On 5 December last, the Data Protection Supervisory Authority (the “Authority”) developed FAQ (“Frequently Asked Questions”) on personal data processing carried out by public and private entities using video surveillance systems.

The Authority’s clarifications take account of what was introduced by Regulation (EU) 2016/679 on personal data protection (known as “GDPR”) and by the Guidelines adopted by the European Data Protection Board (“EDPB”) on the point.

The FAQ clarify, firstly, that (i) processing carried out using video surveillance systems must be performed in respect of the principle of minimisation, in relation to the choice of recording methods and the positioning of the system, and (ii) the data processed must be pertinent and not excessive with respect to the purposes pursued.

Based upon the principle of accountability, it is the duty of each Controller to carry out assessments of the lawfulness and proportionality of processing, considering the context and respective purposes, as well as the risk to the rights and freedoms of the data subjects.

In the Authority’s opinion, each Controller must assess if the requirements are in place to carry out a data protection impact assessment (“DPIA”) before commencing the processing.

In relation to the privacy notice to be provided to the data subjects, the FAQ specify that the simplified model (warning sign), developed by the EDPB and disseminated with its Guidelines, may be adopted. The sign must contain (i) contact details of the Controller and, where present, Data Protection Officer (DPO); (ii) storage period of information collected and (iii) purposes of processing carried out. The sign must be positioned before the surveilled area, so that the data subjects can see which area is covered by a video camera, and must refer to a complete privacy notice containing all information indicated in Article 13 of the GDPR, including indications on the methods of acknowledgement.

The Authority also reiterates that the recorded images should be erased after a few days (24/48 hours) and that the longer the storage period, the more detailed the analysis on the legitimacy of the purpose and the actual need for longer storage must be.

Finally, it is noted that video surveillance systems can only be installed in workplaces for organisational and production requirements, for workplace safety and protection of company property, in respect of the guarantees envisaged by Article 4 of Italian Law no. 300/1970.

◊◊◊◊

In conclusion, the FAQ, available on the Authority’s website (www.garanteprivacy.it), contain indications on the necessary requirements in order for personal data processing carried out using video surveillance systems to be lawful.

The FAQ supersede, albeit partially, the previous “Measure on video surveillance dated 8 April 2010”, adjusting the provisions contained therein to what was introduced by the GDPR and by the EDPB Guidelines.

Other insights related:

EDPB: Preliminary version of Guidelines 3/2019 on video surveillance

With the main goal of balancing private life and work, DDL 2233-B has been approved in its final version, which, in fact, governs the so-called remote work, that is the type of work performed outside of the employer’s premises and without specific requirements in terms of working hours. The intrinsic characteristics of remote work clearly imply a lower level of monitoring by the employer; this also applies to those elements that may have an impact on the health and safety of the worker. As a result, and without prejudice to the fact that the employer remains responsible for the health and safety of the worker, the law-maker established that the employer shall provide the worker and to the Workers’ representative, at least once a year, with a written information notice detailing the general and specific risks connected to performing a specific type of work while employed by the employer. On the other hand, the employer is made aware and becomes liable since he/she is expressly obligated to cooperate in implementing the preventive measures established by the employer to face the risks connected to the performance of the duties outside the workplace. However, the aforementioned requirements do not void the liability of the employer to guarantee the worker’s health and safety. In fact, unless exceptions are applied, please note that the employer must also follow the regulations established in the Consolidated Law on Safety (Legislative Decree 81/2008) applicable to the specific matters that characterise remote work.