SIA Quantrum – Complaint Upheld (Latvia, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
In Latvia, the data protection authority dismissed a complaint against SIA Quantrum regarding unauthorized sharing of CCTV footage. The authority found that the company had proper procedures in place and could not be held responsible for an employee's actions. This ruling reinforces the importance of having strong data management practices.
What happened
SIA Quantrum was cleared of wrongdoing after an employee shared CCTV footage without authorization.
Who was affected
Individuals recorded by the CCTV system at SIA Quantrum's premises.
What the authority found
The authority determined that SIA Quantrum had established adequate measures to manage data access and could not be held liable for the employee's misconduct.
Why this matters
This decision underscores that companies can protect themselves from liability if they have effective data protection policies in place, even if an employee acts against those policies.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
The controller is a company which provides security services. In its premises, it uses a CCTV system which records both the video and the audio. The data subject filed a complaint with the DPA and argued that, after they were recorded by the CCTV system, the footage was sent to them by an employee of the controller on WhatsApp and Telegram. On 8 February 2023, the DPA opened an investigation. The controller argued that none of its instructions to employees include copying video material onto any kind of private devices. Therefore, in the present case, the video footage was sent to the data subject by an employee without any instruction or order by the controller. Moreover, the controller informed the DPA that the footage had been deleted and the employment relationship with the employee had been terminated. Firstly, the DPA noted that the controller has established procedures to manage access authorisations, access control, for organising video surveillance, for viewing the archive of video surveillance recordings, and for creating, issuing and storing a copy of recordings. The DPA held that these technical and organisational measures adopted by the controller comply with the requirements of Article 25(1) GDPR. Moreover, the DPA found that the controller cannot be held liable for the action of its employees who deliberately disregarded the rules set by the controller and obtain CCTV footage without the appropriate authorisation. On these grounds, the DPA did not find an infringement and dismissed the complaint. However, the DPA decided ex officio to extend the scope of the investigation with regard to the fact that the CCTV was equipped with an audio recording function. The DPA noted that this audio recording had been conducted on the basis of the [https://likumi.lv/ta/id/333567-noteikumi-par-apsardzes-darbibas-registru-apsardzes-darbibas-registraciju-un-prasibam-apsardzes-vadibas-centram Cabinet of Ministers Regulation of 21 June 2022 No. 369]. Sub-paragraph 4.24
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for SIA Quantrum in LV
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. SIA Quantrum - Latvia (2024). Retrieved from cookiefines.eu
Last updated: