Cyprus Hairdressers and Barbers Registration Council – Complaint Upheld (Cyprus, 2023)

The Cyprus Hairdressers and Barbers Registration Board (controller) installed a closed circuit video surveillance system in its entire office, which recorded office employees, as well as various people entering the office on a daily basis. The controller stated that these cameras were installed for the purpose of financial control and transparency. A data subject complained on this matter to the Cyprus Commissioner. They stated among other things that the controller did not have signs to inform about the surveillance. In its defence, the controller argued that it had warning signs in place in the past (which were removed for renovation work) and that it obtained data subject's consent to use surveillance cameras. On the basis of the information presented by the controller, the Cyprus Commissioner considered that the legal basis should be consent, under Article 6(1)(a) GDPR. However, according to the EDPB Guidelines 5/2020 on consent, taking into account the existence of an imbalance of power between the controller and the employees, the Commissioner found that it was unlikely that employees were able to freely consent to the CCTV facility without fear of possible consequences of their refusal (see also Recitals 32 and 42 of the GDPR). The Commissioner therefore held that, the operation of CCTV cameras failed to comply with the principles of the GDPR, in particular that of lawfulness, by violating the provisions of Articles 6 and 5(1)(a) GDPR.