Appendix: Data Protection Impact Assessment

According to Article 35(1) of the GDPR, a Data Protection Impact Assessment is required where the surveillance "is likely to result in a high risk to the rights and freedoms of natural persons"; in that case "the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data."

The Data Controller must consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the Data Controller to mitigate the risk (Prior Consultation, Article 36 of the GDPR).

Create and maintain an impact assessment and a notice to the individuals affected. This documentation:

  • Describes the purpose of surveillance
  • Is kept by the Data Controller or Data Processor
  • Defines the retention policy

A privacy and data protection impact assessment should be carried out before installing and implementing video surveillance systems whenever this adds value to the organization's compliance efforts. The purpose of the impact assessment is to determine the impact of the proposed system on individuals' privacy and other fundamental rights and to identify ways to mitigate or avoid any adverse effects.

According to Article 35(7) of the GDPR, the assessment must contain at least:

  • A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the Data Controller
  • An assessment of the necessity and proportionality of the processing operations in relation to the purposes
  • An assessment of the risks to the rights and freedoms of data subjects referred to in Article 35 (1) of the GDPR:

    Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

  • The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned

The effort that is appropriate to invest in an impact assessment depends on the circumstances. A video surveillance system with large inherent risks, or one raising complex or novel issues, warrants investment of much more effort than one with a comparatively limited impact on privacy and other fundamental rights, such as a conventional static CCTV system operated for typical security purposes.

In all cases, whether in a formal impact assessment or otherwise, the organization must assess and justify whether to resort to video surveillance, how to site, select and configure its systems, and how to implement the data protection safeguards.

In addition, there may be cases where an organization proposes a non-standard system. In this case the organization should carefully assess the planned departures from standard practice and from these recommendations, discuss them with its DPO and with other stakeholders, and document its assessment in writing, whether in a formal impact assessment or otherwise. The organization's audit of the system should also address the lawfulness of the customization of the system.

Finally, due to their complexity, novelty, specificity, or inherent risks, it is strongly recommended that you carry out an impact assessment in the following cases:

  • Video surveillance for purposes other than security (including for investigative purposes)
  • Video surveillance of public spaces
  • Employee monitoring
  • Monitoring on Member State territory and in third countries
  • Special categories of data
  • Areas under heightened expectations of privacy
  • High-tech and/or intelligent video surveillance
  • Interconnected systems
  • Audio recording

The impact assessment may be carried out in-house or by an independent contractor. The assessment should be conducted at an early stage of the project. Based on the results of the impact assessment an organization may decide:

  • To refrain from or modify the planned monitoring and/or
  • To implement additional safeguards