Italy’s Data Protection Authority Publishes FAQs on CCTV

December 10, 2020Alerts

Garante, the Italian data protection authority, has issued FAQ's on CCTV surveillance and data protection. Highlighting the European Data Protection Board's (EDPB) guidelines on the topic, here are some takeaways:

Area of Surveillance

It is not necessary to reveal the precise location of the camera, as long as there is no doubt about which areas are subject to surveillance and the context of the surveillance is clear.

Retention Period

  • In most cases (for example if video surveillance is used to detect vandalism) it should be deleted after a few days, preferably through automatic mechanisms.
  • The longer the envisaged retention period (especially if longer than 72 hours), the more reasoned the analysis must be in relation to the legitimacy of the purpose and the need for conservation.
  • For example, the owner of a small business would normally notice any vandalism the same day it occurred. A storage period of 24 hours is therefore sufficient. However, closing on weekends or longer holidays could justify a longer retention period.
  • In some cases it may be necessary to extend the retention times of the images initially set by the owner or provided for by law. For example, in the event that this extension is necessary to follow up on a specific request from the judicial authority or the judicial police in in relation to an ongoing investigative activity.

Data Protection Impact Assessment

  • A DPIA may be required for integrated systems, both public and private, that connect cameras between different subjects as well as intelligent systems capable of analyzing images and processing them — for example, in order to automatically detect abnormal behaviors or events, report them and possibly record them.
  • It is always required, in particular in the case of large-scale systematic surveillance of an area.

In the Workplace

  • An employer can install CCTV, but exclusively for organizational and production needs, for work safety and for the protection of company assets, in compliance with the other guarantees provided for by the sector legislation on the installation of audiovisual systems and other control instruments.

Personal Use

  • The processing of personal data through the use of cameras installed in one's home for exclusively personal purposes of control and security is among those excluded from the scope of the regulation.
  • In these cases, any employees or collaborators present (babysitter, maid, etc.) must in any case be informed by the employer.
  • In any case, it will be necessary to avoid monitoring environments that harm the dignity of the person (such as bathrooms), adequately protect the data acquired through the smart cams with suitable security measures, in particular when the cameras are connected to the internet, and to not disseminate the collected data.

Exceptions to Application

  • The data protection legislation does not apply to the processing of data that does not allow the identification of people, directly or indirectly, as in the case of high-altitude shooting (carried out, for example, through the use of drones).
  • It does not apply in the case of false or switched-off cameras because there is no processing of personal data (it being understood that, in the working context, the guarantees provided for by Article 4 of law 300/1970 still apply) or in the case of cameras integrated into a car to provide parking assistance (if the camera is constructed or adjusted in such a way that it does not collect any information relating to an individual, such as license plates or information that could identify passers-by).

Odia Kagan is a partner in the firm's Privacy & Data Security Practice and Chair of the GDPR Compliance & International Privacy Practice. For questions about this alert or assistance with data processing and data privacy issues, contact Odia at [email protected] or 215.444.7313.