Q: What are compliance obligations under GDPR if you operate CCTV surveillance?
A: The data controller must consider the following:
- Data subjects should be informed about the purpose of processing according to Article 12 of the General Data Protection Regulation (Regulation 2016/679) (“GDPR”) and therefore made aware that video surveillance is in operation. For CCTV recordings, this can be achieved by a combination of methods, including warning signs containing the most important information, such as the identity of the controller, the purpose of processing, and a reference to an existing privacy notice for CCTV footage.
- The data controller must document all purposes of processing of that video surveillance system according to Article 5(1)(b) of the GDPR, such as the protection of private property and assets.
- The data controller should justify their processing activity in accordance with Article 6 of the GDPR. The provisions which are most likely to apply to video surveillance are the controller’s legitimate interest (unless such interests are overridden by the data subject’s interests or fundamental rights and freedoms), and the necessity to perform a task carried out in the public interest or in the exercise of official authority.
- The data controller should also justify the element of ‘necessity’. Video surveillance measures should only be chosen if the purpose of processing could not reasonably be fulfilled by other means which are less intrusive to the fundamental rights and freedoms of the data subject.
- The controller should only monitor what is necessary and should not direct the cameras at areas that fall outside the purpose of the surveillance. By way of example, the footage should only capture the immediate property of the controller, not neighbours’ property or public areas. Installing cameras in employees’ recreational premises could be deemed a highly intrusive measure.
- The data controller should keep retention periods in check. On 5 October 2018, in a case in the names of Maltapost plc v Kummissarju ghall-Informazzjoni u l-Protezzjoni tad-Data, the Court of Appeal in Malta confirmed the position adopted by the Information and Data Protection Commissioner that CCTV footage should, as a general rule, be deleted after seven days, and, by way of exception, retained for a maximum of twenty days where the controller would be monitoring a high-risk area.
- A data controller should consider protecting the personal data by design and default. Before implementing a video surveillance system, the data controller should ensure that its technical and organisational measures favour privacy. This could be achieved by means of security measures (such as access control that is limited to authorised people only), or default settings in the system that would protect personal data.
- Article 35(3)(c) of the GDPR requires controllers to conduct a data protection impact assessment when the type of processing is likely to result in a high risk to data subjects. This could be where the controller aims to adopt systematic monitoring of a publicly accessible area on a large scale, or where special categories of personal data would be processed on a large scale. Where such risk cannot be mitigated, consultation with the supervisory authority is mandatory.
Q: Does the GDPR apply to you if you use CCTV surveillance at home?
A: The GDPR caters for a “household exemption” which should, in the opinion of the European Data Protection Board, be construed narrowly. Article 2(2)(c) provides that the processing of personal data by a natural person in the course of a purely personal or household activity is out of the scope of the GDPR.
If the surveillance covers a public space and the image capturing technology is directed outwards from the private setting of that person, it cannot be regarded as a private activity which would benefit from the household exemption. This means that if a person installs a CCTV camera monitoring their front door and covering a public space or a neighbour’s property, that person cannot benefit from the household exemption.
Q: What about dash cams?
A: The European Data Protection Board provides that where a dash cam is installed for the purpose of collecting evidence in case of an accident, this camera should not constantly record traffic as well as persons who are near the road. The interest in having video recordings as evidence in the largely theoretical case of a road accident cannot justify the interference with data subjects’ rights, particularly where that footage is used for different purposes, such as when it is uploaded to online social media platforms.
Q: What about disclosure of CCTV footage to law enforcement agencies?
A: The transfer of personal data by a controller to law enforcement agencies is regulated by the GDPR. A data controller would usually rely on a legal obligation as a basis for handing over that data to law enforcement agencies. This legal obligation is usually a matter that is regulated by national law.
The GDPR does not apply to the processing of personal data by competent authorities for law enforcement purposes, for instance, where the Police are investigating a crime.
Q: Can a data subject request a copy of the CCTV footage from the controller?
A: Where real-time data is no longer available, the data controller can only confirm that no personal data is being processed, together with providing the information required under Article 13 of the GDPR.
Where the data is available and the data subject requests a copy of it, the controller should not hand out footage that captures personal data about other data subjects; in such circumstances, blurring third parties is recommended. Furthermore, no more data should be provided than is necessary. This means that the data controller should ask for a date and time in order to identify the part of the footage in which the data subject features.
Q: Can a data subject request that their data is erased?
A: A data subject can request that any stored data about them is erased without undue delay if one of the circumstances under Article 17(1) of the GDPR applies. This may be the case, for instance, where the processing of personal data is unlawful or where the data is no longer needed. If the footage has been passed on to other controllers, such as footage which is posted online, the data controller must take steps to inform those other controllers to remove that personal data. The steps taken to remove that data should be reasonable, taking into account available technology and the cost of implementation.
If the legitimate interest of the data controller to store the data outweighs the interests of the data subjects, the controller can retain that data.
More guidance on the above topic is available in the guidelines on the processing of personal data through video devices recently published by the European Data Protection Board. See: https://edpb.europa.eu/our-work-tools/public-consultations/2019/guidelines-32019-processing-personal-data-through-video_en