Ministry – Violation Found (Luxembourg, 2024)

In October 2022 the DPA opened an inquiry into the video surveillance measures implemented by a secondary school (the controller). Following two on-site inspections and an exchange of information with the controller, the DPA found the following facts: * video surveillance cameras operated 24/7 and stored footage for 57 days (the controller clarified that 57 days was the longest possible time the direction could take leave for the summer holidays); * 6 members of the technical staff had access to real-time footage through a shared account; * only the principal and deputy principal had access to recorded footage. Each of them accessed footage through an individual account; * the system did not log access to either real time footage or recordings; * three posters at the entrance of the school, informed the data subjects (i.e.: the people whose footage were capture) about the use of CCTV surveillance. During the procedure, the controller stated that the legal basis for the processing of personal data, was its interest in preventing theft and vandalism. However, the DPA found that the controller did not assess the balancing of this interest with the rights and freedoms of the data subjects (i.e.: the people whose footage was captured). First, the DPA held that the school was the controller for the processing of personal data via CCTV cameras. It did not matter that the school did not have legal personality under Luxembourgish law. In this regard, the DPA pointed out that the school could determine the purposes and means of the processing, and could freely choose its processor for installing and operating the CCTV system. Second, the DPA observed that the controller relied on the legal basis of legitimate interest, without balancing its interest against the data subject’s. For this reason, the controller violated its accountability obligations. Third, the DPA held that the controller violated its transparency obligation. The information posters at the entrance of the sc