Video surveillance and the GDPR. What will change?

Guest authors

At a time when technology, including smart cameras, allows companies to collect much more sensitive information about individuals, more stringent supervision of the protection of personal data is certainly needed. A video recording of an identifiable person naturally forms part of an individual’s personal data. The General Data Protection Regulation (GDPR), which will apply throughout the European Union from May 2018, will therefore affect camera system operators.

We asked Mgr. Eva Škorničková, the creator of the Czech GDPR education, training and consulting website, GDPR.cz, what changes will be introduced by the GDPR, particularly with regard to video surveillance.

How prepared are Czech companies for GDPR?

Unfortunately, not very. Despite an intensive media and educational campaign on the GDPR in the first half of this year, many companies have not progressed much further. In addition, a variety of companies have started to proliferate, offering “miraculous” GDPR technologies or services to quickly solve it. Here, I appeal to the public not to be subject to these practices, as GDPR compliance is a long-term project involving the redeployment of internal processes and information systems, which may take several months to years for various entities. Unfortunately, most companies have consistently failed to comply with the current law on personal data protection and will therefore have much more to do with GDPR rules.

As regards camera systems, with the advent of the GDPR there is no longer an obligation to notify the Office for Personal Data Protection. On the other hand, what administrative tasks have been added?

The GDPR introduces some new obligations, such as keeping records of activities. Record keeping is a kind of substitute for the cancelled registration duty under the current Act No. 101/2000. Since operating a camera system cannot be considered occasional processing, each CCTV operator should prepare for this new duty in time. Just like today’s Section 13 of Act No. 101/2000 Coll., the GDPR contains a separate section dealing with data security, which concerns the obligations of the administrator.

So, people who find themselves being filmed by a camera have a new right to more accurate information about their data processing?

Exactly. According to the GDPR, the administrator should take all appropriate measures to provide the monitored persons with information in a brief, transparent, comprehensible and easily accessible manner concerning the processing of their data by the camera system, especially when it comes to data about children. This means that when I enter a shop where cameras are watching me, besides the sign with information about cameras, I have the right to know the details of the recording, and the administrator should make this information available in writing or by other means in printed or electronic form.

Another new obligation under the GDPR is mandatory reporting of data leaks to the Office for Personal Data Protection. What form should it take?

The reporting of breaches of personal data to the Surveillance Authority (Article 33) is a new obligation under which the administrator must report any breach of personal data security to the competent supervisory authority under Article 55 without undue delay and, if possible, within 72 hours of becoming aware of the breach, unless it is unlikely that the breach would result in a risk to the rights and freedoms of natural persons. This new duty will definitely apply to the camera system operator, so it is essential that they take full account of the secure processing of these records.

Does the GDPR make employee monitoring harder?

No, the same rules that the Office for Personal Data Protection already defines in its opinion will apply. Employees must therefore be informed about the location of the camera system, but there is no need to ask employees for their consent, as this involves processing of personal data on the basis of the employer’s legitimate interest. The working group also issued further guidance on employee monitoring at the workplace under Article 29 in June 2017.

How the GDPR affects camera systems

What’s new?
  • No obligation to notify the Office for Personal Data Protection of the installation of the camera system (the CS)
  • Obligation of the administrator to provide more information about the method of data processing with the help of the CS
  • Obligation of the administrator to keep a written record of CS operation
  • Obligation of the administrator to report leaks of personal data (or security breach) to the Office for Personal Data Protection
  • Obligation to develop a Data Protection Impact Assessment (DPIA) with regard to “extensive systematic monitoring of publicly accessible premises”
  • Obligation to appoint a so-called data protection officer (applies to public entities or specialists for the processing of personal data)

What stays the same?
  • If video surveillance is proportionate, consent is not required, even for employees
  • CS operation and stored recordings or personal data must be adequately secured against unauthorized access

A final consideration if you offer video as a service. Consider appointing an Officer. The GDPR specifies the role of the administrator, who has the primary responsibility for the handling of personal data, and the role of the processor. The current trend in video surveillance is a model where the entire solution, including cameras and other hardware, software and data storage, is the property of the processor (outsourcing company), while the administrator only rents the service. The supplier company is likely to be a specialist in the processing of personal data, and in addition, according to the GDPR, it must appoint a so-called data protection officer, a person who acts as a consultant and mediator for all data security issues.

The questions are answered by: Eva Skornickova

Eva is a member of the Working Group for the personal data protection legislation at the Office of the Government of the Czech Republic. She studied law at the University of Ottawa in Canada and Charles University in Prague and has worked as a diplomatic consul at the Czech Embassy in Canada. For 15 years she worked as Executive and the Chief Legal Counsel of the Central European legal divisions in the multinational companies Kimberly-Clark and Mondelēz (formerly Kraft Foods). She runs the information website GDPR.cz and the expert Czech GDPR group on LinkedIn.

More on www.skornickova.eu/english
