Newsletter July 2019

Welcome to July’s newsletter

Feature article: The use of CCTV and the principle of Transparency

The French Data Protection Authority CNIL has fined a company €20,000 for constant video footage of employees.

A reminder of the rules of transparency:

Those affected (employees and visitors) must be informed, using a sign visible in the premises under video surveillance: The following is a quick reminder of the rules

Purpose: Do you have a clearly defined purpose for installing CCTV? What are you trying to observe taking place? Is the CCTV system to be used for security purposes only? If not, can you justify the other purposes? Will the use of the personal data collected by the CCTV be limited to that original purpose?

Lawfulness: What is the legal basis for your use of CCTV? Is the legal basis you are relying on the most appropriate one?

Necessity: Can you demonstrate that CCTV is necessary to achieve your goal? Have you considered other solutions that do not collect individuals’ personal data by recording individuals’ movements and actions on a continuous basis?

Proportionality: If your CCTV system is to be used for purposes other than security, are you able to demonstrate that those other uses are proportionate? For example, staff monitoring in the workplace is highly intrusive and would need to be justified by reference to special circumstances. Monitoring for health and safety reasons would require evidence that the installation of a CCTV system was proportionate in light of health and safety issues that had arisen prior to the installation of the CCTV system. Will your CCTV recording be measured and reasonable in its impact on the people you record? Will you be recording customers, staff members, the public? Can you still justify your use of CCTV when the effect it will have on other people is considered? Are you able to demonstrate that the serious step involved in installing a CCTV system that collects personal data on a continuous basis is justified? You may need to carry out a Data Protection Impact Assessment to adequately make these assessments. 

Security: What measures will you put in place to ensure that CCTV recordings are safe and secure, both technically and organisationally? Who will have access to CCTV recordings in your organisation and how will this be managed and recorded?

Retention: How long will you retain recordings for, taking into account that they should be kept for no longer than is necessary for your original purpose, and DPC Guidance is to retain for no more than 28 days.

Transparency: How will you inform people that you are recording their images and provide them with the other information required under transparency obligations? Have you considered how they can contact you for more information, or to request a copy of a recording?

Here is the CCTV Guidance from the Irish DPC:

On the flip side of the Rights request over CCTV was this ruling in Denmark:

Danish DPA rules Art 15 not contravened by a refusal to meet a Data Subject Access Request (“DSAR”) for CCTV as it may give insight into television surveillance recordings revealing the location of cameras and any blind spots, and therefore there was a real risk of compromising the safety of the metro rail system. Metro emphasized in the assessment that complainants had not provided a specific reason for their interest in gaining insight, for example by (parts of) the recordings showing a relationship of particular importance, for example. a fall accident, assault, theft or the like. This is a first, as normally the reason for a DSAR is considered irrelevant by Data Protection Authorities.

Metro Services argued that CCTV can reveal the location of cameras and any blind spots, and therefore there was a real risk of compromising the safety of the metro. Metro Service had, after a “concrete assessment”, found that the interest of the data subject in this case had to be weighed against public interest reasons, including public security and / or prevention, investigation, detection or prosecution of criminal offenses or the enforcement of criminal sanctions , including protection against public security.

Metro Service argued that the data subject had not provided a specific reason for wanting the CCTV footage, for example in order to see evidence of a fall, accident, assault, theft etc. such that the rights of the data subject must give way to the overriding consideration of the public safety of the passengers using the metro.

The CNIL in France fines a Property Management Company €400,000 euro

Following the complaint of an individual, the CNIL issued a penalty of €400 000 euro against a property management company for having inadequately protected the data of users of its website. 

The decision here:

Old Databases: The importance of having a plan – and sticking to it

The Danish Data Protection Authority recently proposed a fine of DKK1.5m (€200k) for furniture company, IDDesign A/S for failure to delete the personal data of about 385k customers

 The DPA investigated whether IDDesign had set deadlines for the deletion of customers’ data and whether the deadlines were complied with.

 Some furniture stores used an older system that gathered the names, addresses, telephone numbers, e-mail addresses and purchase history of some 385k customers. The personal data in the old system had never been deleted once it was replaced with a new system.

IDDesign did not indicate if the personal data in the old system were still necessary for processing purposes.

Danish DPA Press Release:

EDPB Press Release:

La Liga fined for foul play over its App

The Spanish Data Protection Authority has imposed a fine of €250,000 on La Liga de Fútbol  Profesional for violations of the principle of transparency under the GDPR in respect of its mobile app. 

The article states that the app, advertised as allowing supporters follow results of games, is actually being used to detect the establishments that screen football matches without paying licence fees.

When installing the application and giving its approval, La Liga can remotely activate the microphone of any user’s mobile so that an automatic system detects by the ambient sound if it is in a bar that emits a ‘pirate’ signal.

The way in which La Liga warned its users of this procedure was been considered ambigous by the DPA and because this “spy function” of the app involves a recording of the environment where the user is and is seen as collecting personal data, the DPA said that La Liga must notify the user not only when installing the app, but every time which activates this data collection.


Technical News: Interesting ruling on what constitutes GDPR data

An recent decision from the Cologne Regional Court about whether the right of access under the GDPR also includes e-mails or internal notes containing personal data relating to the data subject.

Data subjects have a comprehensive right of access to their personal data processed as well as further information under to Art. 15(1)(a – h). Personal data includes name, date of birth, health data, account number, medical records, expert opinions or other comparable communications from other sources.

However, according to the Court, the right of access does not include all internal processes, such as notes, or to the fact that the person concerned can receive all exchanged correspondence, which is already known to the person concerned, reprinted and sent. Legal evaluations or analyses are also not considered personal data.

The right under Art. 15 is not about accounting to the data subject, but rather is intended to ensure that the data subject can assess the scope and content of the stored personal data. Copies of personal data does not mean a copy of the documents containing personal data, but a copy of the personal data itself.