GDPR and Video Surveillance – All You Need to Know

How Video Surveillance Can Invade Privacy

There are several ways in which video surveillance can invade privacy:

Recording persons. The sole act of recording persons invades privacy. Surveillance influences human behavior by putting people under pressure to behave in certain ways. People need to have their privacy, and having a camera turned to you invades it by default.

Secondary use of personal data. Video recordings could be used for unexpected purposes. The data controller may install cameras for security purposes, but they may use them for employee performance monitoring and marketing.

Turning cameras into intelligent tools. Nowadays, it is not difficult to exploit the captured images and turn traditional cameras into intelligent cameras. The video-generated of data, combined with these tools and techniques, increases the risks of secondary use and other types of abuse.

These are some obvious risks, and it is reasonable to expect that data privacy laws would aim to prevent misuse. That’s where GDPR comes into the picture.

Does the GDPR Apply to Video Surveillance

GDPR applies to the processing of personal data. It does not discriminate on the actual activity of processing. Therefore it applies to video surveillance activities involving personal data processing.

There are two important tests to consider when determining whether GDPR applies:

1. Does the Video Recording Identifies a Person

If the video recording can identify a person, GDPR applies. If the video recording cannot place a person, it does not apply to the recording.

This means that fake cameras or recordings from high altitudes or far are excluded from the GDPR application.

Fake cameras do not record anything, while recordings made from far where persons can barely be seen certainly do not identify a person.

However, if you record persons from high or form far, you need to estimate whether you are high or far enough to avoid making a recording that identifies persons.

GDPR does not apply when the camera does not collect personal data. For example, a camera installed on a car for parking assistance adjusted to strictly assist parking and not collect data does not fall under the scope of the GDPR.

2. Does the Video Recording Falls Under the Scope of Household Exemption

Article 2(2)(c) explicitly exempts from the GDPR the data processing “by a natural person in the course of a purely personal or household activity”.

Does this mean that every recording made at home is exempt from the GDPR? It depends.

In two separate cases, the Court of Justice of the European Union explains:

• That the household exemption must “be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people” (Bodil Lingqvist case), and
• Regarding the video recordings that “even partially, a public space and is accordingly directed outwards from the private setting of the person processing the data in that manner, it cannot be regarded as an activity which is a purely ‘personal or household’ activity” (František Ryneš v Úřad pro ochranu osobních údajů).

What does this mean?

It means that household exemption applies to:

• Video recordings home that were intended only for private use, and
• Video recordings that contain records from the home only and nothing else.

Does this mean that video recordings from home for security reasons are exempt from the GDPR? It likely does fall under the household exemption, but not in all circumstances.

How to Process Videos Lawfully

To process data, you need a lawful basis. Therefore, to implement any video surveillance practices aligned with the GDPR, you need a legal basis to do so.

There are three bases on which you could rely for video data processing:

• Legitimate interest
• Public interest
• Consent

Legitimate Interests in processing

You can rely on legitimate interests in data processing if:

• You have an actual legitimate interest. Legitimate interests exist if a real issue is present. The case must not be speculative. If you want to install surveillance cameras in front of your home, there must be a real risk of assaults and burglary. If such crimes have never happened before to you or in the neighborhood, then an attack may be unlikely, and maybe your legitimate interest does not exist just yet.
  For example, if you want to install cameras surveilling the doors of your store, you need to have a reasonable basis to believe that someone may intrude. In such a case, you’ll need to show that other burglaries, assaults, or other similar crimes have occurred around the store in the past (it doesn’t have to have happened to you). General crime rates are not enough. It has to give you a reason to believe that your store may be attacked.
• The processing is necessary to fulfill your interest. Before installing the cameras, ensure that you cannot fulfill your interest without using the videos. In the case of video recording due to security reasons, EDPB suggests using other measures first, such as fencing the premises, better lighting, hiring gatekeepers or security personnel, securing better doors and windows, and so on. These measures, unlike video surveillance, do not collect and process personal data and are not affected by the GDPR or other privacy laws in any way.
  Also, you need to ensure that you record video only where necessary.
  As a general rule, the necessity of processing ends at the borders of your property. However, some situations may require surveilling just outside of your premises. If your store is next to the sidewalk, it is inevitable that your cameras will record a bit outside the premises. In such cases, you can pixelate parts of the video.
• Your interests override the interests of data subjects. When relying on legitimate interests for data processing, the controller must ensure that their own interest overrides the interests of the data subject. This means that your interest in safety shall be more important than someone else’s right to privacy.
  For example, a supermarket company installs cameras on their parking lot to keep an eye on customers’ cars. They record data subjects who leave their cars in the parking lot. It is the company’s interest to keep cars safe. It is in customers’ interest to have their car safe as well. Therefore, the supermarket company has a legitimate interest in installing cameras for videos surveillance.
  A pub in a neighborhood with low crime rates can install cameras inside to ensure evidence in the case of violence inside the pub. Still, if the cameras face toward the glass door, which also shows the faces of passengers, that does not override the interests of passengers. Therefore, such video surveillance would be unlawful.
  As a general rule, you need to take data subjects’ expectations in any given situation. They would expect to be recorded while on business premises, but not while they are in the toilet or a public space, such as a square.

Public Interest

Only public institutions can rely on the public interest as a legal basis for data processing in the case of video surveillance.

EU member states are free to pass their legislation related to video surveillance in line with GDPR principles. Still, the GDPR itself does not contain any specific provisions related to this issue.

Consent

It would be great to obtain consent for video monitoring, but in most cases, that is hardly possible. If the video surveillance system monitors many people at once, which is often the case, obtaining lawful consent according to the GDPR becomes an impossible mission.

You are free to obtain lawful consent from data subjects for video monitoring, though. The law allows you to rely on consent. However, you have to consider the strict GDPR requirements for obtaining consent and request it the right way. Otherwise, the consent is invalid and means nothing.

Do You Process Special Categories of Personal Data?

Some video surveillance systems collect and process special categories of personal data. A video may reveal someone’s political and philosophical views, religion, relationship status, sexual orientation, health issues data, etc. Some systems may even process biometric data.

That is why you need to be very careful when installing a video monitoring system that does not fall under the household exemption. You may unknowingly process a vast amount of sensitive personal data.

It is always a good idea to implement the data minimization principle, which means processing the minimum amount of data. In practice, this may mean avoiding video monitoring altogether.

Do You Need to Tell People About the Video Monitoring?

Yes, you must inform persons that you monitor certain areas with video devices.

GDPR explicitly requires transparency by data controllers and processors and that applies to video surveillance as well.

EDPB guidelines propose two layers of information be provided to the data subject:

• The first layer consists of a warning sign. The sign has to:
  • Be easily visible and readable
  • Positioned at a reasonable distance from the monitored spaces (no need to specify the exact location of the devices)
    Clarify what areas are under the monitoring
  • Ensure that the data subject is able to determine what area is monitored to make it easy for them to avoid such areas
  • Contain information about why you monitor the space, information on the impact of processing, your identity, the rights of the data subject, and other information that could potentially surprise the data subject (such as third parties with whom the video will be shared)
• The second layer of information has to be provided somewhere else where it is easily accessible. The second layer of information contains much more details about the processing. It is a document similar to a privacy policy, where the data subject could get comprehensive information about the video surveillance.
  This document has to be available somewhere on the premises of the monitored object or close to it, such as reception, cashier, etc.

To get an idea of what you need to do in the case you conduct video monitoring, here is an example: the store owner that monitors the entrance due to safety reasons needs to provide customers with the following two layers of information:

• A warning sign with some essential information on it
• An information sheet about the monitoring is available at the cashier for the customers to read upon request.

Can You Show Video Recordings to Other People?

As a general rule, yes, you can show the recording to other people as long as it does not violate the GDPR.

The GDPR will be violated if you show the recordings to anyone without the consent of the data subject.

This means that if you collect data for security reasons, such as data collected through video monitoring, you can show it to other people only if the persons recorded on the video consent to that. In all other cases, only the people responsible for ensuring security shall have access to the video.

In the same manner, if you upload on the internet a video that has been under the household exemption, GDPR begins to apply to that video, and you need to comply.

A video is under the household exemption as long as it has been recorded for household purposes and kept private.

From the moment you upload it to the internet and make it available for an indefinite number of people, it is not considered to be recorded for household purposes anymore.

From that moment on, GDPR applies to such video, and you need a legal basis for the processing, i.e., the uploading. In almost all possible scenarios, you’ll need to obtain consent from the people in the video.

There is one exception, though. When you need to comply with a legal obligation, you may need to disclose the videos to law enforcement authorities.

This may include the obligation to show recordings to investigation authorities or to court.

For How Long Can You Keep the Videos?

In general, GDPR requires data controllers to erase personal data as soon as it is not necessary anymore. The same applies to video recordings.

So, if you are a store owner monitoring the entrance and you had a peaceful day, you may need to delete the recordings right away. If you have been a victim of an assault, then you can keep the video to show it to the police.

What Rights Do Monitored Persons Have?

Monitored persons are data subjects. They have subject data rights. If they choose to exercise their data subject rights, the controller has to respond.

Data subjects have all the rights granted by the GDPR. However, regarding video surveillance, the right to access, erasure, and object requires special attention.

If you have been monitored by video devices, submitting a data subject request is the way to protect yourself.

If you have installed video surveillance devices, this section will clarify how your data subjects can protect themselves against your practices.

Right to access

The right to access grants the user has the right to obtain information on whether their data has been processed and to access such data. Responding to such requests is not a straightforward task, however.

There are two situations where the controller may not be able to respond:

• When providing access to the video footage may put other data subjects at risk. The other data subjects have to be identifiable from the video. The controller has to try to fulfill the request by editing the video, but if that is not possible, they can refuse the request.
• When the data subject cannot be identified. For example, when the person that submitted the request cannot be easily found on the footage because the footage lasts for 17 hours and thousands of people have been recorded. Identifying the requester may be like looking for a needle in a haystack.

Also, the controller may refuse the requests or charge a reasonable fee if the requests are excessive.

Right to object

Where the video surveillance is being conducted on the grounds of legitimate interests or public interests, the data subject can object to the processing.

If the data subject objects, the controller must show that they have valid grounds for the surveillance.

You can object prior to entering the monitored area, during your time there, or after leaving. Being present in a monitored area does not mean that you consent to the surveillance. You can object at any time.

Right to Erasure (Right to Be Forgotten)

If you want to have your personal data erased forever from the controller’s database, you need to submit a request for erasure.

If your data subject submits such a request to you, you need to delete their data as soon as possible unless you need the footage to comply with a legal obligation.

You also need to delete the videos where:

• The data subject has objected to the processing, and you failed to prove your legitimate interests, and
• The data subject has withdrawn the consent.

Summary: How to Conduct Video Surveillance Properly?

We will take into regard two possible situations: one where you install security cameras on your commercial premises and one where you take private videos.

1. Installing security cameras on commercial premises. Ensure to:

• Determine your purpose of processing
• Determine your legal basis for processing
• Monitor only your premises and nothing else unless it is not possible to fulfill the purpose
• Put a warning sign
• Have an information sheet on the premises

2. Take private videos. Ensure to:

• Meet the requirements for household exemption
• Not share them publicly if there are other persons on the video without asking them to consent first
• If you publish the video anyway, take it down as soon as a person who is on the video objects to that

The lawfulness of the video surveillance is to be determined on a case-by-case basis.

It is a slippery slope, but as long as you stick to your legal basis and minimize the data processing and storage, you are close to meeting the requirements of lawful data processing by video devices.