Tag Archives: data protection case-law

CJEU: CCTV camera in family home falls under the Data protection directive, but it is in principle lawful

CJEU gave its decision today in Case C-212/13 František Ryneš – under the preliminary ruling procedure. The press release is available here and the decision here.


A person who broke the window of the applicant’s home and was identified by the police with the help of the applicant’s CCTV camera complained that the footage was in breach of data protection law, as he did not give consent for that processing operation. The Data Protection Authority fined the applicant, and the applicant challenged the DPAs decision in front of an administrative court. The administrative court sent a question for a preliminary ruling to the CJEU.

Video image is personal data

First, the Court established that “the image of a person recorded by a camera constitutes personal data because it makes it possible to identify the person concerned” (para. 22).

In addition, video surveillance involving the recording and storage of personal data falls within the scope of the Directive, since it constitutes automatic data processing.

Household exception must be “narrowly construed”

According to the Court, as far as the provisions of the Data protection directive govern the processing of personal data liable to infringe fundamental freedoms, they “must necessarily be interpreted in the light of the fundamental rights set out in the Charter (see Google Spain and Google, EU:C:2014:317, paragraph 68)”, and “the exception provided for in the second indent of Article 3(2) of that directive must be narrowly construed” (para. 29).

In this sense, the Court emphasized the use of the word “purely” in the legal provision for describing the personal or household activity under this exception (para. 30).

Such processing operation is most likely lawful

In one of the last paragraphs of the decision, the Court clarifies that “the application of Directive 95/46 makes it possible, where appropriate, to take into account — in accordance, in particular, with Articles 7(f), 11(2), and 13(1)(d) and (g) of that directive — legitimate interests pursued by the controller, such as the protection of the property, health and life of his family and himself, as in the case in the main proceedings” (para. 34).

This practically means that, even if the household exception does not apply in this case, and the processing operation must comply with the requirements of the Data protection directive, these requirements imply that a CCTV camera recording activity such as the one in the proceedings is lawful.

NB: The Court used a non-typical terminology in this decision – “the right to privacy” (para. 29)

Complaints Dealt With by EDPS in 2010

I will continue my endeavour started yesterday (read all about it HERE). Before analyzing some of the cases from the EDPS 2010 Report, I shoul mention that in 10 cases resolved in 2010 the EDPS found there was no breach of data protection rules, while in 11 cases non-compliance with data protection law was found to have occured (and reccommendations were addressed to the data controler concerned).

Here are the cases, just as they are explained in the EDPS 2010 Activity Report:

I. Compliance

1. Acces to one’s own medical file. The EDPS received a complaint relating to access to one’s own medical file held by an institution’s medical service. The EDPS confirmed that under the data protection rules, access to personal data does not oblige the controller to send the original medical file, but that it implied in practice being able to have a look at it (in person or in certain cases indirectly via a doctor) and/or take copies of it. With regard to the right to rectification of inaccurate or incomplete data, the EDPS underlined that the obligation to rectify data in the context of medical data is related only to factual data and not to health related assessments. The controller is therefore not obliged under data protection rules to modify the conclusion of a specific medical report. In such a context, the right to rectify the data could result in the possibility to include another report from another medical professional containing a different assessment. The EDPS therefore concluded in this case that there was no breach to data protection rules.

II. Non-compliance

1. Publication of personal sensitive data. A complaint was received about the publication of highly sensitive personal data in the Official Journal of the European Union and in the minutes of a European Parliament session. Following an inquiry into the matter, the EDPS concluded that the opinion of the Member of Parliament could have been expressed and the political message of the Written declaration could have been transmitted effectively without revealing the identities of the persons concerned. The EDPS requested the deletion of the names of the persons invoked by the Member in the Written declaration and in any other medium. He also requested that a formal and effective procedure be established in order to ensure that definitive versions of documents published in the Official Journal and on the internet site of the Parliament take into account modifications introduced by the services in charge of the preparation of documents.

2. Communication of personnel numbers through an agency’s internal e-mail. A complaint was received relating to the communication of personnel numbers of the members of staff of an agency to all users via the agency’s internal email addresses. The purpose of the particular processing was to invite all members of staff for an appointment with the agency’s Security section to have their photograph taken. The EDPS considered that, for this purpose it was fully sufficient to send a list containing only last name and first name of all the persons concerned. The personnel number on this list was irrelevant and excessive in relation to the said purpose and thus in violation of Article 4 of the Regulation. The EDPS invited the agency to formally instruct staff dealing with personal data to be selective and exercise particular care when sending massive internal or external mailings containing personal data so as to ensure that only data which are necessary for the purpose of the message are included.

3. Covert video surveillance. A staff member complained against covert video surveillance in his institution. In particular, he questioned the lawfulness of the use of a video camera which recorded him, without his knowledge, when he entered his supervisor’s office in his absence. The EDPS concluded that the institution had not demonstrated the existence of a legal basis which would explicitly allow the possibility of such highly intrusive operations and provide for specific conditions and safeguards. Without such a transparent legal basis and a structured approach, the proportionality of covert video surveillance was doubtful. The EDPS, therefore, called on the institution to re examine whether it wished to avail itself of covert surveillance in the future and if so, to submit its plans to the EDPS for prior checking.

In conclusion, data protection complaints to an authority such as the EDPS vary as much as the general subject matter of data protection. Whether people don’t have access to their personal information, whether their sensitive data is published or whtether they are being surveilled in an office without knowing, they feel like their privacy is being invaded and they want to react somehow. Nevertheless, it is clear that the right to data protection is not an absolute one. In case I.1. from above, the individual did not have the right to simply modify data concerning his health, even though the modification was meant for his own medical file. Health is a sensitive subject matter and keeping track of one’s medical condition is important, even though the medical condition changed. It would be interesting to know more facts from this particular case to analyze in depth this limit of the right to data protection.