AGRUPACION DE LOS CUERPOS DE LA ADMINISTRACION DE INSTITUCIONES PENITENCIARIAS – Complaint Upheld (Spain, 2023)

On 14, 19 and 21 September 2021, three penitentiary associations lodged a complaint against the Secretaría General de Instituciones Penitenciarias (the General Secretariat of Penitentiary Institutions of Spain - SGIP) due to leaked images captured by the video surveillance system of the penitentiary center of Villena (Alicante). In these images the aggression of some officials against a prisoner can be seen. The images only motivated an internal investigation to determine possible disciplinary responsibilities. The Spanish DPA considered that the General Secretariat of Penitentiary Institutions of Spain did not have the appropriate measures in place to ensure a level of security appropriate to the risk, violating Article 32 GDPR. Who leaked the file could not be ascertained as there were no accredited records of users who may have accessed the system. Any inspctor was able to access the recorded images, regardless of whether or not they were authorized to do so. The Spanish DPA reprimanded the General Secretariat of Penitentiary Institutions of Spain for the leak of images captured by the video surveillance system of the penitentiary center of Villena (Alicante) and for violating Article 32 GDPR. The General Secretariat must within a period of 6 months, affirm that it has adopted the necessary measures to ensure records of access to personal data, and also grant profiles to civil servants so that each one can only access the information that is necessary for the performance of their duties.