CCTV & Audio Recordings: AEPD Crackdown 

In today’s tech-driven world, Closed-Circuit Television (CCTV) systems have become an indispensable tool for businesses. These watchful electronic guardians offer a wide array of advantages, from deterring external criminal actors to monitoring internal employee activities. However, as more businesses embrace CCTV, concerns surrounding data protection and compliance with the General Data Protection Regulation (GDPR) have taken center stage. With numerous reported cases of misuse and noncompliance, it’s imperative to explore the intricate balance between security and privacy in the realm of surveillance technology.

In this article, we’ll delve into the current landscape of CCTV usage in businesses, shedding light on the evolving regulatory environment with a slew of recent cases out of the AEPD in Spain, and the practical strategies required to achieve GDPR compliance while effectively leveraging the potential of modern surveillance systems.

Current Usage

CCTV plays a pivotal role in enhancing security, operational efficiency, and overall productivity. Primarily, businesses employ CCTV systems to safeguard their premises by deterring theft, vandalism, and unauthorized access. These systems provide real-time monitoring, allowing for quick response to security incidents and facilitating evidence collection for investigations. The security aspect is generally seen as a positive technical and organizational security measure if your organization manages its own office space.

Beyond security, CCTV is sometimes leaned on to monitor employee performance, to ensure adherence to safety protocols, and enhance customer service by tracking customer behavior and optimizing store layouts. Generally, this is where issues arise as a lawful basis for these purposes is harder to justify than the security angle. It is clear that some of these activities are more GDPR friendly than others – I, personally, would be happier seeing a CCTV camera by the entrance/exit of a retail store than a camera on every aisle to monitor behavior and purchasing patterns. We won’t get into the Amazon Go automated payment store concept, as that is a can of worms that deserves its own article!

AEPD Awareness
  1. AEPD – PS/00427/2022

In this case, the Spanish Data Protection Authority (DPA) fined the controller €300 for installing security cameras that captured video beyond the boundaries of their private property, violating Article 5(1)(c) of the GDPR. The complaint came from a neighboring individual, who reported that one of the controller’s surveillance cameras captured images of their property without authorization.

The Spanish DPA emphasized that surveillance practices must not extend beyond the camera’s installation area, affecting public spaces, neighboring buildings, or unrelated vehicles. It also stressed that capturing images of third parties’ private or public spaces without proper justification or consent is impermissible. The DPA directed the controller to remove or adjust the cameras to ensure compliance with privacy regulations, preventing the recording or capturing of images from the data subject’s property or the nearby public or private road.

  2. AEPD (Spain) – PS-00188-2022

The Spanish DPA fined a company €6,000 for improperly using its surveillance system’s audio recording to monitor an employee’s private conversations with a customer, leading to the employee’s dismissal. The employee – understandably – filed a complaint with the DPA, alleging unlawful workplace audio surveillance. The DPA found that the employee wasn’t adequately informed about audio recording, and the surveillance lacked a legitimate basis, violating GDPR Article 6.

The DPA found the controller in violation of GDPR Article 6. The DPA determined that the employee had not been adequately informed about the audio processing, despite the handbook mentioning the functionality. The DPA highlighted that workplace surveillance should respect workers’ dignity and privacy under Spanish labor and data protection law. They emphasized that surveillance systems must be indispensable and strictly necessary for their intended purpose and that mere utility or convenience does not suffice. They concluded that the audio recording was not strictly necessary for monitoring the employee and lacked a legitimate basis. The DPA considered factors such as intentionality and the controller’s responsibility when determining the €6,000 fine, taking into account the small size of the company and the low volume of data processed as mitigating factors.

  3. AEPD (Spain) – PS/00558/2022

This one is different from the previous cases, as it relates to the use of captured video. We often receive questions at Borneo asking about when and how a company can use a recording captured on CCTV or by an employee. In this instance, the AEPD fined an individual €10,000 for posting a video of a vulnerable person without consent, violating GDPR Article 6(1). The video, recorded without permission, showed the person’s face while they were visibly unwell as a result of alcohol consumption and was widely shared on social media platforms.

The Spanish DPA imposed a €10,000 fine on an individual for sharing a video of a vulnerable person without consent, breaching GDPR Article 6(1). The video, taken without permission, revealed the person’s identity as they struggled with the effects of alcohol on a public road and was extensively circulated on social media.

Conclusion – What Can We Learn

Three key lessons emerge from these cases regarding CCTV use and sharing recorded videos under the GDPR.

First, the purpose and lawful basis of your CCTV or audio recording should be clearly defined and documented. There are use cases – such as avoiding vandalism or theft, or adhering to safety protocols – that enable the organization to clearly demonstrate its legitimate interest in conducting the processing. Others, such as monitoring employee behavior or tracking customers in a retail environment, are harder to justify based on the legitimate interest of the controller (GDPR Article 6(1)(f)) – though not impossible, as long as you conduct a thorough Legitimate Interest Assessment (LIA). In some cases, a Data Protection Impact Assessment (DPIA) could also be required.

Second, it is important to provide transparent and appropriate notices justifying the video or audio surveillance at your organization. You should include information on the controller, the purpose of the recording, the lawful basis relied on, information on data subjects’ rights and how they can exercise them, the DPO contact information, and finally how long the data is retained for. Personally, I like to see a QR code on the notice that links to a CCTV-specific privacy notice/policy with more detailed information for those who are interested. When talking about recording employees, this notice should be clearly available and also listed in your employee privacy notice/policy. Failure to do so can result in GDPR violations and fines, as well as the associated negative publicity.

Third, using the recordings from your CCTV or audio devices can be difficult to justify at times. You will have to evaluate each use on a case-by-case basis, as you need to be aware of the purpose limitation principle. As we saw in the second case above, your purpose may not be compatible with your use of the recording – the organization had to prove why recording audio of employees is strictly necessary for the purpose of monitoring said employees, which they could not do. 

CCTV and audio recordings are invaluable but can cause issues if used incorrectly. The AEPD in Spain is not the only DPA that is aware of mass non-compliance in the CCTV space, so it would be a good time to review your organization’s use of recording. In all such cases, you should reach out to your DPO or legal team to discuss the lawful use of CCTV.


Created by:

Charles Maddy-Trevitt

UK Market GDPR Specialist at Borneo.
Charles has a background in a wide range of industries and sectors, with international experience (US/UK/Canada/EU) in data protection. It’s this knowledge and experience that allows Charles to guide clients through the minefield of data protection regulations and make compliance simple.
