- Datenschutz PRAXIS - https://www.datenschutz-praxis.de - DatenschutzPraxis

CCTV and the GDPR: the correct storage period

Video surveillance of public spaces and in companies is increasing. For good reason, the General Data Protection Regulation requires a data protection impact assessment before implementing any broad surveillance of public spaces. This includes a review of the planned storage period.

Video surveillance: an evergreen topic in data protection

There are topics in data protection that remain current at all times. Video surveillance [1] is one of them:

It may therefore come as a surprise that the General Data Protection Regulation (GDPR) does not explicitly mention video surveillance. However, this is merely due to the particular requirements of legal prose: The GDPR specifically mentions “monitoring publicly accessible areas […], especially when using opto-electronic devices.”

The company that employs you as a data protection officer (DPO) probably also uses surveillance cameras, or a CCTV system may be in planning.

Even if this is not currently the case: You should make an effort to learn about the requirements applicable to video surveillance. You may be required to provide advice or conduct a review sooner than you think.

Video surveillance in the new German Data Protection Act (BDSG) and in the GDPR

Topics covered include permissibility and balancing of interests, identification, storage, purpose limitation and change of purpose [2], as well as notification of the data subjects [3], and deletion [4] of the data.

For the storage of video data, the following applies (with the GDPR taking precedence):

Supervisory authorities decry deficiencies in video surveillance

The activity reports and publications of the supervisory authorities for data protection provide important guidance for your advisory and monitoring tasks related to video surveillance.

Excessive use of video surveillance can be seen very commonly especially at the workplace. It’s a severe violation of general personality rights if an employer videotapes employees during their work without the employee’s knowledge. This is permitted only in exceptional cases and under certain conditions.

Data protection impact assessment for video surveillance

Large-scale video surveillance obviously presents high risks for the rights and freedoms of natural persons.

This is why the General Data Protection Regulation lists the “systematic monitoring of a publicly accessible area on a large scale” among the types of processing that require a data protection impact assessment [5] (DPIA).

Before implementing systematic and comprehensive video surveillance of an area accessible to the public, a controller must provide the following as part of a DPIA:

The storage duration for the video data must be commensurate with the purpose, no longer than necessary, and limited in a way that reduces the risks for the data subjects.

Oliver Schonschek
Oliver Schonschek is a physicist, analyst, and technical IT journalist for IT security and data protection.