SIA Quantrum – Complaint Upheld (Latvia, 2024)

The controller is a company which provides security services. In its premises, it uses a CCTV system which records both the video and the audio. The data subject filed a complaint with the DPA and argued that, after they were recorded by the CCTV system, the footage was sent to them by an employee of the controller on WhatsApp and Telegram. On 8 February 2023, the DPA opened an investigation. The controller argued that none of its instructions to employees include copying video material onto any kind of private devices. Therefore, in the present case, the video footage was sent to the data subject by an employee without any instruction or order by the controller. Moreover, the controller informed the DPA that the footage had been deleted and the employment relationship with the employee had been terminated. Firstly, the DPA noted that the controller has established procedures to manage access authorisations, access control, for organising video surveillance, for viewing the archive of video surveillance recordings, and for creating, issuing and storing a copy of recordings. The DPA held that these technical and organisational measures adopted by the controller comply with the requirements of Article 25(1) GDPR. Moreover, the DPA found that the controller cannot be held liable for the action of its employees who deliberately disregarded the rules set by the controller and obtain CCTV footage without the appropriate authorisation. On these grounds, the DPA did not find an infringement and dismissed the complaint. However, the DPA decided ex officio to extend the scope of the investigation with regard to the fact that the CCTV was equipped with an audio recording function. The DPA noted that this audio recording had been conducted on the basis of the [https://likumi.lv/ta/id/333567-noteikumi-par-apsardzes-darbibas-registru-apsardzes-darbibas-registraciju-un-prasibam-apsardzes-vadibas-centram Cabinet of Ministers Regulation of 21 June 2022 No. 369]. Sub-paragraph 4.24