Identification of legitimate interest

1.       What is the purpose of processing personal data?

Ammende Hotell OÜ (hereinafter also the hotel or data controller) has installed surveillance cameras to the hallways, parking lot, entrances and public areas of its premises, which may also capture customers and employees. The purpose of personal data processing is to protect the property of the hotel and ensure the security of our employees and guests. The hotel wishes to ensure that unauthorised persons (i.e., not the employees or guests of the hotel) would not enter the territory of the hotel. Also, the hotel wishes to ensure that the guests and employees follow the internal rules of the hotel.

2.       Is personal data processing necessary for achieving one or several organisational objectives?

Protecting the property of the hotel as well as ensuring the security of our employees and guests serves the interests of the hotel as an organisation. The hotel must secure a safe working environment for its personnel. The hotel must also ensure a safe place of stay for our guests to protect both them and the reputation of the hotel. It is also important for the hotel to protect its property, the destruction of which would bring about economic loss for the hotel.

3.       Does the GDPR, the e-Privacy regulation or local legislation acknowledge the said personal data processing as a legitimate activity, provided that a weighing test with a positive result has been performed beforehand?

Recital No 47 of the GDPR stipulates that the processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. In this case, personal data is processed not directly for preventing fraud, but the aim is to ensure the safety of the employees and the guests of the hotel and to protect the property of the hotel and to identify the violations of the internal rules. However, these objectives are similar to those of preventing fraud.

Necessity test

1.       Why is personal data processing essential for the data controller?

Personal data processing is essential for the data controller because ensuring the security of its guests and employees is important for the data controller.

2.       Are there any other ways for achieving this objective?

There are no other more efficient ways for avoiding or stopping the damaging of the property of the hotel or the activities endangering the employees and guests of the hotel. Video surveillance allows us to observe certain areas in real time and in the event of any infringement, intervene immediately.

Weighing test

1.       May the data subject expect the said processing of personal data?

The data subject may expect the said processing of personal data. Pursuant to recital No 47 of the GDPR, both the employees and the guests of the hotel may be regarded as persons having “a relevant and appropriate relationship” with the controller. In such a case, it may be rather considered that the data subject may expect their personal data to be processed by the controller. Additionally, the data subject may assume that they are monitored with surveillance cameras on public areas, since the use of surveillance cameras is quite common for ensuring security.

2.       Does personal data processing add additional value to the service or product consumed by the data subject?

Yes. It is both in the interests of the employees and guests of the hotel that the hotel would be a safe place where internal rules are not violated. This ensures a safe and peaceful working environment for the employees. It also helps to ensure a safe and pleasant customer experience for the guests of the hotel.

3.       Is it likely that personal data processing affects the rights of the data subject negatively?

There is a risk that the said personal data processing may negatively affect the rights of the data subject. The recordings of the camera may capture sensitive information. Data controller has ensured the presence of notification labels to inform the data subject that they are monitored with a camera in the present room. However, there is still a risk of capturing sensitive information.

4.       Is it likely that personal data processing may cause unexpected loss or inconvenience for the data subject?

As explained in the previous answer, there is a risk that the recordings may entail sensitive information. It is possible that the data subject does not notice the label which notifies about the presence of a surveillance camera. However, this is a risk that cannot be completely eliminated. The data controller has given its utmost to inform the data subject about the surveillance cameras.

5.       Could there be negative consequences for the data controller if personal data would not be processed?

If personal data would not be processed, there is a risk that the data controller could not avoid the damages to its property or risks related to the security of its employees or guests. Also, there is a risk that the data controller will not discover the violations of internal rules quickly enough, which may again pose a risk for the employees and the guests.

6.       Is the processing of personal data in the interests of the person whose data is being processed?

Yes. Secure environment is not only in the interests of the data controller but also in the interests of the employees and the guests of the hotel.

7.       Which is the nature of the processed personal data? Does the GDPR stipulate a certain specific protection for such personal data?

Information that is within the field of view of the cameras is being processed. Since it is real-time camera surveillance of persons, there is a possibility that the cameras capture sensitive information. This risk has been attempted to be mitigated by informing people on the use of surveillance cameras with informative labels before the person enters the areas monitored by the camera. Camera surveillance is only in the entrance areas, the parking lot, the hallways and other publicly used areas. Camera surveillance is not used in rest areas or other areas where the recording of sensitive information is more likely.

8.       Would data processing limit or damage the rights of individuals?

Surveillance of a person with a camera is considered a rather infringing activity in personal data processing. This is an invasion of a person’s privacy.

9.       Is personal data collected directly from the data subject or indirectly?

Personal data is collected directly from the data subject (the data controller is the person who monitors the data subject with a camera).

10.   In the interaction between the person and the organisation, is there a situation where one has more power over the other?

The data controller is a hotel, i.e., a private legal person and not a legal person governed by public law who could be in a position of power towards the data subject. There are no situations between the hotel and the customer where one has more power over the other. The hotel has a certain power position regarding its employees. There is a so-called subordination relationship between the employer and the employee.

11.   Can the personal data processing in question be regarded as too intrusive or inappropriate, considering the relationship between the data controller and the data subject?

The use of cameras in hallways, near entrances, in the parking lot and in publicly used areas for security reasons cannot be considered too intrusive or inappropriate. Using camera surveillance in the said areas helps the data controller efficiently discover and/or avoid violations.

12.   Has a notification about personal data processing been submitted to the data subject? Does the notification indicate clearly enough how personal data is being processed?

Yes, a notification about personal data processing has been submitted to the data subject. The data controller has a privacy policy which describes the process how the hotel processed the personal data of its customers and employees. The privacy policy is available on the website of the data controller. Additionally, the data controller has specific procedure video surveillance, describing the purposes for using the cameras, the duration of keeping the recordings, the procedure for the data subject to get acquainted with the recordings, etc. The video surveillance procedure is also available on the website of the data controller.

13.   Is it possible for the data subject whose data is being processed to control the personal data processing and to object it?

Yes. In its privacy policy the data controller has given the data subjects the piece of information the submission of which is required by articles 13 to 14 of the general regulation. The privacy policy lists the rights of the data subject. Additionally, the privacy policy explains how the data subject can contact the data controller to execute their rights. Additionally, the video surveillance procedure of the hotel provides a procedure for the data subject to contact the data controller to execute their rights in relation to the recordings (e.g., permission to see the recording).

14.   Is it somehow possible to reduce the extent of personal data processing, so that the processing would be somewhat less intrusive?

For the protection of the main rights and freedoms of the data subject, the data controller has implemented different measures that are described below.

Protection measures

To avoid the infringement of the main rights and freedoms of the data subject, the data controller has implemented the following measures: 1) the data subject has been informed about the terms and conditions of the video surveillance; 2) the data controller has provided respective notification labels in the premises equipped with cameras; 3) the data controller has thoroughly considered the process of answering the inquiries of the data subject, including in a situation where the data subject wishes, for example, to see the recording they are on or if the data subject applies for the deletion of the recording; 4) the data controller has determined deadlines for keeping the video recordings (the recordings are maintained for 2 weeks). After 2 weeks, the video system starts overwriting the recordings. In the event of a security incident, the recording of the incident will be kept until the incident is solved; 5) the data controller has established access restrictions – the recordings are located in a virtual server where only the CEO of the company has access with personal user ID and passwords.

Conclusion of the analysis

Considering the above, it can be concluded that the use of cameras in hallways, near entrances, in the parking lot and in publicly used areas to identify potential security risks and violations of internal rules is possible based on Article 6 (1) f)) of the general regulation. Although the use of cameras constitutes as a considerably infringing activity in personal data processing, the data controller has implemented measures which ensure the transparency of processing for the data subject and the protection of the main rights and freedoms of the data subject (see measures listed in point D).

Final conclusion of the analysis: based on legitimate interest as the legal basis for personal data processing, the data controller can use the surveillance cameras (Article 6 (1) f)) of the general regulation).

Signed by: Sven-Erik Volberg

Position: Hotel Manager

Date: 28.09.2020

Review date of the weighing decision: 26.09.2020