Video surveillance for safety reasons has been a regular practice since a long time ago. However, nowadays, it does not affect only safety but people’s privacy as well.
In general, people are okay with being at places under video surveillance. It makes them feel safe because someone is watching over them.
Video surveillance is not inherently wrong. It may be conducted for noble purposes of safety and protection. But, it can be abused as well.
Should you be comfortable while someone is watching over you? Yes, if you value safety. No, if you value privacy.
Video recordings may easily collect and process personal data and invade privacy.
There are several ways in which video surveillance can invade privacy:
Recording persons. The sole act of recording persons invades privacy. Surveillance influences human behavior by putting people under pressure to behave in certain ways. People need to have their privacy, and having a camera turned to you invades it by default.
Secondary use of personal data. Video recordings could be used for unexpected purposes. The data controller may install cameras for security purposes, but they may use them for employee performance monitoring and marketing.
Turning cameras into intelligent tools. Nowadays, it is not difficult to exploit the captured images and turn traditional cameras into intelligent cameras. The video-generated of data, combined with these tools and techniques, increases the risks of secondary use and other types of abuse.
These are some obvious risks, and it is reasonable to expect that data privacy laws would aim to prevent misuse. That’s where GDPR comes into the picture.
GDPR applies to the processing of personal data. It does not discriminate on the actual activity of processing. Therefore it applies to video surveillance activities involving personal data processing.
There are two important tests to consider when determining whether GDPR applies:
If the video recording can identify a person, GDPR applies. If the video recording cannot place a person, it does not apply to the recording.
This means that fake cameras or recordings from high altitudes or far are excluded from the GDPR application.
Fake cameras do not record anything, while recordings made from far where persons can barely be seen certainly do not identify a person.
However, if you record persons from high or form far, you need to estimate whether you are high or far enough to avoid making a recording that identifies persons.
GDPR does not apply when the camera does not collect personal data. For example, a camera installed on a car for parking assistance adjusted to strictly assist parking and not collect data does not fall under the scope of the GDPR.
Article 2(2)(c) explicitly exempts from the GDPR the data processing “by a natural person in the course of a purely personal or household activity”.
Does this mean that every recording made at home is exempt from the GDPR? It depends.
In two separate cases, the Court of Justice of the European Union explains:
What does this mean?
It means that household exemption applies to:
Does this mean that video recordings from home for security reasons are exempt from the GDPR? It likely does fall under the household exemption, but not in all circumstances.
To process data, you need a lawful basis. Therefore, to implement any video surveillance practices aligned with the GDPR, you need a legal basis to do so.
There are three bases on which you could rely for video data processing:
You can rely on legitimate interests in data processing if:
Only public institutions can rely on the public interest as a legal basis for data processing in the case of video surveillance.
EU member states are free to pass their legislation related to video surveillance in line with GDPR principles. Still, the GDPR itself does not contain any specific provisions related to this issue.
It would be great to obtain consent for video monitoring, but in most cases, that is hardly possible. If the video surveillance system monitors many people at once, which is often the case, obtaining lawful consent according to the GDPR becomes an impossible mission.
You are free to obtain lawful consent from data subjects for video monitoring, though. The law allows you to rely on consent. However, you have to consider the strict GDPR requirements for obtaining consent and request it the right way. Otherwise, the consent is invalid and means nothing.
Some video surveillance systems collect and process special categories of personal data. A video may reveal someone’s political and philosophical views, religion, relationship status, sexual orientation, health issues data, etc. Some systems may even process biometric data.
That is why you need to be very careful when installing a video monitoring system that does not fall under the household exemption. You may unknowingly process a vast amount of sensitive personal data.
It is always a good idea to implement the data minimization principle, which means processing the minimum amount of data. In practice, this may mean avoiding video monitoring altogether.
Yes, you must inform persons that you monitor certain areas with video devices.
GDPR explicitly requires transparency by data controllers and processors and that applies to video surveillance as well.
EDPB guidelines propose two layers of information be provided to the data subject:
To get an idea of what you need to do in the case you conduct video monitoring, here is an example: the store owner that monitors the entrance due to safety reasons needs to provide customers with the following two layers of information:
As a general rule, yes, you can show the recording to other people as long as it does not violate the GDPR.
The GDPR will be violated if you show the recordings to anyone without the consent of the data subject.
This means that if you collect data for security reasons, such as data collected through video monitoring, you can show it to other people only if the persons recorded on the video consent to that. In all other cases, only the people responsible for ensuring security shall have access to the video.
In the same manner, if you upload on the internet a video that has been under the household exemption, GDPR begins to apply to that video, and you need to comply.
A video is under the household exemption as long as it has been recorded for household purposes and kept private.
From the moment you upload it to the internet and make it available for an indefinite number of people, it is not considered to be recorded for household purposes anymore.
From that moment on, GDPR applies to such video, and you need a legal basis for the processing, i.e., the uploading. In almost all possible scenarios, you’ll need to obtain consent from the people in the video.
There is one exception, though. When you need to comply with a legal obligation, you may need to disclose the videos to law enforcement authorities.
This may include the obligation to show recordings to investigation authorities or to court.
In general, GDPR requires data controllers to erase personal data as soon as it is not necessary anymore. The same applies to video recordings.
So, if you are a store owner monitoring the entrance and you had a peaceful day, you may need to delete the recordings right away. If you have been a victim of an assault, then you can keep the video to show it to the police.
Monitored persons are data subjects. They have subject data rights. If they choose to exercise their data subject rights, the controller has to respond.
Data subjects have all the rights granted by the GDPR. However, regarding video surveillance, the right to access, erasure, and object requires special attention.
If you have been monitored by video devices, submitting a data subject request is the way to protect yourself.
If you have installed video surveillance devices, this section will clarify how your data subjects can protect themselves against your practices.
The right to access grants the user has the right to obtain information on whether their data has been processed and to access such data. Responding to such requests is not a straightforward task, however.
There are two situations where the controller may not be able to respond:
Also, the controller may refuse the requests or charge a reasonable fee if the requests are excessive.
Where the video surveillance is being conducted on the grounds of legitimate interests or public interests, the data subject can object to the processing.
If the data subject objects, the controller must show that they have valid grounds for the surveillance.
You can object prior to entering the monitored area, during your time there, or after leaving. Being present in a monitored area does not mean that you consent to the surveillance. You can object at any time.
If you want to have your personal data erased forever from the controller’s database, you need to submit a request for erasure.
If your data subject submits such a request to you, you need to delete their data as soon as possible unless you need the footage to comply with a legal obligation.
You also need to delete the videos where:
We will take into regard two possible situations: one where you install security cameras on your commercial premises and one where you take private videos.
1. Installing security cameras on commercial premises. Ensure to:
2. Take private videos. Ensure to:
The lawfulness of the video surveillance is to be determined on a case-by-case basis.
It is a slippery slope, but as long as you stick to your legal basis and minimize the data processing and storage, you are close to meeting the requirements of lawful data processing by video devices.