The fact that people and many premises are monitored by cameras is something we encounter in everyday life. Whether it is in office buildings, shopping centres, public transport, at work, at the entrance to a residential building or at a neighbour’s garage door, CCTV systems are an omnipresent and almost inevitable part of modern life.
Although the use of CCTV cameras is nowadays commonplace, it is important to remember that, despite their prevalence, they constitute a significant infringement of the rights and freedoms of the subjects they capture, and their use may involve the processing of personal data.
Camera monitoring systems in practice
In practice, nowadays, the very first (and often the only) step after setting up a CCTV system is to put up an information sign displaying a pictogram. However, such a course of action is completely inadequate.
The following is a description of the procedures that must be followed and the questions that should be asked by the administrator of the CCTV system (who is thus also the personal data controller) when introducing a new CCTV system or revising an existing one.
When is personal data (not) processed?
First of all, it is important to note that not all uses of CCTV systems lead to the processing of personal data.
The processing of personal data does not occur when using camera systems that are unsuitable for this purpose and which do not have technical parameters that allow a higher degree of identification of the monitored person. The key term for assessing whether or not processing of personal data takes place is the so-called ‘degree of identification’.
No processing of personal data occurs if the recorded person does not occupy more than 25 % of the height of the frame, or if one pixel of the image corresponds to less than 40 mm of the subject’s actual height, even with the use of additional technical means (e.g. zoom).
What questions to ask before introducing a camera system?
Before we proceed to the individual questions that should be raised before the introduction of the camera system, it is necessary to reiterate the basic principle of personal data processing, i.e. that the processing of personal data should interfere with the rights and freedoms of the subjects as little as possible, i.e. the interference should be minimised.
The very first question that any potential data controller must ask is what the legal basis (title) for processing the personal data will be.
For the purpose of introducing CCTV systems, the following legal bases for data processing are possible:
- consent of the subject;
- legitimate interest of the controller or third parties;
- the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
Processing based on the consent of the subject is generally very complicated and fickle for the purposes of CCTV (data subjects can withdraw their consent) and is therefore not recommended.
In order to assess whether the use of a CCTV system is appropriate on grounds of the legitimate interest of the controller or of a third party, it is necessary to carry out a so-called “balancing test”, i.e. to assess three basic aspects of the considered measure:
- suitability criterion;
- the criterion of necessity; and
- criterion of proportionality.
Steps of the balance test
Before a potential data controller resorts to the introduction of a CCTV system, he or she should undertake the following steps.
First of all, the potential data controller should assess and describe the existence of a real threat. In the context of the existing threat, he or she should evaluate possible approaches to mitigating the risk or eliminating it completely. The placement of CCTV should be only one of several options considered.
The second important question that the potential data controller should address, where the use of a CCTV system has been assessed as necessary for the purpose, is what measures can be taken to minimise the infringement of the rights and freedoms of the persons being recorded. In this context, the potential controller should evaluate what technical parameters the CCTV system ought to have: for example, the number and location of cameras, the setting of their coverage, the deactivation of some of their features and the functions of other components of the CCTV system, the limitation of the operational time of the CCTV system to a certain period of time only and, if footage is retained, its preservation only for the necessary period of time.
Furthermore, the potential controller should consider whether the introduction of the CCTV system is necessary to achieve the purpose being pursued (e.g. protection of property from theft or damage, or compliance with health and safety rules by employees) and whether the purpose being pursued cannot also be achieved in another way which would be less invasive of the rights of the subjects. In other words, he or she should assess whether the introduction of a CCTV system is the most appropriate solution and whether it is the most advantageous and necessary option.
Last but not least, the potential controller should assess the balancing criterion, i.e. analyse the balance between the rights and interests of the controller and the rights and interests of the subjects whose personal data are to be processed and assess whether the legitimate interests of the controller or third parties outweigh the interests and rights of the subjects.
How to proceed with the implementation?
If the desired purpose cannot be achieved by means other than the introduction of a CCTV system (the balance test is positive), the data controller still has many obligations to fulfil. These include in particular the necessary establishment of protocols, procedures and creation of multiple documents.
The following are among the essential duties of the administrator:
- the obligation to provide subjects with the option to exercise their rights under the GDPR (e.g. the right to information, the right of access, rectification and erasure, the right to restriction of processing, the right to portability of the data obtained and the right to object to processing);
- the obligation to keep proper documentation;
- the obligation to protect the collected personal data and to prevent data breaches or misuse; and
- the obligation to report personal data breaches.
The most important requirement is to draw up documentation of the CCTV system, which should include in particular:
- a record of processing activities;
- balance test as an analysis of the necessity of deploying a camera system;
- analysis of the obligation to prepare a DPIA for the proposed camera system, the prepared DPIA, or documentation of technical and organizational measures;
- design and technical documentation of the camera system;
- contractual documentation, including any processing agreement (if there is another entity processing personal data for the controller);
- directives for the operation of the CCTV system;
- evidence of consent of the data subjects (if the data are processed on the basis of the consent of the data subjects);
- information documents (in multiple layers); and
- documentation of personal data breaches.
Duties of the controller
The above-mentioned obligations are not unique to CCTV systems; compliance with them is (with exceptions) required in all cases of processing of personal data. However, there are some particularities associated with the use of CCTV systems, some of which we shall discuss further.
The information obligation takes a special form when using CCTV systems – for practical reasons, it is usually implemented in two separate steps. At the beginning of the article, an information sign with a pictogram was mentioned, indicating that the area is being monitored by a CCTV system – its proper placement is the first step towards fulfilling the information obligation. The Methodology presents the basic standards for the design and placement of such an information sign. However, despite misconceptions, the placement of an information sign is not sufficient. The next, second and follow-up step is to provide thorough, detailed information with prescribed content according to Articles 13 and 14 of the GDPR. This secondary information must be easily accessible, at the least for as long as the monitored area is accessible to authorised data subjects.
Some of the above-mentioned rights can only be exercised if a camera system with recording is installed, i.e. the right to access, rectification and deletion of personal data is completely excluded in cases where no camera recording is made and only online monitoring takes place.
The security of CCTV systems is an important and extensive obligation. No wonder. Depending on their location, CCTV systems can process very sensitive information, which makes it essential that technical and organisational risk management measures are established.
For this purpose, the controller is obliged to draw up an accompanying document which includes the identification and description of the specific CCTV system, the method of verifying the functionality of the technical and organisational measures and a description of these technical and organisational measures adopted to mitigate the following four categories of threats:
- unauthorised access to CCTV equipment, cameras, cabling, recording equipment or display equipment;
- unauthorised access to CCTV footage;
- unauthorised reading, copying, transmission, modification and deletion of CCTV footage; and
- natural events and weather conditions.
For CCTV systems with a high risk to the rights and freedoms of the subjects, the proposal of technical and organisational measures is carried out within the framework of the DPIA investigation; for other CCTV systems the proposal is carried out directly by the controller (or processor), either on the basis of their own analysis or on the basis of the classification specified in the Methodology.
Methodology of the Personal Data Protection Office
At the beginning of 2024, the Office for Personal Data Protection (“OPDP”) published a new, updated Methodology for the Design and Operation of CCTV Systems from the Perspective of Personal Data Processing and Protection [1] (“Methodology”), which replaced the previous document from 2012 and which addresses subsequent legislative developments, in particular the adoption of the crucial Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”), as well as the European Data Protection Board’s Guidelines 3/2019 on processing of personal data through video devices [2].
The Methodology and the procedures contained therein are neither binding nor enforceable in any way. However, the Methodology serves as a practical guide which can be used as a voluntary basis for the introduction of video surveillance systems.
The above conclusions and the content of our article respect and are consistent with the Methodology.
Conclusion
The introduction of a CCTV monitoring system may often appear to be straightforward – but the opposite is true, as just like any other processing of personal data, it requires the preparation of extensive documentation and the setting up of procedures through which subjects of personal data processing will be able to exercise their rights. A proper set-up of a video camera monitoring system is a technically and administratively demanding exercise that the potential data controllers should consider properly.
Should you have any questions or need assistance in particular with the preparation of documentation, please do not hesitate to contact us.
[1] The Methodology from OPDP is available here: metodika-kamerove-systemy-webpdf.pdf (gov.cz).
[2] European Data Protection Board’s Guidelines 3/2019 on processing of personal data through video devices is available here: guidelines-3-2019-ke-zpracovani-osobnich-udaju.pdf (gov.cz).
Mgr. Kateřina Vyšínová, junior lawyer – vysinova@plegal.cz
Mgr. Jakub Málek, managing partner – malek@plegal.cz
16. 5. 2024