#23 Watch out While Watching – GDPR Requirements for Video Surveillance

If you are concerned for your property because of theft, burglary or vandalism, you have probably already resorted to the use of CCTV, or at least considered it. From a technical perspective, installing video devices is becoming easier and easier as the technology develops. However, the legal risks arising from the use of CCTV do not diminish – exactly the opposite. What requirements should you comply with when using video devices? What are the restrictions on the processing of personal data by video devices? What obligations does Regulation 2016/679 (GDPR) impose on you as a personal data controller? The European Data Protection Board (EDPB/the Board) gives some practical guidelines, the most important of which are summarized below:

Lawfulness of Processing

If none of the legal grounds listed in Article 6 GDPR applies, the processing of personal data is not lawful. The most commonly used legal basis in the context of video surveillance is the legitimate interest of the controller (for instance, protection against burglary). For that basis to apply, it is necessary that:

  • an imminent risk or dangerous situation exists and the controller is able to prove its existence – for example by means of statistics on crime rates in the area;
  • no other means of protecting the legitimate interest is available, except the installation of CCTV;
  • the reasonable expectations of the data subjects are considered – e.g., it is inconceivable for CCTV to be used in restrooms, bathrooms, etc.;
  • the surveillance is strictly limited to the area of the premises that is being protected (the area may be expanded only if this is necessary for the surveillance to be effective).

Disclosure of Video Footage to Third Parties

Any disclosure of personal data is a separate kind of processing for which a separate legal basis must be present. Such a basis may be a legal obligation of the controller to disclose the data to law enforcement authorities (e.g. for an investigation).

Processing of Special Categories of Data

If the processing of special categories of data is necessary, then at least one of the additional grounds allowing such processing must be present (Art. 9, § 2 GDPR). If the purpose of the processing is to protect the vital interests of the data subject and he or she is physically or legally incapable of giving consent, this justifies the processing of such data (Article 9 § 2 (c)). An example is the monitoring of a patient who was brought to the hospital unconscious: if the surveillance began while the patient was unable to consent, it would not be contrary to the GDPR requirements. The Board also comments on the exception in Art. 9 regarding data which is manifestly made public by the data subject. According to the Board, the mere fact of entering the range of a camera does not permit the data controller to process special categories of data on the grounds that the data subject manifestly made them public.

Rights of the Data Subject

It is important to note that data subjects enjoy all the rights provided in the GDPR – the right to information and access to the data being processed, the right to be “forgotten”, etc. However, some of the data subjects’ rights require further clarification in the context of CCTV:

Right to Access

If the controller resorts only to real-time monitoring and no data is stored, then in the case of a request by a data subject it is sufficient to confirm that no personal data is being processed any longer.

The Board also draws attention to cases where the data subject cannot be provided with access to the processed data relating to him or her:

• If the disclosure of the data would adversely affect the rights of third parties – for example, providing video footage to one data subject could adversely affect the rights and freedoms of others where those other subjects can be identified. In such cases, the Board advises not to restrict the data subject's right of access, but instead to use image processing tools that hide the identity of third parties;

• If the controller is unable to identify the subject – for example, if many people pass through the monitored area;

• If the request is manifestly unfounded or excessive (due to repetitiveness, for example).

Right to Erasure (Right to be Forgotten)

The personal data collected during processing must be deleted if they are no longer needed for the purposes for which they were processed. Furthermore, the personal data must be erased:

• Upon request of the data subject. If the data was provided to third parties, the latter must also be informed of the request made;

• Depending on the legal basis for the processing, personal data should also be erased:

  • when the data subject withdraws his or her consent to the processing;
  • when the interests of the data subject override the legitimate interest of the controller;
  • when the data subject objects to the processing of the data for direct marketing purposes.

In addition to the controller's obligation to erase the data upon request, the principle of data minimisation must also be kept in mind – the data processed should be relevant and limited to what is necessary for the purposes for which it is processed.

Right to Object

The data subject has the right to object to the processing of the data (before entering, while inside, or after leaving the surveillance zone). The controller must then demonstrate that his or her legitimate interest or the protected public interest outweighs the subject's rights and interests (for example, that the processing is necessary for the conduct of an internal investigation).

Transparency and Information Obligations in the Context of CCTV:

Some of the most useful guidelines given by the Board relate to the way in which data subjects must be informed. A good practice that meets the standards of the Regulation is the so-called layered approach to presenting the information:

1. First layer:

• A warning sign that informs in a clear and unambiguous manner about the video surveillance. There is no need to indicate the exact location of the cameras.

2. First layer – content:

• Purposes of the processing;

• Identity of the controller;

• Contact details of the data protection officer (where applicable);

• Legal basis of the processing.

The second layer of information includes further details regarding the CCTV. It may be presented in the form of information leaflets placed in an easily accessible and visible place.

Storage Period and Technical Requirements

The longer the storage period (especially over 72 hours), the more evidence of the necessity of storage must be provided. Usually, storage is justified by the potential need to use the data as evidence. However, a period of 24 hours is usually sufficient for this purpose.

When selecting the technical means of monitoring, the controller must comply with all the data processing principles laid down in the Regulation. Appropriate technical and physical protection of the components of the CCTV system must be implemented. Access to the system and to the recordings must be limited to persons authorized by the controller.

Impact Assessment

In the last part of the Guidelines, the Board recalls that if processing is carried out through systematic monitoring of publicly accessible areas on a large scale, or when special categories of data are processed, the Regulation requires that a data protection impact assessment (DPIA) be carried out. The guidelines on DPIA and on determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679 are available here. A summary of them can be found in other posts on our blog (here and here).

#14 The Bulgarian Commission for Personal Data Protection adopted a list of the processing activities for which a data protection impact assessment under the GDPR is mandatory

Further to publication #12 Data Protection Impact Assessment from our Blog, we inform you that the Commission for Personal Data Protection has published a list of the types of processing operations for which a data protection impact assessment (DPIA) is required. The list was published on 13.02.2019 on the Commission's website.

Pursuant to the above-mentioned list, data controllers whose main or single establishment is on the territory of the Republic of Bulgaria are required to conduct a compulsory DPIA in each of the following cases:
• Large scale processing of biometric data for the purposes of the unique identification of a natural person, which is not occasional;
• Processing of genetic data for profiling purposes which produces legal effects for the data subject or similarly significantly affects them;
• Processing of location data for profiling purposes which produces legal effects for the data subject or similarly significantly affects them;
• Processing operations for which the provision of information to the data subject pursuant to Art. 14 of GDPR is impossible or would involve disproportionate effort or is likely to render impossible or seriously impair the achievement of the objectives of that processing, when this is related to large scale processing;
• Personal data processing by a controller whose main place of establishment is outside the EU, when its designated representative for the EU is located on the territory of the Republic of Bulgaria;
• Regular and systematic processing for which the provision of information pursuant to Art. 19 of GDPR by the controller to the data subject is impossible or involves disproportionate efforts;
• Processing of personal data of children in relation to the offer of information society services directly to a child;
• Migration of data from existing to new technologies when this is related to large scale data processing.

The current list – adopted on the basis of Art. 35 Para 4 of the GDPR – is non-exhaustive and can be updated if necessary. We will inform you accordingly of any such updates.

#12 Data protection impact assessment – a key part of GDPR compliance

Further to our series of publications regarding the changes introduced by the GDPR, in this publication we introduce you to one of the new concepts set out in the GDPR, namely the data protection impact assessment (DPIA).

What is DPIA?

Data controllers are responsible for introducing appropriate safeguards to ensure compliance with the GDPR, taking into account "the risks of varying likelihood and severity for the rights and freedoms of natural persons". In this sense, their role is not limited solely to controlling and defining the purposes and means of personal data processing, but also includes the obligation to manage the risks that could arise as a result of that activity.

The main objective of the DPIA is to describe all processing operations, to assess their necessity and proportionality, and to contribute to the adequate and appropriate management of the risks to the rights and freedoms of natural persons arising from the processing of their personal data.

What form does a DPIA take and what does it contain?

Article 35, Para. 7 of the GDPR sets out the minimum content of a DPIA, namely:

  • a systematic description of the envisaged processing operations and the purposes of the processing;
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • an assessment of the risks to the rights and freedoms of data subjects;
  • the measures envisaged to address the risks and to demonstrate compliance with the Regulation.

The assessment of the risks to the rights and freedoms arising from the processing is one of the main components of the DPIA. Some of the risk assessment guidelines and principles set out in the GDPR partially overlap with already existing, internationally recognised risk management standards such as ISO 31000:2009. Examples in this regard are:

  • establishing the context: “taking into account the nature, scope, context and purposes of the processing and the sources of the risk”;
  • assessing the risks: “assess the particular likelihood and severity of the high risk”;
  • treating the risks: “mitigating that risk” and “ensuring the protection of personal data”, and “demonstrating compliance with this Regulation”.

DPIA – when should it be carried out?

It is important to note that carrying out a DPIA is only mandatory where processing is "likely to result in a high risk to the rights and freedoms of natural persons". In this sense, the processing considered most dangerous is the processing of data of a very personal nature by technical means without human intervention (e.g. algorithms / software), including:

  • Systematic and detailed assessment of personal aspects relating to health, workplace performance, personal preferences, location or economic status of individuals, which is based on automated processing, including profiling, for creating or using personal profiles;
  • Large-scale processing of special categories of data (e.g. data on racial or ethnic origin, political views, sex life, etc.) or of personal data on convictions and offences (Article 9, Para. 1 and Article 10 GDPR);
  • Systematic monitoring of a publicly accessible area on a large scale; etc.

In any case, the DPIA should be carried out before the processing (Article 35, Para. 1 and 10, Rec. 90 and 93). The Article 29 Working Party recommends that an assessment be carried out even when there is doubt as to whether one is needed, as "DPIA is a useful tool to help controllers comply with data protection law" [1] and with the principle of accountability (for more information see publication #8 ACCOUNTABILITY AS A NEW PRINCIPLE OF GDPR).

Which data processing activities are considered high risk?

In the Guidelines of the Article 29 Working Party there are nine criteria by which the controller can identify operations that may result in a high risk to the rights and freedoms of natural persons:

1) Existence of evaluation or scoring, including profiling and prediction – examples in this respect are financial institutions checking their clients, in connection with granting credit, against databases for fighting money laundering or terrorist financing; genetic testing for prediction of disease risks; companies that create behavioural or marketing profiles based on the use of a website; etc.

2) Existence of automated decision making with legal or similarly significant effect – automated decision making is the making of decisions by technological means without any human involvement. An example is when the decision on credit approval is made by a person on the basis of a profile designed entirely by automated means, or when the decision on the approval of the loan is made by means of an algorithm and the person is automatically notified of the decision without a meaningful assessment first being made by a human.

3) Existence of processing used for different types of surveillance or control of data subjects – including monitoring through which personal data is processed where data subjects do not realize who collects their data and how it will be used, e.g. video surveillance in a public area;

4) Existence of processing of special categories of data – public hospitals that store patients' medical records should carry out a DPIA because they operate with sensitive data, notably the health of natural persons;

5) Existence of large-scale processing of personal data – determining the scale is a separate process that involves careful consideration of factors such as: the number of data subjects involved, the volume of data or the scope of the different types of data, the duration or continuity, and the geographical scope of the processing activity;

6) Datasets that have been matched or combined, resulting from two or more processing operations performed for different purposes and/or by different controllers in a way that goes beyond the reasonable expectations of the subject – in such cases, the nature of the contractual arrangements, and in particular the balance of power between the data subject and the controller, should be examined, for example to what extent the data subject is free to terminate the contract and seek alternative service providers;

7) Processing of data concerning vulnerable data subjects, including any case where an imbalance between the position of the data subject and the controller can be identified – examples in this respect are children, persons undergoing treatment, mentally ill persons, asylum seekers, patients, elderly people, etc.;

8) Existence of innovative use or application of technological or organisational solutions – a good example in this regard is the use of fingerprints and face recognition to improve access control;

9) Preventing data subjects from exercising a right or using a service or contract – here again is the example of a bank screening a client against a credit reference database: in this case, the processing of the subject's personal data may lead to them being deprived of the possibility of taking out a loan.

As a rule of thumb, a processing operation meeting fewer than two of the aforementioned criteria may not require a DPIA, due to the lower level of risk. Conversely, the more criteria a processing operation meets, the higher the likelihood of a high risk to the rights and freedoms of natural persons.

In addition, the GDPR imposes an obligation on the supervisory authority to establish and publish a list of the processing operations that require a DPIA. Moreover, the supervisory authority may establish and publish a list of the processing operations for which a DPIA is not mandatory. Currently, the Commission for Personal Data Protection (CPDP) has not yet made such lists public.

What follows after the carrying out of DPIA?

A DPIA does not consist of a single action, but of an entire process of achieving and demonstrating compliance.

However, once carried out, a DPIA can be applied to the assessment of numerous processing operations that are similar in terms of the risks presented, taking into account the nature, scope, context and purposes in light of the concrete case. When the processing operation involves joint controllers, they need to define their respective obligations precisely and clearly. Their DPIA should set out which party is responsible for the various measures designed to treat the risks and to protect the rights of the data subjects.

If the data controller considers a DPIA not to be mandatory, he is obliged to document in detail the reasons for not carrying one out.

Carrying out the DPIA may be outsourced to an external person.

If the processing is wholly or partly performed by a data processor, the processor should assist the controller in carrying out the DPIA and provide any necessary information. The roles and responsibilities of the processors must be defined precisely in a separate contract/agreement. Such obligations are usually imposed on the processor in the data processing agreement between the controller and the processor.

The controller will also have to consult the supervisory authority whenever Member State law requires such action.

In the light of the above, it remains intriguing what measures would be provided in the new amendments of the Personal Data Protection Act.

In conclusion, it should be emphasized that carrying out a DPIA is a key part of complying with the GDPR in cases of high-risk processing. This means that data controllers should be able to determine whether a DPIA has to be carried out or not. Of course, the controller's internal policy may extend the list of data processing activities for which a DPIA will be carried out even beyond the requirements of the GDPR. Such an approach would certainly result in building greater trust and confidence of data subjects in the controller and in providing additional safeguards for the lawful and adequate processing of personal data within the company.

[1] Article 29 Data Protection Working Party: Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679 (WP 248 rev. 01), available here.