Case Studies

CCTV in Restrooms

Each year the DPC receives numerous queries and complaints from individuals about the use of CCTV in restroom areas by organisations such as public houses, nightclubs, restaurants and transport depots. More particularly, the complaints allege that the cameras are pointed at specific areas in restrooms where there is an increased expectation of privacy, such as over cubicles or urinals.

While the DPC has engaged with organisations on a one-to-one basis, the issue of the lawfulness of the processing of personal data by way of CCTV in restrooms needs to be considered more generally. Consequently, the DPC has examined these issues further and updated its Guidance on CCTVs for Data Controllers by including a specific section on ‘The use of CCTV in areas of an increased expectation of privacy’.

Key Takeaway

  • Organisations should avoid using CCTV where a reasonably high expectation of privacy exists (for example, over cubicles). The threshold for the use of CCTV in restrooms more generally remains very high. Data controllers must identify and examine all the legitimate issues arising, and must assess and implement appropriate measures that adequately protect the interests of individuals using those facilities. These measures must be evaluated prior to the deployment of any system.
  • The DPC strongly recommends that all data controllers familiarise themselves with this updated guidance.

Failure to respond to an Access Request

The DPC received a complaint concerning an individual who made an access request under Article 15 of the GDPR to a public/state hospital for a copy of all personal information held concerning them. The response from the hospital remained outstanding after more than a month, whereas information provided to the DPC indicated that, due to the health of the individual, this matter required urgent attention.

The DPC contacted the Data Protection Officer for the Hospital Group by phone and email to inform them of the urgency of the complaint, and requested they respond to the individual’s representatives promptly, providing them with a copy of the individual’s personal information as part of the engagement. The hospital followed the instructions from the DPC.

Whilst the hospital acknowledged receipt of the request within one month of its receipt, the personal data the individual was entitled to was only provided to the individual following the intervention of the DPC.

Key Takeaway

  • Organisations are required to have appropriate organisational measures in place to ensure that they are in a position to respond to any rights requests within the stipulated timeframes under the GDPR. Organisations should not await the intervention of the Regulator to respond promptly to subject access requests.