Publication date: 16.04.2024
Video surveillance (CCTV) is common in our daily lives, from monitoring public areas to securing private property. As a result, it is important to understand how GDPR regulations affect CCTV surveillance systems and the significance of compliance. Failure to comply with GDPR requirements can result in serious financial penalties and reputational harm.
This article will look at the importance of GDPR for video surveillance and how it affects companies and individuals. In addition, it will also highlight the best practices for ensuring GDPR compliance for CCTV surveillance installations.
What do you need to know before you start using CCTV?
When a company carries out video surveillance, the company becomes the data controller of the personal data that derives from the CCTV surveillance, and therefore the company must ensure that the surveillance complies with the GDPR and the applicable law.
This means, among other things, that the company must provide that there is a legal basis for the CCTV surveillance, as well as that it is carried out in accordance with the principles set out in Article 5 of GDPR. Personal data processing is lawful when it is necessary for the legitimate interests of the controller, except where such interests do not override the interests or fundamental rights and freedoms of the data subject.
For example, if a shop wants to install CCTV cameras in the shop to prevent further theft from the shop, then CCTV surveillance for crime prevention purposes will be an explicitly defined and legitimate purpose.
The obligation to provide information
If a company uses CCTV, it is usually obliged to inform the person being monitored. This follows from Article 14 of the GDPR. The information requirement applies where video surveillance is carried out in places or premises to which there is general access or in the workplace. The obligation to provide information on CCTV surveillance should be in accordance with Article 13 of the GDPR. Article 13 lists the information that the controller must provide to the data subject.
A clearly legible and visible sign should be placed to draw attention to the fact that a surveillance system is used in the area concerned, and a notice should be published on the purpose of the surveillance, the legal basis for the processing, the duration of the storage of the recording, the identity of the controller, the persons who are authorized to access the data, and the provisions on the rights of the data subjects and the procedures for exercising them.
Article 13 of the GDPR contains a number of exceptions to the information obligation. The controller may only fail to comply with the information obligation if one or more of the exceptions apply. According to Article 14 (5)(b) of the GDPR, the controller may refrain from providing information where it would be impossible or would involve a disproportionate effort.
Right of access to the recordings
The right of access is based on Article 15 of the GDPR and means that the data subject has the right to obtain from the controller information concerning whether personal data relating to him or her are being processed and, if so, to have access to the personal data and the information about the processing. In exceptional cases, the data subject's request may be refused if the request is manifestly unjustified or excessive, for example, if it is repetitive.
For example, a customer requests access to all the images of him/her in a large shopping center that receives many visitors a day. In order to respond to the access request, the shopping center asks the customer to provide the time and place when the customer was in the shopping center. If the customer does not provide this information, the shopping center may apply the excessive request exception.
Making CCTV surveillance safer
Before a company starts to use CCTV surveillance, it must check that it is sufficiently secure. This means, that the company must ensure that recordings, both stored and live, cannot be accessed by unauthorized persons. For example, screens with live television monitoring must be positioned so that they cannot be seen by customers, employees, or others. In addition, recordings from video surveillance should be stored in such a way that they are only accessible to those who need access to them for their work.
Therefore, access control to recordings should be introduced, for example through user rights management, password protection, multi-factor logins, and the like. It should also be provided that systems storing recordings are protected by firewalls and similar technical safeguards. To support the technical security measures put in place, it is also important to put in place measures such as guidelines and procedures to ensure that employees know when they can access and use recordings.
Conclusion
To summarize, one of the most important steps is determining and justifying the necessity for CCTV surveillance. In other words, the company has to have a legitimate reason to establish the system, such as preventing crime. Furthermore, the company has to make sure that it has adequate safety measures in place to protect any acquired footage, as well as policies and procedures in place to allow data subjects to exercise their GDPR rights.
You can also read about:
References