Video surveillance can nowadays be found almost everywhere, and its widespread usage is known to all. However, there is a lack of understanding of the lawfulness of video surveillance and of the measures that can be taken to protect our privacy. Video-surveillance footage often contains images of people. As this information can be used to identify these people either directly or indirectly (i.e. combined with other pieces of information), it qualifies as personal data (also known as personal information). Any form of surveillance is an intrusion on the fundamental rights to the protection of personal data and to privacy.
Acknowledging this reality, the European Data Protection Board (‘EDPB’) has made available for public consultation its Guidelines on the processing of personal data through video devices (‘the Guidelines’), which cover not just CCTV, but also dashcams, private security cameras and mobile phone cameras. These Guidelines shed light on how video surveillance may be used and under what parameters, especially considering the new GDPR paradigm.
It is important to note that these Guidelines only concern video surveillance where personal data are being processed. Therefore, the surveillance must include information that relates to an identified or identifiable natural person (i.e., a ‘data subject’), such as footage of a person’s face, name tag, or other distinguishing characteristics that render them identifiable (e.g., unique tattoos or birthmarks). Personal data, in any context but especially in this one, would also include car license plates, identification documents and, most notably, biometric data. Footage lacking any such personal data (e.g., research cameras that solely monitor wildlife, the night sky or microscopic organisms) would fall outside the scope of the GDPR and, consequently, of these Guidelines.
Before setting up any kind of video surveillance system there should always be an assessment of whether such a system is needed in the first place. The Guidelines suggest considering alternatives wherever possible, depending on the purpose in question.
For video surveillance to be legal, it needs to be based on one of the six lawful bases for processing personal data (consent, contract, legal obligation, protection of vital interests, public task, or legitimate interests). Before CCTV cameras are set up, a DPIA (data protection impact assessment) must be completed. A DPIA will help determine effective solutions and help ensure that the footage is adequate for its intended purpose.
If a surveillance system is indeed necessary, then measures need to be taken to inform the data subjects about the surveillance system. Such a notice would relay important information to the data subjects in a simple and concise manner, specifically:
1. That they are in or about to enter an area where video surveillance is taking place.
2. Why the recording is taking place (i.e., the controller’s justification for installing a CCTV or other video system).
3. The identity of the controller (or its representative) responsible for the video system.
4. The rights that the data subject can avail themselves of in respect of such processing of their personal data.
5. The contact details of a data protection officer or, where one is not appointed, whichever individual would be responsible for the footage being recorded, who would ideally be the same individual whom the data subjects would be able to contact to exercise their rights.
6. Where the data subject can find further information regarding the processing of their personal data.
For the video surveillance methods to be GDPR-compliant, organizations should follow these steps:
1. Make sure people know they’re being recorded: Transparency is a core principle of the GDPR. People must be informed that their personal information is being collected to allow them to exercise their data subject rights. Make sure people are aware of being recorded by posting signs that say CCTV is in operation.
2. Clearly state why CCTV is being used: Under the GDPR, it’s not enough to say that personal data is being collected; the exact reason for using CCTV must be explained clearly.
3. Control who has access to CCTV: Monitoring practices could do more harm than good if access to the footage is not limited. The GDPR requires that personal information should only be accessible to those who need it to complete a function of their job.
4. Delete footage when it’s no longer necessary: Most organizations have a retention period for CCTV footage, simply because it’s too impractical to keep the information indefinitely. The Regulation states that information can be stored for as long as it’s necessary for the purpose for which it was collected, and this time frame must be outlined before processing starts. Therefore, a system should be established to make sure information is deleted once the data retention deadline passes.
Storage of video surveillance footage
- The video footage should not be kept for longer than is strictly necessary for the purpose that needs to be achieved.
- The footage is usually retained for a short amount of time. In certain Member States, there can be additional provisions that regulate storage periods.
- Taking into consideration the data minimization and storage limitation principles, the personal data should in most cases be deleted automatically after a few days.
- If the footage needs to be kept for longer, then it is recommended to conduct a risk assessment to document the reasons for longer data retention.
- A data controller should define the data storage period for each individual purpose. The retention period should be defined in accordance with the principles of necessity and proportionality and the data controller should be able to demonstrate compliance with the GDPR.