On 5 December last, the Data Protection Supervisory Authority (the “Authority”) developed FAQ (“Frequently Asked Questions”) on personal data processing carried out by public and private entities using video surveillance systems.
The Authority’s clarifications take account of what was introduced by Regulation (EU) 2016/679 on personal data protection (known as “GDPR”) and by the Guidelines adopted by the European Data Protection Board (“EDPB”) on the point.
The FAQ clarify, firstly, that (i) processing carried out using video surveillance systems must be performed in respect of the principle of minimisation, in relation to the choice of recording methods and the positioning of the system, and (ii) the data processed must be pertinent and not excessive with respect to the purposes pursued.
Based upon the principle of accountability, it is the duty of each Controller to carry out assessments of the lawfulness and proportionality of processing, considering the context and respective purposes, as well as the risk to the rights and freedoms of the data subjects.
In the Authority’s opinion, each Controller must assess if the requirements are in place to carry out a data protection impact assessment (“DPIA”) before commencing the processing.
In relation to the privacy notice to be provided to the data subjects, the FAQ specify that the simplified model (warning sign), developed by the EDPB and disseminated with its Guidelines, may be adopted. The sign must contain (i) contact details of the Controller and, where present, Data Protection Officer (DPO); (ii) storage period of information collected and (iii) purposes of processing carried out. The sign must be positioned before the surveilled area, so that the data subjects can see which area is covered by a video camera, and must refer to a complete privacy notice containing all information indicated in Article 13 of the GDPR, including indications on the methods of acknowledgement.
The Authority also reiterates that the recorded images should be erased after a few days (24/48 hours) and that the longer the storage period, the more detailed the analysis on the legitimacy of the purpose and the actual need for longer storage must be.
Finally, it is noted that video surveillance systems can only be installed in workplaces for organisational and production requirements, for workplace safety and protection of company property, in respect of the guarantees envisaged by Article 4 of Italian Law no. 300/1970.
◊◊◊◊
In conclusion, the FAQ, available on the Authority’s website (www.garanteprivacy.it), contain indications on the necessary requirements in order for personal data processing carried out using video surveillance systems to be lawful.
The FAQ supersede, albeit partially, the previous “Measure on video surveillance dated 8 April 2010”, adjusting the provisions contained therein to what was introduced by the GDPR and by the EDPB Guidelines.
Other insights related:
EDPB: Preliminary version of Guidelines 3/2019 on video surveillance
