Right to secrecy

The Austrian Data Protection Authority (DPA) ruled on a complaint by a user of a parking garage in a shopping centre regarding the alleged violation of his “right to secrecy” under section 1 para 1 Austrian Data Protection Act. The operator of the garage used an automated license plate recognition system: license plates were photographed on entering the garage and then again when leaving the garage in order to monitor usage and charge for the parking time. The DPA’s ruling gives some guideline on the prerequisites for operating a compliant system:

• The camera only captures the area of the license plate (i.e. does not shoot pictures through the windshield).
• All data are only stored for the time necessary (i.e. generally deleted after one day).
• All data are exclusively used by the processor to fulfil the contract with the customer.

In this case, the system (also) served as theft prevention by checking the actual license plate with the plate number registered with a specific ticket. The operator successfully argued that the data in question are processed on the basis of the operator’s legitimate interest under Article 6 No. 1. (f) GDPR which can also serve as legal basis for data processing under section 1 para 2 Austrian Data Protection Act. The DPA argued, that even though possible alternatives to this system would be less invasive with respect to the users right to secrecy, such alternatives would be more costly and less efficient. The DPA concluded that the legitimate interests of the operator/processor therefore outweighed the data subject’s right to secrecy.

DPA's case file: DSB-D123.652/0001-DSB/2019