The Data Protection Agency rendered a decision on data subjects’ right to access personal data collected by video surveillance cameras.

On October 6, 2016, the Data Protection Agency (the “DPA”) rendered Decision No. 2009622/2016 (the “Decision”) in response to an inquiry made by a group of bank associations on how to grant data subjects access to personal data collected by video surveillance cameras.

The right to access personal data is safeguarded by Data Protection Law No. 25,326 (the “DPL”), under which data subjects can request and receive information on any of their personal data which is included in public and private databases. The information provided must be clear and uncodified. It must be accompanied by an explanation, if necessary. In addition, it must be ample and include all of the subject’s personal data, although it cannot reveal data belonging to third parties. The DPL states that the data subject can choose whether to receive the information electronically, by telephone, through an image or by any other suitable means. 

Furthermore, Rule No. 10/2015 (the “Rule”) specifically regulates the treatment of personal data collected by video surveillance cameras, adapting the principles established by the DPL to this particular activity. It states that the collection of digital images of people requires their prior consent. However, it also includes several exceptions, among which is data collected within a private property and/or its perimeter, if no public spaces or third party properties are invaded, unless it is inevitable (in which case, the video surveillance must be kept to a bare minimum). The Rule also requires that the existence of cameras is duly informed by the use of signs.

In this context, a number of bank associations consulted the DPA in order to establish how to respond to requests for access to personal data collected using video surveillance cameras. According to the Decision, adapting the requirements of the DPL to this activity implies balancing on one hand the data subject’s right to access, and on the other the fact that the information is gathered for security reasons, the rights of other individuals that may be involved, and the costs and complexity of granting access.

In answering, the DPA analyzed the applicable local regulations, as well as comparative legislation. It concluded that a request to access personal data will be adequately met if the following measures are taken:

  1. The data subject is required to demonstrate his or her identity by providing an ID No., approximate time and date, and any information necessary to distinguish him or her (description or photograph).
  2. The data subject is offered alternatives on how to receive the information. The information must be presented clearly, with an explanation detailing the time frame (beginning and end), location and aim of the recording in which the data subject appears. It must also indicate if the data was assigned and to whom, and if the relevant database is registered with the DPA. In addition, and as long as the data subject accepts to bear the cost of this, an image (printed or in a CD) must be provided if exceptional and substantiated circumstances require so.
  3. No images of third parties are provided. If they exist and are supplied to the data subject, they must be modified so that the third parties cannot be identified.
  4. The data subject is informed that, if unsatisfied with the information received, he or she can file a claim before the DPA, as well as initiating a habeas data action.

Lastly, the DPA states that the Decision does not replace the Rule, but merely complements it on a particular matter.