The National Center for Personal Data Protection, for information and application purposes, communicates about the fine imposed by Swedish Data Protection Authority to an Homeowners Association for the breach of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, (GDPR). The Swedish Homeowners Association placed four cameras in the building (one at the entrance to the building, two in the stairwell and one in the storage area) that processed both images and sounds.
The issue in the present case was complex, but one of the factors which led the Swedish Data Protection Authority to consider that there had been a breach of GDPR was that the processing of sounds (via cameras), in addition to images, was excessive and unjustified.
The Swedish Authority specifies that, in order to go further than just capturing images, by recording sounds, it is necessary to demonstrate an objective reason that justifies further interference with data subject’s privacy, by processing personal data and by monitoring audio, not just video. This means that any Homeowners Association, in addition to video, wants to record sounds through an audio / video camera, it must ensure that there are additional reasons for this. If the pursued goals could only be achieved by capturing images, then audio recording is not justified.
The non-compliant use of the four cameras, as well as the problem of informing the targeted residents, led the Swedish Authority to conclude that a breach of the GDPR had taken place.
In conclusion, the Homeowners Association was asked not to use the cameras located in the stairwell and at the entrance to the building, while the camera in the storage area could still be used, but only on the condition of no audio recording, being fined with 2 000 EUR.