The Polish SA says a legal basis is required for audio surveillance and has fined the Warsaw Centre for Intoxicated Persons for a lack thereof.
The Polish Supervisory Authority was recently informed that between 2016 and 2021, the Warsaw Centre for Intoxicated Persons recorded sound through its surveillance system, without a legal basis to do so as stated in this report by the EDPB. According to reports, this was carried out throughout their facility through their installed surveillance system. The fact that the sound was recorded for such a long period of time means that the infringement potentially related to a large number of persons. According to the Polish SA, the audio recording of people who are often in the state of intoxication, which hinders them from making conscious statements or having adequate control over the sounds they make, is excessive.
The controller explained that the processing of this data was necessary for a legal obligation with which it complies.
When approached by the Polish SA, the controller was asked to indicate its legal basis for collecting personal data in the form of sound. The controller indicated that the processing of the data in this manner was necessary for a legal obligation with which it complies. In addition to the statute of the Centre, the controller referenced regulations included in the Polish Act on Upbringing in Sobriety and Counteracting Alcoholism. Furthermore, the controller explained that its system records both video and audio, and the purpose of processing is, among other things, to exercise continuous surveillance over, and ensure the safety of persons brought into the Centre to sober up. The controller also informed the Polish SA that the audio and video files are stored from 30 to 60 days, except in cases where the recording is secured to be used as evidence in ongoing proceedings.
The Polish SA determined that the regulations governing the centre’s activity did not allow them to record audio of personal data.
In its decision, the Polish SA stated that the controller cannot raise any of the grounds listed in Article 6.1 of the GDPR, particularly Article 6.1(c), which speaks of processing which is necessary for compliance with a legal obligation to which the controller is subject. The Authority also concluded that none of the regulations governing the Centre’s activity would allow the Centre to record audio of personal data as part of its surveillance.
A fine of €2200 was imposed on the Warsaw Centre for Intoxicated Persons.
When determining the amount of the administrative fine, the Polish SA took into account the degree of cooperation with the Authority by the controller as a mitigating factor. In addition, as a reaction to receiving notice of the initiation of administrative proceedings, the controller ceased the processing of data until the decision was issued, and erased all the registered data, showing consideration for the rights of data subjects. As a result, an administrative fine of €2200 was imposed on the controller.
Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.