Who has not seen a video device at the reception of a building or even inside a supermarket? Who has not seen a video surveillance sign for security purposes? But do we know where the limits are? Last July, the European Data Protection Board (the “EDPB”) published Guidelines, subject to a public consultation, on the processing of personal data through video devices (the “Guidelines”). The aim of the document was to provide guidance on how to apply the General Data Protection Regulation(the “GDPR”) when data is processed for video device uses. Last week, the EDPB adopted the final version of the Guidelines and, although there are no major changes, these are the main takeaways:

1. Scope of Application 

GDPR will apply when the processing of data refers to an individual who can be identified, directly or indirectly and when the processing is not carried out by EU competent authorities for the purposes of prevention, detection or prosecution of criminal offences or the execution of criminal penalties. The household activities are also out of the scope, although in the context of video surveillance this exception must be interpreted strictly.

2. Lawfulness of processing

In principle, all the legal bases established by the GDPR can be suitable for processing video surveillance data. However, the EDPB suggests relying on consent only in exceptional cases. For those controllers who rely on legitimate interest the following main aspects need to be considered: balancing of interests, necessity of processing, making case-by-case decisions and data subjects’ reasonable expectations.

3. Disclosure of video footage

The Guidelines point out that any disclosure or sharing of personal data is a separate kind of data processing for which the controller needs to have a proper legal basis.

4. Processing special categories of data

Based on the data minimisation principle, the controller should reduce the risk of capturing footage revealing sensitive data. However, the Guidelines indicate that if the video footage is not processed to deduce special categories of data, video surveillance will not be considered to be processing special categories of personal data

5. Rights of the data subjects whose data is processed using video devices

The EDPB highlights that data subjects’ rights under GDPR will be more limited when using video devices. In this respect, the right to access footage may be difficult to handle as it may contain data of several individuals. In addition, personal data are considered erased by blurring the picture with no retroactive ability to recover the personal data that the picture previously contained. Regarding the right to object, the data subject has this right unless the controller demonstrates compelling legitimate grounds that overrides the rights and interests of the data subject.

6. Transparency

The Guidelines recommend a layered approach when providing the information. The first layer can be based on a warning sign to give easily visible a meaningful overview of the intended processing, while the second layer would include further details to meet the requirements of the GDPR.

7. Storage and erasure obligations

Personal data may not be stored longer than what is necessary for the purposes for which the personal data is processed. In general, legitimate purposes for video surveillance are often property protection or preservation of evidence and usually damages that occurred can be verified within one or two days.

8. Technical and organisational measures

Data controllers must have in place adequate technical and organisational security measures before they start the collection and processing of video footage. One of the main required measures is the implementation of the privacy by design and by default when using video surveillance systems.

9. Data Protection Impact Assessments (DPIA)

Although the GDPR requires that each supervisory authority publish a list of the kind of processing operations that are subject to mandatory DPIA within their country, it also requires to conduct DPIAs when a data processing is likely to result in a high risk to the rights and freedoms of individuals. This includes when the processing constitutes a systematic monitoring of a publicly accessible area on a large scale, so this means that some video surveillance activities will be for sure subject to the performing of a DPIA.