Sligo County Council – €29,500 Fine (Ireland, 2024)

On the 25 June 2018, the Irish DPA (Data Protection Commission - DPC) began an ex-officio investigation into the controller, a local County Council (Sligo). The controller had installed CCTV cameras at bottle banks and in housing estates stating that they were to aid the enforcement of the Irish Litter Pollution Act 1997 and to help detect anti-social behaviour. The cameras therefore constantly filmed public and private areas This video footage was then stored by the controller. The controller could not demonstrate any records of logs regarding the data processing and it was unclear for how long the data was stored. The cameras, as they were installed in public spaces filmed passers-by and individuals using nearby facilities such as a community centre. Some of the monitoring screens were in public spaces (such as the community centre) and could therefore be accessed by unauthorised persons. One CCTV footage monitor was not password protected while another had the capability to log all access to the system but staff had not been trained to use this function. The DPC found that the use of the CCTV cameras at the bottle banks could not be justified under the Litter Pollution Act 1997 nor the Waste Management Act 1996. Article 8(2) of the Law Enforcement Directive does not provide for such a broad scope of CCTV footage to be processed. Therefore, the Law Enforcement Directive only applied to some of the processing. The DPC found a total of 14 issues throughout the course of the inquiry ranging from unlawful processing to failing to conduct a Data Protection Impact Assessment. The DPC found violations of the GDPR as well as the Irish Data Protection Act 2018 which transposes the GDPR into national law. The DPC found the following violations of the GDPR showing negligence on the part of the controller: For failing to ensure the appropriate security of the CCTV monitoring screens, the controller had breached Article 5(1)(f) GDPR and Article 32(1) GDPR. The DPC hi