News

?? Inconsistencies in Data Retention Policy
? AEPD Issues a Warning!

? Facts:

? 05/11/2022 – Client Request
?? A guest at a Spanish hotel requested access to CCTV footage from the parking lot covering the period from November 2 to November 5, 2022.

? 10/11/2022 – Hotel's Response
? The hotel stated that the footage was not stored, claiming that the cameras were only used for real-time monitoring.
?? Contradiction: In the same message, the hotel mentioned that some footage could be provided to the courts if necessary, implying that some recordings were actually retained.

?? Violations Identified:

1?? ? Violation of the Right of Access (Article 15 GDPR)
? The hotel did not properly respond to the client’s request.
? The footage should have been retained until the request was processed.

2?? ? Violation of the Right to Restriction of Processing (Article 18 GDPR)
? The hotel should have preserved the recordings until the request was examined.
? ? The footage was deleted prematurely, preventing the client from exercising their right of access.

3?? ?? Inconsistencies in the Retention Policy
? The hotel provided contradictory information about the retention period of CCTV footage:

• ? Initially, it claimed no footage was stored.
• ? Later, it mentioned a 24/48-hour retention period.
• ? Then, it referred to a 72-hour period, which was extended to 10 days after the complaint.

? Sanctions and Corrective Measures:

? Official warning from the AEPD.
? Mandatory compliance measures within 60 days:
? Ensure all access requests are processed before deleting data.
? Establish a clear and consistent process for retaining footage when an access or restriction request is made.
? Define a stable and sufficient retention period before automatic deletion of CCTV footage.