Simtan Kaubandus OÜ – Violation Found (Estonia, 2024)

The DPA received a notification that Simtan Kaubandus OÜ, a retail company (the controller) used on-site security cameras on its territory with the purpose of monitoring its employees in real-time. The DPA decided to launch an investigation into the use of cameras in order to find out the the legal basis on which and the purposes for which the controller used the security cameras, and to verify compliance with Article 13 GDPR. The controller notified the DPA that the legal basis used for the security cameras is Article 6(1)(f) GDPR, i.e. legitimate interest (fraud or abuse of services). However, the controller did not submit to the DPA a legitimate interest analysis demonstrating that 1) the processing of personal data by means of security cameras is actually necessary for the purposes of the legitimate interest pursued by the controller, and 2) the legitimate interests of the controller outweigh the interests or fundamental rights or freedoms of the data subject. In addition, the controller provided the DPA with photos of the information labels only showing the camera symbol and the text video surveillance'. To begin with, the DPA noted that it is forbidden to monitor employees with cameras throughout working hours. Cameras must be directed only at specific security risks to ensure appropriate security of personal data processing under Article 5(1)(f) GDPR. The DPA was of the opinion that in order to rely on Article 6(1)(f) GDPR, i.e. the legitimate interest, there shall be legitimate interest analysis conducted. More specifically, the controller is obliged to compare its own legitimate interests with the interests and fundamental rights of the data subject to see whether Article 6(1)(f) GDPR can be invoked as a legal basis for the processing. Moreover, the DPA highlighted that the data processing must be transparent. The principle of transparency of the GDPR requires that all information and messages related to the processing of personal data must be eas