GDPR effect on video surveillance

Video surveillance has become one of the most commonly used methods for securing assets and keeping employees safe. It is very difficult to imagine banks, shops and public institutions today without video surveillance, and it is very likely that its absence would lead to less security. However, less attention is paid to the fact that the cameras are placed in a large number of public spaces, and their excessive setting negatively affects the privacy of persons. What does the GDPR say about this?

GDPR or the General Data Protection Regulation is a new privacy and dana protection law that comes into force on May 25, 2018. Although not directly specified in the Regulation, the video surveillance systems through the sensitive data regarding personal information receive a designation as security systems that need to have particular protection measures. By definition, personal data that are of sensitive nature in terms of fundamental rights and freedoms are data that are revealing racial or ethnic origin, mental health and health status dana, economic or social status data, which only a part of data that can be collected by using video surveillance. According to GDPR, video surveillance is considered to be a high-risk activity that requires special caution, especially if fit is carried out in public places with many passers-by. Legitimate interest of the company (property protection, crime prevention, etc.) must be used as a legal basis for video surveillance.

Video surveillance must only show what it is intended to see

When we are already  talking about its purpose, the video surveillance system must have a clear and documented purpose, and everyone in the vicinity must be unambiguously informed that:

  • The area is under video surveillance;
  • The video surveillance is used for protection of property;
  • The recording is saved for XY hours;
  • The person in charge of personal data is someone  who is available through e-mail address…;
  • All information should be multilingual.

One of the key features of the guidelines is the how long is the recording kept. The EDPS recommendation is that the recordings are not kept more than seven days (168 hours), which is only for us only defined for money-holding institutions, not for other users. The recommendation is also that the recording are recorded over as early as possible, and that 48 hours is sufficient enough time to determine whether the recording needs to be extracted for legitimate reasons, or simply automatically overwritten. One of the essential obligations of users who intent to install a video surveillance system is that they should seek the consent of the National Personal Dana Protection Agency (AZOP) for the following cases:

  • Connecting the video surveillance system with biometric data (eg. finger prints for access control), database of suspect individuals (eg. store thieves), or vehicle registration for automatic recognition of license plates;
  • Indexing data in recordings for automatic search and recognition of people in recordings (eg. for tracking individual movements);
  • Face recognition, or any other way of biometric recognition;
  • Any mode of dynamic-preventive surveillance (eg. the use of applications that automatically recognize the person's behavior and create an alarm based on predefined suspicious behavior, movement, dress, or their body language speech);
  • Network of cameras installed with the application to track people's movements through large spaces;
  • Systems connected with applications associated with sound level change recognition (eg. someone starts to shout in certain area);
  • Infrared cameras with low sensitivity, thermal cameras such as special devices that can „see“ under low light conditions can be seen through walls, or a special scanner for examining people;
  • Special cameras with advanced optics and digital zoom capabilities.

According to the guidelines, AZOP should be consulted for all above-mentioned systems, and make an analysis of the impact on privacy, as well as analyze whether system can be replaced by some other form of technical protection.

The important thing to do for existing and future systems is to create a video surveillance policy for the site in question, with the location analysis for each camera, the reason for its placement, the field of view, the user list with their rights, the journal of accessing the recorded content, the automatic overwriting for certain number of hours, adequate protection of physical access to recorders and recorded content. Additionally, it is necessary to watch out for the 72-hour period for alarming in case of loss, destruction or intrusion into the system.

There is still a little time left before the application of GDPR, therefore, all preparatory measures for implementing the upcoming regulation need to be made. The ESS team is at your disposal for more information.