The image of a natural person is undoubtedly a piece of personal data and is subject to the same legal protection as non-visual data.
Every company that uses video monitoring should know and comply with the legal regulations on personal data protection. Violations of these laws, including a failure to ensure data security, are punishable by severe fines and penalties.
Thus, the functioning of many organizations has changed since the introduction of the GDPR regulation back in 2018. Today, banks, shops, post offices, security companies, car parks, medical facilities, and other types of CCTV operators must comply with the new personal data protection regulations and requirements. However, as cases outlined in this report show, there is still much to do in this regard.
Data protection authorities are increasingly recording breaches of Art. 15 GDPR in video monitoring
Article 15 of GDPR leaves no doubt – everyone whose image is in the recording or photo has the right to access this information (we cover it in detail on our blog). Such a person may also request a copy of the data (recording) containing their images.
Of course, providing a copy should not adversely affect the rights of others. Fortunately, there are ways to protect the privacy of other people appearing in the recording. One of them is the method of blurring faces using computer vision technology (so-called AI anonymization software).
Video surveillance and risk
Video surveillance is one of the most commonly used security tools. While this is a useful solution, it comes with many challenges and limitations, including personal data processing regulations imposed by GDPR.
As society is currently more aware of its rights, there are more and more complaints about refusing to provide materials at the request of the data subject. Therefore, the European Data Protection Authorities impose fines on organizations that violate this right.
In this report, we have collected some examples of recent penalties for breaching Art. 15 and other provisions of GDPR. Every company that uses video surveillance on its premises should read it to understand what practices are reported and penalized under the provisions of this personal data protection regulation.
List of selected GDPR penalties and fines:
1. A case of a Spanish supermarket chain
Mercadona S.A. is one of the leading Spanish retail and online shopping companies. In 2022, the Spanish DPA (Agencia Española de Protección de Datos - AEPD) issued a decision under which the supermarket chain store was charged with a penalty for breaching rights related to GDPR - the company was fined EUR 170,000. The fine concerned a violation of articles 12 and 15 of GDPR by failing to respond to the request of the data subject, as well as article 6 by removing the video material without legal basis.
In one of the video-monitored Mercadona supermarkets, the data subject suffered an accident. With the objective of claiming damages, the individual exercised the right of access to the security camera image. As a consequence, this person asked the controller to provide the recording of the accident from the video monitoring system using the application form on the controller's website. The customer received an automatic reply saying that her message had been sent. The next step taken by the data subject was to submit a complaint to the controller about the accident by email. The controller replied to this message; however, it did not respond to the request for access to data for more than a month.
The data subject's lawyer emailed the controller's data protection officer regarding the access request. The response received was that the DPO was not aware of any access request and that the video had already been deleted. After this negative response, the individual lodged a complaint with the DPA.
The Spanish data protection authority took further action, eventually imposing a fine on the supermarket for breaching the aforementioned GDPR provisions.
Read the full decision (available only in Spanish).
2. Minor fine for Greek telecommunication company
Another case of a breach of Article 15 of the GDPR took place in Greece in 2022. The Greek telecommunication company, WIND Ελλάς Τηλεπικοινωνίες ΑΕΒΕ, did not provide the data subject with the monitoring recording. For this reason, the Hellenic DPA imposed a fine of EUR 2,000 on the company.
The data subject visited the customer service point to extend the phone contract. During the agreement renewal process, WIND employees did not ask the subscriber for proof of identity. As it turned out later, due to many years of cooperation, employees confirmed the identity of the data subject using A.F.M. Furthermore, the data subject received no document to sign. The employees only presented a form with empty customer signature fields, their signature, and the company seal. Because of a system problem, the subscriber was unable to sign. However, employees assured the data subject that this would be enough to extend the contract.
On the same day, the data subject sent an e-mail both to the customer service point and to the Data Protection Officer. The subscriber requested access to video footage recorded by WIND's cameras. However, he did not receive an answer. In an e-mail to the Data Protection Officer, the subscriber complained about a security gap in the process of renewing the contract and about the failure to comply with the right to access the data. Only after the intervention of the DPA did the customer service point owner reply that the access request could not be granted because the registered material had been deleted. The DPA considered this a violation of Article 15 and imposed a fine on the Greek company.
More details on this case can be found here. The material is available in Greek.
3. Greek seaport management fined
The Greek DPA dealt with the case of a private car owner who was not given access to the surveillance footage captured by Heraklion Port Authority A.E. cameras. As a result, the Greek DPA fined the company EUR 30,000 for breaching Articles 12(1), 12(2), and 15 of the GDPR.
Here is a more detailed description of the case. In Heraklion Port Authority A.E. territory, the data subject was involved in a traffic accident with another individual. A video surveillance system operated by the organization recorded the accident. As a result, the data subject submitted a request asking for the surveillance footage via email. However, the company refused to provide the material, stating that it would do so at the express request of the prosecutor's office. The data subject repeated the request, pointing out that the footage from the monitoring is necessary to prove the guilt of the other person involved in the car accident. However, he did not receive an answer.
The data subject approached the HDPA about a breach of the right of access to data. The HPA reasoned that it had not released the material because the data subject made the request 37 days after the incident. The organization cited a directive that data cannot be released after 15 days. Moreover, the HPA stated that the data had been deleted.
The investigation found that HPA did not delete the data and had no right to refuse access to the material. HDPA stressed that the 15-day period under the directive invoked by the company had been extended to 30 days. As a consequence, the Greek DPA fined the organization for breaching Article 15 of GDPR. Furthermore, the Greek company violated Article 12(1) and (2) of the GDPR by failing even to respond negatively to a data access request.
Summarizing all violations, the HDPA imposed a fine of EUR 30,000 on the company.
Go here to find detailed information in Greek.
4. Croatian petrol stations operator fined
The present case concerns a violation of Art. 15 sec. 3 of the General Data Protection Regulation. The Croatian Data Protection Authority fined one of the energy company's petrol stations (the name of which is currently unavailable) HRK 940,000.00 (EUR 124,245).
Let's look at the details of this case. The data subject used the services of a petrol station in one of the company's branches. The customer was not satisfied with the measurement of the fuel being filled. In accordance with consumer protection legislation, the data subject filed a complaint. Subsequently, the data subject requested a copy of the material recorded by the surveillance cameras, specifying the exact date and time of stay at the station. Unfortunately, the company did not accept this request, citing the following reasons:
- Lack of a written request from the competent authorities for a copy of the recording
- Unjustified purpose
- Obtaining a copy would negatively infringe on the rights of the service station employees and customers who were at the station at that moment
After the client received a general opinion from the DPA, the company said it could not release the surveillance footage because it was deleted after seven days. The DPA considered this conduct a violation of Article 15 of the GDPR. In addition, it was established that the company, by not providing access to the monitoring recording, indirectly avoided material damage that it could have suffered as a result of a consumer dispute with the data subject. The company also disposed of the recording, which would have served as evidence in the case. In these circumstances, on March 8, the Croatian DPA issued a decision fining the energy company a sum of HRK 940,000.00 for violating the data subject's right of access to the recording.
More details on this case can be found here. The material is available in Croatian.
5. Romanian supermarket fined
In March 2022, the Romanian supermarket Kaufland Romania SCS was fined EUR 2,000. The Romanian data protection authority found the company to be in breach of Article 15 of the GDPR.
Although the fine is rather minor, it is worth noting that Kaufland Romania SCS was fined at least 3 times in 2022 alone.
Let us examine the details of this particular case. As a result of a complaint lodged by the data subject, the data protection authority initiated proceedings. The administrator did not comply with the request of the data subject to provide access to monitoring recordings. Although the recordings were available on the requested date, the administrator did not send a full copy of the materials registered by the camera. Failure to provide data to the data subject is a violation of Article 15 of the GDPR. The Romanian DPA, therefore, imposed a fine of EUR 2,000 on the supermarket. Moreover, corrective action has been taken against the administrator. The Romanian supermarket should provide the data subject with all requested images, if any were available. Of course, so that the shared material does not have a negative impact on the rights of other people, the administrator should blur images that lead to their identification.
Under this link, you will find full information about this case in Romanian.
6. Severe fine imposed on Limerick City and County Council
By the decision of 9 December, 2021, Limerick City and County Council was fined EUR 110,000. The penalty was imposed for the violation of:
- Article 13, which concerns information provided when collecting data from the data subject.
- Article 12, which deals with the scrutiny of this information.
- Article 15, which describes the right of access of the data subject.
Here are the details of the case. Following an inspection of personal data processing, the Irish DPA found County Limerick to be in breach of a number of data protection laws. The investigation revealed the use of surveillance to be illegal. Only 44 of the 401 CCTV cameras met data protection requirements. The Irish DPA found that many of the installed cameras were being used for purposes other than those for which they were intended. Moreover, some were equipped with automatic number plate recognition without proper authorization.
In addition, the County Council did not post information on its website regarding CCTV cameras used for traffic management. It thus violated Article 13 of the GDPR. The Council failed to provide this information in a transparent and easily accessible manner, which is a violation of Article 12. Furthermore, the County Council breached Article 15 by denying access requests in relation to data processing at the Traffic Management Center. Based on these infringements, the Irish DPA imposed a fine of EUR 110,000 on the County Council. The commissioner also ordered these cameras to be turned off for up to 120 days, in particular cameras that read the license plates of vehicles passing through the city.
Here is the decision issued by the Irish DPA.
7. Greek Municipal Transport company suffers moderate penalty
The Hellenic DPA issued a decision on 3rd September, 2021, whereby the Municipal Transport Company RODA was fined EUR 8,000. The administrator has violated the following GDPR articles:
- Article 5(1)(c) relating to personal data, which should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Art. 12 (3) of the GDPR, which states that the administrator shall, without undue delay, provide the data subject with information about the actions taken in connection with the request.
- Article 15 on the right of access by the data subject.
Former employees of the municipal transport company RODA lodged a complaint against the data controller. These people were in a legal dispute. The case concerned alleged embezzlement, of which the administrator accused a former employee. As a consequence, the data subject requested a copy of the recordings made by the bus surveillance system on the day on which the incident allegedly occurred. The surveillance recordings were to be used as evidence for defense in criminal proceedings. Unfortunately, the administrator of the municipal transport company did not respond to the former employee's request, violating Art. 12 and 15 of the GDPR. The Hellenic DPA has fined the data controller EUR 5,000. Moreover, the administrator provided a certificate to the former employee stating:
- the type and period of employment
- the reason for the dismissal, which was allegedly a crime.
The Greek authority considered this a violation of Art. 5 GDPR and awarded a fine of EUR 3,000.
Here is the decision issued by the Hellenic data protection authority.
8. Another penalty for Kaufland in Romania
In January 2021, the Romanian data protection authority decided to punish the operator of Kaufland Romania SCS for violating Article 15 of the GDPR. Because the administrator violated the right to access data, the authority fined him 14,846.4 lei (equivalent to 3,000 euros).
A complaint was delivered to the data protection officer in which the data subject stated that the administrator of Kaufland Romania SCS did not provide him with a full copy of the surveillance recording. According to the law, the controller is obliged to make the monitoring recordings available to the data subject. The administrator is also obliged to use a number of technical and organizational measures so as not to infringe on the rights of other natural persons. Therefore, the faces of all persons appearing in the recording should be blurred. The same applies to license plates. Since the administrator of Kaufland Romania SCS did not make the entire recording available to the data subject, he was fined. For violation of the provisions of Art. 15 sec. 3, the Romanian DPA (ANSPDCP) imposed a fine of EUR 3,000.
You can find the original material on this case here.
9. Severe fine for local shop owner in Hungary
On 23 October, 2020, the Hungarian National Authority for Data Protection and Freedom of Information decided to punish a shoe store for violating provisions related to the GDPR. The store was fined 20,000,000 FT (EUR 54,800) for breaching the following articles: Art. 12 GDPR, Art. 15 GDPR, Art. 18 (1) c) GDPR, and Art. 25 GDPR.
On 26 May, 2018, a customer made a purchase in the store of the administrator and did not receive change. The data subject requested the company to provide a copy of the video surveillance recording, justifying the request by wanting to prove that he had not received change after payment. In the application, the data subject, referring to the exclusion from Art. 18 sec. 1 lit. c GDPR, asked the administrator not to delete the recording in question. However, the company did not comply with the request. The administrator refused to provide the recordings, justifying that the footage from the camera could be made available at the request of the police. This action violated Art. 15 GDPR, and the store further violated the GDPR by removing the video from monitoring despite the explicit request of the data subject.
The Hungarian data protection authority also found that the store did not take adequate organizational measures to ensure the right of access of data subjects, violating Art. 25 GDPR. In addition, the authority also stated that the store violated Art. 12 of the GDPR by failing to provide information about the refusal to provide the recording and by not explaining why the recording was not stored beyond the normal storage period.
Based on these violations, the Hungarian data protection authority imposed a fine of EUR 54,800 on the shoe store.
For more information on this case, please refer to the linked material.
10. Residential community from Spain fined
The housing association paid a fine of EUR 900 for a breach of personal data protection. The violation concerned Art. 5 GDPR. Here are the details of the case.
The DPA received a document indicating a possible violation of personal data protection provisions due to the installation of a video monitoring system. The investigation found that there were 57 cameras in the building, including one deactivated in the gymnasium. However, some cameras covered public spaces. The Spanish authority considered this a violation of Art. 5 GDPR, i.e., the principles of data minimization.
Taking into account all the circumstances, the authority imposed a fine of EUR 900 on the housing association. It is worth mentioning that the authority initially set the fine at EUR 1,500. However, it was reduced due to voluntary payment and recognition of responsibility.
The original material in Spanish is available at this link.
11. A homeowner fined for recording public space beyond his private premises
With the decision made on 10 November, 2022, the Spanish DPA punished a private person who violated Article 5 of the GDPR. The individual was fined EUR 300 in total.
During the patrol, the civil guard noticed a camera in a private person's window that was interfering with public space. The individual claimed that the camera functioned as a video intercom to control the parking lot of his vehicle. However, the DPA considered this a violation of Art. 5 (1) c) GDPR. It states that personal data shall be adequate, relevant, and limited to what is necessary concerning the purposes for which they are processed (‘data minimization’). When installing a camera, it is important to provide information about the intended purposes and the individual who is responsible for processing the personal data captured. What's more, individuals should point cameras at private spaces.
As a consequence, the Spanish DPA imposed a fine of EUR 300 on the individual. In addition, the DPA ordered the individual to remove the camera within 15 working days of receiving the administrative act.
You can find detailed information in Spanish at this link.
12. Fine for Spanish company violating some basic rules regarding video monitoring
The next matter concerns the Spanish company Lorent 2013 SL. The controller was fined EUR 600 by the Spanish Data Protection Agency for violating the GDPR. Lorent 2013 SL breached Article 5 of the GDPR, which concerns, among others, the principle of data minimization.
The City Council of Murcia sent a letter indicating that the data controller had video monitoring without providing adequate information. In addition, CCTV cameras were directed at a public space without a prior administrative permit for such action.
According to the law, video surveillance must be directed toward private spaces. It is forbidden to cover public space without a reasonable reason. Additionally, it is mandatory for the CCTV surveillance to have a visible information notice displaying the objectives and the individual responsible for processing any personal data involved.
The proceedings showed that Lorent 2013 SL breached Article 5 (1) c) regarding data minimization. Therefore, the Spanish DPA imposed a penalty of EUR 600 on the company. Besides, the controller was obliged to place an information poster indicating that it was a video supervision area and to deactivate the camera that covered public space.
For more information, please see this link. This is an original decision issued by the Spanish DPA.
13. Fine for unauthorized monitoring installation belonging to private person
On 29 November 2022, by the decision of the Spanish DPA, a private person was fined EUR 500. This case concerns a breach of Article 5 of the GDPR.
On April 1, 2022, the Spanish Data Protection Agency received a request from the civil guard. The complaint was directed against a private person. The letter indicated that the individual had installed a video surveillance system whose cameras covered the public space. Moreover, the private person did not have any administrative authorization. In addition, the data controller published the recorded video on the social network Facebook. The controller justified the installation of the cameras by, among other things, a situation of animal abuse.
As per legal provisions, private individuals are prohibited from installing video surveillance systems aimed at obtaining images of public areas, except in cases allowed by the law. The proceedings proved that the controller acquires images of public space, processes data from third parties, and disseminates them in social networks.
The Spanish DPA considered this a violation of the principle of data minimization (Art. 5 (1)c)). Therefore, it imposed a fine of EUR 500 on the private person.
More information can be found in this original decision of the Spanish DPA.
14. Fine for non-compliance with several GDPR articles in Hungary
On 18 December 2018, NAIH imposed a fine of EUR 3,200 on a controller. This penalty has been issued because of contraventions of:
- Article 12 (4) GDPR by failing to notify the individual about their ability to file a complaint with the governing body.
- Article 13 of GDPR by not providing the data subject with all information when obtaining personal data.
- Article 15 of GDPR by not making the monitoring recordings available to the data subject.
- Article 18 (1) c) by failing to store recordings for later use by the data subject.
The Hungarian Data Protection Authority (NAIH) received a request stating that the controller had not complied with the requests to exercise the rights of the data subject. The individual personally approached the controller in order to gain access to the audio recording of the general meeting. Moreover, the data subject requested that the recordings from the cameras not be deleted. They stated that the controller had to block the recordings and provide copies of them for the legal proceedings and lawsuit concerning the securities' legal status. However, the controller did not comply with any of the requests. In connection with the above, the data subject lodged a complaint with the NAIH. The investigation showed that the controller violated GDPR rights. He was therefore fined a total of FT 1,000,000, which is equivalent to EUR 3,200.
Details of this case can be found in that decision.
15. Local Bank fined for not providing access to audio and video recordings
On 21 May 2019, the Hungarian Data Protection and Freedom of Information Authority issued a decision imposing a fine of EUR 2,000 on a local bank. The controller has violated the following GDPR articles: Art. 12 (3), (4), (5) GDPR, Art. 15 GDPR, and Art. 18 GDPR.
The data subject was a customer of a local bank. They asked for permission to view recordings of phone calls and surveillance footage. The controller provided both copies of the phone call recordings and the opportunity to review CCTV recordings on-site. Although the bank allowed access to the recordings on the spot, it refused to provide a copy of the material. The controller justified his refusal by the fact that the recording contains the personal data of third parties. It should be mentioned that this is not legal, as other people's data can be obliterated. Consequently, the NAIH found this to be a violation of Art. 15 GDPR. Moreover, the bank also violated Art. 12 as it did not respond in due time, as well as Art. 18 by violating the right to limit data processing.
Taking into account all these infringements, the NAIH fined the bank in the amount of EUR 2,000.
Details of this case are available at this link.
16. Bar fined for not providing access to surveillance recordings
The Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) issued a decision imposing a fine of EUR 5,800. The administrator has violated Art. 6 and Art. 15 GDPR.
The security staff of the bar assaulted the data subject, causing minor damage to their health. The event was captured by the cameras installed at the building. Consequently, the data subject requested to retain the recordings until the police took further action. They also asked for access to surveillance video. However, they did not receive any response. Moreover, the data subject claimed that the cameras were illegally monitoring public places. During the investigation, the administrator found that the recordings had been blocked. The truth is that he did not notify anyone about this. Since the administrator did not receive any request from the police or the data subject for further proceedings, he removed the previously blocked recordings. The administrator deleted the recordings after thirty days, based on the regulations in force at the time. He informed the data subject about this fact.
The administrator also justified that the cameras monitor the entrance to the building, and the parts of the public space are not fully visible.
In the investigation, the NAIH considered it a mitigating circumstance that, during the period in question, there were still rules in place that were not in line with the General Data Protection Regulation and that the administrator had never been penalized for breaches of the GDPR before.
Ultimately, NAIH imposed a fine of EUR 5,800 for violating:
- Art. 15 of the GDPR: The administrator did not make the recordings available to the data subject.
- Art. 6 of the GDPR: The administrator was unable to demonstrate that the data processing is lawful.
You can find more information on this matter here.
17. A small fine imposed on the homeowners association in Spain
By the decision of the Spanish DPA (AEPD) of 3 December 2022, a homeowners’ association was fined EUR 300 for violating rights related to the GDPR. The data controller violated Article 5 (1) c) of the GDPR concerning data minimization.
In May 2022, the General Data Inspection Directorate (SGID) received a letter. The data subject stated that a video surveillance camera had been installed in the common areas of the building where he lives by the chairman of this community. The individual also added that the monitoring is not properly marked.
The investigation showed that CCTV surveillance covers a public area. In addition, although an information poster about the monitoring was placed, it did not include information about the data controller and the method of exercising rights under the applicable GDPR. The Spanish data protection authority considered this a violation of the principle of data minimization. As a result, taking into account all the circumstances, it imposed a fine of EUR 300. Besides, the controller was obliged to change the information poster and provide the DPA with evidence in this regard.
More information can be found in the original decision. The link is here.
Since our team has limited knowledge and resources, it was impossible to cover all the fines related to CCTV monitoring that have been imposed in the past years. Perhaps these are some representative cases, and there are many more out there. We will continue to monitor the latest developments and expand the report as time goes by and more cases of violations appear.
One consideration to keep in mind is that regulators have only relatively recently become interested in the protection of the image of persons registered in visual materials in the context of personal data processing.
We should expect the development of legislation towards more and more protection of the rights of individuals, granting further powers to processing entities, and more and more severe prosecution for infringements.
We can expect that the number and severity of penalties will only increase in the coming years. No more “business as usual” for video surveillance operators.