EDPB: Preliminary version of Guidelines 3/2019 on video surveillance

On 6 September 2019, the European Data Protection Board (“EDPB“) completed its public consultation on the document containing the draft of the forthcoming Guidelines 3/2019 concerning video surveillance (“Guidelines 3/2019 on processing of personal data through video devices“).

The images and audio tracks that are processed through the use of video surveillance systems, fall under the definition of “personal data” as they enable individuals to be identified, be it directly or indirectly. The processing of such information must therefore fully comply with EU Regulation 2016/679 – GDPR – on the protection of personal data and (in accordance with Italian law) and Legislative Decree 196/2003 as amended by Legislative Decree 101/2018 containing the rules for adapting national legislation to the said Regulation.

The aim that the European Committee intends to achieve with the issuance of these new Guidelines, is to ensure a uniform application of the legislation on video surveillance within all Member States of the European Union.

In view of the foregoing, it must first be made clear that the clarifications given in the draft concerning the legal basis on which the installation of the system is based are of fundamental importance.
In principle, it is possible that all the conditions for lawfulness set forth in Article 6, paragraph  1), of the GDPR are met, even if those most applied in practice are the legitimate interest that the Data Controller needs to pursue (Article. 6, paragraph 1), section f), GDPR) or the performance of a task in the public interest (Article 6, paragraph 1), section e), GDPR).

The European Committee clarifies that the Data Controller must specify in detail both the legal basis on which the data processing carried out is based and the detail of the purposes pursued. A system based on “security” in its simplest and most general sense is no longer a sufficiently detailed purpose.

Another important clarification concerns filming based on legitimate interest. Data processing is considered lawful only if this legal basis remains real, current and demonstrable at all times.

The Italian Data Protection Authority has, on several occasions, recommended that Data Controllers use the video surveillance tool in a proportionate and non-excessive manner and this approach can be found in the draft of the forthcoming Guidelines. Before proceeding with the installation of such systems, in fact, the Data Controller must use other tools (such as, for example, support by appropriate security staff, the provision of remote-controlled gates or adequate lighting) and demonstrate the effective need for the adoption of a video surveillance system. This, paying particular attention to limiting and defining, both temporally and geographically, filming in order to constantly respect the principle of minimisation of personal data pursuant to Article 5, point 1, section c) of the GDPR.

Each Data Controller is required to balance the interests involved by analysing, on a case-by-case basis, the legitimate interests of the Data Controller, on the one hand, and the fundamental rights and freedoms of the data subjects on the other.

In view of the above, the EDPB is awaiting the publication of the final text of the Guidelines, which are not only the first document to apply the principles of the GDPR to data processing carried out by video filming, but also, by national law, the first new document on the subject after the “Provision on video surveillance” issued by the Italian Data Protection Authority on 8 April 2010.