EDPB’s Guidelines 3/2019 on the processing of personal data through video devices – Part 3 of 13

In this follow-up post in our series analyzing video surveillance under the GDPR, the European Data Protection Board (EDPB)’s Guidelines 3/2019 on the processing of personal data through video devices will be addressed in relation to the general principles of the GDPR for ensuring privacy during processing of personal data.

Despite there is no specific section in the GDPR for the video surveillance systems and security cameras, European Data Protection Board (EDPB) published a guideline for the processing of personal data through video devices on July 10, 2019 (“Guidelines”).

The Guidelines provides important guidance on how companies and organizations can ensure compliance with the GDPR when using video surveillance systems and security cameras. In this post, we will provide an overview of the EDPB’s Guidelines and general principles of the GDPR to be considered while dealing with video surveillance systems and security cameras.

EDPB acknowledges the prevalence of video devices (everything from smartphone cameras to security cameras) in contemporary life and recognizes that many people can be comfortable using such devices for certain purposes, such as security.

However, Guidelines on the processing of personal data through video devices emphasizes that:

• Precautions should be taken to prevent any misuse of video recordings for completely different and unexpected purposes (e.g. marketing, monitoring employee performance, etc.),
• Data controllers should carefully consider the general principles relating to the processing of personal data ( Article 5 of GDPR ) when dealing with video surveillance,
• Data controllers should be aware of the risk of malfunction of display devices and the prejudices that this may cause, and take precautions regarding these,
• For the purposes of creating a legitimate basis, video surveillance will not be necessary if the purpose of data processing by another means or method is achievable.

The Guidelines specifically clarifies the following:

• Application of the GDPR to the processing of personal data via video devices
• Legitimacy of personal data processing via video devices
• Processing of special categories of personal data, including the processing of biometric data via video devices
• Rights of the data subject regarding the processing of their data in the aforesaid manner
• Obligations of storage and retention of the data obtained in the aforesaid manner
• Technical and institutional measures required for data processing as mentioned.

In our next posts within the GDPR and Video Surveillance series, we will try to cover all main points of the Guidelines.

General Principles Relating to Processing of Personal Data

Article 5 of GDPR describes seven (7) general principles, for ensuring privacy during processing of personal data.

1. Lawfulness, Fairness, and Transparency: Processing must be in accordance with the GDPR criteria. Personal data must be handled in a way that the subjects would reasonably expect and should not be used in a way that would have unjustifiable negative consequences on them. Explicit reasons for the collection and processing of personal data are required.
2. Purpose limitations: Personal data can only be obtained for ‘‘specified, explicit and legitimate purposes’’. The purpose for collecting the data must be disclosed to the data subject. Although data pertaining to the public interest, research, or statistical reasons have no requirements in relation to purpose limitation, processing without further consent should not be allowed.
3. Data minimization: Data collected specifically to a subject should be ‘‘adequate, relevant and limited to what is necessary for relation to the purposes for which they are processed’’, which implies that only the necessary information should be gathered and stored for a certain procedure.
4. Accuracy: The collected data must be ‘‘accurate and where necessary kept up to date’’. To ensure effective protection against identity theft, no changes should be made. The creation of editable data management systems is a requirement for data controllers so that subjects can update their data.
5. Storage limitations: Personal data shall be ‘‘kept in a form which permits identification of data subjects for no longer than necessary’’. Data for statistical, academic, or public interest purposes can be stored for a long time with the right security measures in place. A controller’s repositories should be cleaned out of any data that is no longer needed.
6. Integrity and confidentiality: The GDPR requires the data controller to maintain the integrity and confidentiality of the data it collects, essentially keeping it secure from internal or external threats. The controllers should use appropriate technical or organizational measures to provide ‘‘appropriate security of the personal data including protection against unlawful processing or accidental loss, destruction, or damage’’.
7. Accountability: Controllers shall be accountable if the data processing is not compliant with GDPR.

As stated in Guidelines, all data controllers should carefully consider these general principles when dealing with security cameras and video surveillance systems. By adhering to these principles, businesses and organizations can ensure that they are respecting individuals’ privacy and complying with the GDPR. As Intenseye, we conduct all our activities within the scope of these principles.

We hope that our previous blog post about the key definitions of the GDPR along with this post have provided you with a better understanding of the general principles of the GDPR to be considered while dealing with video surveillance systems and security cameras. Don’t miss our next blog post, where we’ll be discussing the lawfulness of video surveillance under the GDPR.