Blog » HOW TO INFORM DATA SUBJECTS ABOUT CCTV SURVEILLANCE IN A GDPR-COMPLIANT WAY?
HOW TO INFORM DATA SUBJECTS ABOUT CCTV SURVEILLANCE IN A GDPR-COMPLIANT WAY?
24 July 2019
Operating video surveillance in a GDPR-compliant way can be a real challenge for data controllers in Hungary. A key aspect of the compliance with the GDPR is how the controller informs the data subjects (e.g. employees or customers) about the CCTV surveillance. Luckily, the European Data Protection Board which is the data protection authority of the EU has recently published a guideline on this issue. Read our short summary so that you know what to include in your camera privacy notice.
1. Layering is the key
Based on the GDPR the data subject shall be provided with several details of the data processing. Considering all factors, it is not always easy to provide all the necessary information and be transparent at the same time.
That is why the European Data Protection Board (EDPB) emphasizes that in relation with CCTV surveillance the layered approach of the information is particularly important.
That means that in practice the controller should use two layers: firstly, a warning sing which contains the most important information and secondly, a more detailed privacy notice with supplementary information.
2. First layer – Warning sign
As proposed by the EDPB controllers must install a warning sign preferably with an icon of a camera so that the data subject can understand easily that CCTV surveillance is operated on the premises.
This warning sign shall be positioned in such a way that the data subject (e.g. your customer) can easily recognize it and will be able to gather all the basic information before entering the monitored area.
A further requirement with the positioning of the warning sign is that it shall make clear for the data subjects which area is under surveillance exactly. For example, if you operate CCTV system in your whole headquarter building it is wise to put the warning sign before the main entrance and state that CCTV operates in the whole building.
3. What to include on the warning sign?
As mentioned, the warning sign is the place for the most basic information in relation with the data processing. That is particularly the purposes of the processing (e.g. property safety purpose) and the identity of the data controller (including your contacts details).
Further, you shall mention on the warning sign that the data subject has several data protection related rights such as right to access and right to erasure.
Last, but not least given that the warning only contains the most basic information you must include a reference to the more detailed privacy notice and where the data subject can get access to it.
4. But first – Surprising information
Besides the basic information you shall put information on the warning sign that could “surprise” the data subject.
The EDPB considers as such the storage period of the records as in the lack of providing the storage period the data subject can expect that there is only a live monitoring (without recording).
Similarly, the fact that the controller transmits the recordings to third parties can be considered as a surprising information which should be put on the warning sign.
5. Second layer – Detailed privacy notice
While in ideal case the warning sign about the CCTV surveillance contains every basic information mentioned earlier to be GDPR-compliant you shall provide the data subject with some additional information. For example, if you operate the CCTV based on your legitimate interest, you shall inform the data subject clearly about those interests.
Further, on the one hand, it is crucial that the detailed privacy notice is available at the site, e.g. on the reception or on a poster in the lobby.
On the other hand, the EDPB recommends that the second layer information is accessibly digitally that is without entering the surveyed area. You can provide a link to your website where the privacy notice is available or even a QR-code.
Based on the above we propose to check and if necessary, update your camera surveillance related privacy notices so that their inappropriate quality or format do not jeopardize your compliance with the GDPR.
NOW WHAT WITH DATA TRANSFERS TO THE UNITED STATES? – CONSEQUENCES OF THE FRESH EU JUDGEMENT
The recent judgement of the European Court of Justice (CJEU) invalidating the EU-US Privacy Shield raised several questions concerning international personal data transfers. Companies who normally transfer personal data to the U.S. and use U.S.-based service providers are asking themselves: are we still allowed to do this? If not, what should we do now? In this short article we will explain the judgement of the CJEU and the current situation.Read more »
CAN EMPLOYERS WITHHOLD WAGE DURING INTERNAL INVESTIGATION IN HUNGARY?
Can employers withhold the wage of employees because of an ongoing internal investigation? Is the suspicion that the employee caused damage sufficient to hold back mone, or the payment cannot be refused in this case? We analyse the recent decision of the Hungarian Supreme Court and answer this question in this article.Read more »
CAN FOREIGN LEGAL SUCCESSORS BE SUED IN HUNGARY ON CONTRACTUAL BASIS? – RULING OF SUPREME COURT
Due to the protective measures of the EU Recast Brussels I Regulation (1215/2012), persons domiciled in an EU member state can be sued in another member state only in limited cases. One of these exceptions is the jurisdiction granted by the Regulation to courts of the place of the performance of a contract. However, does this exception apply in cases of legal succession or subrogation? The Supreme Court addressed this issue in a recent decision.Read more »