News

⚠️ Inconsistencies in Data Retention Policy
📢 AEPD Issues a Warning!

📌 Facts:

📅 05/11/2022 – Client Request
🛎️ A guest at a Spanish hotel requested access to CCTV footage from the parking lot covering the period from November 2 to November 5, 2022.

📅 10/11/2022 – Hotel's Response
❌ The hotel stated that the footage was not stored, claiming that the cameras were only used for real-time monitoring.

⚖️ Contradiction: In the same message, the hotel mentioned that some footage could be provided to the courts if necessary, implying that some recordings were actually retained.


⚖️ Violations Identified:

1️⃣🔍 Violation of the Right of Access (Article 15 GDPR)

📌 The hotel did not properly respond to the client’s request.
📌 The footage should have been retained until the request was processed.

2️⃣⏳ Violation of the Right to Restriction of Processing (Article 18 GDPR)

📌 The hotel should have preserved the recordings until the request was examined.
📌 ❌ The footage was deleted prematurely, preventing the client from exercising their right of access.

3️⃣⚠️ Inconsistencies in the Retention Policy

📌 The hotel provided contradictory information about the retention period of CCTV footage:

• • • ❌ Initially, it claimed no footage was stored.
    • ⏳ Later, it mentioned a 24/48-hour retention period.
    • 🕒 Then, it referred to a 72-hour period, which was extended to 10 days after the complaint.
      
      

🔴 Sanctions and Corrective Measures:

🔔 Official warning from the AEPD.

📜 Mandatory compliance measures within 60 days:

✅ Ensure all access requests are processed before deleting data.
✅ Establish a clear and consistent process for retaining footage when an access or restriction request is made.
✅ Define a stable and sufficient retention period before automatic deletion of CCTV footage.