Blog » HOW TO INFORM DATA SUBJECTS ABOUT CCTV SURVEILLANCE IN A GDPR-COMPLIANT WAY?
HOW TO INFORM DATA SUBJECTS ABOUT CCTV SURVEILLANCE IN A GDPR-COMPLIANT WAY?
24 July 2019
Operating video surveillance in a GDPR-compliant way can be a real challenge for data controllers in Hungary. A key aspect of the compliance with the GDPR is how the controller informs the data subjects (e.g. employees or customers) about the CCTV surveillance. Luckily, the European Data Protection Board which is the data protection authority of the EU has recently published a guideline on this issue. Read our short summary so that you know what to include in your camera privacy notice.
1. Layering is the key
Based on the GDPR the data subject shall be provided with several details of the data processing. Considering all factors, it is not always easy to provide all the necessary information and be transparent at the same time.
That is why the European Data Protection Board (EDPB) emphasizes that in relation with CCTV surveillance the layered approach of the information is particularly important.
That means that in practice the controller should use two layers: firstly, a warning sing which contains the most important information and secondly, a more detailed privacy notice with supplementary information.
2. First layer – Warning sign
As proposed by the EDPB controllers must install a warning sign preferably with an icon of a camera so that the data subject can understand easily that CCTV surveillance is operated on the premises.
This warning sign shall be positioned in such a way that the data subject (e.g. your customer) can easily recognize it and will be able to gather all the basic information before entering the monitored area.
A further requirement with the positioning of the warning sign is that it shall make clear for the data subjects which area is under surveillance exactly. For example, if you operate CCTV system in your whole headquarter building it is wise to put the warning sign before the main entrance and state that CCTV operates in the whole building.
3. What to include on the warning sign?
As mentioned, the warning sign is the place for the most basic information in relation with the data processing. That is particularly the purposes of the processing (e.g. property safety purpose) and the identity of the data controller (including your contacts details).
Further, you shall mention on the warning sign that the data subject has several data protection related rights such as right to access and right to erasure.
Last, but not least given that the warning only contains the most basic information you must include a reference to the more detailed privacy notice and where the data subject can get access to it.
4. But first – Surprising information
Besides the basic information you shall put information on the warning sign that could “surprise” the data subject.
The EDPB considers as such the storage period of the records as in the lack of providing the storage period the data subject can expect that there is only a live monitoring (without recording).
Similarly, the fact that the controller transmits the recordings to third parties can be considered as a surprising information which should be put on the warning sign.
5. Second layer – Detailed privacy notice
While in ideal case the warning sign about the CCTV surveillance contains every basic information mentioned earlier to be GDPR-compliant you shall provide the data subject with some additional information. For example, if you operate the CCTV based on your legitimate interest, you shall inform the data subject clearly about those interests.
Further, on the one hand, it is crucial that the detailed privacy notice is available at the site, e.g. on the reception or on a poster in the lobby.
On the other hand, the EDPB recommends that the second layer information is accessibly digitally that is without entering the surveyed area. You can provide a link to your website where the privacy notice is available or even a QR-code.
Based on the above we propose to check and if necessary, update your camera surveillance related privacy notices so that their inappropriate quality or format do not jeopardize your compliance with the GDPR.
LAWFUL DISMISSAL IN HUNGARY - PART VI: TERMINATION WITHOUT NOTICE
In the last two articles of our series on “lawful dismissal” we present the most severe sanction that can be applied to an employee, the immediate (formerly: extraordinary) termination. This measure is applied in serious incidents only, so many employers believe that they will not need to use the sanction. But, as we know, the devil does not sleep and it is in the details, so the employer needs to be prepared for this scenario as well to avoid further inconvenience.Read more »
5 CURRENT GDPR-FINES ACROSS EUROPE – LEARN FROM OTHERS’ MISTAKES
The supervisory authorities in Europe controlling compliance with the GDPR have not sat on their hands in the last couple of months. In this short article we collected five interesting cases from the recent past. The wide discretionary powers of the data protection authority is well illustrated by the fact that sometimes the GDPR fine was only EUR 2000, but in another case a company has been fined for EUR 11,5 Million! Continue reading if you would like to avoid the same or similar expensive errors.Read more »
LAWFUL DISMISSAL IN HUNGARY - PART V: PROTECTION AGAINST DISMISSAL
In the previous articles on the lawful dismissal, we discussed that, ranging from the employee’s behaviour to the employer’s reorganization, there can be many legitimate reasons for dismissal by the employer. However, irrespective of the legitimate reason, the employment relationship cannot be terminated if the employee is protected against dismissal by law (i.e. the Labour Code). From our article, you can learn about these protections.Read more »