1. Is it correct if I mention in the DPIA two data collection reasons for the CCTV: facility intrusion detection and labor discipline?
Mentioning those two data collection requests is correct, but this is not going to be enough. The DPIA must review all the risks to the freedoms and rights of the data subject, per article 35 GDPR - Data protection impact assessment, and it must address each risk with relevant technical and organizational measures in order to address all of them. In the case of the CCTV system, labor discipline can be seen as intrusive in many EU countries. Individuals have the right to private life even if they are at the job, per article 8 of the European Convention on Human Rights - Right to respect for private and family life, home, and correspondence. Facility intrusion detection can be a suitable purpose for processing personal data; however, certain measures need to be implemented in order to respect the freedoms and rights of data subjects, such as limited CCTV coverage (entrance, corridors, etc.), limited access to the CCTV feed, deletion timeframes, legitimate interest assessments/Data Protection Impact Assessments, prior employee consultation, prior employee notification, and so on. In many countries, 24/7 CCTV systems were found to be intrusive to the private lives of employees. In Germany, a Data Protection Authority issued a 10.4 million EUR GDPR fine to a retailer that installed a 24/7 CCTV system, even though the purpose was just theft prevention/location security.
2. What should the size of the CCTV sign inside the office and outside the premises be?
You need to make sure that the sign is big enough to be seen and that the information present on the sign is sufficient. Per article 13 GDPR - Information to be provided where personal data are collected from the data subject - a data subject must be notified regarding the processing of personal data. Namely, the data subject must understand who the data controller is, what personal data categories are being processed, with what purpose and legal ground, whom the data is being shared with and why, data exports outside the European Economic Area, for how long the data is being stored, what rights the data subject has, and how they can be exercised. Thus, all measures need to be taken in order to make sure that the data subject is being informed. Some best practices include multi-layered privacy notices, such as CCTV signs containing some basic information about the data controller (or joint data controllers), storage timelines, purposes, etc., and a QR code and/or a link to the full privacy notice where everything is detailed (including how the data subject can exercise the rights to access/rectification/deletion/restriction/export of personal data, and how he/she can object to the processing if it is based on legitimate interest).
3. There is CCTV in the office with no automated processing. Sometimes there are kids visiting the office. Do I need to mention the kids' data in the recordings?
The privacy notice should be generic, but it must detail ways in which data subjects can exercise their rights. The issue with kids visiting the office is not about mentioning their data in the recordings but about making sure that the kids understand how their personal data is being processed. Article 12 GDPR clearly states that: “The controller shall take appropriate measures to provide any information referred to in Articles 13 […] relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child”. Consider that children might not know how to read, so you might choose to inform them in a different way (animations, videos, audio information, etc.), making sure they understand how their personal data is being processed.
I recommend performing a thorough DPIA in order to see whether this processing is too intrusive. At ADVISERA, we have a full EU GDPR Premium Toolkit that also contains a DPIA methodology and privacy notice templates that you can use.