Appendix: Video surveillance policy

The video surveillance policy has many purposes and serves to meet the following needs:

  • Adopting this document is often necessary to complete and specify the legal basis and thus, help establish a lawful ground for the video surveillance (see Article 5 of the GDPR).
  • Putting practices in writing and thinking through what other additional measures need to be taken are likely to improve procedures and ensure better compliance.
  • Adopting a policy and making it publicly available will help fulfill the obligation under the GDPR to provide the public with the information necessary to guarantee fair processing.
  • The policy establishes a set of rules against which compliance can be measured (for example, during an audit).
  • By increasing transparency and demonstrating compliance efforts, organizations induce trust in their employees and in third-parties, and help facilitate consultation with stakeholders.

The video surveillance policy should provide the following:

  • Give an overview of the video surveillance system and describe its purposes
  • Describe how the system is operated, personal data are used, and what data protection safeguards are put in place
  • Explicitly confirm compliance with GDPR
  • Outline any necessary measures required for implementation

Organizations should make their video surveillance policies publicly available on their intranet and internet sites. If this document contains confidential information, then a non-confidential version should be made publicly available.

To be able to serve as an adequate data protection notice, the following information must be integrated into your video surveillance policy in user-friendly language and format:

  • Identity of the Data Controller (for example, organization, Directorate General, Directorate and unit)
  • Brief description of the coverage of the video surveillance system (for example, entry and exit points, computer rooms, archive rooms)
  • The legal basis of the video surveillance, for example Article 6 subparagraph 1 (f) of the GDPR
  • The data collected and the purpose of the video surveillance (any limitations on the permissible uses should also be clearly specified)
  • Who has access to the surveillance material, and to whom the recordings may be disclosed
  • How the information is protected and safeguarded
  • How long the data is kept
  • How Data Subjects can verify, modify or delete their information (including contact information for further questions and information on how to obtain recourse in-house)

In addition, the video surveillance policy should provide references to:

  • The organization's audit reports
  • The organization's impact assessment reports

For a sample template of a Video Surveillance Policy, see the Milestone Video Surveillance Policy template.

Disclaimer: The sample Video Surveillance Policy must be checked by the Controller. GDPR compliance using this sample is his area of responsibility.

Please be aware: collecting audio and meta data is not covered by the European Privacy Seal. A VMS configuration with the collection of audio and meta data is not entitled to use the EuroPriSe certified product profile. A controller / processor doing so cannot point out that he or she is using a product which especially facilitates data protection and GDPR compliance.