- EDPB emphasizes proportionality and requires a case-by-case assessment as well as high requirements for legitimate interests in video surveillance in accordance with Art. 6 para. 1 lit. f GDPR.
- Biometric and particularly sensitive data fall strictly under Art. 9 GDPR; collection, storage or template matching generally requires explicit consent.
The European Data Protection and Privacy Board (EDSA/EDPB), following the Draft has now published the definitive version of its guidelines on video surveillance (Guidelines 3/2019 on processing of personal data through video devices) adopted with date of January 29, 2020 (for the time being only available in English). The guidelines explain in just under 30 pages, among other things, the permissibility of video surveillance (legal basis), disclosure to third parties, the processing of special categories of personal data, the rights of data subjects in connection with video recordings, the information of data subjects, the storage of recordings, the necessary security measures and data protection impact assessments.
Proportionality
The EDSA places emphasis on the Proportionality of the measures, which requires a case-by-case assessment in each case. It also places relatively high requirements on the specific legitimate interest of the controller, insofar as the controller relies on Art. 6 (1) (f) GDPR (cf, Rs. C‑708/18).
Personal data requiring special protection
The comments on personal data requiring special protection are interesting. Here, the EDSA confirms the general view that recordings that potentially show particularly sensitive features (e.g. glasses as a potential health datum) are not per se particularly worthy of protection. Only when these sensitive statements are taken from the recordings is personal data worthy of special protection processed:
However, if the video footage is processed to deduce special categories of data Article 9 applies.
This applies not only to health data, but other categories as well:
Video surveillance capturing a church does not per se fall under Article 9.
However, potentially particularly sensitive personal data is sensitive, which is why the principle of proportionality is of particular importance here.
Biometric data
Also noteworthy are the comments on biometric data. Biometric data within the meaning of Art. 4 No. 14 DSGVO are only processed if
- Data relates to physical, physiological or behavioral Features refer,
- those with special technical processes obtained become and the
- be used to identify a person Clearly identify.
This is not the case, for example, when a camera in a store automatically detects the gender or age of a person, as long as the system cannot identify the person.
However, if the system has a biometric template is created and stored in order to recognize a specific person, this is said to constitute processing of biometric data – even if the person in question is not known by name; with the consequence that Art. 9 GDPR applies. Here, the EDSA relies – without saying so – on the concept of the Singularizationwhich is apparently supposed to be equivalent to an identification here:
If a controller wishes to detect a data subject re-entering the area or entering another area (for example in order to project continued customized advertisement), the purpose would then be to uniquely identify a natural person, meaning that the operation would from the start fall under Article 9. This could be the case if a controller stores generated templates to provide further tailored advertisement on several billboards throughout different locations inside the store. Since the system is using physical characteristics to detect specific individuals coming back in the range of the camera (like the visitors of a shopping mall) and tracking them, it would constitute a biometric identification method because it is aimed at recognition through the use of specific technical processing.
However, the EDSA takes an even stricter view: biometric data processed not only for those individuals for whom a template has been created, but also for all those persons whose characteristics are matched with the template. If, for example, facial features of VIPs are stored in a hotel so that they can be immediately recognized upon check-in, not only the consent of the VIPs is required, but also that of all other guests whose faces are scanned, even though these guests cannot be identified due to the lack of their own template:
A hotel uses video surveillance to automatically alert the hotel manager that a VIP has arrived when the face of the guest is recognized. These VIPs have given their explicit consent to the use of facial recognition before being recorded in a database established for that purpose. These processing systems of biometric data would be unlawful unless all other guests monitored (in order to identify the VIPs) have consented to the processing according to Article 9 (2) (a) GDPR.
The EDSA further comments on the voluntary nature of the consent required and on data minimization in biometric systems.
Data subject rights
There is also a right of access to video recordings. However, the responsible party should not necessarily be forced to hand over copies of recordings if third parties are also depicted in them. In any case, the responsible party is not required to purchase systems, for example, to pixelate other persons. In this case, the EDSA leaves it open how information is to be provided; (edited) still images are a possible option (see the Guidelines of the Irish Regulatory Authority). Furthermore, the EDSA addresses the issue of identifying the person providing the information and the other data subject rights.
Transparency
For the information of the persons concerned, the EDSA recommends quite extensively a staged procedure with a notice at the cameras and the further information e.g. at a reception or similar. The EDSA recommends the following information sign:
Storage duration
Video recordings are to be deleted if they are no longer required. The EDSA recommends a retention period of 1 – 2 days for security systems, because e.g. acts of vandalism are usually discovered after 1 or 2 days. For longer periods, the need for storage must be justified:
Taking into consideration the principles of Article 5 (1) (c) and(e) GDPR, namely data minimization and storage limitation, the personal data should in most cases (e.g. for the purpose of detecting vandalism) be erased, ideally automatically, after a few days. The longer the storage period set (especially when beyond 72 hours), the more argumentation for the legitimacy of the purpose and the necessity of storage has to be provided.