CCTV Camera Installation in Malta Apartment Block Found Unlawful Under GDPR Article 6(1)

[REDACTED]

vs

[REDACTED]

COMPLAINT

1. On the 8th May 2025, Mr REDACTED lodged a complaint with the Information and Data Protection Commissioner (the “Commissioner”) in terms of article 77(1) of the General Data Protection Regulation1 (the “Regulation”), alleging that Mr REDACTED installed three (3) cameras,2 one pointing towards the street, one pointing towards the front common entrance and one towards the back common entrance, of the block of apartments where both the controller and the complainant have property, without a lawful basis, and consequently, these cameras are leading to the unlawful processing of the personal data pertaining to the complainant.

INVESTIGATION

1. By means of a letter dated the 22nd May 2025 and pursuant to the internal investigative procedure of this Office, the Commissioner provided the controller with a copy of the complaint, including the supporting documentation, and enabled the controller to submit any information which he deemed necessary and relevant to defend himself against the allegation raised by the complainant. In terms of article 58(1)(e) of the Regulation, the Commissioner ordered the controller to submit copies of the image grabs taken from the footage of the cameras, including information in relation to the brand and model number of the cameras or system installed by the controller.

1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

2 The cameras in question are installed at [REDACTED]

1. As no response was forthcoming, by means of a letter dated the 13th August 2025, the Commissioner reiterated his request for submissions, as a final opportunity, pursuant to article 58(1)(e) of the Regulation, to provide copies of the image grabs taken from the footage of the CCTV cameras, including information in relation to the brand and model number of the CCTV cameras or system installed by the controller.
2. By means of an email dated the 29th August 2025, the controller provided the Commissioner with an email he had sent, dated the 20th June 2025, albeit to a misspelled email address, in which the controller conveyed his submissions, including the following salient arguments, for the Commissioner to consider during the legal analysis of the case:
   • a. that, the complaint is malicious and that the complainant is abusing of his position, allegedly in the public sector;
   • b. that, “[the controller] and the residents have placed these cameras for our safety and for the good of this area...”;
   • c. that, there are issues in the area with people vandalising cars, shouting and making a disturbance, and that “[r]ubbish is thrown unlawfully such as old furniture, boilers etc. People also place garbage bags which would be collected 2 days later...”;
   • d. that, the controller “...installed the cameras with the approval of the Administrator of the Block”;
   • e. that, “[n]one of the residents of the block have any objection about the cameras being installed”; and
   • f. that, “it is imperative that these Cameras remain installed for they provide us with a feeling of Safety and cleanliness”.
3. Annexed with the email in question dated the 20th June 2025, the controller also submitted photographs, as supporting documentation in relation to their submissions as per the claim of paragraph 4(c) above.
4. By means of an email dated the 9th September 2025, the Commissioner requested the controller to provide image grabs for each of the three (3) cameras and to indicate from which camera each of the image grabs were taken.
5. As the Commissioner noted in the controller’s submissions the assertion that the cameras in question were installed “with the approval of the Administrator of the Block”, and that “[n]one of the residents of the block have any objection about the cameras being installed” the

Commissioner furthermore requested, by means of an email dated the 21st November 2025, to confirm whether there is an agreement in place between the condomini in relation to the CCTV cameras installed, which capture the common parts (front and back entrances) in question, or other proof of unanimous authorisation by such condomini.

1. As no response was forthcoming, the Commissioner reiterated his request through an email dated the 3rd December 2025.
2. By means of an email dated the 21st December 2025, the Commissioner received further submissions from the controller. However the response did not include the information which was repeatedly requested from the controller, namely the image grabs and the supporting evidence to back the claim of the agreement expressed by the condomini for the installation of the CCTV cameras.
3. By means of an email dated the 6th March 2026, and for the purposes of confirming whether the complainant is an affected data subject, the Commissioner requested the complainant to provide any information the Commissioner can rely on, that they have a proprietary right over an apartment in the block in question, such as ownership.
4. By means of an email dated the 10th March 2026, the complainant provided the following information:
   • a. that “Flat [REDACTED] and Garage [REDACTED] both located at [REDACTED] [REDACTED] have been in the ownership of my in-laws Mr & Mrs [REDACTED] since 1978, then acquired by deed of sale”;
   • b. that “[i]n 2019, the said properties devolved onto my wife [REDACTED] and I, in part through inheritance and in part through exchange and buying of the undivided shares, rendering me and my wife as sole co-owners of the said properties and of the [REDACTED]”;
   • c. that “[a]s a condomino [sic] recognised by the Administrator, I am moreover a member of the Maintenance Committee of [REDACTED] whose officially-registered, in-house Administrator, Mr [REDACTED] is himself a condomino [sic] residing at flat [REDACTED] in the said Court”; and
   • d. that “[f]urthermore, as owner and condomino [sic] at [REDACTED], I have in several instances spontaneously volunteered to provide personal funds in meeting hefty Condominium payments in connection with necessary up-keep projects periodically

undertaken as evinced by the attached Condominium Account of Expenses for 2024-25 provided by the Administrator”.

LEGAL ANALYSIS AND DECISION

1. In principle, the Commissioner recognises the need for the installation of a camera to ensure the security and safety of a private property. However, appropriate and sufficient guarantees should be effectively provided to ensure that such camera is not capturing third-party properties.
2. As a preliminary step of the investigation, the Commissioner examined the subject-matter of the complaint where the complainant alleged that the processing activity conducted by the cameras, installed by the controller, are unlawfully processing his personal data, involving the monitoring of the common entrances of the block in question and a public space, from which he must necessarily pass, in order to access such building, in violation of a lawful basis pursuant to article 6(1) of the Regulation.
3. Article 1 of the Regulation, read in conjunction with recital 10 thereof, aim to ensure a high level of protection of the fundamental rights and freedoms of natural persons, in particular article 8 of the Charter of Fundamental Rights of the European Union, which stipulates that everyone has the right to the protection of personal data concerning him or her.
4. As part of the legal analysis of the case, the Commissioner preliminarily considered whether the alleged processing activity falls within the material scope of the Regulation, in terms of articles 2(1) and 4(2) thereof. As a corollary, the Commissioner gave the controller the opportunity to provide his submissions, including the request to the controller to submit copies of the image grabs taken from the footage of the cameras in terms of article 58(1)(e) of the Regulation.
5. Despite repeated attempts by the Commissioner to obtain a copy of the image grabs of the cameras in question, the controller failed to provide this information. Such failure constitutes an infringement of article 31 of the Regulation, which obliges the controller to cooperate, upon request, with the Commissioner in the performance of his investigative tasks.
6. From the submissions of the controller and the photographic evidence brought before the Commissioner, and in view of the continued failure to produce the requested image grabs, the Commissioner has sufficient grounds to determine that the cameras in question constitute devices equipped with video recording capabilities - ones which are installed and angled in

such a way so as to surveil the common entrance(s) of the block in question and a public space, from which the complainant must necessarily pass in order to access such building.

1. Surveillance by means of a video recording device which involves the registration and, or constant retention of personal data, in principle constitutes as processing of personal data according to the Regulation because the activity brings about the collection and retention of personal data of natural persons which enter the space being monitored and who are identifiable based on their appearance. In fact, the Court of Justice of the European Union (the “CJEU”) confirmed that “the image of a person recorded through a camera constitutes as personal data in the sense of the provision mentioned in the previous point to the extent that it allows the person concerned to be identified”.3
2. The CJEU in the Ryneš4 judgment held that video surveillance which “covers, even partially, a public space and is accordingly directed outwards from the private setting of the personal processing the data in that manner, it cannot be regarded as an activity which is a purely ‘personal or household’ activity” [emphasis has been added]. In the present case, it is abundantly clear that the processing activity does not fall within the household exemption in terms of article 2(2)(c) of the Regulation, and therefore, the processing of personal data should fully comply with the provisions of the Regulation and the rights and freedoms of the affected data subjects.
3. Owing to the proximity, angle and manner in which these cameras are installed – at both sides of the building in question where the common entrances are located – creates a reasonable impression, for each and every individual who access the common entrances, that their personal data is or is likely being processed. The use of these cameras would therefore be leading to the collection and retention of the data pertaining to the data subject/s in question, being the condominium and tenants, beyond the personal or household exemption of the Regulation, and thus, would constitute a processing activity in terms of article 4(2) of the Regulation.
4. The immediately foregoing includes the complainant who, by reason of his proprietary title to an apartment in the block, and being a member of the Maintenance Committee of the block in question, accesses the block in question from time to time, which renders him an affected data

3 Judgment of the 11th December 2014, Frantisek Ryneš vs Úrad pro ochranu osobních údajů, C-212/13, para. 22.

4 Case C-212/13, paragraph 33.

subject for the purposes of the Regulation should he pass through the monitored space of any of the camera(s) in operation.

1. This means that Mr ██████████ would be acting in his capacity as a controller within the meaning of article 4(7) of the Regulation. Consequently, he – and, to the extent the administrator concerned is involved in terms of executing – is ultimately responsible to demonstrate that all processing activity carried out by him is or will be in full compliance with the provisions of the Regulation.
2. Whilst the Commissioner notes from the submissions of the controller, that the reason why the controller introduced devices capable of recording personal data is because inter alia “...[the cameras] provide [them] with a feeling of Safety and cleanliness”, Mr ██████████ as a controller is obligated to ensure and demonstrate that the processing activity is in conformity with the principles and provisions of the Regulation.
3. The principle of lawful processing, which is one of the principles of data protection, states that every processing data operation needs to have a legal basis for processing. Therefore, article 6(1) of the Regulation stipulates what could constitute as a legal basis while also considering the other principles for data processing as stipulated in article 5 of the Regulation.
4. The European Data Protection Board5 (the “EDPB”) provides that every legal basis that falls under article 6(1) of the Regulation could provide a basis for the processing of personal data by means of video recording. Generally, the appropriate legal bases to install CCTV cameras for the purpose of monitoring public space and the common parts is either to obtain the consent of the affected data subjects or else to process the personal data of the affected data subjects on the basis of a compelling legitimate interest.
5. In the course of the Commissioner’s investigation, it was noted that two (2) of the cameras are angled towards the common entrances of the building in question and possibly also capturing a public space and third party properties – one focusing on the front common entrance and one focusing on the back common entrance – whilst the third camera is focusing indiscriminately outwards, onto the adjacent street. Consequently, this third camera is not only capturing third-party properties, but also a public space, indiscriminately.

5 Guidelines 3/2019 on Processing of Personal Data through Video Devices, Version 2.0, adopted on the 29th January 2020, paragraph 16.

1. The Commissioner emphasises that it remains the responsibility of the controller pursuant to the principle of accountability as set forth in article 5(2) of the Regulation to effectively demonstrate that the processing activity conducted by means of the cameras is based on a lawful basis, such as the consent of those having access to the building in question by virtue of property they have a right to, for the purposes of article 6(1)(a) of the Regulation, given that the cameras will be capturing all those residents acceding to or exiting from the building's common entrances, as well as a legitimate interest in terms of article 6(1)(f) of the Regulation, insofar as the object of one of the cameras is capturing specifically a public space.
2. In the course of the investigation and the right to a fair hearing, the Commissioner provided Mr ██████ the opportunity to demonstrate that the considerations pursuant to article 6(1)(a) of the Regulation for the cameras in question, were fulfilled, in his capacity as controller as per article 4(7) thereof. The Commissioner requested the controller to confirm whether, there is an agreement in place between the condomini in relation to the CCTV cameras installed which capture the common parts – front and back entrances – in question, or whether there is any other proof of the consensual authorisation of each of the condomini of the block as data subjects in respect of the cameras in question.
3. The controller failed however to provide to the Commissioner such supporting documentation – on the basis of which “the approval of the Administrator of the Block” was taken - nor to affirm the veracity of the claims made.6
4. Without prejudice to the foregoing, it is moreover evident that the complainant – as a data subject who has to pass through the spaces monitored by the cameras in question to accede to his property – did not give his consent, for his personal data to be processed by the controller by means of either of the cameras; whether the two (2) cameras focusing on the common entrances at Triq ██████ and whether the camera angled outwards onto the part of the street Triq ██████ which meets the intersecting street Triq ██████.
5. The Commissioner considered therefore, if the controller could be considered as having a legitimate interest, in terms of article 6(1)(f) of the Regulation, in order to conduct this processing activity. The ground of legitimate interest under article 6(1)(f) of the Regulation enables the controller to process personal data if it “is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests

6 Refer to paragraph 4(e) hereof.

are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data”.

1. Recital 47 of the Regulation, which corresponds to article 6(1)(f) of the Regulation, reiterates that “[t]he legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller”.

2. The EDPB states in its Guidelines 3/2019 that:

“Video surveillance is lawful if it is necessary in order to meet the purpose of a legitimate interest pursued by a controller or a third party, unless such interests are overridden by the data subject’s interests or fundamental rights and freedoms (Article 6 (1) (f)). Legitimate interests pursued by a controller or a third party can be legal, economic or non-material interests. *However, the controller should consider that if the data subject objects to the surveillance in accordance with Article 21 the controller **can only proceed with the video surveillance of that data subject if it is a compelling legitimate interest which overrides the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims”7 [emphases have been added].*

1. The settled case-law of the CJEU emphasises that legitimate interest needs to fulfill a three-part test, which is outlined hereunder:

“As the Court has previously held, that provision lays down three cumulative conditions so that the processing of personal data is lawful, namely, first, the pursuit of a legitimate interest by the data controller or by a third party; second, the need to process personal data for the purposes of the legitimate interests pursued; and, third, that the interests or fundamental freedoms and rights of the person concerned by the data protection do not take precedence over the legitimate interest of the controller or of a third party (judgment of 4 July 2023, Meta Platforms and

7 Guidelines 3/2019 supra (n 5), paragraph 18.

Others (General terms of use of a social network), C-252/21,

EU:C:2023:537, paragraph 106 and the case-law cited8.

1. As part of the evaluation of the existence of a legitimate interest, the controller has to be able to therefore demonstrate (i) the existence of an legitimate interest, that (ii) the processing is necessary, and that (iii) there is no less intrusive way that can be adopted by the controller to reach the intended objective and respect the rights and fundamental liberties of the complainant, particularly, the right to respect to private life and to the protection of personal data as guaranteed by articles 7 and 8 of the Charter of Fundamental Rights of the European Union.9
2. Accordingly, the Commissioner proceeded to examine the present case based on this cumulative three-part test for the purposes of determining whether the controller could be able to rely on the ground of legitimate interest under article 6(1)(f) of the Regulation as a legal basis to legitimise the processing activity, for the purposes of 6(1) of the Regulation.
3. First, the processing is conditional upon the existence of a legitimate interest of the controller or a third party. The Regulation does not define legitimate interest, and thus, it is for the controller to determine whether there is a legitimate aim that could justify an interference with the right to the protection of personal data. The Commissioner interprets “interest” to be the broader stake that a controller may have in the processing, or the benefit that the controller or third parties may derive from such processing. This interpretation is substantiated by the recitals of the Regulation, which provide some non-exhaustive examples of situations in which legitimate interest could exist – such as processing of data for the purpose of preventing fraud, processing of data for direct marketing purpose, the transmission of certain data within a group of companies and the processing of data for the purpose of ensuring network and information security. Other interests which are considered as legitimate emerge from the case-law of the CJEU, which held that transparency or the protection of the property, health and family life, are legitimate interests.10
4. Consequently, the argument for instance, that “these Cameras [should] remained [sic] installed for they provide [the controller and residents] with a feeling of Safety and cleanliness” is not a sufficient justification in terms of the forgoing.

8 C-621/22, Koninklijke Nederlandse Lawn Tennisbond vs Autoriteit Persoonsgegevens, decided on the 4th October 2024, paragraph 37.

9 Charter of Fundamental Rights of the European Union [2012] OJ C326/391.

10 C-92/09 and C-93/09, Volker and Markus Scheche and Eifert, paragraph 77 and C-212/13, Rynes, paragraph 34.

1. The EDPB has confirmed that the processing of personal data for safety and security purposes could constitute a legitimate interest, however, in the manner and extent as follows:

“Given a real and hazardous situation, the purpose to protect property against burglary, theft or vandalism can constitute a legitimate interest for video surveillance. The legitimate interest needs to be of real existence and has to be a present issue (i.e. it must not be fictional or speculative). A real-life situation of distress needs to be at hand – such as damages or serious incidents in the past -before starting the surveillance. In light of the principle of accountability, controller would be well advised to document relevant incidents (date, manner, financial loss) and related criminal charges. Those documented incidents can be a strong evidence for the existence of a legitimate interest.”11 [emphasis has been added]

1. In this respect, the Commissioner considered the applicability of this first part of the test to all three (3) of the cameras installed on the façade of the block in question, for the purposes of a legitimate interest in relation to each corresponding scope, as described in paragraph 30 hereof.
2. The Commissioner noted the submissions of the controller which were accompanied with photographic documentation, which evidence related solely to the claim that “[r]ubbish is thrown unlawfully such as old furniture, boilers etc... [and] garbage bags ...”. The Commissioner however did not receive other evidence to back the controller’s other claims, such as in relation to the vandalism on vehicles in the vicinity. The Commissioner notes that the controller neither provided any copy of a police report/s pertaining to the forgoing claims.
3. This notwithstanding, and after assessing the submissions provided by the controller, the Commissioner concluded that the controller did not produce evidence to concretely show that there is a sufficiently real and hazardous situation in the spirit of the aforementioned guidelines which would merit the surveillance by virtue of cameras as installed.
4. As the processing activity by virtue of these cameras did not fulfil the first part of the legitimate interest test, the Commissioner did not proceed to assess the rest of the three-part test, given that it must be fulfilled cumulatively in order for the controller to rely on a legitimate interest for the purposes of article 6(1)(f) of the Regulation.

11 Guidelines 3/2019 supra (n 5), paragraphs 19 and 20.

1. This leads to Commissioner to conclude that since the controller has not managed to effectively demonstrate that there is indeed a lawful basis that could be availed of by the controller to legitimise the processing by the cameras under complaint, the systematic and continuous monitoring by virtue of the cameras, angled to capture a public space – and third party properties – which leads to the processing of personal data of the complainant and any data subjects who pass through the monitored space(s) in an arbitrary and indiscriminate manner, by passing through the public street, is consequently unlawful and an infringement of the rights and freedoms of the complainant.
2. In the decisions of the Tribunal in the names of Raymond Orland vs John Caruana and Matthew Bianco vs Philip Incorvaja, on the 15th September 2022, the Tribunal confirmed the Commissioner’s decisions whereby the controllers were ordered to stop the processing activities in question given that they were processing personal data without a legal basis in terms of article 6(1) of the Regulation.

On the basis of the foregoing considerations, the Commissioner is hereby deciding that the cameras installed by the controller are unlawfully processing the personal data of the complainant, and therefore, this processing activity constitutes an infringement of article 6(1) of the Regulation.

By virtue of article 58(2)(f) of the Regulation, the controller is hereby being ordered to stop the processing operation and remove the three (3) cameras within twenty (20) days from the date of service of this decision. The controller is hereby being ordered to inform the Commissioner of the action taken immediately thereafter, supported by photographic evidence to effectively demonstrate compliance with this order. The information about the corrective action taken shall be submitted by means of an email on idpc.cctv@idpc.org.mt.

In terms of article 83(6) of the Regulation, the controller is hereby being informed that non-compliance with the contents of this legally-binding decision shall result in the appropriate corrective action, including the imposition of a proportionate and dissuasive administrative fine.

Ján Dequara

Information and Data Protection Commissioner

Decided today, the 26th day of April, 2026

Right of Appeal

The parties are hereby being informed that in terms of article 26(1) of the Data Protection Act (Cap. 586 of the Laws of Malta), any person to whom a legally binding decision of the Commissioner is addressed, shall have the right to appeal to the Information and Data Protection Appeals Tribunal within twenty (20) days from the service of the said decision as provided in article 23 thereof.

An appeal to the Information and Data Protection Appeals Tribunal shall be addressed to:

The Secretary

Information and Data Protection Appeals Tribunal

158, Merchants Street

Valletta.