NAIH (Hungary) - NAIH-2732-2-2023: Difference between revisions
(moved the investigation part and arguments of the controller to the facts) |
(structured) |
||
| Line 84: | Line 84: | ||
The controller was a Budapest-based company that operates the Spandora Beauty Centre (spandora.hu), where facial and body treatments and medical aesthetic procedures are performed in 2 diagnostic rooms and 15 treatment rooms. The controller also distributed cosmetic products. | The controller was a Budapest-based company that operates the Spandora Beauty Centre (spandora.hu), where facial and body treatments and medical aesthetic procedures are performed in 2 diagnostic rooms and 15 treatment rooms. The controller also distributed cosmetic products. | ||
The DPA received several notifications in which clients and employees of the controller complained | The DPA received several notifications in which clients and employees of the controller complained about cameras recording image and sound in all premises (offices, treatment rooms, corridors, reception) at its headquarters. | ||
The DPA launched an official investigation on 19 October 2021 and carried out an on-site visit on 20 October 2021. This visit and the explanations of the controller showed the following : | The DPA launched an official investigation on 19 October 2021 and carried out an on-site visit on 20 October 2021. This visit and the explanations of the controller showed the following : | ||
''First,'' during this visit, the DPA examined each camera image separately and found that the cameras were monitoring the staff in the room where they eat, in training rooms and in customer treatment rooms. This implied that clients were often seen in incomplete clothing during treatments. The quality of the images and audio was sufficient to identify the data subjects. | ''First,'' during this visit, the DPA examined each camera image separately and found that the cameras were monitoring the staff in the room where they eat, in training rooms and in customer treatment rooms. This implied that clients were often seen in incomplete clothing during treatments. The quality of the images and audio was sufficient to identify the data subjects. The purpose of this processing was however not clearly defined. | ||
''Second,'' the controller explained that only the manager, the financial manager, the HR manager, and the warehouse manager had access to the recordings. However, | ''Second,'' the controller explained that only the manager, the financial manager, the HR manager, and the warehouse manager had access to the recordings. However, the on-site visit showed that the camera images were also seen by the sales manager, who said that he used them to check that the staff providing the treatments was communicating properly with the clients. The recordings were available on a computer in an unlocked room. To access them, one could click on a shortcut and enter a username which was written on a piece of paper stuck to the monitor. | ||
''Third,'' the consultation forms (which all clients were required to fill in at the reception desk before starting treatment) mentioned the placement of cameras and that the purpose of the monitoring was to protect clients and staff. It however did not mention the recording of audio. According to the controller, the employees were informed about the processing verbally and through the privacy notice. The investigation however showed that there was no mention of the cameras in the privacy notice in force. The controller amended the privacy notice following the opening of the DPA procedure. It stated that the purpose of the camera surveillance was to improve the service and to monitor the work of the employees | ''Third,'' the consultation forms (which all clients were required to fill in at the reception desk before starting treatment) mentioned the placement of cameras and that the purpose of the monitoring was to protect clients and staff. It however did not mention the recording of audio. According to the controller, the employees were informed about the processing verbally and through the privacy notice. The investigation however showed that there was no mention of the cameras in the privacy notice in force. The controller amended the privacy notice following the opening of the DPA procedure. It stated that the purpose of the camera surveillance was to improve the service and to monitor the work of the employees. It also provided information on the location of each camera in a blury drawing. | ||
''Fourth,'' the controller stored health data in the client database | ''Fourth,'' the controller stored health data in the client database, including covid vaccination status, pregnancy, sicknesses. | ||
''Fifth,'' | ''Fifth,'' in terms of legal basis, the controller stated that the signature of the consultation form constituted a consent to the processing for a marketing purpose. Later, the controller held that this processing was based on legitimate interest, and then in a further contradictory declaration, it stated that it did not use client data for such purposes | ||
=== Holding === | === Holding === | ||
The DPA assessed the compliance of the monitoring in the light of the different elements of the investigation. | |||
The DPA | |||
''First,'' the DPA stated that the monitoring was performed for an unclear purpose and without settings that minimized the processing. When the controller defended itself, it referred to the purposes in general terms and with contradictory statements. Consequently, the DPA concluded that the controller had breached the purpose limitation principle under [[Article 5 GDPR#1b|Article 5(1)(b) and (c) GDPR]]. The DPA, therefore, prohibited the processing of data by the camera in operators and in diagnostic and examination rooms and instructed the controller to delete in a documented manner the video recordings made in operators and in diagnostic and examination rooms. | |||
''Second,'' Regarding the people who could access the cameras. the DPA found that the controller did not guarantee the confidentiality of the data processing and did not take measures to protect personal data. Indeed, the images of the cameras and the stored recordings could be easily accessed. The DPA found that by failing to provide the default settings for the operation of the camera system that minimize data processing, the means necessary to ensure the highest possible level of protection of personal data, the controller violated [[Article 5 GDPR#1|Article 5(1) GDPR]] in [[Article 24 GDPR]] and [[Article 25 GDPR]], as well as [[Article 32 GDPR#1b|Article 32(1)(b) GDPR]] and [[Article 32 GDPR#2|Article 32(2) GDPR]], and instructed the controller to take appropriate technical and organizational measures to ensure that its processing operations comply with the legal provisions. | |||
''Third,'' concerning the information, the DPA found that the privacy notice did not comply with the requirements of the GDPR as it did not provide information on the location of each camera and its purpose, the area or object it monitored, or whether the employer was carrying out direct or fixed surveillance with the camera. It also did not provide for the specific duration of the storage of the recordings, the rules for viewing the recordings, or the purposes for which the recordings could be used by the employer. The consultation forms could not either be considered as compliant since they contained misleading information. The controller therefore didn't comply with the requirement of transparent processing under [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]], and Article 13(1) to (2). The DPA instructed the controller to provide adequate, clear, and transparent information to data subjects about all processing and the circumstances of such processing. | |||
''Fourth,'' regarding the collection and storage of health data, the DPA recalled that the processing of sensitive data is possible if the data subject has given his or her explicit consent or if the processing complies with [[Article 9 GDPR#2|Article 9(2) GDPR]]. In this case, the controller did not demonstrate in its replies either that the processing of certain health data was indispensable for the performance of the services nor demonstrated to have collected a valid consent. Thus, the DPA found that the controller had violated [[Article 6 GDPR]] and [[Article 9 GDPR#2|Article 9(2) GDPR]] and prohibited the processing of the health data of the guests in connection with the records and ordered the controller to immediately stop recording the health data in the records in its database and to delete the personal health data of the data subjects from the records. | |||
''Fifth,'' the DPA found that there was no checkbox on the consultation form to authorize marketing. The clients therefore did not consent to the processing for this purpose. The controller also failed to proove a legitimate interest. The DPA concluded that, as the controller processed the data for marketing purposes without a legal basis, it had breached [[Article 6 GDPR#1|Article 6(1) GDPR]] in relation to this processing. For these reasons, the DPA instructed the controller to cease the unlawful processing and to bring the processing operation into compliance with the legal provisions by justifying the legal basis for the processing of the guests' data for marketing purposes. | |||
== Comment == | == Comment == | ||
Revision as of 11:42, 25 April 2023
| NAIH - NAIH-2732-2-2023 | |
|---|---|
 | |
| Authority: | NAIH (Hungary) |
| Jurisdiction: | Hungary |
| Relevant Law: | Article 5(1)(a) GDPR Article 5(1)(b) GDPR Article 5(1) GDPR Article 6(1) GDPR Article 13(1) GDPR Article 13(2) GDPR Article 24 GDPR Article 25 GDPR Article 32(1)(b) GDPR Article 32(2) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 19.10.2021 |
| Decided: | 06.02.2023 |
| Published: | 06.02.2023 |
| Fine: | 30000000 HUF |
| Parties: | n/a |
| National Case Number/Name: | NAIH-2732-2-2023 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Hungarian |
| Original Source: | NAIH (in HU) |
| Initial Contributor: | Ábel Kaszián |
The Hungarian DPA held a beauty salon liable for a major GDPR infringement including employee and client surveillance, mishandling of sensitive data and using data for marketing purposes without proper consent.
English Summary
Facts
The controller was a Budapest-based company that operates the Spandora Beauty Centre (spandora.hu), where facial and body treatments and medical aesthetic procedures are performed in 2 diagnostic rooms and 15 treatment rooms. The controller also distributed cosmetic products.
The DPA received several notifications in which clients and employees of the controller complained about cameras recording image and sound in all premises (offices, treatment rooms, corridors, reception) at its headquarters.
The DPA launched an official investigation on 19 October 2021 and carried out an on-site visit on 20 October 2021. This visit and the explanations of the controller showed the following :
First, during this visit, the DPA examined each camera image separately and found that the cameras were monitoring the staff in the room where they eat, in training rooms and in customer treatment rooms. This implied that clients were often seen in incomplete clothing during treatments. The quality of the images and audio was sufficient to identify the data subjects. The purpose of this processing was however not clearly defined.
Second, the controller explained that only the manager, the financial manager, the HR manager, and the warehouse manager had access to the recordings. However, the on-site visit showed that the camera images were also seen by the sales manager, who said that he used them to check that the staff providing the treatments was communicating properly with the clients. The recordings were available on a computer in an unlocked room. To access them, one could click on a shortcut and enter a username which was written on a piece of paper stuck to the monitor.
Third, the consultation forms (which all clients were required to fill in at the reception desk before starting treatment) mentioned the placement of cameras and that the purpose of the monitoring was to protect clients and staff. It however did not mention the recording of audio. According to the controller, the employees were informed about the processing verbally and through the privacy notice. The investigation however showed that there was no mention of the cameras in the privacy notice in force. The controller amended the privacy notice following the opening of the DPA procedure. It stated that the purpose of the camera surveillance was to improve the service and to monitor the work of the employees. It also provided information on the location of each camera in a blury drawing.
Fourth, the controller stored health data in the client database, including covid vaccination status, pregnancy, sicknesses.
Fifth, in terms of legal basis, the controller stated that the signature of the consultation form constituted a consent to the processing for a marketing purpose. Later, the controller held that this processing was based on legitimate interest, and then in a further contradictory declaration, it stated that it did not use client data for such purposes
Holding
The DPA assessed the compliance of the monitoring in the light of the different elements of the investigation.
First, the DPA stated that the monitoring was performed for an unclear purpose and without settings that minimized the processing. When the controller defended itself, it referred to the purposes in general terms and with contradictory statements. Consequently, the DPA concluded that the controller had breached the purpose limitation principle under Article 5(1)(b) and (c) GDPR. The DPA, therefore, prohibited the processing of data by the camera in operators and in diagnostic and examination rooms and instructed the controller to delete in a documented manner the video recordings made in operators and in diagnostic and examination rooms.
Second, Regarding the people who could access the cameras. the DPA found that the controller did not guarantee the confidentiality of the data processing and did not take measures to protect personal data. Indeed, the images of the cameras and the stored recordings could be easily accessed. The DPA found that by failing to provide the default settings for the operation of the camera system that minimize data processing, the means necessary to ensure the highest possible level of protection of personal data, the controller violated Article 5(1) GDPR in Article 24 GDPR and Article 25 GDPR, as well as Article 32(1)(b) GDPR and Article 32(2) GDPR, and instructed the controller to take appropriate technical and organizational measures to ensure that its processing operations comply with the legal provisions.
Third, concerning the information, the DPA found that the privacy notice did not comply with the requirements of the GDPR as it did not provide information on the location of each camera and its purpose, the area or object it monitored, or whether the employer was carrying out direct or fixed surveillance with the camera. It also did not provide for the specific duration of the storage of the recordings, the rules for viewing the recordings, or the purposes for which the recordings could be used by the employer. The consultation forms could not either be considered as compliant since they contained misleading information. The controller therefore didn't comply with the requirement of transparent processing under Article 5(1)(a) GDPR, and Article 13(1) to (2). The DPA instructed the controller to provide adequate, clear, and transparent information to data subjects about all processing and the circumstances of such processing.
Fourth, regarding the collection and storage of health data, the DPA recalled that the processing of sensitive data is possible if the data subject has given his or her explicit consent or if the processing complies with Article 9(2) GDPR. In this case, the controller did not demonstrate in its replies either that the processing of certain health data was indispensable for the performance of the services nor demonstrated to have collected a valid consent. Thus, the DPA found that the controller had violated Article 6 GDPR and Article 9(2) GDPR and prohibited the processing of the health data of the guests in connection with the records and ordered the controller to immediately stop recording the health data in the records in its database and to delete the personal health data of the data subjects from the records.
Fifth, the DPA found that there was no checkbox on the consultation form to authorize marketing. The clients therefore did not consent to the processing for this purpose. The controller also failed to proove a legitimate interest. The DPA concluded that, as the controller processed the data for marketing purposes without a legal basis, it had breached Article 6(1) GDPR in relation to this processing. For these reasons, the DPA instructed the controller to cease the unlawful processing and to bring the processing operation into compliance with the legal provisions by justifying the legal basis for the processing of the guests' data for marketing purposes.
Comment
At the publication of this case summary, the privacy notice in question is still accessible from the website of the controller, for instance the truly illegible camera location drawing is there as well:
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
