Video Surveillance Under The GDPR

Video surveillance is one of the data protection areas that raises quite a few questions and involves serious privacy risks. We are all aware of the widespread use of video surveillance: we see it when we walk into a bank, hotel or pharmacy, in public areas like parks or squares, and at our workplace. One billion surveillance cameras will be watching around the world in 2021, with current numbers at around 770 million surveillance cameras.

770 million surveillance cameras installed around the world today, and 1 billion in 2021

However, we often lack an understanding of the lawfulness of video surveillance, the measures that can be taken to protect our privacy, and whether our video footage is considered personal data at all. This topic raises further concerns as modern facial-recognition software is put to use, especially when we are talking about advanced social monitoring and control.

So if you are thinking of installing video surveillance in your organization, you are already conducting video surveillance, or you want to know more about your rights regarding this topic, this blog should be useful to you.

EU guidelines on video surveillance

The European Data Protection Board (EDPB) issued guidelines on the processing of personal data through video devices and referred to surveillance technologies as generally limiting the possibility of remaining unnoticed.

There are a lot of guidelines published on this topic, like the one by the EU’s independent data protection authority, the EDPS, that have been trying for more than a decade to create a framework for this ever-evolving technological area.

The sensitivity of the subject is further emphasized by the real threat to the protection of the fundamental rights and freedoms of individuals and the intrusion into privacy:

“…surveillance has increased in both the public sector (for law enforcement purposes and public security …) and in the private sector (for targeted advertising…). These practices can profoundly affect how individuals think and act, as well as other personal rights (such as freedom of expression or association). Any form of surveillance is an intrusion on the fundamental rights to the protection of personal data and to the right to privacy. It must be provided for by law and be necessary and proportionate.”

EDPS Video-surveillance Guidelines

Is video surveillance footage personal data?

We have become accustomed to the fact that the GDPR aims to protect our personal data: our name, our address, our e-mail. However, images are also considered personal data and are protected under the GDPR.

Whenever footage or a picture of an individual captured through CCTV may be used to identify that person (directly or indirectly), it is considered personal data, and in those cases the GDPR requirements for personal data processing need to be put in place.

Is video surveillance footage biometric data?

Not by itself. To qualify as biometric data under the GDPR, the processing of raw data such as the physical, physiological or behavioural characteristics of a natural person must involve a measurement of these characteristics.

The GDPR states there has to be specific technical processing of that image related to the physical, physiological or behavioral characteristics in order for it to be considered biometric data.

The image or footage is not by itself considered biometric data under Article 9 if it has not been specifically technically processed in order to contribute to the identification of an individual.

Why is this important?

Biometric data is considered sensitive personal data, and the processing of sensitive data is restricted.

Processing of biometric data (and all personal data revealing racial or ethnic origin, political opinion, religious beliefs or health data) is prohibited unless the data subject has given explicit consent, or there are special circumstances allowing the processing.

There are 10 special circumstances under which you are allowed to process a special category of personal data. The processing of sensitive data is explained in full in Article 9 of the GDPR. We encourage you to read more about sensitive personal data:

Sensitive personal data - special category under the GDPR

When is video surveillance legal under the GDPR?

In order for video surveillance to be legal, it needs to be based on one of the six lawful bases for processing personal data (consent, contract, legal obligation, protection of vital interests, public task or legitimate interests).

If you, as a data controller, want to implement a video surveillance system on your premises, consent is not a recommended lawful basis. Consent can only serve as a legal basis, in accordance with Article 7, in exceptional cases.

Legitimate interest is far more likely to be the proper way to go. If that is the case, you will have to demonstrate that the surveillance does not override the rights and freedoms of the individual.

The legitimate interest needs to actually exist and to be a present issue. Legitimate purposes for video surveillance are often property protection or the preservation of evidence.

Member State law may also apply, and the data controller might need to rely on it for surveillance in the public interest or surveillance conducted by a public authority.

Data controllers’ obligations

If you are a data controller, take note that you are primarily responsible for making sure that any processing of personal data is GDPR compliant.

There is a chance that you will have to conduct a data protection impact assessment (DPIA) before video surveillance starts. We have talked about the DPIA in more detail in one of our blogs:

What is a DPIA and how to conduct it? [Video & Infographics]

Data Protection Impact Assessment is a process that identifies and minimizes risks related to personal data processing. Organizations usually conduct a DPIA once they engage in a new data processing activity, or when they modify an existing processing activity (e.g. when new technology is deployed).

In the case of video surveillance, a DPIA will need to be conducted if the surveillance poses a high risk, if a DPIA is required for a data processing activity described in Article 35(3) of the GDPR, or if the area under surveillance is a public area.

The controller is obligated to implement organizational and technical measures to protect all components of the video surveillance system and the data, during storage (data at rest), transmission (data in transit) and processing (data in use).

Video surveillance notification

You as a data controller will also have to comply with the transparency principle and provide information about the surveillance.

For example, if you are covering a large public space like a hotel lobby, a notice on the door of the lobby with the appropriate information should be considered.

Example notice from Guidelines 3/2019 on processing of personal data through video devices

The notice should be easily visible, with the appropriate camera symbol informing everyone entering the premises about the video surveillance. Also provide contact information for the data controller and the reason for the surveillance.

Other information can be made available to the data subject upon request, since the sign will probably be too small to include all the information required by Article 13 and Article 14.

Data subjects’ rights

The data subject has the right to obtain from the data controller confirmation of whether his/her data is being processed, access to the personal data, and the information described in Article 15 of the GDPR (right of access):

✅ what is the purpose of the processing
✅ what are the categories of processed personal data (including recipients or categories of recipients in third countries or international organizations)
✅ who are the recipients to whom the personal data have been or will be disclosed
✅ for what period of time will data be stored (retention period)

When providing that information to the data subject, the controller should take all necessary measures to protect the identity of any other people on the footage (e.g. by blurring them).

Note that since the footage is stored for only a limited amount of time, this will affect the ability of a data subject to access footage of himself/herself.

Organizational and technical measures

From the organizational and technical point of view, there are certain measures that need to be taken; they are explained in the EDPB guidelines.

Organizational measures:

• who is responsible for the management and operation of the video surveillance system
• the purpose and scope of the surveillance
• your transparency and information obligations
• the data retention period for video footage
• who has access to video recordings and for what purposes
• the data breach procedure
• incident management and recovery procedures…

Technical measures:

• physical security of all system components
• data encryption
• firewalls, antivirus or intrusion detection systems against cyber attacks
• access control…

Storage of video surveillance footage

You might be wondering how long you should keep video surveillance footage and how you should store it.

The video footage should not be kept for longer than is strictly necessary for the purpose to be achieved. In practice, the footage is usually retained for a short amount of time. In certain Member States there can be additional provisions that regulate storage periods.

Let’s take a look at the example from the EDPB guidelines:

If you are conducting video surveillance in your store to prevent vandalism, a regular storage period of 24 hours is sufficient. Closed weekends or holidays might be reasons for a longer storage period. If damage is detected, you may also need to store the video footage for a longer period in order to take legal action.

Taking into consideration the data minimization and storage limitation principles, the personal data should in most cases be deleted automatically after a few days.

If the footage needs to be kept for longer, then it is recommended to conduct a risk assessment to document the reasons for longer data retention.

As a data controller, you should define the data storage period for each individual purpose. The retention period should be defined in accordance with the principles of necessity and proportionality and the data controller should be able to demonstrate compliance with the GDPR.
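The retention rule from the EDPB store example, written as an automatic deletion check: a 24-hour period per purpose, extended over closed weekends and holidays, and a documented legal hold when damage is detected. This is an added illustration, not code from the guidelines or from this blog; the purpose names, holiday list and recording data are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Hypothetical retention policy, one period per purpose, as the controller must
# define it. Values are constructed: 24 hours mirrors the EDPB store example;
# a purpose without a defined period is a policy gap and must not be guessed.
RETENTION = {"vandalism_prevention": timedelta(hours=24)}
CLOSED_HOLIDAYS = {date(2024, 12, 25)}  # constructed sample of closed days


@dataclass
class Recording:
    name: str
    purpose: str
    recorded_at: datetime
    legal_hold: bool = False  # set when damage is detected and evidence is needed
    hold_reason: str = ""     # documented justification for the longer retention


def recording(name, purpose, recorded_iso, legal_hold=False, hold_reason=""):
    """Build a Recording from an ISO 8601 timestamp string."""
    return Recording(name, purpose, datetime.fromisoformat(recorded_iso),
                     legal_hold, hold_reason)


def is_closed(day: date) -> bool:
    return day.weekday() >= 5 or day in CLOSED_HOLIDAYS


def expiry(rec: Recording) -> datetime:
    """Deadline after which the recording must be deleted."""
    period = RETENTION.get(rec.purpose)
    if period is None:
        raise ValueError(f"no retention period defined for purpose {rec.purpose!r}")
    deadline = rec.recorded_at + period
    # Closed weekends or holidays justify a longer period: nobody can review
    # the footage until the store reopens, so move the deadline to the next open day.
    while is_closed(deadline.date()):
        deadline += timedelta(days=1)
    return deadline


def due_for_deletion(recs, now_iso):
    """Names of recordings past their deadline; a legal hold needs a documented reason."""
    now = datetime.fromisoformat(now_iso)
    due = []
    for r in recs:
        if r.legal_hold:
            if not r.hold_reason:
                raise ValueError(f"legal hold on {r.name!r} has no documented reason")
            continue  # kept for legal action, reason recorded in the risk assessment
        if now >= expiry(r):
            due.append(r.name)
    return due
```

Run the check from a scheduled job and delete whatever it returns; anything kept longer than the default period is either on a documented hold or still inside the closed-day extension.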