principle committed by the Applicant constitute infringements falling within the higher maximum fine category.

Mitigating circumstances:

- The infringing camera surveillance and the lack of information only affected a smaller number of persons (a total of 6 employees) with regard to the data processing examined. [Article 83 (2) (a) of the General Data Protection Regulation]

- At the site, only two cameras ("office waiting room" and "kitchen") can be used for unjustified surveillance of workers. [Article 83 (2) (a) of the General Data Protection Regulation]

- In the course of the proceedings, the Authority did not receive any information indicating that the persons concerned had suffered any specific inconvenience or damage as a result of the infringement. [Article 83 (2) (a) of the General Data Protection Regulation]

- There was no circumstance indicating that the Customer acted with intent in setting the conditions for the data processing in an unlawful manner, so that only negligence can be established on his part. [Article 83 (2) (b) and (d) of the General Data Protection Regulation]

- The Authority has taken into account that it has not previously established a violation relating to the processing of personal data against the Client. [Article 83 (2) (e) of the General Data Protection Regulation]

Other circumstances considered:

- The Authority also took into account the fact that the Client cooperated in all respects with the Authority in the investigation of the case, although, as this conduct did not go beyond compliance with the obligations, it did not explicitly assess it as a mitigating circumstance. [Article 83 (2) (f) of the General Data Protection Regulation]

The Authority did not consider Article 83 (2) (c), (g), (i), (j) and (k) of the General Data Protection Regulation to be relevant in deciding on the legal consequences.

In determining the amount of the fine, the Authority took into account that, based on the statement given by the Client at the request of the Authority, in the business year from 1 January 2021 to 31 December 2021 it had net sales of HUF […], i.e. HUF […]. In setting the fine, the Authority took into account the business year 2021 in view of the duration of the infringement. Based on the above, the amount of the fine imposed is proportionate to the gravity of the infringement and cannot be considered excessive.

Pursuant to Section 61 (2) (c) of the Infotv., the Authority ordered the disclosure of the decision with the Customer's identification data concealed, as it does not affect a wide range of persons.


IV. Other issues

The powers of the Authority are defined in Infotv. § 38 (2) and (2a), and its jurisdiction extends to the entire territory of the country.

Pursuant to Section 112, Section 116 (1) and Section 114 (1) of the Ákr., the decision is subject to administrative appeal.

The rules of an administrative lawsuit are defined by Act I of 2017 on the Procedure of Administrative Lawsuits (hereinafter: Kp.). Pursuant to Section 12 (1) of the Kp., the administrative lawsuit against the decision of the Authority falls within the jurisdiction of the court. Pursuant to Section 13 (3) (a) (aa), the Metropolitan Court has exclusive jurisdiction. Pursuant to Section 27 (1) (b) of the Kp., legal representation is mandatory in litigation falling within the jurisdiction of the Tribunal. According to Section 39 (6) of the Kp., the lodging of an application does not have suspensory effect on the entry into force of the administrative act.

Pursuant to Section 29 (1) of the Kp. and, with regard to this, Section 9 (1) (b) of Act CCXXII of 2015 on the general rules of electronic administration and trust services (hereinafter: E-Administration Act), applicable pursuant to Section 604 of the Pp., the legal representative of the customer is obliged to communicate electronically.

The time and place of the submission of the application are defined by Section 39 (1). The information on the possibility of requesting a hearing is based on Section 77 (1)-(2) of the Kp.

The amount of the fee for an administrative lawsuit is determined by Section 45/A (1) of Act XCIII of 1990 on Fees (hereinafter: Itv.). Section 59 (1) and Section 62 (1) (h) of the Itv. release the party instituting the proceedings from the advance payment of the fee.

Pursuant to Section 132 of the Ákr., if the debtor has not complied with the obligation contained in the final decision of the authority, it may be enforced. Pursuant to Section 82 (1), the decision of the Authority becomes final with its communication. Pursuant to Section 133 of the Ákr., enforcement is ordered by the decision-making authority, unless otherwise provided by law or government decree. Pursuant to Section 134 of the Ákr., enforcement is carried out by the state tax authority, unless otherwise provided by law, a government decree or a decree of a local government in a matter of local government. Pursuant to Section 60 (7) of the Infotv., the Authority shall enforce the decision with regard to the obligation contained in the decision of the Authority to perform a specific act, to behave in a certain manner, to tolerate or to cease.

Budapest, March 29, 2022


Dr. Attila Péterfalvi

President
honorary professor