Appendix: Data Protection Impact Assessment

According to Article 35 of the GDPR, a Data Protection Impact Assessment is required if the surveillance

is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

The data controller must consult the supervisory authority prior to processing where a Data Protection Impact Assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the data controller to mitigate the risk (Prior Consultation, Article 36 of the GDPR).

Create and maintain a Data Protection Impact Assessment, a notice to individuals affected. This document:

  • Describes the purpose of surveillance
  • Is kept by the data controller or data processor
  • Defines the retention policy

A Data Protection Impact Assessment should be carried out before installing and implementing video surveillance systems whenever this adds value to the organization's compliance efforts. The purpose of the Data Protection Impact Assessment is to determine the impact of the proposed system on individuals' privacy and other fundamental rights and to identify ways to mitigate or avoid any adverse effects.

At a minimum, according to Article 35 (7) of the GDPR, the assessment must contain at least:

  • A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the data controller

  • An assessment of the necessity and proportionality of the processing operations in relation to the purposes

  • An assessment of the risks to the rights and freedoms of data subjects referred to in Article 35 (1) of the GDPR:

    Where a type of processing in particular using new technologies, and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

  • The measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with GDPR taking into account the rights and legitimate interests of data subjects and other persons concerned

The effort that is appropriate to invest in a Data Protection Impact Assessment depends on the circumstances. A video surveillance system with large inherent risks, or one raising complex or novel issues, warrants the investment of much more effort than one with a comparatively limited impact on privacy and other fundamental rights, such as a conventional static CCTV system operated for typical security purposes.

In any event and in all cases, whether in a formal Data Protection Impact Assessment or otherwise, the organizations must assess and justify whether to resort to video surveillance, how to site, select and configure their systems, and how to implement the data protection safeguards.

In addition, there may be cases where an organization proposes a non-standard system. In this case, the organization should carefully assess the planned differences from the practice and recommendations, discuss these with their Data Protection Officer and with other stakeholders, and document its assessment in writing, whether in a formal Data Protection Impact Assessment or otherwise. The organization’s audit of the system should also address the lawfulness of the customization of the system.

Finally, due to their complexity, novelty, specificity, or inherent risks, it is strongly recommended that you carry out a Data Protection Impact Assessment in the following cases:

  • Video surveillance for purposes other than security (including for investigative purposes)
  • Video surveillance of public spaces
  • Employee monitoring
  • Monitoring on Member State territory and in third countries
  • Special categories of data
  • Areas under heightened expectations of privacy
  • High-tech and/or intelligent video surveillance
  • Interconnected systems
  • Audio recording

The Data Protection Impact Assessment may be carried out in-house or by an independent contractor. The assessment should be conducted at an early stage of the project. Based on the results of the Data Protection Impact Assessment an organization may decide:

  • To refrain from or modify the planned monitoring and/or
  • To implement additional safeguards

Inherent risks with using VMS

When maintaining the Data Protection Impact Assessment, you should be aware of the risks that are inherent with using VMS.

The Data Protection Impact Assessment should be adequately documented. As a matter of principle, a Data Protection Impact Assessment report should clearly specify the risks to privacy and/or other fundamental rights that the organization identified, and the additional safeguards proposed. Be aware of the following risks of impinging on personal rights:

  • Company / employer, using the video feeds, alarms or audit logs to:
    • Monitor the work hours of the employees at the surveyed site – for example arrival and departure time
    • Monitor the effectiveness of the employees by monitoring where they spend their time, amount of time spent at the coffee machine, time spent in restrooms, as long as they effectively work at whichever task they have
    • Monitor what the employee is looking at on their computer screens
    • Monitor if employees comply with work or safety requirements – for example on building sites
    • Show video recordings of employees to other employees or managers to bully the employee or threaten other employees to do the same
    • Check if security guards / operators perform their duties effectively – for example checking whether they are actively using the clients, selecting cameras, running playbacks, etc.
  • Company / owner / operator / guards, using the video feeds to:
    • Share video recordings of people (company employees or the general public) in embarrassing or sensitive situations on social media
    • Use PTZ cameras to zoom in on people to get intimate / inappropriate close-up recordings of them without their knowledge
  • Company / owner / operator / guards
    • Export video or providing access to recorded video uncritically to whomever asks for it

Additional sources to identify risk are:

  • The Milestone Hardening Guide provides the Cyber Risk Management Framework, describing the recommended six steps of categorizing, selecting, implementing, assessing, authorizing and monitoring risks. The Milestone Hardening Guide provides a series of technical risks and recommended implementations to mitigate the risks. These include but are not limited to the protection of VMS privacy in terms of a series of data breaches and unauthorized access risks from weak technical configuration, design, and maintenance operations. For more information on how to secure your XProtect VMS installations against cyber-attacks, see the hardening guide.
  • The Milestone Privacy Guide (this) provides recommendations on handling the non-technical operational risks, including handling of data subject rights and requests, roles, and responsibilities of a VMS, templates for On-the-spot-notice, Video Surveillance Policy, and Data Processor Agreements.
  • The Milestone end-user privacy e-learning provides awareness training for VMS operations and supervisors on how, in everyday operation, to handle VMS-related privacy risks. See more information on the Milestone GDPR-ready website.