EDPB Issues Guidance on Video Under GDPR

The European Data Protection Board (EDPB) has approved guidance on how to apply the General Data Protection Regulation (GDPR) to the processing of personal data through video devices. The examples are not exhaustive but are provided to offer general reasoning that can be applied across the processing of personal data from video.

GDPR does not apply where an individual cannot be directly or indirectly identified. However, where video surveillance is being carried out and an individual can be recognized, a number of articles come into play including Article 35(3)(c) requiring data protection impact assessments (DPIAs) for systematic monitoring of a public area on a large scale, and Article 37(1)(b) which requires a data protection officer (DPO) for regular and systematic monitoring of data subjects.

Although normally video which is used in the the course of the private or family life of individuals would fall within the household exemption to render GDPR inapplicable, if it is filmed in a public space and published on the internet to be viewed by an indefinite number of people it is no longer within the scope of the household exemption. Even if the filming occurs within a private person’s premises, there are a number of factors to assess whether the GDPR applies or not, including the relationship with the data subject, whether the scale and frequency of surveillance suggests professional activity, and the potential adverse impact on the data subject.

Lawful Basis for Processing

The lawful basis for processing video surveillance can be justified by any of the Article 6 grounds, however, the EDPB suggested that the most likely to be used are legitimate interest and public interest. Any processing must be accompanied by sufficient notice and transparency, including informing data subjects under Article 13 and documenting the purposes of processing in writing under Article 5(2).

A legitimate interest in video surveillance is justified by protecting property against burglary, theft or vandalism. However, a fictional or speculative threat is insufficient; there must be a real life situation such as damages or serious incidents in the past in order to document strong evidence of a legitimate interest. Other instances of “imminent danger situations” may also create a legitimate interest, such as shops selling jewelry and business known to be subject to crime such as gas stations.

Before installing video surveillance, an organization must consider whether the purpose of processing could be reasonably fulfilled by a less intrusive means. Security personnel, better lighting, tamper-proof windows, security locks and gatekeepers were all suggested as less intrusive options. Organizations must also critically examine whether it is suitable to obtain the desired goal. The controller needs to consider whether more limited data collection, such as only operating the cameras at night, could also meet the goal. The EDPB also questioned whether the surveillance systems need to record the surrounding public areas in addition to the property to be protected.

The data minimization principle should also be considered in the context of whether material should only be considered if there is an incident (and deleted after a specified time) or whether there should be real-time monitoring.

In balancing the interests of data subjects, EDPB suggests that theoretical risks (such as a dash cam engaged in constant recording to collect evidence if there is an accident) cannot be justified against the serious intrusions into data subject rights (such as by also recording people near the road).

As far as consent, while the EDPB acknowledges that it is is a theoretical option, it also explains that consent can only be the lawful basis for systematic monitoring in exceptional cases. It believes proving the subject has given consent and monitoring withdrawal of consent will both be difficult.

EDPB also noted the importance of additional scrutiny on processing of special categories of data, such as biometric data.

Data Subject Access Rights

A number of interesting challenges are raised with regard to these rights. For example, the guidance raised the question of whether identifying video should be handed over in response to a right to access request if other individuals can also be identified. Technical measures such as masking may need to be implemented. Additionally, if the controller would have to search through a large amount of stored material to find the product, it may not be possible to identify the data subject. For deletion requests of video surveillance, the guidance indicates blurring the picture with no ability to retroactively recover it would be considered erased under GDPR.

Transparency

EDPB suggests a two layered approach by which there is a warning sign at eye level a reasonable distance from the place monitored, which refers to a second layer providing additional mandatory details. It must be possible to access the second layer disclosure without entering the area of surveillance.

Retention

The recommended retention period for video surveillance to protect property is that erasure occur with an few days. The longer the period over 72 hours, the more the necessity of storage must be established due to the principles of data minimization and storage limitation.