How to use CCTV in a GDPR compliant way

CCTVs are a common sight in many shops and public places, but this does not mean that everyone can simply put up their own cameras without much thought. A thorough assessment of the requirements and the circumstances is needed to ensure that CCTV surveillance is conducted lawfully. Misuse of surveillance may lead to severe infringements of individuals’ privacy.

Before initiating the processing you should conduct a privacy threshold assessment. This assessment may lead to the conclusion that the risks are high, in which case you should conduct a Data Protection Impact Assessment (DPIA) that goes into more detail about the proposed processing, the risks, and the potential additional safeguards that could be applied to reduce the risk to an acceptable level. Conducting a DPIA is mandatory if one of the relevant conditions listed in Art. 35 GDPR applies, in particular if there is systematic monitoring of a publicly accessible area on a large scale.

Consider carefully exactly which technology you intend to use, because not all CCTV surveillance is the same. If you want to make use of automated facial recognition or other intelligent video analysis techniques, this will affect the outcome of the assessment of whether the processing may be carried out or whether it is too intrusive to the privacy rights of the affected individuals. This is closely related to the data minimisation principle: you may not use CCTV with extensive functionality (e.g., facial recognition or sound recording) if this is not genuinely required to achieve the designated purpose.

To ensure that CCTV surveillance can be done in a GDPR compliant manner, you should look into the following topics:

Is this form of processing really necessary?

A clear purpose should be defined for why camera surveillance will be carried out. The primary reasons are likely to be ensuring the safety of staff and/or property. If the purpose is to surveil employees to check that they do their jobs adequately, this is unlikely to be seen as a lawful form of processing. The use of personal data must be limited to what is necessary for its intended purpose. You should only install CCTV after determining that it is appropriate and necessary to achieve the defined purpose. Alternative security measures, such as fencing, security personnel patrols, lighting and locks, can be as effective as video surveillance in preventing property-related crimes. You should therefore assess on a case-by-case basis what the most reasonable approach is. Before implementing CCTV surveillance you should also consider when and where using cameras is strictly necessary; e.g., it might suffice to turn them on only during nighttime or outside regular working hours to prevent property-related risks.

What is the specific purpose for this processing and the appropriate legal basis?

It is necessary to identify the correct purpose(s) for the processing. Consider what the ultimate goal of CCTV surveillance is for you. Prominent examples are supporting the protection of your property, supporting the safety of the individuals on it, or collecting evidence for civil claims.

The appropriate legal basis follows from your chosen purpose. The starting point should be to consider whether there is a legal obligation on you to carry out CCTV surveillance. If this is not the case, you may want to investigate whether you can rely on a legitimate interest. Your interest needs to be a present issue and not a speculative or fictional scenario. For example, if there have been documented damages or thefts in the past, this supports your interest in setting up CCTV for the purpose of protecting your property. Relevant factors may also include whether your business is in an industry prone to dangerous situations, such as jewellers or banks, or whether the geographical area in question suffers from a high crime rate. To rely on the latter argument, you should base it on either relevant crime statistics for the area or the past experience of neighbouring organisations in similar circumstances.

In order to check whether you can rely on legitimate interest, you need to conduct a legitimate interest assessment to weigh your interest against the rights, interests, freedoms and expectations of the individuals involved. If this balancing test leads to the conclusion that your interest outweighs the risks to the individuals – great! If not, you should look into whether you can reduce the processing or apply enough additional safeguards to reduce the risks to the individuals and thereby tip the balance in your interest’s favour. Examples of such actions include reducing the number of cameras or the technology used to automatically analyse and categorise the obtained data, shortening the period for which the data is stored, or limiting the possibility of the footage being accessed from outside the premises.

In very limited cases, even consent may be the most appropriate legal basis, e.g. to analyse an athlete’s technique and performance. However, consent should only be used in exceptional circumstances because of its drawbacks and complexity, e.g. the danger of individuals feeling pressured into consenting to the processing.

What is the least amount of time you can store the data while still achieving the selected purpose?

Personal data cannot be processed forever (including mere storage). You have to determine a reasonable retention period after which the data is no longer needed to achieve the purpose. Organisations often claim that their CCTV footage is kept for many years in case the police request the footage in the course of an investigation. For private businesses not tasked with law enforcement functions this practice is usually excessive, unless there is a legal obligation requiring them to keep certain evidence for a set amount of time in case the police request it at some point.

How do I have to inform individuals?

It is paramount to inform individuals about the surveillance. This is commonly done via signs around the area indicating that it is being filmed. On these signs you should publish the key information about the processing, such as the controller’s name, the purpose of the processing and the retention time. The other information mandated by Art. 13 GDPR could be made available to individuals via a link (and QR code) on the sign. However, the full privacy notice should also be available in a non-digital form in the vicinity of the cameras, e.g. at the reception or the cashier.

The GDPR grants certain rights to individuals, e.g. the right of access to their data, the right to erasure and the right to object to the processing. It is important to inform individuals about their rights and to comply with them where appropriate. More details on when and how a data subject request should be complied with can be found in our blog posts in the GDPR Requirements series.

CCTV surveillance is a complex area, and countries often have their own additional rules specific to this topic. It is therefore important to investigate whether there are local rules applicable in your case.

‘Fun’ facts and ‘good to knows’

The common practice of installing fake/dummy cameras does not trigger the application of the GDPR, since no personal data is being processed. The same applies if the video surveillance is conducted in such a way that it does not make it possible to identify an individual, e.g. if the camera is recording from a high altitude.