The French Data Protection Authority (CNIL) recently fined a company €20,000 for constantly recording video footage of its employees.
CNIL found that the company violated the GDPR by constantly filming its employees without their full knowledge over a period of more than 4 years.
This breach highlights the requirement for transparency. As a reminder, the key principles to consider include the following:
Communication: Those affected (employees and visitors) must be informed, using a sign visible in the premises under video surveillance.
Purpose: Do you have a clearly defined purpose for installing CCTV? What are you trying to observe taking place? Is the CCTV system to be used for security purposes only? If not, can you justify the other purposes? Will the use of the personal data collected by the CCTV be limited to that original purpose?
Lawfulness: What is the legal basis for your use of CCTV? Is the legal basis you are relying on the most appropriate one?
Necessity: Can you demonstrate that CCTV is necessary to achieve your goal? Have you considered other solutions that do not collect individuals’ personal data by recording individuals’ movements and actions on a continuous basis?
Proportionality: If your CCTV system is to be used for purposes other than security, are you able to demonstrate that those other uses are proportionate? For example, staff monitoring in the workplace is highly intrusive and would need to be justified by reference to special circumstances. Monitoring for health and safety reasons would require evidence that the installation of a CCTV system was proportionate in light of health and safety issues that had arisen prior to the installation of the CCTV system. Will your CCTV recording be measured and reasonable in its impact on the people you record? Will you be recording customers, staff members, the public? Can you still justify your use of CCTV when the effect it will have on other people is considered? Are you able to demonstrate that the serious step involved in installing a CCTV system that collects personal data on a continuous basis is justified? You may need to carry out a Data Protection Impact Assessment to adequately make these assessments.
Security: What measures will you put in place to ensure that CCTV recordings are safe and secure, both technically and organisationally? Who will have access to CCTV recordings in your organisation and how will this be managed and recorded?
Retention: How long will you retain recordings, taking into account that they should be kept for no longer than is necessary for your original purpose? DPC guidance is to retain for no more than 28 days.
Transparency: How will you inform people that you are recording their images and provide them with the other information required under transparency obligations? Have you considered how they can contact you for more information, or to request a copy of a recording?
Your company should also set out the approach to CCTV usage in a CCTV Data Protection Policy – something we specialise in. If you need help with this or other GDPR compliance issues, visit www.chalmindataprivacy.ie or message me via LinkedIn.