Camera systems in the company from the perspective of the GDPR

17 February 2020

Stanislav Klika, Director, Head of Risk advisory services

The GDPR has been in place since May 2018 and still about half of companies have yet to complete its implementation. The neglected areas include camera systems. The following is based on my experience with the setup and operation of CCTV systems. The recommendations are also based on the strict requirements of the Office for the Protection of Personal Data, which it applies during inspections of camera operators.

The basic question is whether your CCTV system is recording. If so, then you must ensure compliance with all basic GDPR principles. This means, in particular, taking into account the principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, storage limitation, and integrity and confidentiality, namely:

  1. determination of the purpose of the recording
  2. setting up the camera shots so that they do not unduly interfere with the privacy of the monitored persons
  3. setting the retention period of the camera recording
  4. identification of the premises covered by the camera system and provision of detailed information on recording
  5. security of the camera system and recordings; and
  6. creation of the necessary documentation.


  1. Determination of the purpose of the recording

The controller is obliged to determine the purpose of the personal data processing before processing. In the context of CCTV, such purposes are most often the protection of life and health, the protection of property, including the prevention of vandalism, and the possibility of providing evidence for possible judicial and other proceedings. I recommend specifying the purpose in the processing records or in your personal information register.

  2. Set camera shots

The CCTV system should contribute to the intended purpose, so think carefully and determine the area each camera covers in advance. Cameras should not cover spaces that do not need to be monitored to achieve the intended purpose.

Thus, in accordance with the GDPR, cameras may capture the controller's property, the car park that the controller uses, or the exterior of the controller's building, including the adjacent pavement or road. Generally, it is inappropriate to film adjacent buildings, their windows or entrances.

In the case of problematic footage, it is necessary to assess whether the intrusion caused by the CCTV system is sufficiently balanced by the legitimate interest in surveillance. If privacy concerns prevail, it is usually sufficient to mask parts of the image appropriately or change the camera's tilt angle.

  3. Length of retention period of CCTV footage

CCTV footage should not be stored longer than necessary for the intended purpose of the camera monitoring. In practice, the periods for storing footage usually range from three to 14 days. Remember that a retention period longer than 72 hours should be well justified.

  4. Identification of the premises covered by the camera system

For cameras, the duty to inform is fulfilled mainly by placing information signs at the entrance to the monitored area. The signs should be visible from a sufficient distance and clearly legible. For this purpose, it is advisable to include a camera pictogram. Furthermore, the sign should state that the space is monitored by a CCTV system, and it must clearly identify the personal data controller and give a contact where more information on personal data processing can be obtained.

Exercise of data subjects' rights and principles of personal data processing

How requests from data subjects or, for example, the police can actually be handled will depend on the technical capabilities of the recording equipment. When selecting a recording device, you should take into account whether it allows you, for example, to search for and delete portions of records, export those records, or mask images.

  5. Security of CCTV system

The GDPR obliges controllers and processors to ensure the security of personal data. As a CCTV operator, you must focus on all elements of the CCTV system that you operate, including cameras, any cabling and recording equipment. Security includes, in particular, setting up access and user permissions and keeping system logs (or an operating log) so that it is possible to trace back who did what with the camera recordings and when. It is also important that the operator of the CCTV system be properly trained. I recommend that you keep a record of this training for later review.

  6. Documentation of CCTV system

The CCTV documentation should include an assessment of the necessity of the chosen solution, risk analysis, records of processing activities, detailed descriptions of the CCTV system, including the organisational and technical measures adopted, internal regulations, relevant operational and contractual documentation and documentation of compliance. Personally, I recommend that the documentation should also include balancing tests and possibly also a data protection impact assessment (DPIA).

Performing a balancing test

As a rule, controllers base the processing of personal data in the form of video surveillance on the legal title "legitimate interests"[1]. The way to verify that you really have a legitimate interest is the so-called balancing test. It examines whether personal data can be processed in a particular case, i.e. whether the interests of data subjects outweigh the legitimate interests of the controller or third parties. The balancing test verifies, among other things, whether the intended purpose can be achieved by less invasive means.

In practice, I encounter either tests performed only as a formality or, conversely, long discourses from which it is not immediately clear what the conclusion is and what can best be done to achieve a positive test result. This is not about bureaucracy run amok. The Office for Personal Data Protection actually checks whether and how the balancing tests have been carried out. At BDO we have developed a unique balancing test methodology that is effective and praised by our clients. We do not write long treatises. We use standardised, carefully prepared test questions and, depending on the answer chosen, points are added or subtracted. The resulting value must be greater than zero, and at first glance it is clear in which areas there is still work to be done. The client can then precisely measure just the amount of effort that gets them into positive values.

Conducting a data protection impact assessment (DPIA)

A DPIA is mandatory when processing is likely to result in a high risk to the rights and freedoms of individuals, taking into account the nature, scope, context and purposes of the processing. In cases where the CCTV system will cover busy public areas, the obligation to carry out a DPIA usually falls on the controller.


[1] The processing necessary for the legitimate interests of the data controller or of a third party, except where the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data take precedence over those interests, in particular where the data subject is a child.