Background information
- Date of decision: 6 September 2023
- Cross-border case or national case: National case
- Controller: University of Iceland (Háskóli Íslands)
- Legal references: Article 5 (Principles relating to processing of personal data), Article 12 (Transparent information, communication, and modalities for the exercise of the rights of the data subject), Article 13 (Information to be provided where personal data are collected from the data subject)
- Decision: Administrative fine, Compliance order
- Key words: Administrative fine, CCTV, Transparency,
Principles relating to processing of personal data, Public administration
Summary of the Decision
Origin of the case
In February 2021, the Icelandic SA received a complaint from an individual regarding video surveillance inside and outside the building of the University of Iceland. The complainant held that no notifications were visible to indicate that the CCTV system was installed and that information about the purpose, nature, scope, location, and other aspects of the monitoring was not provided or available. The Icelandic SA carried out a field inspection on the University’s premises to investigate the scope of the video surveillance and the signs and/or notifications of the existence of cameras. The conclusion was that data subjects were not notified of the monitoring before entering the scope of the surveillance. Therefore, the Icelandic SA concluded that the University had not complied with data protection principles in Article 5 GDPR and not informed the data subjects about processing in accordance with Article 12 and 13 GDPR.
Key Findings
- Failure to comply with the obligation to process personal data lawfully, fairly and in a transparent manner (Article 5(1)(a) GDPR)
- Failure to inform the data subjects about processing in accordance with Articles 12 and 13 GDPR
Decision
The Icelandic SA concluded that the University of Iceland had processed data, with the use of its surveillance system, unfairly and in an untransparent manner, in breach of Article 5(1)(a), and had not informed the data subjects about the surveillance system according to Article 12 and 13. Therefore, the Icelandic SA ordered the University, pursuant to Article 58(2)(d) GDPR, to put up signs, notifying the data subject of the existence of cameras before they enter the scope of the surveillance. Furthermore, the Icelandic SA ordered that the University must provide data subjects with information in accordance with Article 12 and 13 GDPR. In addition, the Icelandic SA imposed an administrative fine on the University of Iceland of app. EUR 10,289 (ISK 1.500.000).
For further information:
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.