At a time when technology, including smart cameras, allows companies to collect much more sensitive information about individuals, more stringent supervision of the protection of personal data is vital. A video recording of an identifiable person naturally forms part of an individual’s personal data. The EU General Data Protection Regulation (GDPR), which came into effect throughout the European Union in May 2018, therefore affects camera system operators.
We asked Mgr. Eva Škorničková, the creator of the Czech GDPR education, training and consulting website, GDPR.cz, what changes were introduced by the GDPR, particularly with regard to video surveillance.
As regards camera systems, under the GDPR there is no longer an obligation to notify the Office for Personal Data Protection. On the other hand, what administrative tasks were added?
The GDPR introduced some new obligations, such as keeping records of activities. Record keeping is a kind of substitute for the cancelled registration duty under the repealed Act No. 101/2000. Since operating a camera system cannot be considered occasional processing, each CCTV operator needs to take this duty into account. Just like Section 13 of the repealed Act No. 101/2000 Coll., the GDPR contains a separate section dealing with data security, which concerns the obligations of the administrator.
So, people who find themselves being filmed by a camera have a right to more accurate information about their data processing?
Exactly. According to the GDPR, the administrator should take all appropriate measures to provide the monitored persons with information in a brief, transparent, comprehensible and easily accessible manner concerning the processing of their data by the camera system, especially when it comes to data about children. This means that when I enter a shop where cameras are watching me, besides the sign with information about cameras, I have the right to know the details of the recording, and the administrator should make this information available in writing or by other means in printed or electronic form.
Another obligation under the GDPR is mandatory reporting of data leaks to the Office for Personal Data Protection. What form should it take?
The reporting of breaches of personal data to the Surveillance Authority (Article 33) is a new obligation under which the administrator must report any breach of personal data security to the competent supervisory authority under Article 55 without undue delay and, if possible, within 72 hours of becoming aware of the breach, unless it is unlikely that the breach would result in a risk to the rights and freedoms of natural persons. This duty applies to the camera system operator, so it is essential that they take full account of the secure processing of these records.
Does the GDPR make employee monitoring harder?
No, the same rules that the Office for Personal Data Protection previously defined in its opinion will apply. Employees must therefore be informed about the location of the camera system, but there is no need to ask employees for their consent, as this involves processing of personal data on the basis of the employer’s legitimate interest. The working group also issued further guidance on employee monitoring at the workplace under Article 29 in June 2017.
How the GDPR affects camera systems
What came into force with the GDPR?
- No obligation to notify the Office for Personal Data Protection of the installation of the camera system (the CS)
- Obligation of the administrator to provide more information about the method of data processing with the help of the CS
- Obligation of the administrator to keep a written record of CS operation
- Obligation of the administrator to report leaks of personal data (or a security breach) to the Office for Personal Data Protection
- Obligation to develop a Data Protection Impact Assessment (DPIA) with regard to “extensive systematic monitoring of publicly accessible premises”
- Obligation to appoint a so-called data protection officer (applies to public entities or specialists for the processing of personal data)
What stayed the same?
- If video surveillance is proportionate, consent is not required, even for employees
- CS operation and stored recordings or personal data must be adequately secured against unauthorized access
A final consideration if you offer video as a service. Consider appointing an Officer. The GDPR specifies the role of the administrator, who has the primary responsibility for the handling of personal data, and the role of the processor. The current trend in video surveillance is a model where the entire solution, including cameras and other hardware, software and data storage, is the property of the processor (outsourcing company), while the administrator only rents the service. The supplier company is likely to be a specialist in the processing of personal data, and in addition, according to the GDPR, it must appoint a so-called data protection officer, a person who acts as a consultant and mediator for all data security issues.
The questions are answered by Eva Škorničková:
Eva is a member of the Working Group for the personal data protection legislation at the Office of the Government of the Czech Republic. She studied law at the University of Ottawa in Canada and Charles University in Prague and has worked as a diplomatic consul at the Czech Embassy in Canada. For 15 years she worked as Executive and the Chief Legal Counsel of the Central European legal divisions in the multinational companies Kimberly-Clark and Mondelēz (formerly Kraft Foods). She runs the information website GDPR.cz and the expert Czech GDPR group on LinkedIn.