Video surveillance under the GDPR

Video surveillance is one of the data protection areas that raises a few questions because it implicates serious privacy risks.

An estimated one billion surveillance cameras are watching you around the world in 2021.

We are all aware of the widespread usage of video surveillance, when we walk into a bank, hotel, pharmacy, public areas like parks or squares, and our workplace.

However, we often lack understanding of the lawfulness of video surveillance, the measures that can be taken to protect our privacy, and wheater our video footage is even considered personal data by the General Data Protection Regulation (GDPR).

This topic brings more concerns with modern facial-recognition software being put to use, especially when we are talking about advanced social monitoring and control.

So if you are thinking of installing video surveillance in your organization, you are already conducting video surveillance, or you want to know more about your rights regarding this topic, this article should be useful to you.

EU guidelines on video surveillance

European Data Protection Board issued guidelines on the processing of personal data through video devices and referred to surveillance technologies as generally limiting the possibility of remaining unnoticed.

There are a lot of guidelines published about this topic, like the one by the EU’s independent data protection authority -EDPS, that are trying to create a framework for this technologically ever-evolving area, for the past decade and more.

The sensitivity of the subject is further emphasized by the real threat for the protection of fundamental rights and freedoms of individuals and intrusion of privacy:

“Any form of surveillance is an intrusion on the fundamental rights to the protection of personal data and to the right to privacy.  It must be provided for by law and be necessary and proportionate.”

EDPS Video-surveillance Guidelines

Is video surveillance footage personal data?

We got accustomed to the fact that the GDPR is set to protect our personal data, our name, our address, our e-mail. However, images can also be considered personal data.

Whenever the footage or a picture of an individual is captured through the CCTV, that may be used to identify that person (directly or indirectly) it is considered to be personal data.

In those cases, GDPR requirements for personal data processing need to be put in place.

Is video surveillance footage biometric data?

Not by itself, to qualify as biometric data by the GDPR, processing of raw data, such as the physical, physiological, or behavioral characteristics of a natural person, must imply measurement of these characteristics.

The GDPR states there has to be specific technical processing of that image related to the physical, physiological, or behavioral characteristics in order for it to be considered biometric data.

The image or footage is not by itself considered to be biometric data under Article 9  if it has not been specifically technically processed in order to contribute to the identification of an individual

Why is this important?

Biometric data is considered to be sensitive personal data and processing of sensitive data is restricted.

Processing of biometric data (and all personal data revealing racial or ethnic origin, political opinion, religious beliefs, or health data) is prohibited unless the data subject has given explicit consent, or there are special circumstances allowing the processing.

There are 10 special circumstances under which you are allowed to process a special category of personal data.

The processing of sensitive data is explained in full in Article 9 of the GDPR. We encourage you to read more about sensitive personal data:

When is video surveillance legal under the GDPR?

In order for video surveillance to be legal, it needs to be based on one of the 6 lawful bases for processing personal data (consent, contract, legal obligation, protection of vital interests, public task, or legitimate interests.)

If you, as a data controller, want to implement a video surveillance system on your premises, consent is not recommended lawful base.

Consent can only serve as a legal basis in accordance with Article 7 in exceptional cases.

The legitimate interest is far more likely to be the proper way to go. If that is the case, you will have to prove that the surveillance does not override the freedom and rights of an individual.

The legitimate interest needs to be of real existence and has to be a present issue.

Legitimate purposes for video surveillance are often property protection or preservation of evidence.

Data controllers obligations

If you are a data controller, take note that you are primarily responsible for making sure that any processing of personal data is GDPR compliant.

There is a chance that you will have to conduct a data protection impact assessment or DPIA before video surveillance starts.

We have talked about DPIA in more detail in one of our blogs:

A Data Protection Impact Assessment is a process that identifies and minimizes risks related to personal data processing.

Organizations usually conduct a DPIA once they engage in a new data processing activity, or when they modify an existing processing activity (e.g. when new technology is deployed).

In the case of video surveillance, it will need to be conducted if surveillance imposes a high risk, if DPIA is imposed for a data processing activity described in Article 35(3) of the GDPR, or if the area under surveillance is a public area.

The controller is obligated to implement organizational and technical measures to protect all components of a video surveillance system and data, during storage (data at rest), transmission (data in transit), and processing (data in use).

Video surveillance notification

You, as a data controller will also have to comply with the transparency principle and provide information about the surveillance.

For example, if you are covering a large public space like a hotel lobby, the notification on the door of the lobby with appropriate information should be considered.

The notice should be easily visible, with the appropriate camera symbol informing everyone entering the premises about video surveillance.

Also, provide contact information about the data controller and the reason for surveillance.

Other information can be made available to the data subject upon request since the sign probably will be too small to address all information from Article 13 and Article 14.

Data subjects rights

The data subject will have a right to obtain information from the data controller about whether his/her data is processed, access to the personal data and the information described in Article 15 of the GDPR- Right of access:

• what is the purpose of the processing
• what are the categories of processed personal data (including recipients or categories of recipients in third countries or international organizations)
• who are the recipients to whom the personal data have been or will be disclosed,
• for what period of time will data be stored (retention period)

When providing that information to the data subject, the controller should take all necessary measures to protect the identity of other people on the footage, if there are any (blurring their identity).

Note that since the footage is stored for a limited amount of time, this will affect the ability of a data subject to access his/her footage.

Organizational and technical measures for video surveillance

From the organizational and technical point of view, there are certain measures that need to be taken and are explained in the EDPB guidelines

Organizational measures:

• Determine who is responsible for the management and operation of the video surveillance system
• What is the purpose and scope of the surveillance
• What are your transparency and information obligations
• The data retention period for video footage
• Who has access to video recordings and for what purposes
• Data breach procedure
• Incident management and recovery procedures…

Technical measures:

• Securing physical security of all system components
• Data encryption
• Usage of firewalls, antivirus, or intrusion detection systems against cyber attacks
• Access control…

Storage of video surveillance footage

You might be wondering, for how long should you keep the video surveillance footage and how should you store it?

The video footage should not be kept for longer than it is strictly necessary for the purpose that wants to be achieved.

The footage material is usually retained for a short amount of time. In the certain Member States, there can be additional provisions that regulate storage periods.

Let’s take a look at the example from EDPB guidelines:

If you are conducting video surveillance in your store to prevent vandalism, a regular storage period of 24 hours is sufficient. Closed weekends or holidays might be reasons for a longer storage period. If, for eample property damage is detected you may also need to store the video footage for a longer period in order to take legal actions.

Taking into consideration the data minimization and storage limitation principles, the personal data should in most cases be deleted automatically, after a few days.

If the footage needs to be kept for longer, then it is recommended to conduct a risk assessment to document the reasons for longer data retention.

As a data controller, you should define the data storage period for each individual purpose. The retention period should be defined in accordance with the principles of necessity and proportionality and the data controller should be able to demonstrate compliance with the GDPR.