Austria’s First GDPR Fine Is For Video Surveillance
Should EU businesses be concerned if police see a business' surveillance cameras filming public areas?
This is what happened with Austria’s first GDPR fine, imposed on a betting shop for filming public areas with its security cameras.
The case racked up a total of almost $6,000 in fines, some of which were for non-GDPR violations. It has been appealed, so is not final. The case is nevertheless an important example of the heightened risk faced by end users in the GDPR era, particularly since it was the GDPR-related fine that was by far the highest.
In this note, we examine:
- How They Got Caught
- Alleged Violations
- GDPR vs non-GDPR Violations
- How The Fines Were Calculated
- Why the GDPR Fine was the Highest
- The frequency of Video Surveillance Fines in Austria
- Timing & Gravity of Offense
- Broader Meaning
*** *** **** *** ******
********* ** ********** **** *******, ***** ****** ******** ******* *** ************ cameras ******* ****** ***** ***** *** entrance ** * ******* **** ** the ****** ******** ** ***** **, ****. (******* ***** are ****** ** ***** ** ****** and ******* ******* ** * ***** store/bar ***** ******* *** *** **** machines ** ***** ****.)
* **** *** ****** ***** *** transferred ** *** ******** **** ********** agency,*** ***, ***** *** **, ****, *** date *** **** *** *******. **** is ******* ***** ** *** ****, illegal ***** ************ ***** **** ******* by ***** ***********, *** *** ***, the ****** **** ****.
List ** **********
*** *** ****** **** *** ******* shop ********* **** ******** ******* **********:
- *** ******** ******* ******* ** *** shop’s ******** ********* * ****** ******* lot *** ******* *****, ********* ****** passing ** *** ********’ ******* ******.
- *** ******* **** *** ********** **** authorities.
- ***** ************ ******* *** **** *** an ********** **** ****** **** ** justification ********. (******** ******* *** ******** legal ************* *** *** ***** ************ storage ******* ****** **** ** *****.)
- ***** *** ** ****** **** ********** that ***** ************ *** ***** ****.
*** ******* **** *** ******* ** the *** **** *** **** **********, although *** ******* *** ******* ** was **** ** * *****.
GDPR ** ***-**** **********
*** ***** ********* – ******* ****** areas – *** *** **** ****** listed ** ********* *** ****, **** the *** ************ *** ******** ******** of *** ***:
- ******* *, ***** ****** **** *** ********** of ******** **** ** “******* ** **** ** ********* ** relation ** *** ******** *** ***** they *** *********”. *** *** ***** that *** ******* ****’* ********** *********** *** *** *******’ ******** purpose ** *********** *** ********.
- ******* *, ***** **** *** *** ********** for ****** **********, **** ** “*******” and “********** ********”. *** *** ***** that *** ******* ****’* ******* ********* none ** ***** **********.
*** ***** ***** ******* **** *** violations *********’* ******** ******* ***, ***** *** ****** ** ****.
*** ****** ****** *** **** ** non-GDPR ***** ** **** “*** ******** of *** ******* ******* ******** ****** 25 *** ****” *.*. *** **** the **** *** *******. ********* ********** 2, *, *** * **** ******* under ******** ******* *********** ***** *** first *** ******* ***** *** ****.
How *** ***** **** **********
*** *** **** *********, *** **** was ***** *,*** ***** ($*,***). *** other *****, ***-**** ********** ******** ***** of *** ***** **** ($***), ** laid *** ** ******** ******** ******* law. *** ***** ** ***** *** **** 4,800 ***** ($*,***). * **% ***** fee *** *****, ******** *** ***** to *,*** ***** ** $*,***.
(**********: “**** ** *****”, “******* ** case ***** *** *** *********”, “************ period”, “[*****] *********”)
GDPR ****** ****** *****
*** **** **** *** **** ********* was ***** *** *,*** ***** ***** the ***-**** ***** **** **** *** euros ** *** * ***********.
*** ***'* ****** **** ******* ******* confirmed ** **** (******** *****):
********* ********, *** **** ****** ****** its*** **(*) *** (*)significantly ****** **** concerning the determination of the total amount of an imposed fine in relation to prior legal provisions in force before the GDPR.
************, ******* **** ************* ********************* **** ***** **** ** ************ ** the **** ** *** ********; * small ******* **** ***** *** ** slapped **** *** ******* **** ****, which *** ***** ** ******* ***** or *% ** ****** ****** *******.
*** **** ** ** *************. *** example, * ****** **** * ******** who *** ** ****** ****** ** 40,000 ***** [$**,***] **** * **-*******-**** fine [$** *******].
Frequency ** ***** ************ ***** ** *******
**** ** *** *** ***** **** illegal ***** ************ ** ***** ** Austria. ******** ** *** *** ******* statistics, ******* **** **** **** ***** are * "****** **********", ****** *** after *** ****:
*** ******** ** *** ****** ***** concern *** ******** ******* *** ** CCTV.
Timing/Gravity ** *******
*** ****** ************* ** *** ******* shop ***** ** ***** **** *** the ***** **** ********* ** ********* 2018. *** **** *** ******** *** case *** *** *** ** *******’* federal *****, ***** *** *** ** rule ** **, *** *** ********* to ****.
*** *** **** ********* **** **** is *******’* ***** **** ****. *** months-long ***** ** **** ***** ***** from *** **** **** **** ********** are ***** ******* * ******* ** cases ***** ***** **** ****** *** GDPR’s *********.
*** *** ****** *** ****’* ******* to ** “*********” ****** “**********” ** “aggravating”. **** ** ******* *** ******* shop ****’* **** *** ******** ****** of **********, ******* *** ******* *** months-long ***** ************.
**********
**** **** ******** * ************ ************ example ** *** ***** *** ** higher ****** ** *** ****. * $*,*** **** *** * ****** small **** *** ** ***** * significant ******, *** ** ** ****** that *** ***** **** ***** **** been ****** *** *** *** ********** taken ***** ***** *** ****’* ********* on *** **.
**** ** ********* *** *****, ***********, and *** ****** ********** ***** ************ data ****** ****** **** ** ****.
* **** *** "******* ****** *****"???
"*** ******* **** *** ********** **** authorities"
*** ****!
***** ** *** **, ******* ** privacy **** **** *** * **** time ********* ***** ************ **** **** stringently (*** **** ******** *** ****.) For ******* ** ****** *** ******************** **** ********** **** ********** ******** ******* **** film ****** *****, "**** ** **** want ** ****** *** ******** ** their ******* ****** ** ***** ** their ****.”
"***** *****" ** *** ****....
************** *********, *** ***** *** ****** of ***** ******* “*******” ******** ******** of ****** ***** ******. *** ** sight *** ** ****...
*** ****** ****** *** **** ** non-GDPR ***** ** **** “*** ******** of *** ******* ******* ******** ****** 25 *** ****” *.*. *** **** the **** *** *******. ********* ********** 2, *, *** * **** ******* under ******** ******* *********** ***** *** first *** ******* ***** *** ****.
**** ******* **** *** *** *************************** ** **** **** **** *** GDPR **** ** $*,*** ***** **** been ******; *** **********, *** *********************** ** ****, **** **** *** 3 $*** ***** ***** **** **** imposed.
** **** ** **, *** ** you *** ****
** *** *** ****-******* **** **** was ** *** *** *******.
**** ** **** ****** ** **** be $****, **** **** *** ***-**** spread **** ***** *****, *** **** for *** **** *******?
****, *** ** *******. **** *'* saying ** **** *** *** *** alleged ********** ***** ***** ***** *** 25, *** * ********** ***** **** been *********** ** **** **********, ****** than **** *. ***** *** **** gives *********** ************* **** ****** ** imposing *****, **** ** *** ********** could **** **** *****, *** *******, 2,400 ***** - ** ****'* *,*** x * = *,*** ***** ***** in *****, ** ****** $**,***.
**** *** ***-**** ********** **** *** "spread **** ***** *****"; **** *** was * ********** ********* ** ******* regulations.
* **** **** ** ***** ** interpretation **** ***** *** **** ********** are ********* ****** **** *** ****** head ** *** ******** **** ********** agency ******** *******. ** ********* **** to **, ******* ** **** (******** added):
"********* ********, *** **** ****** ****** its *** ** (*) *** (*)significantly ****** **** concerning the determination of the total amount of an imposed fine in relation to prior legal provisions in force before the GDPR. In addition, in this particular case, the Austrian DPA had to take transitional provisions into account, which ******* *** ***** ***** ***** ** *** ******** ***** ********* prior to the GDPR in which the infringing action started before the 25th of Mai 2018."
**** *'* ****** ** **** *** all *** ******* ********** ***** ***** after *** **, *** * ********** would **** **** *********** ** **** violations, ****** **** **** *.
** *** *** ****** ************ **, *** **** ******* ******* was *** ******* ** ******* *****?
*** **** *********, ***************** **, **** *** ********** *** cameras, *** ***** **, ******** *** retention ****** ***?
**** ****** ******** ** **, *** it’s ********.
** *** ***** ****, ** *** of *** * ******** ******** ** both ************* * *** ******* ***** **** statutes, ** ***** **** * *** arbitrary ** ****** **** ************ *** asymmetrically, **** ******* **** **** ********* over * ****** ** ******* **** period.
**** **** **** ***** :)
* *** *** ** ***** ******, but *** **** *** **** ******** the ******* “*** ***** ***** ***** gefunden”...
** *** *** ****** **** ***** *** **, *** **** ******* ******* was *** ******* ** ******* *****?
*** **** *********, ******** ****** *** **, **** *** ********** *** cameras, *** ***** **, ******** *** retention ****** ***?
*** **** ***** **** "**** ** the ******* ********** ******** ****** *** 25." ** ********** *, *, *** 4 **** ***** ** *********** ****** the ****, *** ********* * *** only ********* **********. ******* ********** *-* were ******* ***** ************ ***** ** GDPR, *** **** ***'* ** ********** for *** **** ******* ****-****. ***** ** no ******* ** *** **** *********** cameras, ******* ** *****, ***.
* *** *** ** ***** ******, but *** **** *** **** ******** the ******* “*** ***** ***** ***** gefunden”...
** ***, * ***** *** **** in *** *******. *** *** ********* ****.
* **** * *** ****** **** covers *** **** **** ***** ** my *******, ** ****** ***'* **** it **** ***** ******* ***. *** cops ***** *** ***** **** **** teenagers ******* ** *** ** *** cars.
*** ** *** ****** *** ****** driving *****? ****, *** *** ****** the **** *** *** ********* ** some ******** ******** ************* ** ***** in ******** ** *** ******?
* ***** *** ********** * ****** company ** ****** ******** *** ******* where * *****.
**** *** ***** ** *** ****** or ****** :)
* ****** ***'* ********** *** ******** reception ** ****. **** ***-** ******* seem ** **** ** ******* **** than * ******.
** ** * *** *** ***** positives
- **** ************* ** ****
- **** ***** *** *************
********** *** ****** ****** ****** ** applauded. **** ***** * ****** ***** for *** ******** *** ****** *** a ****** ***** ** ********* *** installation.
********** **** ****** **** * ****** quality *** ****** ******.
******* ****, ****** ******* ******, *** just **** *** *********** ******, (**** up *** *** **).
* **** * ****** ****'* ***** on ** ******** ** ***, * see *** **** ** **** ******* by, *** ** ****** **** **** turn **** ** ********. ** *****'* see *** ** ***** *****, *********, or ***** *****. **'* * "***** neighborhood" ** ** * ******* *** angle ** **** ****** ******* ** they ******'* ****.
* ****** **** *** ** ** neighbors *** * *** ******* **' off *** ****** ** *** **** of ***** *****, ****** **** ** don't ** * **** ***** **** play. ******* **** ******* ** ** neighborhood *** * ***** **** ****** got **** ** ******* **** **** decided ** **** ******** ** * honor **** ******* ******* ******* ***** backyard **** ***** ******** ****. *** kid *******'* ** **** *****, *** posting ** ** *** ***** ******* Facebook ***** (**** ** ******* ** see) *** ****** ** *** **** in ******* *** ****.
* **** * *** ****** **** covers *** **** **** ***** ** my *******, ** ****** ***'* **** it **** ***** ******* ***.
* ****** **** **** ******* ** was ********* *** ***, ***** *** no ********* ** **** ******** ******** being ********.
** **'* **** ******** *** *** within *** ******, **** **** *** the *** *******. ** ******** *****.
**'* *** ****** ** *** ****** a ****** ** ***** ******, ** public ***** ** ******* ******* ** to **** ******* ********. **** *** enter ******** ******* ******** *** ***'* have *** *** ** ***** ****** choices. *********** **** *** **** ** be ***** ******... * ***'* ***** agree **** **** ****
** ******* **** ** *** ******, a ******* **** **** **** ******* to ** ** *** ******** **** between *** ** *** *********, ** someone **** *** **** ** ***** that *** ** *** ***** * entrances ** *** ***** **** **** to ** ****'* ***** ******.
** *** ** *****, ** *** camera ****** ** * ****** ****, I *** *** **** ** ***** car, *** **** *** ***** ** the **** **** **** **** ** driveway, **** ** **'* **** ** turn ******. ****** * *** *** a ****** ***** **** *** **** into ****** * ******* ***'* *** same ** * ***** ****** **** sees * ******** ****.
*** ** *** ****** *** **** up *****/******** ** ****** ** ***** backyard ** ********, ** ** ******** or * **** *** **** ** shame ****** ****** ** ***** ** running **** ****** ** *** ***. I'm *** **** ** *** **, but ** *** ******, **** ** intended ** ** **** *******, *** published ****** ** ********.
**** *** ******** ****** ************, it **** ****** **** * *** for *** **** ** **** ********* and ****** ** *** ******* **** a **** ** *** ****** ******* having ** ***/******* **********. ** ***** is ******* ******** ***** ** ** the ******* **** *** **** ** wanting ** ****.
****, * ***** ***** * sign ** *********** ** *** ******* are ** ***** ****. **** ** pessimistic ** *** ****
**** **** ** ************** ** * practical *****, *******, *****'* ** ********* anywhere ** *** **** ** ******** EU ******* **** **** ***** ******** video ************ *** *** ******** ** long ** *** ******* *** ** plain ****. (*** *** *** ***: a *********** *** ***** ***** ******* are ****** ******* **** **** ******** don't **** ****** ** **** ** and ****** ****).
*** * **** ** *** ***** and **** ***'* **** *** **.
**** ** *****, "***'** ** ******".
* *** ********** *** **** **** way, *** **** ******* **** **** not ** ******** ********* ******** ******* on *** *****, ******* ** *** road *** **** ******* ** **** garden *** ******* ****?
**** ** * ******, *** * good ***** *** *** *** ****
...*** **** ******* **** **** *** so ******** ********* ******** ******* ** his *****, ******* ** *** **** but **** ******* ** **** ****** and ******* ****?
* ******* ****** *********** ** **** rules ***** **** *****, *** * advocate *** ********* ********* ** ***** where *** **** ** *** *****. The ************ ** ********** ************ ** everyday **** ** ********* ** * notionally **** *******.
*'* ****** **** **** ** ***'* have **** **** ** *********, ***** private ******* ** ***** **** ****** to **** *** ******** ** ***** of *** ***** **** **** ******* responsible *** *** ************ ** * rapist/murderers, *** ******* * ****** ** other ******. *** ****** ********* **** on ******* **** *****.
** ** **** **** ***** ****** laws ****** ********** ******.
***, **** *****. * ******* ******** exists ** *** ** **** ******* to ***** ******* ******* ** **** solve ****** *****. ******, ** *** US, * ****** ** ***** ****** departments ***** ********* ** ******* ******* to **** ***** ******. ** ** is ** *********** ******** ******* *******, security, *** **** (*.*., ***** ******* cameras *** **** **** ********* **** building *** ********** ****** *******).
*********** *******, ****** **** **** ****** as *** ***** ***** **** ********** and *****. **** *** ********* ** GDPR **** ******* **** *** ***** in *** ****** ****** *** ***** countries.
******* ********* ******* ** *** ********** wasting **** *** *********. ** **** really ***** **** *** ****** ***** bad ****** *** ***** ** ****** with ***** *** ***********. *'* *** for **** *********, ******** ******* *** controlling ** ******** ****, *** ****** have ** ** ********* ***** **** makes ***** *** ***** *** **** for *** **** **** ****** ****.
******: **** **** *** ***** ***** this ******* **** **** *** ******, Austria's **** ********** **************** * $*,*** ****** * *** *** ********* *** GDPR ***** ** ********* ******** ******* in *** ********* **** ****** ****** areas ** *** *******.
** ******** **, ****, *** ******** DPA ***** **** * *** ***** Mr. ****** - *** ***** **** was *** ********* - ********* * cameras (*** ** *** *******, *** other ** *** ******) **** **** filmed "***** ** *** ******** ******** for ******* ***" **** **:
****** **** "********* ** ****** *****" ** ***** some ** *** ******* *** ****'* put ** * **** ********** *** video ************.
*** *** ***** *** **** ******** Articles * *** * ** *** GDPR, **** **** *** ******* **** case, *** ***** **. ****** *,*** euros ** ***** $*,***:
*** **** ******** **** ******'* ****: common ***** ** ********** **** *******, walkways, *** *** **** ********** "******"; to ** **** *********, ********* *** only **** ***** *** ********.
* *** ***** **. ****** - his ***** **** *** *** *********...
******* ** ****? ;)
**, **, * ***** **** ** just ************ ****** (**** ******** *** GDPR) ** *********** *** ****** ********/****** involved ** ***** *****/***. **** ******** countries **** ******* ********.
******: **** ********** ********* ******
** ***** ****, *******'* ******* *************** *** ********* ** * ***** ************ ********* to ***** ************. *** **** ***** determined **** *** *** *** *** sufficiently **** *** ****'* ******* ***** surveillance ** * ******** ******, *.*. the *******:
**** ******** *** ******** ******* *********** and *** *********** **** ************, ******* it *** * **** ******* * GmbH [******* ********* *******] *** ************ acts ** *********** ******* * ******* person ("******" ****** *** ******* ********* ** ***) ** *** ************** *********** ** the *** (** ***** **** **** appear ** *** *****; *** *** method *** * ******** **** **********) set ****.
******* * ***** ********** *** **** *****'* **** **** Austrian *** **** ****** ***** **********:
********* ** ******** ************, *** **** Protection ********* *** ****** ************** ***** on * ***** ****** *** ********** of *** **** *** *** ******** Data ******* *** ************, ** *** violations *** ********* ** *********** *** hold * ******* ******** ** *** legal ****** ********* ** ** *** violations *** ****** ** **** ** supervision ** ******* ** * ****** in * ********** ****. *******, ******* the ******** *** *** ***** ********** act ** *** **** ********** ********* indicated **** ********* ** ***** ********** had *** ** *** ************* *** was ********* ************ ** *** ***** entity *** ***** ********* ** **** as * ***** *** *** ************** fine *******. ** *** ******* ********** required *** ***** ***** *** **** never ********* ** *** **** ********** Authority ****** *** ********* **** ****** for ***********, *** ******* ************** ***** had ** ***** *** ************** ******* imposed ** *** *******.
**** ** ** *****, ***** ** no ******** ***** ********* *** *** away **** * ********* ** ** wasn't *** *******/****** ************ *** ********* one. ** * ******* ******** ******* a *********, *** ********** ***** ****** ***********:
*** ******** ********* ** *** ***** person [...] ** ***** ** *** accusation **** *** ********** ***** ***** that *** ******** *** "***********" ******or **** **** *** **** ** "******** ***" ******** ******* **** ** ******* ** **********
**** *****.