Video Surveillance Under GDPR: EDPB Issues Final Guidance

January 3, 2020Alerts

The European Data Protection Board (EDPB) has issued final guidance on the use of video surveillance.

Key takeaways:

  • The monitoring purposes of the cameras should be documented in writing and specified.
  • Data subjects must be informed of the purpose(s) of the processing. The mere purpose of “safety” or “for your safety” is not sufficiently specific.

Legitimate Interest

  • The most likely legal bases are: legitimate interest and “necessary in the public interest.”
  • Given a real and hazardous situation, the purpose to protect property against burglary, theft or vandalism can constitute a legitimate interest.
  • Video surveillance measures should only be chosen if the purpose of the processing could not reasonably be fulfilled by other means that are less intrusive to the fundamental rights and freedoms of the data subject.
  • The legitimate interest needs to be a real and present issue (i.e. it must not be fictional or speculative). A real-life situation of distress needs to be at hand – such as damage or serious incidents in the past – before starting the surveillance. In light of the principle of accountability, controllers are well-advised to document relevant incidents (date, manner, financial loss) and related criminal charges.
  • The existence of a legitimate interest as well as the necessity of the monitoring should be reassessed in periodic intervals (e.g. once a year), depending on the circumstances.
  • For legitimate interest to apply, the processing needs to be reasonably expected by the data subject. For this, the decisive criterion has to be if an objective third party could reasonably expect and conclude to be subject to monitoring in this specific situation.
  • Examples of unexpected monitoring: employee in his/her workplace, one’s private garden, living areas or in examination and treatment rooms, sanitary or sauna facilities.
  • Example of expected monitoring: bank ATM's.
  • Signs informing the data subject about the video surveillance have no relevance when determining what a data subject objectively can expect. This means, for example, that a shop owner cannot rely on customers objectively having reasonable expectations to be monitored just because a sign informs the individual at the entrance about the surveillance

Necessity of Processing | Balancing of Interests

  • Presuming that video surveillance is necessary to protect the legitimate interests of a controller, a video surveillance system may only be put in operation if the legitimate interests of the controller or those of a third party (e.g. protection of property or physical integrity) are not overridden by the interests or fundamental rights and freedoms of the data subject.
  • Important balancing factors can be the size of the area under surveillance and the number of data subjects under surveillance. The use of video surveillance in a remote area (e.g. to watch wildlife or to protect critical infrastructure such as a privately owned radio antenna) must be assessed differently than video surveillance in a pedestrian zone or a shopping mall.

Consent

  • Regarding systematic monitoring, the data subject’s consent can only serve as a legal basis in accordance with Article 7 (see Recital 43) in exceptional cases.
  • If the controller wishes to rely on consent it is his duty to make sure that every data subject who enters the area under video surveillance has given her or his consent.

Disclosure

  • Any disclosure of personal data is a separate kind of processing of personal data for which the controller needs to have a legal basis.

Special Category Data

  • Video surveillance is not always considered to be processing of special categories of personal data. However, if the video footage is processed to deduce special categories of data, Article 9 applies.
  • The use of biometric data, in particular facial recognition, entails heightened risks for data subjects’ rights
  • When the purpose of the processing is, for example, to distinguish one category of people from another but not to uniquely identify anyone, the processing does not fall under Article 9. However, Article 9 applies if the controller stores biometric data (most commonly through templates that are created by the extraction of key features from the raw form of biometric data (e.g. facial measurements from an image)) in order to uniquely identify a person.
  • Example: A hotel uses video surveillance to automatically alert the hotel manager that a VIP has arrived when it recognizes the face of the guest. These VIPs have given their prior explicit consent to the use of facial recognition before being recorded in a database established for that purpose. These biometric data processing systems would be unlawful unless all other guests monitored (in order to identify the VIPs) have consented to the processing according to Article 9 (2) (a) GDPR
  • In compliance with the data minimization principle, data controllers must ensure that data extracted from a digital image to build a template will not be excessive and will only contain the information required for the specified purpose, thereby avoiding any possible further processing. Besides, data controllers shall proceed to the deletion of raw data (face images, speech signals, the gait, etc.) and ensure the effectiveness of this deletion.
  • The controller should take all necessary precautions to preserve the availability, integrity and confidentiality of the data processed. To this end, the controller shall notably take the following measures: compartmentalize data during transmission and storage, store biometric templates and raw data or identity data on distinct databases, encrypt biometric data (notably biometric templates) and define a policy for encryption and key management, integrate an organizational and technical measure for fraud detection, associate an integrity code with the data (for example signature or hash) and prohibit any external access to the biometric data. Such measures will need to evolve with the advancement of technologies.
  • In exceptional cases, there might be a situation where processing biometric data is the core activity of a service provided by contract, e.g. a museum that sets up an exhibition to demonstrate the use of a facial recognition device. In that case, the data subject will not be able to reject the processing of biometric data should they wish to participate in the exhibition. In such a case, the consent required under Article 9 is still valid if the requirements in Article 7 are met.

Data Subject Requests

  • When responding to data subject access rights involving videos containing images with other people, data controllers should implement technical measures to fulfill the access request without revealing the identities of other people appearing in the video (for example, image-editing such as masking or scrambling).
  • If the video footage is not searchable for personal data, (i.e. the controller would likely have to go through a large amount of stored material in order to find the data subject in question) data subject should in its request to the controller, specify when – within a reasonable timeframe (e.g. one hour) in proportion to the amount of data subjects recorded – he or she entered the monitored area.
  • The controller should notify the data subject beforehand of what information is needed in order for the controller to comply with the request. If the controller is able to demonstrate that it is not in a position to identify the data subject, the controller must inform the data subject accordingly, if possible. In such a situation, in its response, the controller should inform the data subject about the exact area for the monitoring, verification of cameras that were in use, etc., so that the data subject will have the full understanding of what personal data may have been processed.
  • Blurring the picture with no retroactive ability to recover the personal data the picture previously contained, is considered erasing the personal data in accordance with GDPR.
  • Unless the controller has compelling legitimate grounds, monitoring an area where natural persons could be identified is only lawful if either
  1. The controller is able to immediately stop the camera from processing personal data when requested.
    OR
  2. The monitored area is restricted in such detail that the controller can assure the approval from the data subject prior to entering the area and it is not an area that the data subject as a citizen is entitled to access.

Transparency

  • The warning sign should be positioned at a reasonable distance from the places monitored in such a way that the data subject can easily recognize the circumstances of the surveillance before entering the monitored area (approximately at eye level).
  • The notice under Article 13 should be provided in a layered manner—first layer (warning sign) and second layer (other location).

First layer

  • The first layer information (warning sign) should generally convey the most important information, e.g.
  • The details of the purposes of processing
  • The identity of controller
  • The existence of the rights of the data subject, together with information on the greatest impacts of the processing. (e.g. legitimate interests pursued by the controller and contact details of Data Protection Officer)
  • Refer to the more detailed second layer of information and where and how to find it
  • Any information that could surprise the data subject. That could for example be transmissions to third parties, particularly if they are located outside the EU, and the storage period.

Second Layer

  • The second layer information must also be made available at a place easily accessible to the data subject, for example as a complete information sheet available at a central location (e.g. information desk, reception or cashier) or displayed on an easily accessible poster.
  • It should contain all information that has to be disclosed under Article 13 of GDPR
  • It should be possible to access the second layer information without entering the surveyed area, especially if the information is provided digitally (this can be achieved, for example, by a link). Other appropriate means could be a phone number that can be called.

Data Retention

  • Personal data may not be stored longer than is necessary for the purposes for which the personal data is processed.
  • To facilitate the demonstration of compliance with the data protection framework, it is in the controller’s interest to make organizational arrangements in advance (e.g. nominate, if necessary, a representative for screening and securing video material.)
  • Personal data should in most cases (e.g. for the purpose of detecting vandalism) be erased, ideally automatically, after a few days. The longer the storage period set (especially when beyond 72 hours), the more argumentation for the legitimacy of the purpose and the necessity of storage has to be provided.
  • If the controller uses video surveillance not only for monitoring its premises but also intends to store the data, the controller must assure that the storage is actually necessary in order to achieve the purpose.

Technical and Organizational Measures and DPIA

  • Given the typical purposes of video surveillance (protection of people and property, detection, prevention and control of offenses, collection of evidence and biometric identification of suspects), it is reasonable to assume that many cases of video surveillance will require a Data Protection Impact Assessment (DPIA).
  • Data controllers must implement organizational and technical measures that are proportional to the risks to the rights and freedoms of natural persons, resulting from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to video surveillance data.
  • They should adopt internal framework and policies that ensure this implementation both at the time of the determination of the means for processing and at the time of the processing itself, including the performance of Data Protection Impact Assessments when needed.

Apart from a potential DPIA needed, controllers should consider the following topics when they create their own video surveillance policies and procedures:

  • Who is responsible for management and operation of the video surveillance system?
  • Purpose and scope of the video surveillance project
  • Appropriate and prohibited use (where and when video surveillance is allowed and where and when it is not; e.g. use of hidden cameras and audio in addition to video recording
  • Transparency measures
  • How is video recorded and for what duration, including archival storage of video recordings related to security incidents?
  • Who must undergo relevant training and when?
  • Who has access to video recordings and for what purposes?
  • Operational procedures (e.g. by whom and from where video surveillance is monitored, what to do in case of a data breach incident).
  • What procedures do external parties need to follow in order to request video recordings, and what are the procedures for denying or granting such requests?
  • Procedures for Video Surveillance Storage (VSS) procurement, installation and maintenance
  • Incident management and recovery procedures

Odia Kagan is a partner at Fox Rothschild and chair of the firm’s GDPR Compliance & International Privacy Practice. For assistance with the full range of GDPR compliance issues contact Odia at [email protected] or 215.444.7313.

Additional Information