On 6 July 2016, the Bavarian Data Protection Authority issued a brief guidance paper on video surveillance under the new EU General Data Protection Regulation (“GDPR”).
This short paper is the first issue within a series of non-binding guidance papers on selected topics in relation to the GDPR, which the Bavarian Data Protection Authority has planned to publish periodically, and which can be found here.
The Bavarian Data Protection Authority’s startling first finding is that, contrary to the current legal framework under the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), the GDPR does not contain guidance on the regulatory requirements for video surveillance. Rather, under the GDPR, the legitimacy of video surveillance measures falls under the general provision of Article 6(1)(f) GDPR, pursuant to which processing shall be lawful if “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”.
Against this backdrop, the Bavarian DPA highlights the following requirements under the GDPR that need to be complied with in connection with the operation of video surveillance systems:
- The controller must perform a data protection impact assessment pursuant to Article 35 GDPR. Recital 91 s. 1 of the GDPR reads: “A data protection impact assessment is equally required for monitoring publicly accessible areas on a large scale, especially when using optic-electronic devices or for any other operations where the competent supervisory authority considers that the processing is likely to result in a high risk to the rights and freedoms of data subjects, in particular because they prevent data subjects from exercising a right or using a service or a contract, or because they are carried out systematically on a large scale.” Taking this into account, the Bavarian DPA concludes that such impact assessment will in particular be required for monitoring publicly accessible areas.
- The controller must be able to demonstrate compliance with the legal requirements for such impact assessment, Article 5(2) GDPR.
- The controller must maintain sufficient records of processing activities, Article 30 GDPR. According to the Bavarian DPA, this shall include in particular the obligation to indicate each individual video camera, the purpose, why the surveillance system is necessary and proportionate, any risk for the data subjects, and the measures envisaged and/or taken to address these risks.
- The controller must consult the DPA prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, Article 36 GDPR.