[SPAIN] Sanction of a company of video surveillance systems

[SPAIN] Sanction of a company of video surveillance systems
Maëva Vidal

The Spanish data protection authority has sanctioned a video surveillance system company for violating Articles 6 and 13 of the General Data Protection Regulation (GDPR).

The organization had installed a sign informing of the installation of a video surveillance system. However, the sign did not indicate the identity of the controller. Moreover, according to the document labeled "Employee Confidentiality Undertaking", provided by the company for signature by its employees, the collection only concerned the viewing of the worker's image, which was not the case in practice.

The possibility of setting up a video surveillance system

The physical image and voice of a person, as defined in Article 4.1 of the GDPR, are personal data. Images and voice captured by a camera or video camera system are indeed personal data: their processing is therefore subject to the Data Protection Act.

Natural or legal persons, public or private, may set up a video surveillance system for the purpose of preserving the security of persons and property, as well as their facilities, in accordance with Article 6.1 of the GDPR. However, cameras and cameras installed for security purposes may not obtain images of the public highway, unless it is essential for this purpose or it is impossible to avoid it due to the location of the cameras. And, in such an extraordinary case, cameras may only capture the minimum amount necessary to preserve the safety of persons and property, as well as their facilities.

The obligation to inform data subjects

Article 12.1 of the GDPR states that anyone who carries out processing of personal data, such as the capture of images by a video surveillance system, must provide data subjects with the information specified in Articles 13 and 14 of the GDPR.

The basis of the necessary information must at least refer to the existence of the processing (video surveillance), the identity of the controller, the possibility to exercise the rights provided for in Articles 15 to 22 of the GDPR, and where to obtain further information about the processing of personal data.

In addition, the Spanish data protection authority found that the company had not provided sufficient information about the video surveillance, including information about the processing, the identity of the controller and the exercise of data subjects' rights.

Moreover, there is no evidence in the proceedings that the controller informed customers and employees of the collection of their personal data involving the voice of the data subjects.


newsletter

Subscribe to our newsletter

We will send you a few emails to keep you informed of our news and what's new in our solution*

*You will always be able to unsubscribe on each newsletter. Learn more.

The protection of personal data: a necessary defense for the individual in case of abuse

The AEPD sanctioned a property syndicate for including, without consent, the phone number in the WhatsApp application, and for not respondin...

Maëva Vidal

Sanction of the operator Orange España: lack of verification the identity of the person concerned

The Spanish Data Protection Agency (AEPD) has fined Orange Spain €30,000 for illegally registering a telephone line in the name of a custome...

Maëva Vidal

CJEU ruling against Google: Right to oblivion extended against manifestly inaccurate information

In a ruling dated December 8, 2022, the Court of Justice of the European Union (CJEU) states that the search engine operator must dereferenc...

Margaux Morel

A small step for DPOs, a big step for data protection

Dastra.eu is free to try, easy to set up, and work seamlessly together.

Startup for free Ask for a demo

Free 30 day trial - No credit card required - No commitment