News
πͺπΈ CCTV Surveillance: When a Hotel Gets Tangled in Its Retention Periods!!!
β οΈ Inconsistencies in Data Retention Policy
π’ AEPD Issues a Warning!
π Facts:
π
05/11/2022 – Client Request
ποΈ A guest at a Spanish hotel requested access to CCTV footage from the parking lot covering the period from November 2 to November 5, 2022.
π
10/11/2022 – Hotel's Response
β The hotel stated that the footage was not stored, claiming that the cameras were only used for real-time monitoring.
βοΈ Contradiction: In the same message, the hotel mentioned that some footage could be provided to the courts if necessary, implying that some recordings were actually retained.
βοΈ Violations Identified:
1οΈβ£π Violation of the Right of Access (Article 15 GDPR)
π The hotel did not properly respond to the client’s request.
π The footage should have been retained until the request was processed.
2οΈβ£β³ Violation of the Right to Restriction of Processing (Article 18 GDPR)
π The hotel should have preserved the recordings until the request was examined.
π β The footage was deleted prematurely, preventing the client from exercising their right of access.
3οΈβ£β οΈ Inconsistencies in the Retention Policy
π The hotel provided contradictory information about the retention period of CCTV footage:
-
-
- β Initially, it claimed no footage was stored.
- β³ Later, it mentioned a 24/48-hour retention period.
- π Then, it referred to a 72-hour period, which was extended to 10 days after the complaint.
-
π΄ Sanctions and Corrective Measures:
π Official warning from the AEPD.
π Mandatory compliance measures within 60 days:
β
Ensure all access requests are processed before deleting data.
β
Establish a clear and consistent process for retaining footage when an access or restriction request is made.
β
Define a stable and sufficient retention period before automatic deletion of CCTV footage.