Right to access

Under Article 15, the GDPR gives individuals control over their personal data, including the right to see that data. Particularly important is the right that data subjects can get a copy of their data and that third persons are masked (using third-party tools).

Upon request, organizations need to deliver to a Data Subject all the personal data collected about them, including video collected by a video surveillance system.

Ensure that you establish formal procedures and policies for handling right to access requests, described here in Register of transfers and disclosures.

Transfers and disclosures

There are three main rules in the GDPR governing transfers, depending on whether the recordings are transferred:

  • To a recipient within the organization or in another organization

    In this case, the GDPR provides that the recordings can be transferred to others within the organization or in another organization if this is necessary for the legitimate performance of tasks covered by the competence of the recipient.

  • To others within the European Union

    In this case (transfers outside the organizations but within the European Union), these are possible if this is necessary for the performance of a task carried out in the public interest or subject to the exercise of public authority, or if the recipient otherwise establishes that the transfer is necessary and there is no reason to assume that the legitimate interests of those whose images are transferred might be prejudiced.

  • Or to outside the European Union.

    In this case, transfers outside the European Union can be made: (i) if done solely to allow the organization’s tasks to be carried out and (ii) only subject to additional requirements, mainly to ensure that the data will be adequately protected abroad.

Register of transfers and disclosures

The organizations should keep a register—whenever possible, in an electronic form—of transfers and disclosures. In it, each transfer to a third-party should be recorded. (third-parties also include anyone within the organization to whom a transfer is made by those having access to the recordings in the first place. This typically includes any transfer outside the security unit.) The register, in addition, should contain all instances where, although the copy of the video surveillance recording was not transferred, third-parties were shown the recordings or when the content of the recordings was otherwise disclosed to third-parties.

The register should include at least the following:

  • Date of the recordings
  • Requesting party (name, title and organization)
  • Name and title of the person authorizing the transfer
  • Brief description of the content of the recordings
  • Reason for the request and the reason for granting it
  • Whether a copy of the recording was transferred, the recording was shown, or verbal information was given