After a long wait, the Personal Data Protection Office has issued a new methodology for operating video surveillance systems. In addition to practical recommendations, it also contains templates for the most frequently drawn up documents related to the video surveillance systems and their operation from the perspective of data processing and its protection. So how is the practice of operating video surveillance systems in the Czech Republic moving forward? Do you follow all the recommendations to avoid potential problems? Let’s find out.
Until this February, managers of video surveillance systems mainly consulted the European Data Protection Board’s 2019 guidelines (in their updated 2020 version) for guidance on operating them. In the Czech environment, the Personal Data Protection Office ("PDPO") has now updated its recommendations on how to appropriately deal with the obligations imposed by the GDPR after a full 12 years. The new methodology, which follows the European recommendations, also provides a sample balancing test, a template for records of processing activities and a simplified form of information document for data subjects.
Although compliance with the methodology is not mandatory, it significantly helps in navigating the legislative environment and reduces the risk of a data breach and a possible fine. Operators who choose not to follow this methodology or parts of it (for example, the recommendation to retain video records ideally for up to 72 hours) should prepare to defend the alternative practices by which they achieve GDPR compliance. Especially in more complex cases, we definitely recommend consulting experts.
Update of the definition
The PDPO’s new general principle brings significant help and clarity: if the figure of a person in the frame occupies more than 25% of the image height, this is considered processing of personal data. The reason for this is the assumption that in such a situation it will be possible to identify and distinguish individuals. Other factors, such as normal lighting conditions, the behaviour of persons and their distinguishability, etc., may make identification of individuals difficult, which should also be taken into account when considering the design of a video surveillance system.
The video surveillance system can consist of different types of cameras, whether CCTV cameras (with recording), online cameras or camera traps. For all of them, the controller must put in place means providing adequate protection for the processing of personal data. This new methodology supersedes the PDPO’s earlier opinion that the use of online cameras is generally not considered processing of personal data.
From a technical point of view, online cameras also store and transmit footage, albeit for a very short period of time. However, even after this short period of time, unauthorised persons may gain access to the footage, or the footage may leak onto the Internet or be otherwise misused. If this surveillance footage contains images of identifiable natural persons, in other words personal data, there is an overriding reason for online cameras, too, to fall under the GDPR regime.
One possible exception is web cameras showing local weather conditions, provided that it is not possible to get a sufficiently detailed image of a person by zooming in.
Required documentation
In its methodology, the PDPO provides three template documents for video surveillance systems, specifically (i) an information document for data subjects, (ii) a record of the processing activities, and (iii) a balancing test. This gives the controller a guideline on the most important documents, but it is not complete documentation. In certain cases, the complete documentation may contain up to ten documents.
According to the PDPO, the information for data subjects should be provided gradually, that is, using a layered approach in which the more general information is specified in greater detail step by step.
The first layer should contain the basic information that the space is being monitored. In this case, a pictogram or another image of the camera is sufficient. Immediately afterwards, however, the data subject should be informed about who the data controller is and who its contact persons are, and should be given a summary of the purpose and legal grounds for the processing of the surveillance footage containing personal data, and basic information about the rights of the data subject.
The second layer should include instructions on where the data subject can obtain all the information required under Article 13 of the GDPR. One can refer to the website of the controller providing comprehensive information on the processing of personal data or provide a printed version for inspection. It is questionable whether the provision of certain details may compromise the purpose of the system, such as the protection of property. For example, information on the total number of cameras may be easily exploitable by a potential thief/attacker, but will usually not be of much informative value to the average data subject.
The methodology also discusses the regulation of relations with personal data processors, the exercise of data subjects’ rights such as access to data, deletion or correction, and methods of managing and reporting security incidents. However, for these areas, the PDPO does not provide template documents for video surveillance system controllers even in general form.
What to consider when implementing a video surveillance system?
As mentioned above, according to the PDPO, the design of a video surveillance system must be assessed under the balancing test. The process consists of several steps, with the assessment of the existence of a real threat, which should be prevented by installing a CCTV system, at the very beginning. It must be demonstrated that this is not a subjective concern but a real risk that can be objectively assessed. The video surveillance systems are then assessed according to the following criteria (the so‑called “proportionality test”):
- the appropriateness criterion: whether an instrument restricting a fundamental right enables the achievement of the stated objective;
- the criterion of necessity: whether the stated objective could be achieved by other measures which enable the achievement of the same objective but do not affect fundamental rights and freedoms;
- the balancing criterion: a comparison of the weight of the two conflicting fundamental rights, which consists of weighing empirical, systemic, contextual and value arguments.
The PDPO emphasizes that the controller is obliged to assess the specific situation and the existence of a legitimate purpose during the design of a video surveillance system. The PDPO demonstrates through a number of examples that the key is the thoughtful placement of (an appropriate number of) cameras and their integration with other protective elements. If the manager of an apartment building wants to defend the facade of the building from vandalism, the PDPO would assess the implementation of a video surveillance system with, say, ten cameras to be disproportionate. The sample balancing test included in the methodology states that two cameras and anti-spray paint would be appropriate. Thus, it can be inferred that the very definition of the purpose for which the camera system is being implemented can largely influence the results of the balancing test.
In our view, it is the sufficiently qualified and convincing execution of the balancing test that video surveillance system operators may not always be able to cope with, especially in more complex cases.
Security measures
In the new methodology, the PDPO divides video surveillance systems into four categories, according to the degree of threat of violation of the data subject’s rights and interests (typically privacy). It lists two types of measures for each category - mandatory and voluntary.
The controller may be obliged to implement security measures ranging from technical measures, such as detection of video surveillance system failures, protection of cameras and data connections or protection against malicious code, through organisational measures, such as control of access to cameras and footage, to administrative measures, such as documentation preparation and training of camera operators. Of course, the PDPO also deals with the security of cameras, video surveillance systems, transmission systems and data storage. Unauthorised access to video surveillance transmissions or footage poses a significant risk to the persons concerned.
Conclusion
The PDPO in many ways clarifies the approach it would expect (and presumably require) from operators implementing video surveillance systems. Although the new methodology of the PDPO offers templates for the most important documents that will facilitate the basic set-up for video surveillance systems, it is necessary to assess each case individually and to take into account especially more complex situations where the mere adaptation of these templates may not be sufficient.
Thus, data controllers (CCTV operators) may find it difficult to sufficiently and convincingly meet all regulatory requirements in more challenging cases. Video surveillance systems, especially if not properly implemented, can constitute a significant interference with the rights and privacy of individuals, and it can be expected that their proper set-up will increasingly be on the radar of the PDPO and its inspection activities.
We therefore recommend not underestimating the implementation of video surveillance systems and, especially in more sensitive situations, consulting experts to ensure compliance with legislation and current best practice. With our team of data experts, we are ready to help you set everything up correctly and answer all your related questions.