Data Controller

In the context of video surveillance, Data Controllers own and operate the video surveillance systems. The Data Controller is the legal entity that collects, processes and shares data about the Data Subject.

What are the responsibilities of the Data Controller?

Data Controllers are required to respect data protection principles and fulfill certain specific obligations. The Data Controller must implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR. This also includes:

  • Applying and maintaining information security policies and procedures to protect personal data. Such internal policies and processes should be approved at the highest level within the organization and therefore be binding for all staff members.
  • Maintaining an overview of personal data records and processing flows, for example Record of Processing Activities (Article 30 GDPR) and a list of systems and archives that handle personal data (the XProtect VMS system and other systems that hold personal data such as staff records, data processor agreements, etc., including information on how and where personal data flows).
  • Putting in place mechanisms that execute the internal policies and processes, including complaints procedures, in order to make such policies effective in practice. This includes creating data protection awareness, and training and instruction for staff. Awareness training is available at https://www.milestonesys.com/solutions/services/learning-and-performance/.
  • Defining the video surveillance policy (see Appendix: Video surveillance policy). This policy must refer to domestic laws regarding video surveillance.
  • Carrying out the Data Protection Impact Assessments, particularly for certain data processing operations deemed to present specific risks to the rights and freedoms of Data Subjects, for example, by virtue of their nature, their scope or their purpose (see Appendix: Data Protection Impact Assessment).
  • Ensuring transparency of these adopted measures with regard to Data Subjects and the public in general. Transparency requirements contribute to the accountability of Data Controllers (for example, publication of privacy policies on the internet, transparency in regard to internal complaints procedures, and publication in annual reports).
  • Publishing the right of information notice to the public (see Appendix: On-the-spot notice). This notice informs individuals who are affected of the purpose of the surveillance, who keeps the data that is collected (Data Controller), and the retention policy.
  • Assigning responsibility for data protection to designated persons with direct responsibility for their organization's compliance with data protection laws. In particular, appointing a Data Protection Officer (DPO).

Data Protection Officer (DPO)

Every organization must have an appointed DPO or at least an assigned person responsible for privacy.

From the start, the plans to install or update a video surveillance system should be communicated to the DPO. The DPO should be consulted in all cases and should be involved in all stages of the decision making.

The DPO's responsibilities include:

  • Participating in defining the business purpose of the video surveillance, for example, crime prevention, fraud detection, product quality verification or public health and safety, and so forth.
  • Commenting on the organization's draft video surveillance policy, including its attachments (see Appendix: Video surveillance policy), and correcting mistakes and suggesting improvements.
  • Assisting in communications with the national or regional data protection authorities.
  • Checking agreements with third parties when sharing data. That is, maintaining and managing the Data Processor Agreement (see Appendix: Data Processor Agreement).
  • Drafting compliance reports and carrying out audits in order to obtain third-party certification confirming that the internal measures adopted for compliance effectively manage, protect, and secure personal data.
  • Posting the Data Breach Notification within 72 hours of being made aware of a breach of security (see Personal data breach. See also, Milestone Data Breach Notification template).
  • Storing the Record of Processing Activities and Data Protection Impact Assessments (see Appendix: Data Protection Impact Assessment) and making sure they are updated every time data protection relevant changes are made to the VMS.

Data Controller roles

The following sections describe the responsibilities of the respective Data Controllers: