VDAI (Lithuania) - 3R-741

From GDPRhub
VDAI - 3R-741
[[File:|center|250px]]
Authority: VDAI (Lithuania)
Jurisdiction: Lithuania
Relevant Law: Article 5(1)(a) GDPR
Article 6(1)(f) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 16.07.2024
Published:
Fine: 2,000 EUR
Parties: n/a
National Case Number/Name: 3R-741
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Lithuanian
Original Source: VDAI (in LT)
Initial Contributor: fb

The DPA fined a school €2,000 and held that it could not rely on Article 6(1)(f) GDPR for monitoring classrooms during school hours via video surveillance.

English Summary

Facts

The data subject is a child attending a school managed by the controller. The controller installed a video surveillance system in the classroom. This system was active also during school hours, therefore recording the images of both teachers and pupils.

The parent of a data subject filed a complaint with the DPA.

The controller argued that this processing activity was based on Article 6(1)(f) GDPR, since it had the legitimate interest of ensuring the safety of its property, employees and visitors.

Moreover, it pointed out that it needed to use a CCTV system because pupils sometimes stole school equipment or damaged the controller’s property.

Holding

First, the DPA noted that, before relying on the legal basis provided for by Article 6(1)(f) GDPR, a controller must carry out a legitimate interest balancing test, assessing if the interests of the data subject override the interest of the controller.

On this point, the DPA referred to the WP29 “Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC”. According to the latter, the impact of processing on the interests or fundamental rights and freedoms of the data subject is the decisive criterion in assessing the balance. Both positive effects and negative effects should be taken into account when assessing the impact of processing.

The DPA held that, in the case at hand, the controller had not taken into account the negative impact and effects on minors of a continuous video surveillance during school hours. The DPA pointed out that the controller had considered other risks such as cyberattacks or accidental deletion of data, but still did not assess the impact of video surveillance on minors.

In addition, the DPA found that the fact that the controller experienced some property damage is not a reason to apply the extreme measure of video surveillance during the classroom lesson, since the controller’s interest cannot outweigh the privacy rights of minors.

Finally, the DPA pointed out that it had contacted other EU DPAs, all of which confirmed that they do not consider possible relying on legitimate interest to allow video surveillance in classrooms during school hours.

On these grounds, the DPA found a violation of Article 5(1)(a) GDPR and fined the controller €2,000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Lithuanian original. Please refer to the Lithuanian original for more details.

The company was fined for violating video surveillance during classes
principle of legality
in 2024
SHORT SUMMARY
Abbreviations
VDAI – State Data Protection Inspectorate
ADTAĮ – Law of the Republic of Lithuania on Legal Protection of Personal Data
GDPR - 2016 April 27 Regulation (EU) 2016/679 of the European Parliament and of the Council on
the protection of natural persons in the processing of personal data and for the free movement of such data and by which
repealing Directive 95/46/EC (General Data Protection Regulation)
The context of the decision
Decision date: 16/07/2024.
National or international case: national.
Controller: a private legal entity providing educational services (hereinafter - the Company).
Legal references: Article 5(1)(a) GDPR – violation of the principle of legality.
Decision: in accordance with Article 58(2)(i), Article 83(1), 2), 83 GDPR
Article 5(5)(a), ADTAĮ Article 34(10), GDPR Article 5(1)(a)
(principle of legality) violation, the Company was fined EUR 2,000 (two thousand) euros.
Summary of the decision
Cause of action
VDAI received a complaint from a natural person representing his minor child (hereinafter referred to as the applicant).
regarding video surveillance carried out by the Company in the classroom, during lessons and the right to access data
non-implementation. In the explanations provided by the company, it was stated that video surveillance in the classroom, lessons
at the time, carried out in accordance with a legitimate interest (GDPR, Article 6, Paragraph 1, Point f), and carried out
the purpose of video surveillance is the protection of property, employees and visitors and the investigation of incidents.
Main conclusions
In the examined case, VDAI decided that there is no reason to claim that the Company has a legitimate interest
ensuring the safety of property, employees and visitors is higher than the interests of its students. In addition,
it was established that the Company carries out the processing of personal data in question for purposes other than those,
which she indicated to VDAI (video of the lesson attended by the applicant's minor child
2
reviewed in order to assess the quality of the work of the Company's employee - the work of the Company's employee
for quality control, although the Company, while providing explanations to VDAI, argued that video surveillance
the purpose is to ensure the safety of property, employees and visitors and to investigate incidents). In view of this,
VDAI concluded that the Company's interest cannot be based on GDPR Article 6(1)(f).
point, accordingly, video surveillance during lessons is considered illegal
principle (Article 5(1)(a) GDPR).
The solution
The applicant's complaint was recognized as justified. The company was instructed to stop the ongoing video surveillance
and destroy the accumulated videos. For the established GDPR Article 5(1)(a) (legality
principle) the Company was fined EUR 2,000 (two thousand euros).
BROAD SUMMARY
Current provisions and interpretations of legal acts
The GDPR does not set out separate provisions for the regulation of video surveillance, so video is enforced
monitoring must comply with the general provisions of the GDPR. This means that personal data can only be processed
in accordance with the principles related to the processing of personal data established in Article 5 of GDPR and when such
the processing of personal data may be based on at least one legal condition for the processing of personal data,
provided for in Article 6 GDPR.
Article 6(1)(f) GDPR states that data processing is lawful only if
if processing the data is necessary for the legitimate interests of the data controller or a third party,
except in cases where such interests of the data subject or fundamental rights and freedoms make it necessary
to ensure the protection of personal data, are superior to them, especially when the data subject is a child.
If the data controller relies on a legitimate interest as a condition for the lawful processing of personal data,
before processing personal data, he must perform a legitimate interest assessment (balance) test. When applying
The condition of legal processing of personal data provided for in Article 6(1)(f) of the GDPR is very important
assess whether the interest is sufficiently expressed to apply the balancing criterion,
comparing it with the rights and freedoms of the data subject.
Article 29 data protection working group 2014-04-09 opinion no. 06/2014 for data
concepts of legitimate interests of the manager according to Directive 95/46/EC (hereinafter - Opinion) 7 Chapter III 3
part provides that "according to point f of Article 7 (essentially corresponding to point f of Article 6 of GDPR
point) the balance criterion must be applied - the legitimate interests of the data controller (or third parties).
must be weighed against the data subject's interests or fundamental rights and freedoms. Applying this
the result of the balancing criteria essentially determines whether Article 7(f) can be invoked as
on the legal basis of data processing.".
The Working Group has identified factors in the Opinion, some of which must be considered in the balancing exercise
criteria, i.e. i.e. a) assessment of the data controller's legitimate interests; (b) impact on data subjects; c)
tentatively established equilibrium; d) additional security measures applied by the data controller
in order to avoid any undue impact on data subjects.
The opinion notes that when assessing the balance, the decisive criterion is data processing
impact on the interests or fundamental rights and freedoms of the data subject. When evaluating the data
the effects of management should consider both positive and negative effects. It could be
for example, possible future decisions or actions of third parties, cases where individuals regarding their data
handling may experience social exclusion or discrimination, insults to honor and dignity or, generally speaking,
situations where the good name, bargaining power or independence of the data subject is threatened.
3
Along with the negative effects that can be specifically foreseen, it is necessary to take into account the general ones
the emotional impact (such as annoyance, fear and distress) that the data subject may experience as a result of the loss
ability to control your personal information or realizing that it has been or may have been inappropriate
used or compromised, for example by making it public on the Internet.
In the case under consideration, the Company did not analyze the negative impact and
24/7 video surveillance during classes will have an impact on minors.
The company indicated in the balance test that the probability of a negative impact is not high, but 29
data protection working group of Article 2009-02-11 in opinion no. 2/2009 regarding the identity of children
data protection has noted that a video surveillance system could be justified in places where
where security is critical, such as at school entrances and exits, but video surveillance of classrooms
cameras can restrict not only the freedom of education and speech of students, but also the freedom of teaching.
Also, the Company analyzed the impact on data protection in its evaluation report
risks such as: "External hacking into IT systems"; “Individual customer data leak due to
human errors'; Deletion of data due to human error'; "Deletion of data due to
technical failures"; "Data deletion due to cyber attack", but did not estimate the impact
conducted video surveillance of minors, no other measures have been analyzed
The company has undertaken why these measures were not sufficient/adequate, in what ways
reduce the risk to the privacy of data subjects (minors).
In its explanations, the company provided examples of incidents that had occurred previously, as a result of which
it was decided that the Company in order to defend its interests and present its reasonable position
supporting evidence, the only effective means is to carry out video surveillance (provided by the Company
examples: minors used to take textbooks given to them by the Company during lessons or
expensive scientific calculators; minors often put each other's things in, and
The company received claims from representatives of minors about missing during lessons or in the classroom
items left behind; After the company's employees left the classroom for a few minutes, some minors
persons vandalized property, and there was also a case where a minor opened himself arbitrarily in the 2nd
through the window of the office upstairs and climbed out onto the roof; minors are very often used
did not return the keys in the toilet).
However, in VDAI's opinion, the only reason to prove that things are not found or due to the disappearance of property/
damage is caused by a minor, there is no reason to apply the extreme measure of video surveillance
during lessons held in classes, the Company's interest in the case in question is not more important than
the right to privacy of minors who are classified as vulnerable persons.
During the investigation of the case, VDAI additionally applied to other supervisory institutions of the European Union regarding
information about their practices when the data controller conducts video surveillance training
on the premises of institutions, and most supervisory authorities informed that filming in classrooms is not allowed.
For example, the French supervisory authority informed that it is possible to film during school working hours
building access means entrances and exits for security purposes, e.g. to prevent unauthorized access,
however, systematic and continuous monitoring of school students and staff in school premises,
including classes is redundant and not allowed. The Estonian supervisory authority provided information that
for security reasons, cameras are a suitable solution to protect the school territory, but in Estonia
the supervisory authority is of the opinion that even for safety reasons the video is not allowed in the classroom
monitoring. The Italian supervisory authority also informed that video surveillance is possible in schools
inside only when necessary to protect the building and school property from vandalism, limited
filming only in places of possible incidents, but video cameras can only be activated during non-working hours
and their use during lessons or other activities with students is not allowed.
4
Significant circumstances when deciding on a fine 1
VDAI has assessed the nature of the violation committed by the Company, the purpose of data processing, and its impact
to the data subjects, also, the fact that the violation was not committed on purpose, acknowledged that the Company
the committed violation is considered a minor violation.
In accordance with the Guidelines 04/22 adopted by the European Data Protection Board on 05/16/2022 regarding
calculation of administrative fines according to the GDPR, it was decided to impose a fine of 2,000 euros on the Company, which
should be considered a proportional measure of impact.