On March 3, 2022, the Croatian Personal Data Protection Agency (AZOP) issued two fines for violation of the General Data Protection Regulation (GDPR).
The first fine was issued to a company in the energy sector for the violation of the right of access Article 15(3), and the other to a retail chain for violation of Article 32(1)(2)(4) on the security of processing. Both fines totaling around €213 thousand or 1.6 million HRK.
The two fines were both issued because of the video surveillance footage, however, the circumstances of these two cases are very different.
First GDPR fine
The AZOP issued a GDPR fine to an unknown Company in the energy sector in the amount of €124,000 (940,000 HRK), for failure to submit video surveillance recordings (CCTV records) at the request of data subjects.
What happened?
The DPA received a complaint from the data subject who requested the Company to submit video surveillance camera footage of the individual.
The data subject used the services of a petrol station at one of the Company’s branches and, due to dissatisfaction, filed a complaint in accordance with consumer protection regulations.
After that, in order to better protect his consumer rights, the individual requested the delivery of copies of his personal data (video surveillance camera footage), specifying the date and time.
The Company rejected the request because it considered that there was no written request from the competent authorities to provide a copy of the recording, that the purpose of the request was not justified, and that obtaining such a copy would adversely affect the rights and freedoms of gas station employees and customers.
At the prior request of the individual, the AZOP gave a general opinion on the obligation of the data controller to provide copies of the requested video surveillance footage. However, the Company could no longer provide the requested recordings since the footage is deleted after seven days.
Decision and the amount of the fine
The AZOP concluded that the Company violated the right to access personal data, by denying the individual the right to obtain a copy of the CCTV footage, for which GDPR prescribes administrative fines in the amount of up to €20 million or up to 4% of the total annual worldwide turnover for the previous financial year, whichever is greater.
While determining the final amount of the fine, the AZOP took into account the indirect material damages to the individual but also the fact that the Company indirectly avoided potential financial damage it could suffer due to the dispute with the individual, and by not submitting a recording it eliminated possibly important evidence in a special proceeding.
Second GDPR fine
The second GDPR fine of €89,000 (675.000 HRK) was issued to a retail chain, for failure to take appropriate security measures for the processing of personal data, which led to the unauthorized processing of personal data through social networks and in the media.
What happened?
The AZOP received a report on violation of personal data from the Company, stating that employees of the Company unauthorisedly and contrary to internal acts and instructions, recorded video surveillance footage with their mobile phones and published it on social networks and the media.
AZOP determined that the Company did not take adequate measures to prevent its employee from taking a video surveillance monitor image using a mobile device.
Decision
It was noted that the Company took certain organizational measures such as employee education and adoption of internal acts, but did not take appropriate technical security measures that could reduce the risk of a similar violation, neither before nor after the incident.
Also, the Company did not regularly monitor the implementation of technical and organizational measures aimed at ensuring the confidentiality, integrity, and availability of personal data, and failed to regularly test, evaluate and determine the effectiveness of technical and organizational measures to ensure the security of video surveillance.
In this case, the Company failed to implement appropriate technical security measures for personal data processing, for which violation of the GDPR prescribes fines up to €10 million or up to 2% of the total annual worldwide turnover for the preceding financial year, whichever is greater.
Conclusion
The AZOP considers that the corrective measures in the form of administrative fines are effective, proportionate, and dissuasive and that the amount is fully appropriate to the circumstances of both cases.
You can read the entire decision available only in Croatian; Izrečene upravne novčane kazne u ukupnom iznosu od 1.6 milijuna kuna
