Blog » IS IT ENOUGH TO HAVE A WARNING STICKER FOR APPLYING CCTV ACCORDING TO GDPR?
IS IT ENOUGH TO HAVE A WARNING STICKER FOR APPLYING CCTV ACCORDING TO GDPR?
05 November 2018
Do you operate video cameras for observing employees or customers? Do the cameras make recordings or is it only a live broadcasting? If you think that a warning sticker about CCTV operation solves all the problems related to GDPR, that’s a big mistake. In our newest article we explain one of the decisions of the Data Protection Authority in Hungary.
The procedure at the authority
The Data Protection Authority in Hungary has recently published a decision where they investigated the CCTV operation at a company. In this particular case the company committed several data breaches, that could have happened at any company, so it is worth to consider the following points as a guideline and check whether your company meets the data protection expectations.
You should always have a legal basis
The Data Protection Authority highlighted a very important, basic misunderstanding that might happen at many companies: having an aim for CCTV is not the same as having a legal basis for it.
The company that was under investigation gave the following answer after being asked about the legal base: “we operate CCTV for the safety of the vehicles, because several owners have already accused us of causing damage to their vehicles.”
However, the above mentioned description does not create a legal basis for recording, it is rather an answer to the question what their aim is. The legal basis means that something provides you a possibility, allows you to make CCTV recording. Due to the earlier Hungarian regulation, the concept that such a right can originate only from the consent of the data subjects or direct permission of the law is still widespread.
However, according to the General Data Protection Regulation that is to be applied from 25th May this year, there are way more potential legal bases – altogether six cases – from which the followings might be useful for indicating in case of operating CCTV:
- consent: you have to be careful that the consent must be freely given, made in writing or orally upon receiving information, and in case of employees – due to the hierarchical relationship – it cannot be applied. Furthermore, there are cases for example in stores, where it is not practical, because it is not reasonable that all the customers entering the observed territory will make a declaration about giving a consent for the recording.
On the contrary, if you operate a warehouse, and you know that the recordings might concern your business partners (such as sub-contractors), you can give information and receive their consent before entering the area affected.
- necessary for exercising a legitimate interest of your company or a third party: in most cases this might be the best, as neither the direct permission of a legal regulation, nor the consent of the data subject is necessary. You just have to indicate your legitimate interests that you want to protect, and do a balance of interests to prove your interests overwrite the data subjects’ interests, and it doesn’t cause unnecessary restrictions for the data subjects.
- it serves the vital interests of the data subject or of another person: for example, in case the employee works in a dangerous position, where the CCTV might help in the detection and fast troubleshooting of accidents or life-threatening situations.
It is very important that you should always choose a legal basis for operating CCTV – the same way as in other data processing activities.
Inform the persons being observed
If somebody applies CCTV, it is common to put a sticker outside to warn the people that a video recording is being made. After doing so, many companies think they have nothing else to do, and they don’t provide further information to the data subjects.
This is a serious mistake, because the Security Services Act – that should be also applied in this case – requires that the observed persons should be informed at least about the followings:
- the aim of the observation and making and storing the recordings
- the legal basis of the data processing
- the place where the recordings are available
- the duration of storage
- the person applying (operating) CCTV system
- the persons being entitled to have access to the recordings
- the process how the data subjects can exercise their rights
The Data Protection Authority added the followings to the above mentioned list that should also be included in the information:
- the position of each video camera, the territory and subjects being observed, and information whether it is a livestreaming camera or does it make recordings
- the data protection measures taken by the company
- rules on how someone can watch the recordings and how the company can use the recordings
The above mentioned information should be provided in a way that anyone can become aware of its content before entering the observed area.
Warning! Information is necessary even in the lack of recording!
The Data Protection Authority confirmed the interpretation of the Security Service Act, that says one must inform the observed persons even if the video cameras don’t make recordings, just observes the territory in a livestreaming system.
What is the conclusion?
Probably many companies have made the same mistakes as the one in this particular case, operating CCTV without legal base and providing insufficient information.
Please be careful that in case you make recordings with CCTV system, you should always have a strong legal basis that you choose from the six points being available under the GDPR. In addition, the information should go beyond showing a sticker at the door with a simple warning, and provide information with the obligatory content according to the guidelines of the Data Protection Authority.
CAN THE EMPLOYER EXPAND THE EMPLOYEES’ DUTIES WITHOUT CHANGING THE JOB DESCRIPTION IN HUNGARY?
The position and tasks of the employee are one of the key elements of the employment contract and are typically recorded in the job description. It is often a matter of dispute between the parties whether the employer can unilaterally modify the job description at all, and if so, to what extent. In a recent court decision, a Hungarian appellate court addressed the above question in a situation where the employer supplemented the employee's tasks with new tasks similar to his existing tasks. In this article, we analyse the recent decision on this matter.Read more »
CAN A HARSH FACEBOOK COMMENT BE A LAWFUL GROUND FOR DISMISSAL IN HUNGARY?
Social media platforms significantly changed the ways how people express their opinions: sharing views became easier than ever. On the one hand, this is positive, but on the other hand, it is also dangerous in the employment context, as the employee's opinion may be prejudicial to the employer's interests. A recent decision of the Hungarian Supreme Court gives answer to the question whether the employer can dismiss the employee for expressing his opinion on Facebook.Read more »
NEW EU – US DATA PRIVACY FRAMEWORK - SIMPLIFIED DATA TRANSFER TO THE US
With the Schrems II judgment, which invalidated the Privacy Shield, the CJEU (Court of Justice of the European Union) make it more difficult to comply with the GDPR for companies transferring personal data from the EU to the US. However, the new EU-US Data Privacy Framework (or “Framework”) adopted on 10 July aims to put an end to this situation. But how does the Framework make data transfers between the EU and US easier? In this short article, we explain the basics of the new Framework and answer the above question.Read more »