• Insights

What to keep in mind on processing personal data through video devices in the EU

European Union
The European Data Protection Board has released provisional guidelines on processing personal data using video.

On 10 July 2019, the European Data Protection Board (‘EDPB’), the advisory body in which all national supervisory authorities are represented, adopted its provisional guidelines on the processing of personal data through video devices. The guidelines are open for comments and suggestions until 9 September 2019. The final version will then be adopted.

The guidelines contain guidance on how the GDPR should be applied to the processing of personal data from video cameras (both traditional and smart cameras). The following topics are covered, among others:

  • the applicability of the GDPR;
  • possible legal grounds for processing;
  • the transmission of camera images to third parties;
  • the processing of sensitive personal data;
  • the rights of data subjects;
  • the transparency and information obligations;
  • the retention periods;
  • technical and organisational security measures;
  • the data protection impact assessment.


The guidelines contain many useful recommendations. The EDPB, for example, states that the legal ground of ‘legitimate interests’ can only be invoked if:

  • There is a present interest based on concrete circumstances (e.g. serious incidents in the past, presence of valuable goods, etc.).
  • Camera surveillance is necessary and there are no alternative less intrusive measures (e.g. fences, security guards etc.).
  • The legitimate interests ground is not overridden by the rights and freedoms of the data subject.


This balancing of interests must be done carefully for employees, who, according to the EDPB, most likely do not expect to be monitored in the workplace.

An additional, separate, legal ground must be invoked if camera surveillance also involves the processing of sensitive personal data. The EDPB elaborates on biometric authentication systems and states that:

  • In most cases these systems will require consent.
  • This consent is only freely given (and therefore valid) if an alternative solution is offered.​


Regarding the right to receive a copy, the protection of other data subjects’ rights must be guaranteed by technical measures (e.g. image-editing). However, this should not be used as an excuse to refuse the request.

The data subject should specify in his or her request when (within a reasonable timeframe) he or she entered the monitored area.

Information on processing can be provided by the controller in two layers. This could be achieved with a warning sign and a more complete information sheet such as a privacy notice that must be accessible to employees for consultation before they enter the monitored area.

Please note that it is not sufficient, according to the EDPB, to make this notification available only in digital form. It should also be available in a non-digital format at a central, easily accessible location.

The EDPB also states that camera surveillance will in most cases require a data protection impact assessment (‘DPIA’). This is a sort of ‘risk analysis’ of the processing of personal data.