Verisure – Violation Found (Sweden, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Swedish DPA started an investigation following a tip to local media stating that employees of the security company Verisure, the controller, unlawfully shared footage from cameras in private individuals' homes between themselves. The controller started an internal investigation and found no indication of improper sharing of personal customer information as described by the tip. Moreover, it considered that there was no evidence suggesting ongoing or current violations of the international regulations. More specifically, the image material was available to authorised personnel in the company's system for a specific amount of time, and was subsequently archived for a certain period of time, to be able to share images with law enforcement authorities. The controller specified that the footage is stored for exactly the time needed to comply with the purposes of the processing. Additionally, all image views require logging in with specific credentials, making it impossible to export them outside of the controller's system. First, as to the type of login information, the DPA found that there was no issue with the technical measures in place in the controller's systems. Second, the DPA highlighted the gravity of processing data subjects' pictures for amusement purposes and its noncompliance with Article 6 GDPR. However, nothing emerged to indicate that the alleged unlawful handling of image material had taken place. The DPA further ascertained the existence of appropriate measures as per Article 32(1) GDPR. Since the controller processes personal data of a large number of data subjects, and since such processing happens in the context of an alarm management service, the data processed is of a very privacy-sensitive nature. Moreover, data subjects expect a high degree of confidentiality and protection against unlawful or unauthorised processing. These elements indicate that the controller shall implement measures that counter this high risk to the right
GDPR Articles Cited
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for Verisure in SE
This is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. Verisure - Sweden (2024). Retrieved from cookiefines.eu