OÜ Laidoneri KV – Violation Found (Estonia, 2022)

Violation Found
Andmekaitse Inspektsioon | 6 December 2022 | Estonia
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Estonia's data protection authority found that a hotel used CCTV cameras to monitor employees without a proper legal basis. The hotel claimed it had consent through signs, but the signs lacked necessary information. This case highlights the need for clear communication about surveillance practices.

What happened

OÜ Laidoneri KV used CCTV cameras to monitor hotel employees without a valid legal basis.

Who was affected

Hotel employees who were monitored by the CCTV cameras.

What the authority found

The Estonian DPA ruled that the hotel lacked a valid legal basis for using CCTV cameras, as the consent signs were inadequate.

Why this matters

This decision emphasizes the importance of providing clear and complete information when using surveillance systems. Businesses should ensure their surveillance practices comply with privacy laws and clearly communicate their purpose to employees.

GDPR Articles Cited

Art. 5 GDPR
Art. 6(1) GDPR

Full Legal Summary

A hotel company, OÜ Laidoneri KV (the controller), installed CCTV cameras visible in three external corners of its Park Hotel Viljandi, in the public spaces on the ground floor, and in the kitchen and the basement floor. The cameras monitored the employees of the hotel (data subjects). On its own initiative, the Estonian DPA started an investigation to find out on what legal basis and for what purpose the CCTV cameras were used. During the proceedings, the controller explained that it relied on consent as a legal basis, obtained through information signs installed on the walls of the building notifying data subjects that surveillance cameras were active.

First, the DPA recalled that according to Article 5(1)(a) GDPR, personal data processing must have a valid legal basis under Article 6(1) GDPR. As a general rule, the processing of personal data in an employment relationship can be lawful if it is related to the performance of a contractual obligation or a legal duty owed to the employer, or if it is in the legitimate interest of the employer or a third party. In the present case, the DPA stated that the fulfilment of contractual obligations can only be invoked for processing operations which are actually necessary for the employer to perform the employment contract, which the use of cameras certainly was not.

The DPA also rejected the controller's argument that the processing of personal data could be based on Article 6(1)(a) GDPR. The investigation revealed that the signs informing about the use of CCTV cameras were not suitable: they lacked necessary information about the aim of the video surveillance, no legal basis was mentioned, and no information was provided about the controller. Therefore, the only possible legal basis would be legitimate interest under Article 6(1)(f) GDPR. However, in order to invoke this legal basis, an assessment must be carried out, showing that the interest of the controller outweighs the interests, fund

Outcome

Violation Found

The DPA found a violation but did not impose a fine.

Related Enforcement Actions (0)

No other enforcement actions found for OÜ Laidoneri KV in EE

This is the only recorded action for this entity in this jurisdiction.

Details

Decision Date

6 December 2022

Authority

Andmekaitse Inspektsioon

GDPRhub ID

gdprhub-5562

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. OÜ Laidoneri KV - Estonia (2022). Retrieved from cookiefines.eu
