On 10 July 2019, the European Data Protection Board or “EDPB”, the advisory body in which all national supervisory authorities are represented, adopted its provisional guidelines on the processing of personal data through video devices.
The guidelines are open for comments and suggestions until 9 September 2019. The final version will then be adopted.
The guidelines contain guidance on how the General Data Protection Regulation (GDPR) should be applied to the processing of personal data from video cameras (both traditional and smart cameras). The following topics are covered, among others:
- the applicability of the GDPR;
- the possible legal grounds;
- the transmission of camera images to third parties;
- the processing of sensitive personal data;
- the rights of the data subjects;
- the obligation of transparency and information;
- the retention periods;
- the technical and organisational security measures;
- the data protection impact assessment.
The guidelines contain many useful recommendations. The EDPB, for example, states that:
- the legal ground of “legitimate interests” can only be invoked if:
- there is a present interest given the concrete circumstances (e.g. serious incidents in the past, presence of valuable goods, etc.);
- camera surveillance is necessary and there are no alternative less intrusive measures (e.g. fences, security guards etc.);
- it is not overridden by the rights and freedoms of the data subject. This balancing of interests must be done carefully in the case of employees, who, according to the EDPB, most likely do not expect to be monitored in the workplace.
- an additional separate legal ground must be invoked if camera surveillance also involves the processing of sensitive personal data. The EDPB elaborates on biometric authentication systems and states that:
- these systems in most cases will require consent;
- such consent is only freely given (and therefore valid) if an alternative solution is offered.
- regarding the right to receive a copy:
- the protection of the rights of other data subjects must be guaranteed by technical measures (e.g. image-editing). However, this should not be used as an excuse to refuse the request;
- the data subject should in his request specify when within a reasonable timeframe he entered the monitored area.
- the information can be provided by the controller in two layers (namely, through a warning sign and a more complete information sheet such as a privacy notice that must be accessible to employees for consultation before they enter the monitored area).
Please note that it is not sufficient, according to the EDPB, to make such a notification available only in digital form. It should also be available in a non-digital format at a central, easily accessible location.
- Camera surveillance will require in most cases a data protection impact assessment (“DPIA”). This is a sort of “risk analysis” of the processing of personal data.
In Belgium, besides the GDPR and the EDPB guidelines (which have an important value), specific camera legislation such as CLA no. 68 and the Camera Act of 21 March 2007 must of course also be taken into account. For the recent modifications to this legislation, please see our newsflash of 16 August 2018.
Non-compliance with the legislative framework on camera surveillance, including data protection legislation, may give rise to sanctions and affect the validity of the obtained proof.
In a recent judgment of 2 April 2019 (Dutch - French), the Belgian Data Protection Authority (DPA) has already imposed a definitive ban on the processing of camera images and an order to remove all previous images. This concerned a case in which the installation of a camera in the communal kitchen of a building with student rooms – notwithstanding the correct declaration of this – was considered disproportionate by the DPA.
Make sure your camera surveillance system is compliant with the data protection legislation, as outlined in the EDPB guidelines, and the (recently amended) camera legislation.