#23 Watch out While Watching – GDPR Requirements for Video Surveillance

If you are concerned for your property because of thefts, burglary or vandalism, you have probably already resorted to the use of CCTV or at least you have considered it. From a technical perspective, the placement of video devices is becoming easier and easier with the development of technology. However, the legal risks arising from the use of CCTV do not diminish – exactly the opposite. What requirements should you comply with when using video devices? What are the restrictions on processing of personal data by video devices? What obligations does Regulation 2016/679 (GDPR) impose on you as personal data controller? The European Data Protection Board (EDPB/The Board) gives some practical guidelines, the most important of which are summarized below:

Lawfulness of Processing

If none of the legal grounds listed in Article 6 GDPR applies, the processing of personal data would not be lawful. The most commonly used legal basis in the context of video surveillance is the legitimate interest of the controller (for instance, protection against burglary). It is necessary:

  • Imminent risk or dangerous situation to exist and the controller to be able to prove its existence – for example by means of statistics of the crimes rates in the area;
  • no other means for protecting the legitimate interest to be available, except the installation of CCTV; 
  • the reasonable expectations of the data subjects to be considered – e.g., it is inconceivable CCTV to be used in restrooms, bathrooms, etc.;
  • the surveillance to be strictly limited to the area of the premises that is being protected (the area may be expanded only if this is necessary for achieving effectiveness of the surveillance).

Disclosure of Video Footage to Third Parties

Any disclosure of personal data is a separate kind of processing for which a separate legal basis must be present. Such basis may be legal obligation of the controller to disclose the data to law enforcement authorities (e.g. investigation).

Processing of Special Categories of Data

If the processing of special categories of data is necessary, then at least one of the additional grounds allowing the processing must be present (Art. 9, § 2 GDPR). If the purpose of the processing is to protect the vital interests of the subject and he or she is physically or legally incapable of giving consent, this would justify the processing of such data (Article 9 § 2 (c)). Such an example is the monitoring of a patient, who was brought to the hospital unconscious. If the surveillance began when he was unable to consent, it would not be contrary to GDPR requirements. The Board also comments on the exception in Art. 9 regarding data which is manifestly made public by the data subject. According to the Board, the mere fact of entering the range of a camera does not permit the data controller to process special categories of data on the grounds that the data subject manifestly made them public.

Rights of the Data Subject

It is important to note that data subjects enjoy all the rights provided in the GDPR – the right to information and access to the data being processed, the right to be “forgotten”, etc. However, some of the data subjects’ rights require further clarification in the context of CCTV:

Right to Access

If the controller resorts only to real-time monitoring and no data is stored, then in case of a request by a data subject it is sufficient to confirm that no personal data is being processed any longer.

The Board also draws attention to cases where the data subject could not be provided with access to the processed data relating to him:

• If the disclosure of the data would adversely affect the rights of third parties (for example, providing video footage to one data subject could adversely affect the rights and freedoms of others where other subjects can be identified. In such cases, the Board advises not to restrict the right to access to the data subject, and instead use photo processing tools that hide the identity of third parties).

• If the controller is unable to identify the subject – for example, if plenty of people pass through the monitored area;

• If the request is manifestly unfounded or excessive (due to repetitiveness, for example);

Right to Erasure (Right to be Forgotten)

The personal data collected during processing must be deleted if they are no longer needed for the purposes for which they were processed. Furthermore, the personal data must be erased:

• Upon request of the data subject. If the data was provided to third parties, the latter must also be informed of the request made;

• Depending on the legal basis for the processing, personal data should be erased:

  • when the data subject withdraws his or her consent for processing;
  • when the interests of the subject override the legitimate interest of the administrator;
  • when the data subject objects to the processing of the data for direct marketing purposes.

In addition to the obligation of the controller to erase the data upon request, the principle of minimizing the data must also be kept in mind – the data processed should be relevant and limited to what is necessary for the purposes for which it is processed.

Right to Object

The data subject has the right to object to the processing of the data (before entering, monitoring, or leaving the surveillance zone). The controller must demonstrate that his or her legitimate interest or the protected public interest outweighs the subject’s rights and interests (for example, processing is necessary for the conduct of an internal investigation).

Transparency and Information Obligations in the Context of CCTV:

Some of the most useful guidelines given by the Board are related to the way the data subjects must be informed. A good practice that meets the standards of the Regulation is the so-called layered approach for presenting the information:

First layer: A warning sign that informs in a clear and unambiguous manner about the video surveillance. There is no need to indicate the exact location of the cameras. First layer – content:

  • Identity of the controller, including representatives and contacts of Data Protection Officer, if such is appointed;
  • Purposes and legal grounds for processing;
  • Data subject rights;
  • Information on the greatest impacts of the processing;
  • Any information that could surprise the data subject.

The second layer of information includes further details regarding the CCTV. It may be presented in the form of information leaflets placed in an easily accessible and visible place.

Storage Period and Technical Requirements

The longer the storage period (especially over 72 hours), the more evidence for the necessity of storage must be provided. Usually, the storage is justified by the potential need for the data to be used as evidence. However, a period of 24 hours is usually sufficient for this purpose.

When selecting technical means of monitoring, the controller must comply with all the principles concerning the data processing laid down in the Regulation. Appropriate technical and physical protection of the components of the CCTV system must be implemented. The access to the system and the recordings must be limited only to subjects authorized by the controller.

Impact Assessment

In the last part of the Guidelines, the Board recalls that if processing is carried out through systematic monitoring of publicly accessible areas on a large scale or when special categories of data are processed, the Regulation requires that a data protection impact assessment (DPIA) be carried out. The guidеlines on DPIA and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 are available here. A summary of them can be found in other posts on our blog (here and here).