Nowadays, data protection requirements have become fundamental requirements on which the right to privacy depends. The General Data Protection Regulation, as the regulatory framework of the European Union, has greatly changed the way personal data is collected and processed. The most important part of the regulation is the process of data collection and processing, which should be recorded in such a way that it is known who collects and processes data, for what purpose and on what basis.
An interesting issue related to the protection of personal data is certainly the question of how to use the video surveillance system. The GDPR classifies video data as a group of sensitive data, which means that they require special protection measures.
What does the GDPR allow organizations in terms of video surveillance?
In the case of using video surveillance, it is important to analyze the justification of its use as a means of protection. The legal basis for video surveillance is generally the legitimate interest of the company (eg protection of property), and with the help of this recording it is possible to establish the identity of a person and therefore marked as personal data of a particularly sensitive nature. Accordingly, any organization whose premises are under video surveillance should take measures to secure processing.
Prior to the video surveillance itself, it is necessary to conduct a data protection impact assessment and list the list of all processing activities that are intended to be performed, as well as the reasons for which the video surveillance is carried out. A monitoring system should only be set up if the assessment shows that in this case there are potential benefits that outweigh the risks to individuals. Thus, there is no doubt that the video surveillance footage contains personal data that needs to be protected according to the principles of the GDPR regulation.
The role of data processing manager
The duty of the video surveillance organizationis to inform the persons who are in the monitored area. The sign should be clearly visible, and it is desirable that information on video surveillance be provided before entering such a space.
The notification must include the following:
- A sign that the space is under video surveillance
- Data about processing manager
- Contact information for possible realization of rights
GDPR regulation prescribes that it is necessary to keep evidence of persons who have access to recordings. The processing manager and the processing executor are obliged to establish an automated system of records for recording access to video surveillance recordings, which will contain the time and place of access, as well as the identification of persons who accessed data collected through video surveillance.
The law defines the period within which the recordings should be kept, after which they should be destroyed. Recordings obtained through video surveillance may be kept for a maximum of six months, unless another law prescribes a longer retention period or if the evidence is in court, administrative, arbitration or other equivalent proceeding.
When is it necessary to seek the consent of AZOP?
In some cases, users who intend to use the video surveillance system need to seek the consent of AZOP, the national data protection agency. The following are examples of such cases:
- Connecting a video surveillance system with biometric data or a database of individuals
- Face recognition or other biometric recognition
- Low sensitivity infrared cameras
- Dynamic-preventive monitoring (eg through applications for recognizing a person’s behavior)
- Special cameras with digital zoom capabilities
Precisely because of the problem of abuse of video surveillance, its use is legally prescribed. In Croatia, there are three laws related to the use of video surveillance: Personal Data Protection Act, Labor Act and the Occupational Safety and Health Act.
Therefore, it is important to keep in mind that the GDPR regulation prescribes a careful and detailed analysis of potential risks and benefits on the basis of which it is possible to assess the impact on personal data protection. Organizations that decide to install video surveillance should take care of procedures that will reduce the risk of data loss or loss.