Trust is good, control is better?
Video surveillance is all the rage. A large number of companies rely on the use of more or less extensive video surveillance systems for their in-house security concept. The reason for this is plausible and can be easily understood: While a (recognizable) video surveillance system can already ensure a certain preventive "deterrence", criminal offenses or other misconduct can also be uncovered quickly and easily. But is this unproblematic in terms of data protection law?
The following article is intended to provide an initial overview of typical data protection pitfalls in the use of video surveillance systems. Since a large number of other "exceptional cases" come into consideration, we will first examine the "typical" use of a video surveillance system on a company's premises.
At this point, we would like to point out that the use of a video surveillance system is - at least in our experience - the absolute focus of the supervisory authorities, since complaints from affected persons are frequently received. This is also understandable, since video recordings - depending on their use - can lead to very drastic consequences for the persons concerned.
General conditions
Companies naturally have the understandable desire to protect their own premises and, if necessary, employees and/or customers by means of a video surveillance system. However, a large number of data protection and labor law aspects must be taken into account.
In a first step, it should always be examined for which concrete purposes the video surveillance system is to be used. For example, is it (only) about the protection of the company's own premises or should (at least also) further purposes be pursued? For example, strict criteria under labor law must be taken into account if employees are to be convicted of committing a criminal offense if there are concrete grounds for suspicion. Only when the scope of application of the video surveillance system has been clearly defined can a concrete data protection review be initiated.
Before implementing a video surveillance system, companies should always carefully check and record the reasons for this measure. For example, has there already been a break-in, theft or other serious misconduct? The justification may be somewhat "simpler" in the case of particularly sensitive companies which, due to high-value goods or their classification as critical infrastructure, are more frequently the target of attacks by third parties. In any case, the reason for the video surveillance must be known and documented accordingly.
Scope of video surveillance
When it comes to video surveillance, the first principle to consider should be "less is more". According to the requirements of the supervisory authorities, each planned video camera must (be able to) make a measurable contribution to the security concept being pursued. This means that the location of the cameras, their exact times of use and the technical functionalities of the respective cameras must be examined.
While audio recordings should be deactivated, as these can lead to penal consequences, more extensive functions, such as manual or automatic zoom and/or pan functions, should also be justified in detail. Here, the question should always be asked: Why are cameras with fixed coverage areas not sufficient to achieve the purpose pursued in each case?
The reasons for live monitoring, for example, should also be examined particularly thoroughly. If the purpose is to be able to keep evidence ready for the prosecution of crimes, live monitoring is obviously completely unsuitable. If, on the other hand, the purpose (e.g., in the medical field) is to provide rapid assistance in the event of an emergency, this assessment may be different. In any case, you should keep in mind that the use of live monitoring is generally regarded as a more serious intrusion into the privacy rights of the persons concerned than "mere" recording.
By the way: According to the opinion of the supervisory authorities, video recordings - unless there are special circumstances - must generally be deleted after 72 hours (at best by automated overwriting).
In order to comply with the obligation to provide evidence pursuant to Article 5 (2) of the GDPR, it is therefore essential that a site plan is created that records all cameras and their specific recording areas. In addition, we believe it is also useful to create an additional list of all (or at least selected) cameras, in which the specific purpose of the respective cameras is documented. In order to leave no room for attack, the entire system - since a data protection impact assessment will probably have to be carried out anyway - should be provided with a comprehensive system description showing all technical and organizational aspects.
Only if the planned video surveillance system is considered in its entirety can it be checked, for example, whether (irreversible) pixelation of recordings made "beyond the premises" is required.
The imperative of transparency
It should be known that covert video surveillance - if it is permitted at all - can lead to considerable risks under data protection law. Proper signage on the company's own premises must therefore be regarded as an important component of data protection compliance. The latter all the more so since this circumstance is ultimately openly recognizable to any person and must therefore be regarded - in the truest sense of the word - as the "signboard" of the measures taken.
In the case of a video surveillance system, a 2-step procedure is regularly suggested, which differentiates between preliminary and comprehensive information. While initially the "key data" of Art. 13 GDPR must be recognizable for every data subject, further information (e.g. regarding the exercise of data subject rights) can be provided via a QR code. However, it is important in any case that data subjects can obtain this information before they enter an area covered by video surveillance. To ensure that comprehensive information is available, we also regularly suggest that comprehensive signage be provided at least at one "prominent" location on the premises, for example to enable people who do not have a smartphone to obtain information.
Existence of a legal basis
Companies should also ask themselves the specific question of the legal basis on which video surveillance can be based. While in many cases the balancing of interests clause of Art. 6 (1) f) DS-GVO can be used, the conclusion of a works agreement within the meaning of Section 26 (4) BDSG should regularly be considered as a legal basis under data protection law for employees. This is all the more so since Section 87 (1) No. 6 BetrVG requires the involvement of the works council anyway.
In these cases, consent under data protection law will regularly be unsuitable - irrespective of any existing problems in employee data protection - since the use of the video surveillance system is not intended to be dependent on the consent of the persons concerned.
Protection of video recordings
Ultimately, the requirements of Article 32 of the GDPR must be observed - as is the case elsewhere - which obligates the controller to take appropriate technical and organizational measures. In particular, it must be checked who, when and to what extent has access to the video recordings. In addition, it must be ensured that the video surveillance system is provided in a (technically) secure environment that provides for state-of-the-art encryption of the data and the respective communication channels. If security service providers or other (IT) service providers are used, it must also be checked whether a contract for commissioned processing is to be concluded in accordance with Art. 28 DS-GVO. To make the whole matter unnecessarily more complicated, questions of third country transfer within the meaning of Art. 44 et seq. DS-GVO must be taken into account if an (international) cloud is used to store the data.
You can see quite quickly that the use of video surveillance systems should be thoroughly checked and at least cross-checked by "professionals".
Practical advice
SKW Schwarz advises a large number of companies on the planning and use of video surveillance systems. Based on our experience, we have a corresponding sample document for almost every conceivable situation. This includes in particular
- Company agreements and/or guidelines for the use of video surveillance
- Data protection notices for employees as well as samples for signage
- Sample data protection impact assessments, which are specifically geared towards the use of a video surveillance system.
We would be happy to help you master the "video surveillance challenge".