Personal Data Processing Through Video Devices
Widely use of the video surveillance systems is an unpreventable feature of evolving tech friendly world. Cameras are being used in many places such as workplaces, hospitals, schools, and etc. However, there are many aspects of video surveillance systems which may cause breach and misuse of personal data of anyone who enters the visual angle of camera, even if such data processing is being made for legitimate purposes. We will be discussing peculiar features of video surveillance systems and their lawfulness in light of data protection law.
Despite of the fact that, General Data Protection Regulation (“GDPR”) stipulates a number of requirements such as conducting Data Protection Impact Assessment or assigning a Data Protection Officer for processing large scale of personal data by virtue of monitoring, there is a primary assessment has to be made before starting to observe some specific area with video surveillance systems in terms of data processing principles.
Necessity of Video Surveillance Systems
First of all, the observing via video surveillance systems has to be a necessity regarding that specific situation. As mentioned in Guideline 2019/3, video surveillance measures should be considered as a second option and alternative security measures should be reviewed before settling on the monitoring.
In cases where desired goal can be obtained by other less intrusive means of security measures, the processing made upon camera systems shall be deemed unlawful. Furthermore, data controllers are obligated to assess where and when monitoring is necessary. If the operating video surveillance systems at night is enough to fulfill the desired goal such as keeping premises from burglary or theft, the daytime operating shall be unnecessary and may cause data processing that is contrary to data minimization principle.
The video surveillance’s period of retention is also as important as where and when the monitoring will be made. While in some cases, live monitoring is sufficient for the desired goal, it may require retaining such surveillance for specific time period. Most of the cases, 72 hours is enough to spot security breaches and unwanted incidents. Storage periods longer than 72 hours may be object to more argumentation for the legitimacy of the purpose and the necessity of storage. In such cases, data controllers have to provide why storage periods longer than 72 hours are necessary. After a certain storage period, the unnecessary recordings have to be deleted. In case of any ongoing investigation, complaint or lawsuit footages shall be retained for such purposes related to ongoing processes.
Legitimate Interest of Data Controller
Legitimate interest of a data controller is usually the legal ground of the processing of personal data made by video surveillance systems. Data controllers have to assure that there is not an overriding interest or fundamental right and freedom of data subjects and the balance between the interests is provided. Fundamental rights and freedoms on one hand and the data controller’s legitimate interests on the other hand have to be evaluated and balanced carefully in order to make sure that processing is lawful. Pursuant to GDPR, data controllers have to make a careful case by case assessment to decide on whether the lawful base of legitimate interest is applicable to that specific situation or not.
Not only the processing made by monitoring, but any kind of processing intended to be made pursuant to the legitimate interest of data controller require a detailed assessment. The assessment has to be made while considering the intensity of intervention for the rights and freedoms of the individuals. Besides, the reasonable expectations of data subjects at the time and in the context of the processing of its personal data, have to be regarded objectively. The reasonable expectations of data subjects may change according to the relationship between data controller and subjects or the features of the observed area. The observed area may need an examination on whether it has a public or private nature, or it is a remote or central location. While individuals expect to be observed in places require a high degree of security such as airports, they usually do not expect to be monitored in public areas related to their social lives such as parks, sitting areas, and cinemas etc. European Data Protection Board (“EDPB”) stated in Guideline 2019/3 that signs which inform data subjects on monitoring have no relevance with the reasonable expectations of individuals and assessment decisions solely based on the fact that the observed area is provided with such signs are unlawful.
Processing of Special Categories of Personal Data
Due to the nature of monitoring, any personal data can be distinguished from appearance of individuals that enter the visual angle of camera shall be processed through such systems. However, EDPB highlights that special categories of data shall not be deemed processed through such systems and article 9 of GDPR shall not be applied unless video footage is used for the purposes related to special categories of data. For instance, in cases where monitoring is been conducted solely to maintain security of premises, data controllers do not have to fulfill the requirements of article 9 of GDPR since the desired aim is not related to special categories of data. Nevertheless, data controllers should always make an effort to minimize the risk to record special categories of data.
In places where there are higher possibility to capture special categories of data by camera such as religious places, medical and rehabilitation centers, data controllers have to make careful assessment regarding the nature of the data and the balance between the interests, if the monitoring will be made on the legal ground of legitimate interest of data controller.
If special categories of data is aimed to be deduced and processed by video surveillance systems, in order to lawfully process such data, data controllers must identify both a lawful basis under Article 6 and a separate condition for processing under Article 9 of GDPR. EDPB also clarifies that being objected to the monitoring cannot be deemed that the data subject intends to make public special categories of data relating to him or her.
Highlights of Personal Data Processing Through Video Devices
Pursuant to Article 13 of GDPR, data controllers have to inform data subjects regarding data processing in operation in a concise and transparent manner. Data controllers may prefer to use a layered information to fulfil their obligations for maintaining flexibility and accessibility in daily life.
First layer information has to include positioned at a reasonable distance from the observed area. By virtue of first layer information, data subjects should be able to easily recognize that the area she/he about to enter is under the observation. Such information has to be given at a distance from the places monitored that if individual prefer so, they can avoid. Moreover, the specific observed areas have to be expressed. The first layer warning sign has to refer clearly to the second layer information which provides individuals with the further mandatory details.
 Regulation (EU) 2016/679 Of The European Parliament And Of The Council
 Guidelines 3/2019 on processing of personal data through video devices (Adopted on 10 July 2019)
Author: Aslı Naz Ünlü