Blog » HOW TO INFORM DATA SUBJECTS ABOUT CCTV SURVEILLANCE IN A GDPR-COMPLIANT WAY?
HOW TO INFORM DATA SUBJECTS ABOUT CCTV SURVEILLANCE IN A GDPR-COMPLIANT WAY?
24 July 2019
Operating video surveillance in a GDPR-compliant way can be a real challenge for data controllers in Hungary. A key aspect of the compliance with the GDPR is how the controller informs the data subjects (e.g. employees or customers) about the CCTV surveillance. Luckily, the European Data Protection Board which is the data protection authority of the EU has recently published a guideline on this issue. Read our short summary so that you know what to include in your camera privacy notice.
1. Layering is the key
Based on the GDPR the data subject shall be provided with several details of the data processing. Considering all factors, it is not always easy to provide all the necessary information and be transparent at the same time.
That is why the European Data Protection Board (EDPB) emphasizes that in relation with CCTV surveillance the layered approach of the information is particularly important.
That means that in practice the controller should use two layers: firstly, a warning sing which contains the most important information and secondly, a more detailed privacy notice with supplementary information.
2. First layer – Warning sign
As proposed by the EDPB controllers must install a warning sign preferably with an icon of a camera so that the data subject can understand easily that CCTV surveillance is operated on the premises.
This warning sign shall be positioned in such a way that the data subject (e.g. your customer) can easily recognize it and will be able to gather all the basic information before entering the monitored area.
A further requirement with the positioning of the warning sign is that it shall make clear for the data subjects which area is under surveillance exactly. For example, if you operate CCTV system in your whole headquarter building it is wise to put the warning sign before the main entrance and state that CCTV operates in the whole building.
3. What to include on the warning sign?
As mentioned, the warning sign is the place for the most basic information in relation with the data processing. That is particularly the purposes of the processing (e.g. property safety purpose) and the identity of the data controller (including your contacts details).
Further, you shall mention on the warning sign that the data subject has several data protection related rights such as right to access and right to erasure.
Last, but not least given that the warning only contains the most basic information you must include a reference to the more detailed privacy notice and where the data subject can get access to it.
4. But first – Surprising information
Besides the basic information you shall put information on the warning sign that could “surprise” the data subject.
The EDPB considers as such the storage period of the records as in the lack of providing the storage period the data subject can expect that there is only a live monitoring (without recording).
Similarly, the fact that the controller transmits the recordings to third parties can be considered as a surprising information which should be put on the warning sign.
5. Second layer – Detailed privacy notice
While in ideal case the warning sign about the CCTV surveillance contains every basic information mentioned earlier to be GDPR-compliant you shall provide the data subject with some additional information. For example, if you operate the CCTV based on your legitimate interest, you shall inform the data subject clearly about those interests.
Further, on the one hand, it is crucial that the detailed privacy notice is available at the site, e.g. on the reception or on a poster in the lobby.
On the other hand, the EDPB recommends that the second layer information is accessibly digitally that is without entering the surveyed area. You can provide a link to your website where the privacy notice is available or even a QR-code.
Based on the above we propose to check and if necessary, update your camera surveillance related privacy notices so that their inappropriate quality or format do not jeopardize your compliance with the GDPR.
Hungary: Steps Towards Differentiating Between Domestic and International Procedural Public Policy
Drawing a well-defined line of demarcation between domestic and international public policy when enforcing foreign arbitral awards sends a clear pro-arbitration message from national courts in any jurisdiction. Does Hungarian case law come close to this level of sophistication? This post analyses this question in the context of procedural public policy, and it does so based on two recent appellate court decisions rendered in the context of enforcement of arbitral awards in accordance with the New York Convention.Read more »
EU ISSUED NEW GDPR STANDARD CONTRACTUAL CLAUSES – WHEN AND HOW TO USE THEM?
During summer 2021, the European Commission published two new "standard contractual clauses" on data protection regulation, which can be applied on the one hand, to the legal relationship between data controllers and data processors covered by the GDPR , and to the transfers of personal data to third countries, on the other. In this article, we answer the questions: what these SCCs regulate, how do they differ from the previous SCCs and how can your company use the new SCCs?Read more »
CAN THE NON-COMPETITION AGREEMENT BE VALID WITHOUT A PRECISE COMPENSATION IN HUNGARY?
The non-compete agreement may provide protection of the legitimate economic interests of the employer even after the termination of employment relationship. However, the Hungarian Labour Code lays down strict requirements for the agreement. In our article we analyse a recent decision of the Supreme Court about the importance of the precise determination of the compensation, so you as an employer can conclude a valid non-compete agreement.Read more »