Leaked photos of the Latvian Prime Minister reaffirms the necessity to ensure data safety

The photos were circulated in social media and attracted a considerable public interest. The photos appear to be originated from a closed-circuit television (CCTV) which is usually present in grocery stores. Later on it was revealed that photos were actually taken in July of this year when wearing a mask was not obligatory in Latvia.

In its public announcement, the Data State Inspectorate reminded that processing of data is allowed only if there is a legal base provided by Article 6 Paragraph 1 of the GDPR (consent, performance of a contract, compliance with a legal obligation, vital interests, exercise of public interest or official authority, or legitimate interests). In general, the CCTV is a legitimate and appropriate mean to ensure safety of controller’s premises and property as well as other persons’ safety. However, the controller shall ensure that data obtained via video surveillance are used only for legitimate purpose and unauthorized third parties have no access. Since images apparently have been illegally extracted from CCTV recordings, handed over to unauthorized third party and published without any legal basis to do so, even though the Prime Minister is a public figure, whose daily professional routines are covered by media, there is a high probability of a data protection breach and harm to privacy of a data subject.

Aforementioned case once again points out that businesses shall keep in mind that those who perform video surveillance of public spaces need to perform various measures in order to ensure compliance with the GDPR. For instance, a data protection impact assessment, implementation of appropriate technical and organizational measures and providing information about the surveillance are considered as must have essentials to even conduct the video surveillance in the first place. No controller should underestimate the necessity to ensure safety of data obtained via CCTV. Images extracted from CCTV and accessed by unauthorized third parties can infringe the rights of a person affected, as well as be used to deceive and do harm. While in many instances exposure of a breach of Covid-19 prevention rules by officials and celebrities has been done within exercising freedom of expression, in this case the photos taken out of context have been contributing to circulation of misinformation and undermining state official’s authority and reputation. Compliance with data protection laws, strict policies and traceability of data processing activities can prevent this happening.

To sum up, it can be concluded that it is better and cheaper to learn from the mistakes of others than from your own, especially in the context of privacy infringements. Therefore, we encourage all data controllers and processors to pay increased attention to and revise the data processing processes they have been and currently are using in order to prevent potential risks related to excessive data processing. Should you need any assistance regarding this or other privacy matters, our Rödl & Partner data protection task force is ready to help.