Video surveillance of public spaces and in companies is increasing. For good reason, the General Data Protection Regulation requires a data protection impact assessment before implementing any broad surveillance of public spaces. This includes a review of the planned storage period.
Video surveillance: an evergreen topic in data protection
There are topics in data protection that remain current at all times. Video surveillance is one of them:
- On one hand, there are frequent calls for more video surveillance. This happens whenever the security situation appears to worsen or media report a violent crime.
- On the other hand, there are many critics who warn of total surveillance and doubt the efficacy of such measures.
It may therefore come as a surprise that the General Data Protection Regulation (GDPR) does not explicitly mention video surveillance. However, this is merely due to the particular requirements of legal prose: The GDPR specifically mentions “monitoring publicly accessible areas […], especially when using opto-electronic devices.”
The company that employs you as a data protection officer (DPO) probably also uses surveillance cameras, or a CCTV system may be in planning.
Even if this is not currently the case: You should make an effort to learn about the requirements applicable to video surveillance. You may be required to provide advice or conduct a review sooner than you think.
Video surveillance in the new German Data Protection Act (BDSG) and in the GDPR
- 4 of the new German Data Protection Act contains new regulations for the video surveillance of areas accessible to the public.
Topics covered include permissibility and balancing of interests, identification, storage, purpose limitation and change of purpose, as well as notification of the data subjects, and deletion of the data.
For the storage of video data, the following applies (with the GDPR taking precedence):
- Storage or use are permitted where necessary to achieve the purpose, and if there is no indication that protected interests of the data subjects may have a higher priority.
- Processing for other purposes however is allowed only as required to prevent threats to public security or the security of the state, or for the prosecution of crimes.
- The data must be deleted immediately when it is no longer required for the purpose, or if legitimate interests of the data subjects are against further storage.
Supervisory authorities decry deficiencies in video surveillance
The activity reports and publications of the supervisory authorities for data protection provide important guidance for your advisory and monitoring tasks related to video surveillance.
Excessive use of video surveillance can be seen very commonly especially at the workplace. It’s a severe violation of general personality rights if an employer videotapes employees during their work without the employee’s knowledge. This is permitted only in exceptional cases and under certain conditions.
Data protection impact assessment for video surveillance
Large-scale video surveillance obviously presents high risks for the rights and freedoms of natural persons.
This is why the General Data Protection Regulation lists the “systematic monitoring of a publicly accessible area on a large scale” among the types of processing that require a data protection impact assessment (DPIA).
Before implementing systematic and comprehensive video surveillance of an area accessible to the public, a controller must provide the following as part of a DPIA:
- a systematic description of the planned processes and the purpose of processing, including legitimate interests pursued by the controller, if applicable,
- an evaluation of the necessity and proportionality of the processes with regard to the purpose,
- an assessment of risks for the rights and freedoms of the data subjects, and
- the remedies planned for managing the risks, including guarantees, safety precautions and processes to ensure the protection of personal data.
The storage duration for the video data must be commensurate with the purpose, no longer than necessary, and limited in a way that reduces the risks for the data subjects.
Oliver Schonschek is a physicist, analyst, and technical IT journalist for IT security and data protection.