Blog » HOW TO INFORM DATA SUBJECTS ABOUT CCTV SURVEILLANCE IN A GDPR-COMPLIANT WAY?
HOW TO INFORM DATA SUBJECTS ABOUT CCTV SURVEILLANCE IN A GDPR-COMPLIANT WAY?
24 July 2019
Operating video surveillance in a GDPR-compliant way can be a real challenge for data controllers in Hungary. A key aspect of the compliance with the GDPR is how the controller informs the data subjects (e.g. employees or customers) about the CCTV surveillance. Luckily, the European Data Protection Board which is the data protection authority of the EU has recently published a guideline on this issue. Read our short summary so that you know what to include in your camera privacy notice.
1. Layering is the key
Based on the GDPR the data subject shall be provided with several details of the data processing. Considering all factors, it is not always easy to provide all the necessary information and be transparent at the same time.
That is why the European Data Protection Board (EDPB) emphasizes that in relation with CCTV surveillance the layered approach of the information is particularly important.
That means that in practice the controller should use two layers: firstly, a warning sing which contains the most important information and secondly, a more detailed privacy notice with supplementary information.
2. First layer – Warning sign
As proposed by the EDPB controllers must install a warning sign preferably with an icon of a camera so that the data subject can understand easily that CCTV surveillance is operated on the premises.
This warning sign shall be positioned in such a way that the data subject (e.g. your customer) can easily recognize it and will be able to gather all the basic information before entering the monitored area.
A further requirement with the positioning of the warning sign is that it shall make clear for the data subjects which area is under surveillance exactly. For example, if you operate CCTV system in your whole headquarter building it is wise to put the warning sign before the main entrance and state that CCTV operates in the whole building.
3. What to include on the warning sign?
As mentioned, the warning sign is the place for the most basic information in relation with the data processing. That is particularly the purposes of the processing (e.g. property safety purpose) and the identity of the data controller (including your contacts details).
Further, you shall mention on the warning sign that the data subject has several data protection related rights such as right to access and right to erasure.
Last, but not least given that the warning only contains the most basic information you must include a reference to the more detailed privacy notice and where the data subject can get access to it.
4. But first – Surprising information
Besides the basic information you shall put information on the warning sign that could “surprise” the data subject.
The EDPB considers as such the storage period of the records as in the lack of providing the storage period the data subject can expect that there is only a live monitoring (without recording).
Similarly, the fact that the controller transmits the recordings to third parties can be considered as a surprising information which should be put on the warning sign.
5. Second layer – Detailed privacy notice
While in ideal case the warning sign about the CCTV surveillance contains every basic information mentioned earlier to be GDPR-compliant you shall provide the data subject with some additional information. For example, if you operate the CCTV based on your legitimate interest, you shall inform the data subject clearly about those interests.
Further, on the one hand, it is crucial that the detailed privacy notice is available at the site, e.g. on the reception or on a poster in the lobby.
On the other hand, the EDPB recommends that the second layer information is accessibly digitally that is without entering the surveyed area. You can provide a link to your website where the privacy notice is available or even a QR-code.
Based on the above we propose to check and if necessary, update your camera surveillance related privacy notices so that their inappropriate quality or format do not jeopardize your compliance with the GDPR.
ONLINE SALE OF MEDICINAL PRODUCTS WITHOUT BORDERS? LUXEMBURG RULED
Cross-border online sale of medicinal products is a recurring issue before the Court of Justice of the European Union. This is no coincidence, as trade in medicines is a strictly regulated area in all Member States, which can easily conflict with the EU principle of freedom to provide services, and in the end, the "price" of excessive national restrictions is borne by the consumers. In our article, we summarize the recent ruling of the Court of Justice of the European Union on the limitation of the principle.Read more »
HOW REPORTING OF EMPLOYEE-TRAININGS HAS CHANGED FROM SEPTEMBER 2020 IN HUNGARY?
From September 2020 the rules, which regulate the status of the adult educators and the organisation of adult educations have changed. There are significantly more educations, which are considered as adult education and performing an adult education entails a lot more obligation. The changes affect almost every employer who organises certain kind of educations for its employees. We summarize the most important changes concerning the adult education.Read more »
LUXEMBOURG RULED: MESSI DRIBBLED PAST EVEN THE EUROPEAN TRADEMARK OFFICE
Messi hit the legal news again, this time not because of his tax issues. In September, the match between the EUIPO and the world-famous football player, which was ongoing since 2011, finally ended. Messi won the match, as the European Court of Justice ruled that because of his significant reputation, his name can be registered as a trademark despite the fact that it is similar to several earlier trademarks, which is otherwise a ground for exclusion. In our short article, we summarise the details of the case and the legal significance of the decision.Read more »