Video surveillance and the checklist of a good DPA: the “case” of the Municipality of Monterotondo
With decision no. 100 of 22 February 2024, the Garante per la protezione dei dati personali ruled, among other things, on the relationship between a data controller and its data processor, and in particular on the concrete content of the contract that must be put in place between them under Article 28 of Regulation (EU) 2016/679 (GDPR).
The decision offers useful insights both on video surveillance and on the content of the contract entered into between controller and processor (the act of appointment as a data processor or, in English parlance, the “Data Processing Agreement,” or simply DPA), whose required content is spelled out in Article 28(3) of the GDPR: “Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.”
The case
The case analyzed by the Garante concerned the Municipality of Monterotondo which, as data controller, outsourced to APM, an external special-purpose municipal company, the installation and management of the waste collection devices (so-called “compactors”), fitted with surveillance cameras connected to the municipality, without first entering into a data protection contract under Article 28 GDPR.
Such a contract was necessary because the Municipality, and APM as its data processor, had been processing personal data from March 2021 to 9 June 2022. That processing was carried out, moreover, without appropriate information being given to the data subjects, which is the second objection raised by the Authority: the Municipality had mistakenly regarded the system attached to the compactors as a mere “security alert” rather than as genuine “video surveillance,” aimed at detecting acts of vandalism or events relevant to the security of the facilities or the safety of users.
Finally, the Municipality appeared to have “failed to take appropriate technical and organizational measures to ensure a level of security appropriate to the risk,” thereby violating Article 32 of the GDPR.
The video surveillance information notice objection
The Garante recalls, as a first point, that in accordance with the principles of lawfulness, fairness and transparency, the controller must take appropriate measures to provide the data subject, before personal data are processed, with all the information required by the GDPR, in a concise, transparent, intelligible and easily accessible form (Articles 5(1)(a), 12 and 13 of the GDPR).
These requirements regarding first- and second-level information on video surveillance had not been met. The Municipality had not put up any “warning signs” (the first-level notice placed near the area under surveillance); it had instead placed information signs it considered “sufficient” to alert data subjects to the processing, but at a site far from the one actually covered by the cameras. In addition, the sign referred to the prevention of widespread and predatory crime, and was therefore inadequate to ensure the transparency of a processing operation distinct from, and more specific than, the one it described.
The requirements of a “good” DPA
The most substantial part of the Garante’s assessment, however, concerns the definition of the “contractual” relationship between controller and processor.
As noted, the Municipality had outsourced the installation and management of the system to APM, entrusting it with the processing of the images captured by the cameras, without entering into any data protection contract under Article 28 GDPR, in violation of paragraphs 3 and 9 of Article 28. Since both the controller and the processor have a duty to ensure that a contract or other legal act setting out the instructions for the processing exists, the Authority may “impose an administrative fine on both the controller and the processor,” as also specified by Guidelines 07/2020 on the concepts of controller and processor in the GDPR (adopted by the European Data Protection Board on 7 July 2021, para. 103).
When the deed was eventually formalized, it had been signed only by the Municipality and not by APM; the supplier signed it only after the investigation had begun.
That late contract, signed after the start of the investigation, contained the elements set out in Article 28 GDPR only “formally,” and did not concretely describe the processing of personal data it was meant to govern.
The Garante therefore reiterated that the “act of appointment” must contain all the instructions and the technical and organizational measures that the controller intends to impose on the processor, aimed at ensuring a level of security appropriate to the risk.
The Authority then recalled how such a contract must be drafted taking into account the specific data processing activity, regulating, in particular:
- the subject matter of the processing, specified in enough detail that its main object is clear;
- the duration of the processing;
- the nature of the processing: the type of operations performed as part of the processing (e.g., “filming,” “recording,” “image storage,” etc.);
- the purpose of the processing, as comprehensively as possible given the specific processing activity, so that external parties (the supervisory authorities) can understand the content and risks of the processing entrusted to the processor;
- the type of personal data, in as much detail as possible;
- the categories of data subjects, identified specifically;
- a reference, even if only per relationem, to the act or contract governing the underlying relationship between the parties.
Conclusions
In view of these violations, but assessing positively the Municipality’s level of cooperation and considering that the violation, although protracted over a long period, did not concern special categories of personal data or data relating to criminal convictions and offences, the Garante issued an injunction ordering the entity to pay a fine of 3,000 (three thousand) euros.
As mentioned, the decision is of interest not so much for the sanction or for the facts of the case, but for the rule it restates, apparently trivial yet still widely underestimated by practitioners in both the public and private sectors: the contract between controller and processor is not a mere formality but a foundational element of lawful processing, to be tailored and adapted to the specifics of each individual processing operation.
It is therefore essential not only to have good appointment templates to use with suppliers and partners, including the “Standard contractual clauses between controllers and processors pursuant to Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council” published by the European Commission, but also to receive adequate training (or to rely on consultants and DPOs trained for the purpose) so that the acts of appointment provide sufficiently detailed information on the specific processing they are meant to govern.