Changes related to video surveillance, additional documentation required
The European Data Protection Board has issued new guidelines on the processing of data using video recording devices. Among other things, the guidelines address video surveillance for the purpose of protecting property. As this is one of the most popular purposes for which CCTV cameras are used in Lithuania, it is appropriate to summarise the most important points made by the European Data Protection Board.
The General Data Protection Regulation (GDPR) does not foresee any specific rules applicable to video surveillance. The current Law on Legal Protection of Personal Data of the Republic of Lithuania, unlike the pre-GDPR version, also does not provide for any specific rules. Therefore, the most important aspects set out by the European Data Protection Board concerning video surveillance for asset protection purposes will be discussed below.
The legal basis
Where video surveillance for asset protection purposes is carried out by private undertakings, it may only be carried out on the basis of a legitimate interest (Article 6(1)(f) GDPR). Where it is carried out by public authorities and bodies, it may only be carried out when necessary for the performance of a task carried out in the public interest or in the exercise of a function of public authority vested in a controller (Article 6(1)(e) GDPR).
Public authorities may rely on legal requirements and entitlements or general health and safety requirements to implement video surveillance. Public authorities may also adopt specific legislation regulating their use of video surveillance, the rules of which should be in line with the principles of the GDPR.
The situation is somewhat different with private companies. The legitimate interest in carrying out video surveillance for the purpose of asset protection should be based on a real and actual threat that the company’s assets may be damaged, destroyed, stolen, etc., and not on the theoretical possibility of a threat. The undertaking should be able to demonstrate that the threat of damage is real, in line with the principle of accountability. This can be demonstrated by various means, such as incidents in the immediate vicinity or incidents involving the company itself. As part of the principle of accountability, the company should keep documentation supporting such incidents (police referral, police reports, court decisions, etc.). A legitimate interest may also exist due to the nature of the company’s business, e.g. the company sells jewellery, or provides banking or similar services. Crime statistics in a particular area may also be used, but should be used with caution – only crimes committed in the immediate vicinity should be considered, taking into account the nature of the crimes that occur.
Need for additional documentation
Following the entry into force of the above-mentioned guidelines, legal persons are required to prepare additional documentation:
- When installing new CCTV cameras, both companies and public authorities and bodies should document the purpose of each CCTV camera (if the purpose of several CCTV cameras is the same, the purposes of the cameras can be documented together).
- Accordingly, clear documentation should be prepared for CCTV cameras already installed, describing the purpose of each camera (if several CCTV cameras have the same purpose, their purposes can be documented together).
- Public authorities should adopt appropriate legislation to legalise their video surveillance. When deciding on the introduction of video surveillance, each case should be assessed individually, weighing up the potential legitimate interests at stake and their impact on the rights and freedoms of individuals.
- The documents necessary to inform individuals about video surveillance should be prepared (information signs warning about video surveillance, privacy policy for the website, etc.).
Data retention period
The version of the Law on Legal Protection of Personal Data of the Republic of Lithuania in force prior to the entry into force of the GDPR provided for a maximum retention period of 14 calendar days for video surveillance data. Following the entry into force of the GDPR, the Law on the Legal Protection of Personal Data of the Republic of Lithuania has been radically amended and is currently silent on the retention period for video surveillance data. The GDPR also does not provide for such a time limit. After the entry into force of the GDPR, it was still common practice to comply with this maximum retention period of 14 calendar days for video surveillance data.
The position set out in the European Data Protection Board guidelines radically changes this retention period. It states that one or two days are sufficient to detect damage. Given the principles of limitation of retention periods and data minimisation enshrined in the GDPR, data should not be retained for asset protection purposes for more than a few days. The longer the retention period, the more detailed the reasoning on the necessity and purpose of video surveillance that will be required, especially if the retention period exceeds 3 calendar days. Where weekends are preceded or followed by public holidays, the retention of video surveillance data may be extended for this period to prevent the deletion of the currently recorded video surveillance data if the company or public authority is closed on these days. In any event, information on the retention period must be provided to individuals in a clear and comprehensible form.
Informing individuals about video surveillance
Article 13 of the GDPR specifies what information must be provided to individuals when data are collected directly from the individual himself:
- the identity and contact details of the controller;
- the contact details of the data protection officer, if one has been appointed;
- the purpose of the processing and the legal basis for it;
- if the processing is carried out on the basis of a legitimate interest, the legitimate interest pursued;
- if the data are transferred or accessed, the recipients or categories of recipients;
- in the case of transfers to third countries or international organisations, whether there is a decision of the European Commission on the eligibility of the recipient of the data or other appropriate or adapted safeguards;
- the period of retention of the data or the criteria for determining it;
- the data protection rights of individuals under Articles 15, 16, 17, 18, 20 and 21 of the GDPR;
- the right to withdraw consent at any time, if the individual's data are processed on the basis of consent;
- the right to lodge a complaint with a supervisory authority;
- whether the provision of the data is a legal or contractual requirement or a requirement for the conclusion of a contract, as well as whether the data subject is obliged to provide the personal data, and the possible consequences of not providing such data;
- in the case of automated decision-making and/or profiling, meaningful information on the rationale for such processing, as well as the implications of such processing and the possible consequences for the individual.
All this information, insofar as it applies to the video surveillance being carried out or planned, shall be provided to the persons who may enter the area covered by video surveillance.
Both the Article 29 Group (which became the European Data Protection Board after the entry into force of the GDPR) and the State Data Protection Inspectorate (‘the Inspectorate’) have suggested that the information on the video surveillance to be carried out should be provided in two ‘layers’ – part of the information should be provided on an information sign (the first ‘layer’), and the rest could be obtained by the individual by contacting the contacts listed on the sign or by accessing the website indicated (the second ‘layer’). The Inspectorate even provided some examples of possible ‘layer one’ signs from which to choose the preferred option. The least informative example had to have a clear symbol warning about the video surveillance, the purpose of the processing and the identity and contact details of the controller.
The European Data Protection Board has now outlined clearer guidelines on how individuals should be informed about video surveillance. The model now proposed does not depart far from the one proposed so far: it retains the same two-layered notification approach, consisting of the warning sign (the first ‘layer’) and information available from other sources (the second ‘layer’).
To begin with, the guidelines discuss how the warning sign itself should be displayed – the individual must be able to read its content without yet being in the field of view of the cameras. The sign itself should be at approximately eye level, easily visible and legible.
This sign should contain the most important information and a link to a second ‘layer’ of information. The most important information is considered to be the purpose of the processing, the identity of the controller, and brief information on the rights of the individual. It should also contain information that a person might not normally expect. For example, the guidelines state that individuals cannot expect data to be recorded and stored for a certain period of time, so if the data are retained, the retention period or criteria for determining it must be indicated. Otherwise, it would be considered that the image is not being recorded and stored, i.e. live surveillance is taking place. Also, individuals do not expect that the data may be transferred to anyone, in particular to third countries, so if such transfers exist, it is necessary to provide information on such aspects of data processing on the sign. The specific information to be included in the warning sign (the first ‘layer’) should be assessed on a case-by-case basis.
The second ‘layer’ should describe all aspects of the processing referred to in Article 13 of the GDPR (reproduced above). The first ‘layer’, i.e. the warning sign, should point to the second layer, for example by means of a QR code with a link to the privacy policy for video surveillance, a link to the web page where the privacy policy is posted, a phone number, an email address, a reference to the reception desk, etc. The European Data Protection Board encourages the use of electronic means, but points out that this information should also be available in non-digital format where possible. For example, if a hotel carries out video surveillance in its own courtyard where there is a car park, all non-digital information on the video surveillance should be available at the reception or in the waiting area of the hotel; in the case of a store carrying out video surveillance, it should be available at the cash desk or the information desk of the store.
To summarise these developments, there is a more stringent legality requirement for video surveillance, as it is necessary to justify a genuine legitimate interest in video surveillance based on incidents that actually occurred. There is also a new obligation to document video surveillance further, and stricter regulation of retention periods.