Catalan's Data Protection Authority Opinion on the use of images obtained by the video surveillance system by tenants

The document addresses a query submitted to the Catalan Data Protection Authority regarding the use of images obtained from a video surveillance system. The query involves two entities: (i) the first entity manages a building with tenants with a video surveillance system compliant with Article 22 of Spanish Data Protection Act (Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights) (referred hereinafter as "LOPDGDD") and (ii) the second entity is a tenant and experience the theft of a movable asset of his property. 

The second entity requested access to the surveillance footage to identify the perpetrator and potentially initiate disciplinary proceedings if the perpetrator is an employee (according to article 89.1 of Spanish Data Protection Acta which allows the access to said data for disciplinary purposes).

The Data Protection Officers (Delegado de Protección de Datos) of the two entities posed several questions to the Catalan Data Protection Authority: 

1. whether the provisions of Article 89.1 of the LOPDGDD serve as an additional legal basis under Article 6 of the GDPR or recognize a legitimate interest under Article 6.1.f of the GDPR;
2. the scope of the term "illicit act" in Article 89.1 of the LOPDGDD;
3. whether the first entity is legally authorized to provide the disputed images to the second entity under Article 89 of the LOPDGDD;
4. if the second entity can use the images to initiate disciplinary proceedings;
5. whether the first entity must provide the images if the second entity initiates disciplinary proceedings; and
6. if a co-responsibility agreement between the entities would allow the second entity to use the images for labour control purposes under Article 89.1 of the LOPDGDD.

The Catalan Data Protection Authority concludes that the first entity, as the data controller of the video surveillance system, can lawfully process the images under Article 6.1.e of the GDPR in relation to Article 22 of the LOPDGDD for security purposes. The communication of these images to the second entity can be justified under the legitimate interest ground (Article 6.1.f of the GDPR) if it is necessary to identify the perpetrator of the theft and initiate disciplinary action. However, this must be done in a manner that respects the principles of data minimization and purpose limitation. The document also suggests that a co-responsibility agreement between the entities, compliant with Article 26 of the GDPR, could allow the second entity to use the images for labour control purposes, provided all legal requirements, including prior information to employees, are met.

Authors: Cristina Grande, Counsel; María Baixauli, Junior Associate