The Italian Data Protection Authority, with the newsletter 472 of 25 January 2021, announced that on 14 January, the EDPB (“European Data Protection Board”) adopted new Guidelines (“Guidelines 01/2021 on Examples regarding Data Breach Notification”, the “Guidelines”) aimed at supporting companies and public administration in correctly addressing data breaches and defining risk management processes.

The document adds to the previous guidelines of Working Party 29 (“Guidelines on Personal data breach notification under Regulation 2016/679”), which include a technical-theoretical analysis of what is prescribed by Regulation (EU) 2016/679 (the “Regulation”) about personal data breaches (or “Data Breach”).

Considering information security principles, recalling “Opinion 3/2014” and “Guidelines WP 250”, EDPB provides a classification of the type of breaches, namely:

  • “confidentiality breaches” – occur when there is an unauthorised disclosure of or access to personal data;
  • “integrity breaches” – occur when there is an unauthorised or accidental alteration of personal data;
  • “availability breaches” – occur when there is an accidental or unauthorised loss of access to or destruction of personal data.

Aiming to provide useful guidance to data controllers and data processors on how to handle a personal data breach correctly, the Guidelines illustrate what to avoid (e.g. failure to encrypt data). They also contain numerous practical case studies involving hospitals, banks, businesses and online service companies of various kinds in different European countries.

These case studies describe the preventive measures that can be taken and suggest how to carry out a breach risk assessment, the potential measures that can be taken to reduce the risks and legal obligations that must be met.

EDPB launched a European public consultation on the document that will end on 2 March 2021.

Other related insights:

On 5 December last, the Data Protection Supervisory Authority (the “Authority”) developed FAQ (“Frequently Asked Questions”) on personal data processing carried out by public and private entities using video surveillance systems.

The Authority’s clarifications take account of what was introduced by Regulation (EU) 2016/679 on personal data protection (known as “GDPR”) and by the Guidelines adopted by the European Data Protection Board (“EDPB”) on the point.

The FAQ clarify, firstly, that (i) processing carried out using video surveillance systems must be performed in respect of the principle of minimisation, in relation to the choice of recording methods and the positioning of the system, and (ii) the data processed must be pertinent and not excessive with respect to the purposes pursued.

Based upon the principle of accountability, it is the duty of each Controller to carry out assessments of the lawfulness and proportionality of processing, considering the context and respective purposes, as well as the risk to the rights and freedoms of the data subjects.

In the Authority’s opinion, each Controller must assess if the requirements are in place to carry out a data protection impact assessment (“DPIA”) before commencing the processing.

In relation to the privacy notice to be provided to the data subjects, the FAQ specify that the simplified model (warning sign), developed by the EDPB and disseminated with its Guidelines, may be adopted. The sign must contain (i) contact details of the Controller and, where present, Data Protection Officer (DPO); (ii) storage period of information collected and (iii) purposes of processing carried out. The sign must be positioned before the surveilled area, so that the data subjects can see which area is covered by a video camera, and must refer to a complete privacy notice containing all information indicated in Article 13 of the GDPR, including indications on the methods of acknowledgement.

The Authority also reiterates that the recorded images should be erased after a few days (24/48 hours) and that the longer the storage period, the more detailed the analysis on the legitimacy of the purpose and the actual need for longer storage must be.

Finally, it is noted that video surveillance systems can only be installed in workplaces for organisational and production requirements, for workplace safety and protection of company property, in respect of the guarantees envisaged by Article 4 of Italian Law no. 300/1970.

◊◊◊◊

In conclusion, the FAQ, available on the Authority’s website (www.garanteprivacy.it), contain indications on the necessary requirements in order for personal data processing carried out using video surveillance systems to be lawful.

The FAQ supersede, albeit partially, the previous “Measure on video surveillance dated 8 April 2010”, adjusting the provisions contained therein to what was introduced by the GDPR and by the EDPB Guidelines.

Other related insights:

EDPB: Preliminary version of Guidelines 3/2019 on video surveillance

On 6 September 2019, the European Data Protection Board (“EDPB”) completed its public consultation on the document containing the draft of the forthcoming Guidelines 3/2019 concerning video surveillance (“Guidelines 3/2019 on processing of personal data through video devices”).

The images and audio tracks that are processed through the use of video surveillance systems fall under the definition of “personal data” as they enable individuals to be identified, be it directly or indirectly. The processing of such information must therefore fully comply with EU Regulation 2016/679 – GDPR – on the protection of personal data and (in accordance with Italian law) Legislative Decree 196/2003 as amended by Legislative Decree 101/2018 containing the rules for adapting national legislation to the said Regulation.

The aim that the European Committee intends to achieve with the issuance of these new Guidelines is to ensure a uniform application of the legislation on video surveillance within all Member States of the European Union.

In view of the foregoing, it must first be made clear that the clarifications given in the draft concerning the legal basis on which the installation of the system is based are of fundamental importance.
In principle, it is possible that all the conditions for lawfulness set forth in Article 6, paragraph 1), of the GDPR are met, even if those most applied in practice are the legitimate interest that the Data Controller needs to pursue (Article 6, paragraph 1), section f), GDPR) or the performance of a task in the public interest (Article 6, paragraph 1), section e), GDPR).

The European Committee clarifies that the Data Controller must specify in detail both the legal basis on which the data processing carried out is based and the detail of the purposes pursued. A system based on “security” in its simplest and most general sense is no longer a sufficiently detailed purpose.

Another important clarification concerns filming based on legitimate interest. Data processing is considered lawful only if this legal basis remains real, current and demonstrable at all times.

The Italian Data Protection Authority has, on several occasions, recommended that Data Controllers use the video surveillance tool in a proportionate and non-excessive manner, and this approach can be found in the draft of the forthcoming Guidelines. Before proceeding with the installation of such systems, in fact, the Data Controller must use other tools (such as, for example, support by appropriate security staff, the provision of remote-controlled gates or adequate lighting) and demonstrate the effective need for the adoption of a video surveillance system. In doing so, particular attention must be paid to limiting and defining the filming, both temporally and geographically, in order to constantly respect the principle of minimisation of personal data pursuant to Article 5, point 1, section c) of the GDPR.

Each Data Controller is required to balance the interests involved by analysing, on a case-by-case basis, the legitimate interests of the Data Controller, on the one hand, and the fundamental rights and freedoms of the data subjects on the other.

In view of the above, the EDPB is awaiting the publication of the final text of the Guidelines, which are not only the first document to apply the principles of the GDPR to data processing carried out by video filming, but also, by national law, the first new document on the subject after the “Provision on video surveillance” issued by the Italian Data Protection Authority on 8 April 2010.