On July 6, 2016, the Bavarian Data Protection Authority (“DPA”) issued a short paper on video surveillance under the EU General Data Protection Regulation (“GDPR”).
This paper is part of a series of papers that the Bavarian DPA will issue periodically on specific topics of the GDPR to inform the public about what topics are being discussed within the DPA. The DPA emphasized that these papers are non-binding.
The GDPR does not contain specific provisions on video surveillance, contrary to the detailed provisions on video surveillance contained in the German Federal Data Protection Act. Since the GDPR will replace the existing data protection laws in the various EU Member States once it becomes effective in May 2018, the detailed German provisions on video surveillance will cease to exist.
According to the DPA, video surveillance under the GDPR can be legitimized based on the general legal ground of legitimate interest following a balancing test. However, video surveillance will constitute a high-risk processing operation for which a privacy impact assessment (“PIA”) will be necessary, in particular with regard to monitoring publicly accessible areas on a large scale. In addition, appropriate internal records should be kept to document the PIAs as well as the specific data processing activities involved. If a PIA indicates that the processing would result in high-risk that cannot be mitigated (e.g., if mitigation is not technically or practically feasible), the DPA should be consulted prior to the use of the video surveillance system.
According to the DPA, currently, companies are already keeping internal inventories when using video surveillance systems. However, under the GDPR, the DPA advises companies to document each video surveillance system, the purpose of the processing, why it is necessary and proportionate, the risks it presents for individuals and the measures that have been implemented to mitigate those risks.