Classification:
- EDPB Guidelines.
- Identification of data objects
- License plates, Identification documents and biometric data
- What to consider when setting up a video surveillance system?
- Article 15 of the GDPR
- Security measures for video surveillance systems
- Storage and retention periods of video surveillance footage
- Conclusion
Camera surveillance is almost everywhere these days. It is estimated that there are billions of surveillance cameras worldwide that can monitor you.
We are all aware of the widespread use of camera surveillance when we walk into a bank, hotel, pharmacy and other public places.
However, we often do not understand the legality of camera surveillance, the measures to be taken to protect our privacy and whether our video footage is even considered personal data under the GDPR.
EDPB Guidelines.
The European Data Protection Board (“EDPB”) has issued guidelines for processing personal data through video devices. Specifically, they concern all video equipment made available for public viewing; this includes not only security cameras but also dashcams, private cameras and cameras from cell phones.
Identification of Data Objects.
It is important to note that these guidelines cover only camera surveillance in which personal data are processed. One speaks of personal data when the data can be used to identify a natural person (i.e., a “data subject”) directly and/or indirectly. These images show, for example, the person’s face, a name tag, or other distinguishing features that make this person identifiable (e.g. unique tattoos or birthmarks).
License plates, Identification Documents and Biometric Data
In this context, personal data includes at least car license plates, identification documents and biometric data. For the latter category, it is important to note that an image or video is not, by itself, considered biometric data within the meaning of Article 9 if it has not been processed specifically to contribute to the identification of a person.
Imagery without such personal data, for example from research cameras filming wildlife only, is outside the scope of the GDPR and therefore outside the scope of these Guidelines.
What should one consider when setting up a video surveillance system?
Before setting up a camera surveillance system, it should always be assessed whether such a system is necessary at all. Indeed, both the EDPB Guidelines and the GDPR explicitly state that personal data should not be processed unnecessarily. Where possible, then, alternatives to video surveillance should be considered.
Camera surveillance can only be legal and GDPR-proof if it is based on one of the 6 legal bases for processing personal data. These bases are as follows:
- Consent
- Contract
- Legal obligation
- Protection of vital interests
- Public task
- Legitimate interests
Before CCTV cameras are installed, it is recommended that a DPIA (data protection impact assessment) be conducted by an accredited DPO.
A DPIA is essentially a risk analysis that gives a good idea about the risk of a data breach. It also helps determine effective solutions and helps ensure that images are fit for purpose.
If it turns out that a surveillance system is indeed necessary, measures should be taken to communicate about the surveillance system to those affected.
Article 15 of the GDPR: The Right to Access Personal Data – Requirements and the Following Information:
- What is the purpose of the processing?
- What are the categories of personal data processed (including recipients or categories of recipients in third countries or international organizations)?
- Who are the recipients to whom the personal data will be provided?
- How long will data be kept (retention period)?
Such a notice could convey important information to those affected in a simple and concise manner, specifically:
- That they are in an area or about to enter an area where there is video surveillance.
- Why the recording is taking place (i.e., the controller’s justification for installing a CCTV or other video system).
- The identity of the controller (or its representative) responsible for the video system.
- The rights the data subject may exercise in relation to such processing of his personal data.
- The contact details of a data protection officer or, if none is appointed, the person responsible for the recorded images, ideally the same person whom data subjects can contact to exercise their rights.
- Where data subjects can find more information about the processing of their personal data.
Security measures for video surveillance systems
There are also some organizational and technical measures that are explained in the EDPB guidelines.
Organizational measures include the following:
- Determine who is responsible for the management and operation of the video surveillance system.
- What is the purpose and scope of supervision?
- What are your transparency and disclosure obligations?
- Data retention period for video footage.
- Who has access to video recordings and for what purposes?
- Data breach procedure.
- Incident management and recovery procedures…
The technical measures include the following:
- Ensuring the physical security of all system components.
- Data encryption.
- Use of firewalls, antivirus or intrusion detection systems against cyber attacks.
- Access control.
- Storage of video surveillance images.
Storage and retention periods of video surveillance footage
The video footage should not be kept longer than is strictly necessary for the purpose to be achieved. Therefore, the footage is usually kept for a short time. In certain member states, there may be additional provisions regulating retention periods. Taking into account the principles of data minimization and storage limitation, personal data should be automatically deleted after a few days in most cases.
What if I keep them longer anyway?
If images do need to be kept longer, it is advisable to conduct a risk assessment to determine the reasons for longer data retention.
A controller must determine data retention periods for each individual purpose. The retention period should be determined in accordance with the principles of necessity and proportionality. The controller must be able to demonstrate compliance with the GDPR.
Conclusion
Failure to properly handle video surveillance footage can lead to many GDPR issues. If you want to install CCTV for your business, you can always contact one of our authorized DPOs to guide you through the process and provide you with the necessary DPIA.