Video surveillance has become increasingly common within organizations, and with the advent of new technologies, such as AI-powered image processing based workplace safety platform that we provide as Intenseye, it has become easier and more convenient for businesses and organizations to monitor their premises. However, with the rise of video surveillance also comes the need to protect individuals’ privacy and ensure that their personal data is being collected, processed, and stored in accordance with the General Data Protection Regulation (”GDPR”).
In our previous blog posts, we have covered various aspects of the GDPR and video surveillance. In this post, we turn our attention to the importance of having a privacy notice and warning sign in place to ensure full compliance with the GDPR. As the GDPR requires the individuals to be informed of how their personal data will be processed, a privacy notice is one way to fulfill this requirement.
In order to make data controllers more transparent about their collection and use of data, the GDPR requires them to publish privacy notices and warning signs stating the identity of the data controller and providing information about the nature of the data processing operations being undertaken. Privacy notices and warning signs are important for the transparency principle of the GDPR because they help to ensure that individuals are aware of the fact that their personal data is being collected and processed.
Accordingly, pursuant to GDPR, it is an obligation of every organization that process personal data through security cameras and video surveillance systems to inform its employees and third parties involved in the camera recording regarding their video surveillance systems. By providing a privacy notice and using warning signs, businesses and organizations can fulfill their obligation by informing individuals about the purpose of the surveillance, the legal basis for processing the data, and the rights of the individuals being monitored. Privacy notices should contain extensive, prescribed disclosures, including; contact details for the data controller, purpose of the processing, with whom the data will be shared, details of any data transfer outside of the EU, how long the data will be kept, what an individual’s rights are, and how to exercise data subject rights and file a complaint.
The notices must be clear and presented in an easy-to-read form; long, illegible terms in legalese are forbidden.
As Intenseye, we strongly recommend our customers to inform their employees and contractors when they visit their on-premises about the collected security camera, CCTV and video surveillance data which is shared with intenseye for the purpose of improving Environmental Health and Safety conditions and ensuring Occupational Health and Safety within the facility. We advise our customers to pay utmost attention to the transparency about the data privacy of their workers.
Warning signs and privacy notices regarding video surveillance allow individuals to make informed decisions about whether or not they want to enter the monitored area and be subject to surveillance.
Because of the volume of information, which is required to be provided to the data subject by the data controller, a layered mechanism for privacy notices may be followed by data controllers as stated in the European Data Protection Board (“EDPB”) published a guideline for the processing of personal data through video devices on July 10, 2019 (“Guidelines”).
Regarding video surveillance systems, the most important information should be displayed on the warning sign itself (first layer) while further mandatory details may be provided by other means (second layer).
First Layer: Warning Sign
The first layer of the layered approach to privacy notices and warning signs is the primary way in which the controller initially communicates with the data subject. During this stage, controllers may use warning signs to display relevant information. This information may be accompanied by an icon to provide a clear and easily understandable overview of the intended processing in a visible and easily readable manner, as required by Article 12 (7) of the GDPR.
The information provided through warning signs should be positioned in a way that is easily noticeable by the data subject before entering the monitored area, at approximately eye level. It is not necessary to disclose the specific location of the camera as long as it is clear which areas are being monitored and the context of the surveillance is clearly communicated. The data subject should be able to understand which areas are being captured by cameras so that they can either avoid being monitored or adjust their behavior accordingly.
The first layer of information provided through warning signs should generally include the most important details, such as the purpose of the processing, the identity of the controller, and information about the data subject’s rights. This may also include the legitimate interests being pursued by the controller or a third party, as well as contact information for the data protection officer (if applicable). Additionally, the warning signs should refer to the more detailed second layer of information and provide information on how and where to access it.
Below, you can find an example for the first layer of warning sign from the Guidelines on the processing of personal data through video devices:
Second Layer: Privacy Notice regarding Video Surveillance
The second layer of information should also be easily accessible to the data subject, for example through a complete information sheet available at a central location like a reception desk or information kiosk, or displayed on an easily visible poster. The first layer warning sign should clearly reference the second layer of information and provide a link to it, such as a QR code or website address. It should also be possible to access the second layer of information without entering the monitored area, particularly if it is provided digitally. Other options for accessing the information could include a phone number that can be called. Regardless of how the information is provided, it must include all of the required details outlined in Article 13 of the GDPR.
In addition to these options, the EDPB recommends the use of technological means to provide information to data subjects. This could include geolocating cameras and including information in mapping apps or websites, allowing individuals to easily identify the video sources related to the exercise of their rights and obtain more detailed information about the processing operation.
A layered approach to privacy notices and warning signs can be useful in ensuring that individuals are fully informed about the surveillance that is taking place. This approach involves providing information at various points throughout the premises, rather than just in a single location. For example, a privacy notice could be displayed at the entrance to the building, while warning signs could be placed at various points throughout the premises to remind individuals that they are being monitored.
In conclusion, privacy notices and warning signs are important tools for businesses and organizations that use video surveillance to ensure that they are compliant with the GDPR and that they are protecting the privacy of the individuals being monitored. By providing clear and concise information about the purpose of the surveillance, the legal basis for processing the data, and the rights of the individuals being monitored, businesses and organizations can help to build trust and ensure that they are treating personal data with the respect and care that it deserves.
Don’t miss the next post of our blog series – where the intenseye Technical Solutions Manager Denizcan Arslan will discuss Biometric Data in Video Surveillance Systems.