Blog » CCTV OPERATION AND THE NEW GDPR RULES
CCTV OPERATION AND THE NEW GDPR RULES
21 February 2018
Many companies have recognized the advantages of using CCTV, however, there may be many questions arising related to their usage: Do you have to apply the same rules to your employees and to your customers? Whom do you have to ask permission? How should you provide information? Where should you put your warning? We will give you answers to these questions in this article.
Using security camera means handling personal data
No matter how strange it sounds, other people’s look, face, voice is considered as personal data the same way as if we would talk about their name or birth date. So if you make a recording where other people are involved, you must take care of such recording in a way that complies with the new EU data protection rules.
This means that – among other requirements – you need a legal base to make and store recordings, and lay down rules how long we want to keep such recordings, who can have an access to such data, and how we protect them.
The basis of processing data
We have already mentioned in our article about monitoring the employees that in certain situations the employer is allowed to make recordings about the employees. For doing to it is not necessary to receive permission from the employee, you should only inform your employees about the fact that a recording is being made.
It is important that the lack of permission is not always correct. In the above mentioned situation it is acceptable, because there is a special connection between the parties: an employment relationship. Here, the law makes it acceptable that the employer can control the process of the work to protect his interests.
However, if we have a look at a store or a restaurant, where customers come and go, or a warehouse, where people from other companies arrive with their vehicles to deliver goods, there is no automatic permission by law that you can make recordings without their prior consent.
Law may create exceptions similar to the employment relationship, and describe a situation when somebody’s interests overwrite others’ rights regarding to their personal data (for example protecting life and physical safety, or guarding dangerous material). In such special occasions information may be enough.
However, if you are not in any of the above mentioned categories, then you must obtain the prior approval of the persons being recorded. Don’t worry, you don’t have to think about difficult authorizing procedures, it doesn’t even have to be in writing. The silent conduct of a person can be acceptable. Thus, if there is a clear sign at the entrance of the building that there is a CCTV in operation, the person standing outside can decide whether he accepts the fact that he will be recorded and enters, or doesn’t enter.
Because in most cases the recording of foreign people is based on prior consent, it is very important that the conduct of the approval must be based on clear information. It is a basic rule that the warning must be outside the recorded place, so that the entering person should not find this information when it is way too late.
The correct information means that you should create a clearly visible, and an outstanding warning that mustn’t be hidden (for example by a curtain or other objects), and the bigger it is the better, so that it can be easily recognized.
The GDPR stresses that the sign should also be clear in a way that even a child could understand that. Considering this, instead of difficult legal expressions, it is better to use a picture and simple words marking that there is CCTV in operation.
The above written explanation might look like being in contradiction with the requirement of the GDPR to provide detailed information. Indeed, if the data subjects would like to know more, you should make the detailed information easily accessible for them. For example about information about the length of storing the recordings, or who may have access to the recordings.
You may fulfil such requirements for example in case of monitoring a shop, by making the detailed rules available at the shop assistant, or in case of a warehouse, you may insert detailed information in the contract of your business partners and contractors.
And the other requirements?
Speaking of detailed rules, you may already suspect that having the legal base and giving information is not enough for making security camera recordings. Just because you put out a sign with a camera to the door, you can’t have a rest. There are other principles in the GDPR that you must comply with, and you also have to make sure that you continuously meet the requirements.
All the cameras must be set for a specified purpose, and you should always use the recordings accordingly. It is a good idea to record the purposes in writing so that later it will be easier to prove complying with them.
You should also create rules for time storing the recordings, because the GDPR doesn’t make it possible to store the personal data forever. When mentioning storing, it is an important question who can have access to the recordings. So you should declare clearly who is entitled to have access, and also what rights such access includes.
The rules themselves have no effect, if the controller doesn’t provide keeping such rules, including especially the security of storing the recordings and deleting the personal data in time.
There is no doubt that CCTV has many advantages, however in order to enjoy such advantages, you should provide the circumstances to comply with the new GDPR rules while you make, store, use and delete the recordings by security camera. To prevent the penalties it is worth to create internal rules.
CAN YOUR DEBTOR ESCAPE LIQUIDATION BY SETTING OFF CLAIMS IN HUNGARY?
The initiation of a liquidation procedure is an effective debt collection method, since the debtor may only avoid being liquidated by paying the claim if the conditions specified in the Act on Bankruptcy Proceedings and Liquidation (Bankruptcy Act) are met. For this reason, in the case of liquidation, one of the most common defences of the debtor is the reference to offsetting. But can the debtor refer to offsetting without limitation during liquidation? In our short article we answer this question.Read more »
SZIGET FESTIVAL FINED RECORD HUF 30 MILLION FOR GDPR BREACHES – WHAT WENT WRONG?
A few days prior to the first anniversary of the entry into force of the GDPR the Hungarian Data Protection Authority imposed the biggest data protection fine in Hungary so far. The target was the biggest Hungarian festival organizer company thanks to whom the public may enjoy the SZIGET, the VOLT or the Balaton Sound Festival. The Data Protection Authority reviewed the check-in system of the festival and the data processing in relation with the check-in. In our short article we summarize the mistakes the Authority identified.Read more »
CONSTRUCTION TRUSTEESHIP IN HUNGARY - GETTING PAID IN CONSTRUCTION PROJECTS AS SUBCONTRACTOR
Construction trusteeship, as mandatory collateral management of major private construction projects in Hungary, strives for protecting subcontractors against non-paying general contractor, by allowing direct payments from employer under certain conditions. How does it work in practice and what are the limits of subcontractor protection? We address these issues in this article.Read more »