CCTV OPERATION AND THE NEW GDPR RULES

21 February 2018

Many companies have recognized the advantages of using CCTV, however, there may be many questions arising related to their usage: Do you have to apply the same rules to your employees and to your customers? Whom do you have to ask permission? How should you provide information? Where should you put your warning? We will give you answers to these questions in this article.

Using security camera means handling personal data

No matter how strange it sounds, other people’s look, face, voice is considered as personal data the same way as if we would talk about their name or birth date. So if you make a recording where other people are involved, you must take care of such recording in a way that complies with the new EU data protection rules.

This means that – among other requirements – you need a legal base to make and store recordings, and lay down rules how long we want to keep such recordings, who can have an access to such data, and how we protect them.

The basis of processing data

We have already mentioned in our article about monitoring the employees that in certain situations the employer is allowed to make recordings about the employees. For doing to it is not necessary to receive permission from the employee, you should only inform your employees about the fact that a recording is being made.

It is important that the lack of permission is not always correct. In the above mentioned situation it is acceptable, because there is a special connection between the parties: an employment relationship. Here, the law makes it acceptable that the employer can control the process of the work to protect his interests.

However, if we have a look at a store or a restaurant, where customers come and go, or a warehouse, where people from other companies arrive with their vehicles to deliver goods, there is no automatic permission by law that you can make recordings without their prior consent.

Law may create exceptions similar to the employment relationship, and describe a situation when somebody’s interests overwrite others’ rights regarding to their personal data (for example protecting life and physical safety, or guarding dangerous material). In such special occasions information may be enough.

However, if you are not in any of the above mentioned categories, then you must obtain the prior approval of the persons being recorded. Don’t worry, you don’t have to think about difficult authorizing procedures, it doesn’t even have to be in writing. The silent conduct of a person can be acceptable. Thus, if there is a clear sign at the entrance of the building that there is a CCTV in operation, the person standing outside can decide whether he accepts the fact that he will be recorded and enters, or doesn’t enter.

Information

Because in most cases the recording of foreign people is based on prior consent, it is very important that the conduct of the approval must be based on clear information. It is a basic rule that the warning must be outside the recorded place, so that the entering person should not find this information when it is way too late.

The correct information means that you should create a clearly visible, and an outstanding warning that mustn’t be hidden (for example by a curtain or other objects), and the bigger it is the better, so that it can be easily recognized.

The GDPR stresses that the sign should also be clear in a way that even a child could understand that. Considering this, instead of difficult legal expressions, it is better to use a picture and simple words marking that there is CCTV in operation.

The above written explanation might look like being in contradiction with the requirement of the GDPR to provide detailed information. Indeed, if the data subjects would like to know more, you should make the detailed information easily accessible for them. For example about information about the length of storing the recordings, or who may have access to the recordings.

You may fulfil such requirements for example in case of monitoring a shop, by making the detailed rules available at the shop assistant, or in case of a warehouse, you may insert detailed information in the contract of your business partners and contractors.

And the other requirements?

Speaking of detailed rules, you may already suspect that having the legal base and giving information is not enough for making security camera recordings. Just because you put out a sign with a camera to the door, you can’t have a rest. There are other principles in the GDPR that you must comply with, and you also have to make sure that you continuously meet the requirements.

All the cameras must be set for a specified purpose, and you should always use the recordings accordingly. It is a good idea to record the purposes in writing so that later it will be easier to prove complying with them.

You should also create rules for time storing the recordings, because the GDPR doesn’t make it possible to store the personal data forever. When mentioning storing, it is an important question who can have access to the recordings. So you should declare clearly who is entitled to have access, and also what rights such access includes.

The rules themselves have no effect, if the controller doesn’t provide keeping such rules, including especially the security of storing the recordings and deleting the personal data in time.

Conclusion

There is no doubt that CCTV has many advantages, however in order to enjoy such advantages, you should provide the circumstances to comply with the new GDPR rules while you make, store, use and delete the recordings by security camera. To prevent the penalties it is worth to create internal rules.