Blog

Back to Blogs

Proper use of CCTV systems from a GDPR perspective

08.09.2022 | Autor: Top privacy, s.r.o.
7

Security cameras are one of the most commonly used methods of protecting property, health, and people in monitored areas, or for detecting crime and vandalism. It is often the recordings from security cameras that provide law enforcement agencies with highly reliable evidence due to their authenticity and immediacy. In many cases, however, the question arises as to whether these cameras record images beyond the permitted scope or whether their location is legal at all.

Proper use of CCTV systems from a GDPR perspective

In practice, it often happens that people who decide to install security cameras are not sufficiently aware that their installation and use are subject to a specific legal framework, which undoubtedly includes the area of personal data protection.

A security camera can capture a lot of information about a person that may be considered personal data for the purposes of the GDPR. This includes, for example, the image of the person in the footage, but also information about their movements and whereabouts at a given time and in a given space. It is therefore important that certain limits are set for the use of security cameras. The basic rule is to clearly define and specify the purpose for which the security cameras were installed. We would like to point out that the purpose must be specific and as precise as possible so that it cannot be perceived as vague and indefinite, which under certain circumstances would allow situations that would otherwise be illegal to be subsumed under the given purpose. In this way, the operator ensures that the principle of purpose limitation is respected, which means that only processing operations that are compatible with the specified purpose and can be clearly classified as such will be carried out. Such a clear definition could include, for example, ensuring the protection of property or detecting crime, such as various petty thefts in supermarkets. When processing personal data, the controller must also comply with the principle of data minimization and therefore process personal data only to the extent necessary to achieve the specified purpose. The principle of minimization also applies to the storage of data itself (in this case, CCTV recordings) – the storage period for CCTV recordings should be as short as possible, most often limited to the time necessary to fulfill the purpose itself.

But what happens when CCTV recordings are used contrary to the defined purpose?

The ÚOOÚ has dealt with this issue on several occasions. Most recently, it ruled on the unauthorized use of CCTV recordings for labor law purposes. The parties to the proceedings were the applicant, an employee of a museum, on the one hand, and the museum as the employer and public institution on the other. The applicant argued that the employer had used the security camera recordings unlawfully and therefore contrary to the predefined purpose, as the camera recordings were used as supporting evidence to prove her breach of work discipline. The operator (the museum) stated that the purpose of the security cameras was to ensure the protection of the collection items. However, the evidence presented showed that the security camera recordings were indeed used as supporting evidence to prove a breach of work discipline, as the operator itself stated this in the record of the disciplinary proceedings. The ÚOOÚ therefore concluded that monitoring an employee's work duties and ensuring the protection of collection items are so different that, without the express consent of the employee or another legitimate legal basis, it cannot be considered the processing of personal data in accordance with the GDPR.

In this context, it may be pointed out that the issue of employee monitoring is not exclusively a matter of personal data protection, but is also closely related to labor law and the rights and obligations of employees and employers. The Labor Code, in Section 13(4), stipulates that an employer may not, without serious reasons related to the specific nature of the employer's activities, interfere with an employee's privacy at the workplace and in the employer's common areas by monitoring the employee without prior notice. At the same time, if the employer introduces a control mechanism, they are obliged to discuss with employee representatives the scope of the control, the manner in which it is carried out, and its duration, and to inform employees of the scope of the control, the manner in which it is carried out, and its duration. A control mechanism may only be introduced in the workplace if the employer has serious reasons for doing so, such as the protection of property or, as in the case under consideration, the protection of collection items. In this context, reference can be made to the established case law of the ECtHR, according to which an employer may not use a monitoring mechanism solely for the purpose of monitoring the work performance of employees. In the situation that arose in the case in question, it should therefore be noted that if an employer monitors its operations for the purpose of monitoring security and protecting property, it may not use these cameras to monitor the work activities of employees without an adequate legal basis. When introducing a control mechanism in the workplace, the employer must comply with the so-called criteria of lawfulness of the control mechanism, which arise from the ECtHR decision in the case of Bărbulescu v. Romania. These criteria are (i) the obligation to inform employees, (ii) the existence of legitimate reasons for monitoring, (iii) whether there was a less intrusive way of interfering with employees' privacy that would have achieved the same purpose, (iv) how the employer handled the camera recordings, and (v) whether employees had the opportunity to appeal to an impartial body. As the above criteria were not met in the case in question, the employer acted unlawfully and beyond the scope of the purpose it had set itself, the ÚOOÚ found a violation of the purpose limitation principle under Article 5(1)(b) of the GDPR and imposed a fine of EUR 700 on the employer (controller).

Lessons learned and a few final thoughts:

  • If you use a camera system, do not forget to clearly identify the purpose of personal data processing.
  • Ensure compliance with the principle of minimization of personal data storage - The European Data Protection Board's guidelines recommend a maximum period of 72 hours for the destruction of camera recordings (note: this is only a recommendation; the controller may deviate from this period in justified cases. However, if a specific retention period has been set and this is exceeded, the principle of data minimization is violated),
  • Ensure that only a clearly defined group of people has access to camera recordings, thereby preventing violations of the principles of integrity and confidentiality of personal data,
  • When implementing a control mechanism, ensure that all legislative requirements are met. The employer must first comply with all the requirements of the Labor Code, specifically Section 13(4) of the Labor Code (informing employees, discussing the introduction of the mechanism with employee representatives). This is followed by compliance with the GDPR, which includes the preparation of a comprehensive DPIA document.
  • Only use a control mechanism in the workplace if you have fulfilled all your legal obligations and there are serious reasons for its introduction in your workplace. Use these records only for the purpose specified in advance, otherwise you will be interfering with the privacy of your employees, which may ultimately lead to legal action for unlawful interference with privacy.
Top privacy, s.r.o.

Top privacy, s.r.o.

"Quality content is not created by copywriters, but by experts."