Audio recording requires legal basis
The Polish DPA found a violation of the provisions of GDPR by the Warsaw Centre for Intoxicated Persons. It consisted in recording and capturing sound (voice) in the surveillance system installed in the Centre. As it was proved in the administrative proceedings in this case, personal data was processed in this facility without a legal basis. As a result, the controller was fined with PLN 10 000.
The Polish DPA was informed about the practices applied by the Warsaw Centre for Intoxicated Persons in connection with its surveillance system. The Centre was accused of recording sound at the premises of the facility through the installed surveillance system without any legal basis. The DPA asked the controller to comment on the information received and to indicate the legal basis authorising it to collect personal data in the form of sound.
he controller confirmed that its system records both video and audio, and the purpose of the processing is, among other things, to exercise continuous surveillance over persons brought to sober up in order to ensure their safety. It also informed that the surveillance record covering the rooms where the audio and video signal is recorded is stored from 30 to 60 days except when the recording is secured as evidence in ongoing proceedings. As the legal basis for the data processed in this way, the controller indicated the premise that the processing of the data is necessary for compliance with a legal obligation to which the controller is subject. Moreover, the controller referred to the regulations included in the Act on Upbringing in Sobriety and Counteracting Alcoholism, executive acts to this act and the statute of the Centre.
Assessment of the lawfulness of processing
In the opinion of the Polish DPA, the legal provisions did not authorise the controller to process data in the scope of sound recordings made at the premises of the Centre. Sound recording in this case is an excessive activity which is not justified by the provisions of both the GDPR and the Act on Upbringing in Sobriety and Counteracting Alcoholism.
As the Polish DPA argues in its decision, sound recording is a power that is reserved under national law primarily for services and in specific situations.
According to the DPA, it is difficult to assume that ensuring the safety and health of intoxicated persons justifies recording the sound as part of the surveillance, since the legislator has not adopted such a solution explicitly in the law.
In its decision, the Polish DPA also pointed to the European Data Protection Board's document "Guidelines 3/19 on the processing of personal data through video devices," which states that audio-visual recording is undoubtedly a greater form of interference with privacy than video alone. Moreover, the guidelines indicate that the controller, when selecting technical solutions relating to the surveillance performed, should not choose solutions that contain functions that are not necessary. These include: unlimited movement of cameras, zoom capability, radio transmission, analysis and audio recording.
Time of processing
The explanation provided by the controller shows that data including audio was recorded from 2016 to 2021. In this case, the Polish DPA assumed that the state of violation of the provisions of GDPR lasted from May 25, 2018, so from the beginning of the application of GDPR, more than three and a half years passed until the date of disabling the audio recording. The Director of the Centre issued a precautionary order to disable the audio surveillance at the premises of this facility, effective until the case is legally and finally concluded.
Grounds for imposing an administrative fine
In the opinion of the Polish DPA, the controller cannot invoke any of the grounds listed in Article 6(1) of the GDPR, and in particular the one indicated in Article 6(1)(c), according to which the processing of data is necessary for compliance with a legal obligation to which controller is subject. Moreover, none of the regulations governing the Centre's activity allows the Centre to record this type of data (sound) as part of surveillance.
The fact that the sound is recorded for such a long period of time makes the infringement to potentially relate to a large number of persons. In the opinion of the Polish DPA, the recording of voices of people who are often in the state of alcohol intoxication which prevents them from making conscious statements or controlling the sounds they make is excessive and unintended.
When determining the amount of the administrative fine, the mitigating circumstance - the degree of cooperation with the DPA - was also taken into account. It should be noted that the controller reacted (although not immediately) to the notice of initiation of administrative proceedings and ceased (preventively - until the decision is issued) the processing of data and erased all data registered by December 6, 2021. Such action by the controller demonstrates consideration of the rights of the persons staying at the premises of the Centre.