On 10 July 2019, the European Data Protection Board (‘EDPB’), the advisory body in which all national supervisory authorities are represented, adopted its provisional guidelines on the processing of personal data through video devices. The guidelines are open for comments and suggestions until 9 September 2019. The final version will then be adopted.
The guidelines contain guidance on how the GDPR should be applied to the processing of personal data from video cameras (both traditional and smart cameras). The following topics are covered, among others:
The guidelines contain many useful recommendations. The EDPB, for example, states that the legal ground of ‘legitimate interests’ can only be invoked if:
This balancing of interests must be done carefully for employees, who, according to the EDPB, most likely do not expect to be monitored in the workplace.
An additional, separate, legal ground must be invoked if camera surveillance also involves the processing of sensitive personal data. The EDPB elaborates on biometric authentication systems and states that:
Regarding the right to receive a copy, the protection of other data subjects’ rights must be guaranteed by technical measures (e.g. image-editing). However, this should not be used as an excuse to refuse the request.
The data subject should specify in his or her request when (within a reasonable timeframe) he or she entered the monitored area.
Information on processing can be provided by the controller in two layers. This could be achieved with a warning sign and a more complete information sheet, such as a privacy notice, that must be accessible to employees for consultation before they enter the monitored area.
Please note that it is not sufficient, according to the EDPB, to make this notification available only in digital form. It should also be available in a non-digital format at a central, easily accessible location.
The EDPB also states that camera surveillance will in most cases require a data protection impact assessment (‘DPIA’). This is a sort of ‘risk analysis’ of the processing of personal data.