Blog » THE BIG BROTHER AT WORKPLACE – USING VIDEO TO MONITOR WORKERS IN HUNGARY
THE BIG BROTHER AT WORKPLACE – USING VIDEO TO MONITOR WORKERS IN HUNGARY
20 December 2017
Should you have employee permission for CCTV record at workplace? How to be compliant with data protection laws regarding video surveillance? What are the cases when the strict data protection rules do not apply? In this article we examine these questions on the basis of the EU Data Protection Regulation (GDPR).
Is CCTV monitoring data processing?
It may not sound obvious for many that not only the name, address and ID number of the employee are personal data, but also their look, fate and voice shall be considered so. This means that handling video and voice recordings about the employees is considered asb data processing just like processing the data mentioned above.
According to the General Data Protection Regulation (GDPR) of the EU, the employer may process such data, too, if it does not conflict the fundamental rights and freedom of the employee.
In accordance with the above, the Hungarian Labour Code entitles employers to monitor the behaviour of employees in relation with the employment relationship, but such control may not violate human dignity, and the private life of employees may not be monitored.
The CCTV operated by the employer has to be set according to the following 4 principles:
Recording the employees and processing such data does not require the permission of the employees, because such action is based on the permission of the law. However, the employer must provide the employees with clear information, so that the employees should know what happens with their data.
With regard to the above, the employees must be informed especially about that they are working in an area that is observed via CCTV, and also the circumstances why such recording is made about that place, who can have access to the recordings, how long will they be stored, where will they be forwarded, and how can the employee watch the recording.
The employer must be able to give justification why a specific camera is at a specific place, and what is the purpose of the recording. The employer can use the recordings only according to the original purpose of the recording.
The purpose can be the security, health protection, labour protection of employees, accident investigation, etc. One camera can serve more purposes, but any use differing from the defined purpose is unacceptable.
It is important that it is true that the employer is entitled to monitor the employees, but the purpose of the recording can’t be only this. The employer is not allowed to continuously monitor the employees, because this would limit the privacy of the employees to an unjustified extent. Thus the camera can’t be placed in a position so it would monitor only one specific employee.
It is advised to place the camera so that it would serve also other purposes. For example, in case of an employee working at the cashier, the camera placed above to record the money handed over can be well justified, and may also protect the employee’s interests.
Also, where a dangerous machine is being used, the recording of the operation can serve the health and physical safety of the employee, so in case of emergency the help may come faster.
Because of the purpose limitation there are also places where it is prohibited to place camera. Such places are typically the changing rooms and the lavatory. The employee’s right for dignity in these places is so high that cannot be overwritten by any other interest.
This principle has a strong relation with purpose limitation, because it is not reasonable to store the data forever. If the data doesn’t serve any purpose anymore (especially if there is nothing worth to mention in it), then such data should be deleted as soon as possible.
Such deadlines are regulated by the national law, that is in case of usual security purposes 3 working days, if the employee has no need to use the recordings. Employee may store the recordings for longer only in special cases, like protecting significant value or guarding dangerous material.
Please don’t forget that the lawful obtaining of the personal data is not the only goal when we are talking about data protection. We have to make efforts so that unauthorised persons should not have access to them. The data protection includes also the protection of the data against third parties.
We can increase the security by a separate locked room, or by using passwords in computers.
CCTV or not?
As we described above, the CCTV recordings are regulated very strictly. However, just because there is a camera somewhere, doesn’t mean the automatic application of such provisions.
For example a fake camera does not record personal data, so there is no data process. This means that using a fake camera does not require meeting the strict requirements of the GDPR. Surely it is a good question whether it is worth to use a camera that is unable to record anything, but it can be generally said that people observe the rules better if they think they are controlled.
The real time camera without recording is another option offering more opportunities. This camera shows the observed place on a screen in a separate place without recording. This can be useful, if the employer would need 10 security person to guard all main spots of a site, but using CCTV it is enough to hire one person controlling all places by watching 10 monitors.
The real time camera is like setting up many mirrors so that we can see several directions from one place. As there is no recording, we can’t talk about data processing, so there is no need to comply with the strict rules of the GDPR.
According to the above, it may be better for the employer to measure whether it is really necessary to do video recording. If it is the good choice considering some places, all the cameras need to be set up carefully, according to the requirements of the EU Data Protection Regulation.
WHY SHOULD YOU INVOLVE A LAWYER IN YOUR GDPR PROJECT?
In the last months preceding the entering into force of GDPR, the market was inundated with various service providers promising data protection compliance: data protection experts, counsels, IT experts, etc. Besides these providers, lawyers and law firms, experienced in the field of data protection also provide GDPR compliance services. We summarize the reason why you should involve them in your GDPR compliance project.Read more »
I GET “ONLY” STATISTICAL DATA FROM FACEBOOK – AM I DATA CONTROLLER UNDER GDPR?
Besides having a website, vast majority of businesses have company pages on the social networks like Facebook, Linkedin, etc. Do you become a data controller, being primarily responsible for data processing, if you get “only” statistical information of your visitors? The Court of Justice of the European Union addressed this question in its recent ruling.Read more »
HOW NOT TO DO DIRECT MARKETING? LEARN FROM THE MISTAKES OF TELEKOM!
In the recent past the Hungarian Data Protection Authority imposed a fine of 2 Million Hungarian Forints against Telekom, a major Hungarian telecommunication company, because of his unlawful direct marketing activity. Although the decision has been made before the entering into force of the GDPR, it is worth to examine the mistakes of Telekom. Indeed, the fine would have been much higher if it was imposed after the GDPR.Read more »