Monthly Newsletter from Ambit

Ambit Compliance Monthly Newsletter

What caught our eye in July 2023

1. Italy: Garante fines Autostrade per l'Italia (ASPI) €1 million for unlawfully processing the personal data of 100,000 individuals

A consumer association lodged a complaint with the Italian Supervisory Authority about issues arising in a toll reimbursement app created by Free To X. During the course of the Garante investigation, it was noted that the app had been incorrectly identified as a data processor rather than a data controller. The incorrect categorisation resulted in incorrect information within the privacy policy and ultimately in the unlawful processing of the personal data of around 100,000 data subjects.

Please see EDPB Guide on Concepts of Data Controller and Data Processor here.


2. Spain: AEPD fines Birou Gas €60,000 for failure to respond to information request

During an investigation, the Spanish supervisory authority requested information from Birou Gas and permitted 10 business days to respond. When Birou Gas failed to respond, the AEPD found that Birou Gas had obstructed the supervisory authority’s investigative powers and fined the company €60,000, reduced to €48,000 by the voluntary payment made by the company.

3. Sweden: Court rejects appeal for wider camera surveillance by public authority

A Swedish public authority requested additional surveillance hours in its permit covering public areas, so that recording would commence at 15:00 rather than 20:00 (running until 06:00). In its request, the council indicated that the area was crime prone and that the increased hours of surveillance were necessary for the purpose of preventing and investigating crimes and disturbances of public order and safety. Initially granted, the permit was ultimately denied by the Supreme Administrative Court, as processing on that scale was not relevant to the purpose.

The Moral of the story is…


Data Protection Commission - Case Study 4: Access to CCTV footage


What Happened?

The DPC received a complaint from a data subject who had made a SAR to an educational institute following an alleged attempted assault. The data subject provided a specific area, time and location for two CCTV camera angles. The data controller responded with some still images from the footage which it deemed to be the “significant” footage. By the time of the complaint, the footage had been overwritten in line with the controller's 30-day retention period.

The DPC investigation focused on the data subject’s right of access. It clarified that the right of access entitles the data subject to the requested footage in video format, and only in exceptional circumstances is it acceptable to provide an alternative such as stills.

The data controller was ultimately found to be in contravention of Data Protection legislation, as it failed to comply with the data subject's right of access in respect of the complete set of personal data processed and responded outside the statutory timeframe of one calendar month.


What does it mean for my organisation?

CCTV is a growing concern in an ever-advancing technological world. It is often a complex system for data controllers, who must ensure they achieve their purpose while also considering and abiding by data subjects’ rights under data protection legislation.

The DPC guidance on CCTV is the key consideration for data controllers when managing CCTV in practice. The primary advice is to limit your processing of data subjects’ images to clearly defined purposes, with an identified lawful basis, and notify data subjects of those purposes at the time of collection. Examples include:


· CCTV Signage

· CCTV Policy

· CCTV Procedure

· Data Protection Policy

· Subject Access Request Policy

· Subject Access Request Procedure

Ensure you process data subjects’ images for the identified purposes only. This will protect both your business’ interests and the rights of all data subjects captured. Monitoring or recording footage that is not in line with the identified purposes or retention periods could expose the company to risk if a complaint is escalated to the DPC.

Tales from the coalface

On occasion it is necessary to retain or utilise personal data for learnings, future business planning or to preserve organisational memory. However, doing so in line with the GDPR and Data Protection legislation can be complicated. Ensuring you retain personal data collected for a specific purpose, and for only as long as is necessary, underpins the GDPR ethos.

Are there any other options?

Following the Data Protection Commission’s recirculation of their 2019 guidance on Anonymisation and Pseudonymisation of personal data, here we differentiate between these two methods of removing personal identifiers:

1. "Anonymisation" of data means processing it with the aim of irreversibly preventing the identification of the individual to whom it relates. Data can be considered effectively and sufficiently anonymised if it does not relate to an identified or identifiable natural person or where it has been rendered anonymous in such a manner that the data subject is not or no longer identifiable.


2. "Pseudonymisation" of data means replacing any identifying characteristics of data with a pseudonym, or, in other words, a value which does not allow the data subject to be directly identified. Utilising a pseudonym can be appropriate in some circumstances, but bear in mind that the protection afforded is not of the same value as anonymising, as it is often possible to analyse the underlying data to identify an individual.

The key to all processing activities is to underpin the GDPR principles of ‘privacy by design’ and ‘data minimisation.’ Extend these principles to any identifiers where an individual could be distinguished from another, either directly or indirectly, by descriptors or associated knowledge of the scenario under review.
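The distinction between the two methods is easiest to see on real records. The following Python example is added here to illustrate the point made above; it is not code from the newsletter, the DPC or Ambit Compliance, and the records, the secret key and the attribute names are constructed for the demonstration. Pseudonymisation replaces the direct identifier (an e-mail address) with a keyed HMAC token, so only the holder of the key can re-link records, but the remaining attributes (age, postcode) are left intact and each record still stands out on its own. Anonymisation generalises those attributes into bands and areas and suppresses any group smaller than k, after which no record is distinguishable from at least k-1 others.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records for the demonstration (not real data).
RECORDS = [
    {"email": "anna@example.com",  "age": 34, "postcode": "D02 AB12", "toll_eur": 12.50},
    {"email": "brian@example.com", "age": 36, "postcode": "D02 CD34", "toll_eur": 8.00},
    {"email": "carla@example.com", "age": 52, "postcode": "T12 EF56", "toll_eur": 21.75},
    {"email": "dan@example.com",   "age": 58, "postcode": "T12 GH78", "toll_eur": 5.25},
    {"email": "eve@example.com",   "age": 29, "postcode": "H91 JK90", "toll_eur": 3.00},
]

# Attributes that are not identifiers on their own but can single a person out in combination.
QUASI_IDENTIFIERS = ("age", "postcode")


def pseudonymise(records, key: bytes, direct_identifier: str = "email"):
    """Replace the direct identifier with a keyed HMAC-SHA256 token.

    The key is the 'additional information' that must be kept separately
    (GDPR Art. 4(5)): whoever holds it can recompute the token and re-link
    a record to the person; without it the token cannot be reversed.
    Every other attribute is left untouched, which is why the result is
    still personal data and not anonymised data.
    """
    out = []
    for rec in records:
        value = rec[direct_identifier].strip().lower().encode()
        token = hmac.new(key, value, hashlib.sha256).hexdigest()[:16]
        new = dict(rec)
        del new[direct_identifier]
        new["pseudonym"] = token
        out.append(new)
    return out


def generalise(rec):
    """Coarsen the quasi-identifiers: 10-year age band and postcode routing area only.
    The direct identifier is dropped entirely."""
    band = (rec["age"] // 10) * 10
    return {
        "age_band": f"{band}-{band + 9}",
        "area": rec["postcode"][:3],   # hypothetical: first three characters as the area
        "toll_eur": rec["toll_eur"],
    }


def k_anonymity(records, quasi):
    """Size of the smallest group of records that share the same quasi-identifier values.
    A value of 1 means at least one record is unique and therefore singles someone out."""
    if not records:
        return 0
    groups = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(groups.values())


def anonymise(records, k: int = 2):
    """Generalise every record, then suppress any group with fewer than k members
    so that the output satisfies k-anonymity over (age_band, area)."""
    generalised = [generalise(r) for r in records]
    groups = Counter((g["age_band"], g["area"]) for g in generalised)
    return [g for g in generalised if groups[(g["age_band"], g["area"])] >= k]


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-separately"
    pseudo = pseudonymise(RECORDS, key)
    print("pseudonymised k-anonymity:", k_anonymity(pseudo, QUASI_IDENTIFIERS))
    anon = anonymise(RECORDS, k=2)
    print("anonymised k-anonymity:", k_anonymity(anon, ("age_band", "area")))
    print("records kept after suppression:", len(anon), "of", len(RECORDS))
```

Run as a script, the pseudonymised set reports a k-anonymity of 1: every record is still unique on age and postcode, so a pseudonym alone does not stop someone with background knowledge from picking an individual out. The anonymised set reports k = 2 and drops the one record that could not be hidden in a group, which is the trade-off between utility and irreversibility that the guidance describes.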


Contributors to this newsletter:

Gillian Traynor, Caoimhe McDaid and Jim O’Sullivan


Lots of good case studies included here with some great learnings to take away
