The Personal Data Protection Agency (AZOP) published, on July 5, 2023, its decision in which it imposed corrective actions against the City of Zagreb, specifically the City Office for Reconstruction, Construction, Spatial Planning, Construction Works, Municipal Affairs, and Traffic (the City Office) for violation of the General Data Protection Regulation (GDPR) and the Act on the Implementation of the General Regulation on Data Protection (the Act), following receiving complaints from citizens and media reports.

Background to the decision

In particular, AZOP noted video surveillance system in public areas of the City of Zagreb was initially installed for the purpose of monitoring improperly stopped and parked vehicles, managing traffic, issuing orders to move improperly stopped and parked vehicles and taking measures in accordance with the authorities specified by the Road Traffic Safety Act and the Misdemeanor Act. Moreover, AZOP noted that these activities were also monitored by authorized traffic wardens within the Traffic Enforcement Department. Following complaints from citizens and media reports about the potential use of the video surveillance system installed in public areas of the City of Zagreb to identify offenses committed by individuals who improperly dispose of waste in public areas, AZOP conducted a supervisory procedure to ascertain all the circumstances regarding the processing of personal data through video surveillance.

Findings of the AZOP

During the supervisory procedure, AZOP determined that the City Office:

• keeps records of data processing activities related to the processing of personal data through video surveillance covering public areas within the City of Zagreb, contrary to the provisions of Article 30(1) of the GDPR;
• has not implemented appropriate organizational measures to ensure an adequate level of security for processing personal data through video surveillance covering public areas within the City of Zagreb, contrary to the provisions of Articles 32(1) and 32(2) of the GDPR, as well as Articles 28(1), 28(3), and 28(4) of the Act. Although responsible individuals stated that municipal enforcement officers have general access to the Operational Communication Center, primarily based on their needs and independent judgment, including the ability to access and request the exemption of video surveillance recordings for proceedings within their jurisdiction, AZOP found that the data controller did not anticipate or document an internal legal framework for managing the video surveillance system, including procedures and protocols concerning the potential disclosure and/or exemption, including the submission and receipt of requests from employees of the Department of Municipal Enforcement for accessing the recordings made by the video surveillance system in public areas; and
• has not adequately indicated that public areas are under video surveillance, in accordance with Article 13(1) of the GDPR, in conjunction with Article 27(2) of the Act.

Outcomes

Based on the findings, the City Office has been instructed to establish an appropriate internal legal framework for managing the video surveillance system within 90 days. In particular, AZOP noted that the framework should define and implement policies and procedures related to video surveillance of public areas.

In addition, AZOP instructed the City Office as the data controller, to install signs indicating that public areas are under video surveillance. AZOP highlighted that the signs should be clearly visible upon entering the surveillance perimeter of each location where cameras are installed, in accordance with Article 27(1) of the Act. AZOP also specifically ordered the City Office to align the content of all signs regarding the existence of the video surveillance system in public areas, in accordance with Article 27(2) of the Act.

You can read the decision, only available in Croatian, here.