Video Surveillance and the GDPR
Video surveillance footage often contains images of people. As this information can be used to identify these people either directly or indirectly, it qualifies as personal data. Both companies and end users should be aware of the value of their data and of the necessity to protect them.
In the context of today’s intensive use of cameras, which includes not just CCTV, but also dashcams, private security cameras and mobile phone cameras, video surveillance has become a commonplace and people have grown accustomed to being constantly under surveillance. However, as such video devices collect data and their functionality may deviate from the initial purpose of its controller, data protection principles must be taken into consideration.
Although there is a thin line between maintaining anonymity and keeping pace with the growing use of video devices, decisions on how such devices must be used have to be made on a case-by-case basis, keeping in mind the following guiding rules:
Before using/installing a camera, the purpose must be specified in detail so that the legitimate interest is met by the controller. These fundamental rights or interests of the controller must be real and current and reassessed periodically.
Whenever processing personal data through video devices, it should be adequate, relevant and limited only to what is necessary. To fall under these essential features, one must always consider if installing video surveillance is the only viable possibility, whether it is necessary to protect one’s legitimate interest or if there are alternative protection measures.
Video surveillance systems should be used only if there is a balance between the interests of the operator and the interests of the data subject. In each case, one must identify to what extent the interests of individuals can be affected and if negative consequences may arise.
Video monitoring may determine processing biometric data only if it has been technically processed to identify individuals. If the case, an explicit consent is required from all data subjects.
Right of Information
According to data protection principles, the rights of the data subject must always be taken into account when using video monitoring. Thus, a data subject has always the right to either obtain confirmation as to whether or not their personal data are being processed (when the video surveillance is not stored) or to receive access to information (if the data is stored or processed in any other way). The data subject is also entitled to request a controller to erase the concerned data, in which case the controller is bound to act consistently with no delay.
Taking into account the effects of video technologies on individuals, transparency must always be ensured by controllers within two layers of information.
- The first layer is the most crucial as this is how the controller first engages with the data subject, thus warning signs must be displayed with an icon to give easily understood information of the processing taking place. The first layer must identify controllers, the purposes of the processing and data subjects’ rights.
- The second layer requires that data subjects are also able to access any information regarding the video surveillance and the processing of data in hard copy and in the general vicinity of the area under surveillance. Digital sources are also permitted and must be mentioned in the first layer along with the QR code.
Controllers must take into account that data cannot be stored longer than their purpose and must also be adequately secured.
Analyzing both the privacy issues that may arise when setting up video surveillance and the practical use of such devices for certain security purposes, both the controller and the data subject must be aware that data protection implications are massive when using such technologies.