We received a complaint against a city-centre bar, alleging that it had disclosed the complainant’s personal data, contained in CCTV footage, to his employer without his knowledge or consent and that it did not have proper CCTV signage notifying the public that CCTV recording was taking place.

During our investigation, we established that a workplace social event had been hosted by an employer organisation in the bar on the night in question . The complainant was an employee of that organisation and had attended the workplace social event in the bar . An incident involving the complainant and another employee had taken place in the context of that workplace social event and there was an allegation of a serious assault having occurred . An Garda Síochána had been called to the premises on the night in question and the incident had been reported for a second time by the then manager and headwaiter to the local Garda station the following day . We established that the employer organisation had become aware of the incident and had contacted the bar to verify the reports it had received . Ultimately the bar manager had allowed an HR officer from the employer organisation to view the CCTV footage on the premises. The HR officer, upon viewing the CCTV footage, considered it a serious incident and requested a copy of the footage so that the employer organisation could address the issue with the complainant. The bar manager allowed the HR officer to take a copy of the footage on their mobile phone as the footage download facility was not working .

The Data Protection Commission (DPC) considered whether there was a legal basis, under the grounds of the ‘legitimate interests’ of the data controller or a third party under Section 2A(1)(d) of the Acts, for the bar to process the complainant’s personal data by providing the CCTV footage to the employer organisation . This provision allows for the processing that is ‘necessary for the purposes of the legitimate interests pursued by the data controller or by a third party or parties to whom the data are disclosed except where the processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject’ .

In its analysis of this case, the DPC had regard to the judgment of the CJEU in the Riga regional security police case in which the CJEU had considered the application of Article 7(f) of the Data Protection Directive (95/46/EC) on which Section 2A(1)(d) of the Acts is based, and identified three conditions that the processing must meet in order to justify the processing as follows:

1. There must be the existence of a legitimate interest justifying the processing;
2. The processing of the personal data must be necessary for the realisation of the legitimate interest; and
3. That interest must prevail over the rights and interests of the data subject .

The DPC established during its investigation that, arising from the incident in question, there was an allegation of a serious assault committed by the complainant against a colleague and the bar had provided a copy of the CCTV footage to the complainant’s employer so that the employer could properly investigate that incident and the allegations made . The DPC took into account that as the incident had occurred during the employer organi- sation’s workplace social event, the employer might have been liable for any injuries to any employee that could have occurred during the incident . Accordingly, the CCTV was processed in furtherance of the employer organisation’s obligation to protect the health and safety of its employees . As the CJEU has previously held that the protection of health is a legitimate interest, the DPC was satisfied that there was a legitimate interest justifying the processing . The DPC also considered that the disclosure of the CCTV in this instance was necessary for the legitimate interests pursued by the employer organisation so that it could investigate and validate allegations of wrongdoing against the complainant . The DPC considered, in line with the comments of Advocate General Bobek in the Riga regional security police case, that it was important that data protection is not utilised in an obstructive fashion where a limited amount of personal data is concerned . In these circumstances, the DPC considered that it would have been unreasonable to expect the bar to refuse a request by the employer organisation to view and take a copy of the CCTV footage, against a backdrop of allegations of a serious assault on its premises, especially where the personal data had been limited to the incident in question and had not otherwise been disclosed . On the question of balancing the interest of the employer organisation against the complainant’s rights and interests, the DPC had primary regard to the context of the processing, where the bar had received a request for the viewing and provision of a serious incident on its premises, which it had deemed grave enough to report to An Garda Síochána . A refusal of the request might have impeded the full investigation of an alleged serious assault, and the employer organisation’s ability to protect the health and welfare of its employees . Accordingly, the DPC considered that it was reasonable, justifiable and necessary for the bar to process the CCTV footage by providing it to the employer organisation, and that the legitimate interest of the employer organisation took precedence over the rights and freedoms of the complainant, particularly given that the processing did not involve sensitive personal data and there had not been excessive processing .

On the facts, the DPC was also satisfied that the bar currently had adequate signage alerting patrons to the use of CCTV for the purpose of protecting staff and customers and preventing crime, and that in the absence of any evidence to the contrary offered by the complainant, the complainant had been on notice of the use of CCTV at the time in question .

In many of the complaints that the DPC handles, data subjects hold the mistaken belief that because they have not consented to the processing of their personal data, it is de facto unlawful  However, there are a number of legal bases other than consent that justify processing depending on the particular circumstances . With regard to the legitimate interests justification, the DPC will rigorously interrogate whether the circumstances of the processing satisfy the elements that the CJEU has indicated must be present for controllers to rely on this legal basis . Equally, however, the DPC emphasises that where the circumstances genuinely meet the threshold required for this justification, as per the sentiment of Advocate General Bobek of the CJEU, protection of personal data should not disintegrate into obstruction of genuine legitimate interests by personal data .