Do you have a lawful basis for collecting data?

GDPR requires that all organizations have a valid, lawful basis for collecting and processing personal data.

Video surveillance on the basis of consent or vital interests may be possible in exceptional situations, for example in health and care settings where a person has to be monitored permanently.

You are required to keep track of processing activities in a Record of processing activities (Article 30 GDPR).

Check the legitimacy of processing video data and user data in accordance with the following levels of regulation:

  1. General Data Protection Regulation (GDPR), Article 6

    Particularly subparagraph 1 (b) of the GDPR:

    Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

    and subparagraph 1 (e)(f) of the GDPR:

    Processing shall be lawful if and to the extent processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

  2. Directive (EU) 2016/680 Law Enforcement or the national law based on that directive

    Comply with the national law based on Directive (EU) 2016/680 (Law Enforcement Directive) in order to establish a legal basis and check the legitimacy of the processing.

  3. National law

    Comply with national law, for example Section 4 of the German Federal Data Protection Act (FDPA), though this provision does not apply to video surveillance conducted by enterprises.

Before you implement video surveillance, assess the potential benefits and the impact on the rights to privacy and other fundamental rights and legitimate interests of those in the covered area.

When you decide to use video surveillance, document the purpose of the video system, what information is collected, what it will be used for, by whom, and for how long, and provide adequately supported evidence such as statistical data on the actual number of security incidents that occurred, as well as evidence of past effectiveness of the cameras to deter, prevent, investigate, or prosecute those incidents.

The extent of assessment depends on the size of the proposed system and the impact on people’s privacy and other legitimate interests or fundamental rights.

Processing based on legal obligation or on a public task

When is the lawful basis for legal obligations likely to apply? In short, when you are obliged to process the personal data to comply with the law. Article 6 (3) of the GDPR requires that the legal obligation must be laid down by EU law or Member State law.

This does not mean that there must be a legal obligation specifically requiring the specific processing activity. The point is that your overall purpose must be to comply with a legal obligation which has a sufficiently clear basis in either common law or statute. For example, a court order may require you to process personal data for a particular purpose and this also qualifies as a legal obligation.

Public institutions usually use video surveillance to perform a public task. Be aware that the balancing of interests is not a legal basis for public authorities in the performance of these tasks.

For public institutions, video surveillance is only legitimate if it is necessary to perform the public task. When performing a public task, you must conduct a proportionality assessment (see Balancing of interests / proportionality assessment). The Data Controller must consider the principles of data minimization (for example, privacy masking), storage limitation (retention time) and purpose limitation (Article 5 (1) GDPR).

Balancing of interests / proportionality assessment

Private bodies usually operate a VMS to pursue legitimate interests of the Data Controller or a third party (Article 6 (1) (f) GDPR). Therefore, a balancing of interests is necessary to check the legitimacy of the processing. The Data Controller needs to identify and weigh its own interests against the interests or fundamental rights and freedoms of the data subjects that require protection of personal data.

The processing of audit and alarm history data can usually be based on the legitimate interest of the Data Controller (Article 6 (1) (f) GDPR). The same is applicable for user management data (account data, authentication credentials, authorization data, configuration data) if the user is an employee of a security company.

You must be clear, open and honest with people from the start about how you will use their personal data. In your assessment, address the following questions:

  • What are the benefits from using video surveillance? Do the benefits outweigh any detrimental effects?
  • Is the purpose of the system clearly specified, explicit and legitimate? Is there a lawful ground for the video surveillance?
  • Is the need to use video surveillance clearly demonstrated? Is it an efficient tool to achieve its intended purpose? Are there less intrusive alternatives available?

Moreover, the Data Controller may only use the personal data for a new purpose if it is compatible with the original purpose, if the data subject gives consent, or if there is a clear basis in law.

Typical interests of the Data Controller

Typically, the Data Controller:

  • Exercises the right to determine who shall be allowed or denied access to data
  • Safeguards legitimate interests for specifically defined purposes

In the context of employment, the Data Controller should be aware that the processing of employees’ personal data – video data as well as user data – may be subject to more specific rules under member state law (Article 88 GDPR), for example Section 26 FDPA (Germany).

Typical interests and rights of the data subjects

Data subjects have the right to:

  • Not be subject to long-term surveillance
  • Not be monitored in intimate situations
  • Short retention times
  • Adequate safeguards if special categories of personal data (see Art. 9 GDPR) are processed

How XProtect reduces the impact on the interests or fundamental rights and freedoms of the data subject

Milestone XProtect reduces the impact on the interests and fundamental rights of the data subject by:

Transfers and disclosures

There are three main rules in the GDPR governing transfers, depending on whether the recordings are transferred:

  • To a recipient within the organization or in another organization

    In this case, the GDPR provides that the recordings can be transferred to others within the organization or in another organization if this is necessary for the legitimate performance of tasks covered by the competence of the recipient.

  • To others within the European Union

    In this case (transfers outside the organization but within the European Union), the transfer is possible if it is necessary for the performance of a task carried out in the public interest or subject to the exercise of public authority, or if the recipient otherwise establishes that the transfer is necessary and there is no reason to assume that the legitimate interests of those whose images are transferred might be prejudiced.

  • To a recipient outside the European Union

    In this case, transfers outside the European Union can be made: (i) if done solely to allow the organization’s tasks to be carried out and (ii) only subject to additional requirements, mainly to ensure that the data will be adequately protected abroad.

Summed up

Ensure that you do not do anything with the data in breach of any other laws.

You must use personal data in a fair way. This means you must not process the data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned.

You may only use the personal data for a new purpose if it is compatible with your original purpose, if you obtain consent, or if you have a clear basis in law.

In some cases that are deemed high risk of encroaching on privacy, you must conduct a formalized impact assessment (see Appendix: Data Protection Impact Assessment).