Security cameras are one of the most commonly used methods for protecting property and the health and safety of people in monitored areas, as well as for detecting crime and vandalism. Footage from security cameras often serves as highly compelling evidence for law enforcement agencies, precisely because of its authenticity and immediacy. In many cases, however, the question arises as to whether these cameras are recording footage beyond the permitted scope, or whether their placement is even legal.
In practice, it often happens that people who decide to install security cameras are not sufficiently aware that their installation and use are subject to a specific legal framework, which undoubtedly includes the area of personal data protection.
A security camera can capture a great deal of information about a person that may be considered personal data for the purposes of the GDPR. This includes, for example, the image of the person captured in the footage, as well as information about their movements and whereabouts at a given time and in a given space. It is therefore important that certain boundaries be established for the use of security cameras as well. The basic rule is to clearly define the purpose for which the security cameras were installed. We note that the definition of the purpose must be specific and as precise as possible so that it cannot be perceived as vague or indefinite, which under certain circumstances could allow situations that would otherwise be illegal to be subsumed under that purpose. In this way, the controller ensures that the principle of purpose limitation is observed, meaning that only those processing operations that are in accordance with the defined purpose and that can be definitively classified under it will be carried out. Such a clear definition may include, for example, ensuring the protection of property or the detection of crime, such as in cases of various petty thefts in supermarkets. When processing personal data, the controller must also consider compliance with the principle of data minimization and thus process personal data only to the extent necessary to achieve the defined purpose. The principle of data minimization also applies to the storage of data itself (in this case, CCTV recordings)—the retention period for CCTV recordings should be as short as possible, most often limited to the time necessary to fulfill the specific purpose.
But what happens when CCTV recordings are used contrary to the defined purpose?
The Office for Personal Data Protection (ÚOOÚ) has addressed this issue on several occasions. Most recently, it ruled on the unauthorized use of CCTV recordings for labor law purposes. The parties to the proceedings were the petitioner—a museum employee—on one side, and the museum as the employer and a public institution on the other. In the proceedings, the petitioner objected that the employer had used security camera footage unlawfully and thus contrary to the predefined purpose, since it was precisely the camera footage that was used as supporting evidence to prove her breach of work discipline. The controller (the museum) stated that the purpose of the security cameras is to ensure the protection of the collection items. However, the evidence presented revealed that the security camera recordings were in fact used as supporting evidence to prove a breach of work discipline, as the controller itself noted this fact in the record of the hearing regarding the breach of work discipline. The ÚOOÚ therefore concluded that monitoring the employee’s work duties and ensuring the protection of collection items are so distinct that, without the employee’s explicit consent or another legitimate legal basis, one cannot speak of the processing of personal data in accordance with the GDPR.
In this context, it is worth noting that the issue of employee monitoring is not exclusively a matter of personal data protection but is also closely linked to labor law regulations and the rights and obligations of employees and employers. Section 13(4) of the Labor Code stipulates that an employer may not, without serious reasons based on the specific nature of the employer’s activities, infringe upon an employee’s privacy in the workplace and in the employer’s common areas by monitoring the employee without prior notice. At the same time, if an employer implements a monitoring mechanism, they are required to discuss with employee representatives the scope of the monitoring, the method of its implementation, and its duration, and to inform employees of the scope of the monitoring, the method of its implementation, and its duration. A monitoring mechanism may be introduced in the workplace only if the employer has serious grounds for doing so, such as the protection of property, or, as in the case at hand, the protection of collection items. In this context, reference may be made to the established case law of the ECtHR, according to which an employer may not use a monitoring mechanism solely for the purpose of monitoring employees’ work performance. In a situation such as the one described here, it is therefore necessary to note that if an employer monitors its premises for the purpose of ensuring safety and protecting property, it may not use these cameras to monitor employees’ work-related activities without an adequate legal basis. If a monitoring mechanism is implemented in the workplace, the employer must meet the so-called criteria for the lawfulness of the monitoring mechanism, which stem from the ECtHR decision in the case of Bărbulescu v. Romania.
These criteria are (i) a duty to inform employees, (ii) the existence of legitimate grounds for monitoring, (iii) whether there was a less intrusive means of interfering with employees’ privacy that would have achieved the same purpose, (iv) how the employer handled the camera recordings, and (v) whether employees had the opportunity to appeal to an impartial body. Since the aforementioned criteria were not met in the case under review, the employer acted unlawfully and beyond the scope of the purpose it had set for itself; the ÚOOÚ found a violation of the principle of purpose limitation under Article 5(1)(b) of the GDPR and imposed a fine of EUR 700 on the employer (controller).
A lesson and a few insights to conclude:
- If you use a camera system, do not forget to clearly identify the purpose of processing personal data,
- Ensure compliance with the principle of data minimization—the European Data Protection Board’s guidelines recommend a maximum 72-hour retention period for CCTV recordings (note: this is only a recommendation; the controller may deviate from this period in justified cases. However, if a specific retention period is clearly established and it is exceeded, this constitutes a violation of the principle of data minimization),
- Ensure that only a clearly defined group of individuals has access to the CCTV recordings, thereby preventing a violation of the principles of integrity and confidentiality of personal data,
- When implementing a monitoring mechanism, ensure compliance with all legislative requirements. The employer must first and foremost meet all the requirements set forth in the Labor Code, specifically Section 13(4) of the Labor Code (informing the employee, discussing the implementation of the mechanism with employee representatives). Next comes compliance with the GDPR, which includes the preparation of a comprehensive DPIA document,
- Only use a monitoring mechanism in the workplace if you have fulfilled all legally required obligations and there are serious grounds for its implementation at your workplace. Use these records only for a predetermined purpose; otherwise, you are infringing on your employees’ privacy, which could ultimately lead to a lawsuit for unauthorized invasion of privacy.