Increasingly, businesses are using video cameras for general surveillance and building or product security. In daily practice, I regularly see organisations where cameras have been installed on the premises, often without prior consideration of privacy issues. Does your organisation use cameras or are you thinking of implementing a system of camera surveillance? This blog explains which questions you need to ask and what conditions you have to meet.
Camera surveillance usually implies some form of personal data processing. For this processing to be lawful, an organisation must be able to demonstrate one of the legal bases for processing as outlined in the General Data Protection Regulation, the GDPR. In this blog, I will assume the choice of legitimate interest as a legal basis because, in this context, it will be the most commonly used option.
An organisation considering the use of camera surveillance, however, has to do more than simply document the applicability of legitimate interest. For this to qualify as a valid legal basis, a strict procedure of assessment will have to be carried out, and it is the controller’s responsibility to do so.
This assessment consists of 3 separate tests:
1. Existence of legitimate interest
Obviously, for your processing to be based on legitimate interest, such interest has to actually exist. You cannot mount a camera over the entrance to your company’s building simply because it makes you feel safe or because of the possibility of burglary or vandalism. Now, if there have in fact been incidents of this nature in the recent past, you may be justified in installing cameras to protect your property and to be able to provide evidence when you report future incidents. The important thing here is to properly document security issues and to periodically assess whether or not there is continued existence of legitimate interest. The threat of hazardous situations may also present legitimate interest in the implementation of camera surveillance, for example in the case of businesses or shops known to be frequent victims of robbery or ram raiding, like banks, jewellery stores or gas stations.
2. Necessity of processing
Establishing the existence of your organisation’s legitimate interest in camera surveillance is not the end of the story. Your camera surveillance will need to be appropriate, adequate and necessary to achieve the intended purpose. In other words, you may only use camera surveillance if you cannot achieve your goals with different, less invasive means. So, always consider alternatives. If you can also prevent security incidents by building a fence around your building, by deploying security personnel and installing an alarm system, then that is the way to go. Naturally, this will have to be assessed on an individual basis. If less drastic measures will demonstrably fall short and camera surveillance can be shown to be the only truly effective and, as a result, necessary option, you still need to ensure that processing of personal data is limited to what is absolutely necessary. Minimisation of personal data processing should always be your first priority. What this means, in practical terms, is that, for instance, your cameras are not turned on until after business hours and that they are placed in such a way as to not capture large views of the public road.
3. Weighing of interests
If you have ticked all the boxes on the previous two tests, the next step is a weighing of interests. As an organisation considering the use of camera surveillance, you need to weigh your interests against those of the data subjects, in this case, the people whose images will be captured on camera (visitors to your company, employees and passers-by). Only if the scales tip your way may you start using, or continue to use, camera surveillance.
Decisive in this weighing of interests is the extent to which your surveillance infringes on the rights and freedoms of the data subjects, taking into account, among other things, the specific circumstances of the situation at hand and the reasonable expectations of the persons who will be captured on video. A person withdrawing cash at an ATM, for instance, can expect a camera to be watching, whereas a person visiting a sauna or using a public bathroom will not expect to be filmed. In the latter two cases, moreover, video recording would represent excessive invasion of a person’s privacy, making this type of personal data processing disproportionate.
Whether or not camera surveillance is a lawful option will have to be determined in view of the specific circumstances of each individual case. What remains important is that you document each of the three steps of your assessment procedure, as well as the conclusions reached in all three of these steps. For you as a controller, this is part of your accountability obligation.
Apart from having to have a legal basis for the use of camera surveillance, you also need to notify the data subjects of your practice of video recording. Also, you must make sure they have been made aware of the presence of cameras before they actually come within camera range. The best way of doing this is by using a layered approach.
– First layer: warning sign
The first layer may consist of a warning sign, for instance showing a camera icon and listing the essential information, such as the purpose of processing, the identity of the controller and the rights of the data subjects. It should also identify the second layer of notification, by means of a QR code for instance, or by mentioning the URL of a website. Below is an example of the first notification layer: 
– Second layer: full privacy statement
The second layer of notification must present all the information listed as obligatory in Article 13 of the GDPR. One additional requirement is that the information is not only provided in electronic (digital) formats. It must also be available in a paper version (flyers at the reception desk or posters in the building). This information must also be accessible at locations outside of camera range. In practice, however, fully informing the data subjects before they are actually being filmed may not always be feasible. In the case of store surveillance, for example, one camera may cover the entrance.
Retention period and security
Images recorded by your cameras may be retained no longer than is necessary. The longer you wish to keep the recordings, the more arguments you are going to need to justify prolonged retention. The Data Protection Authority guideline for retention periods is 4 weeks, but this is a maximum term. Deleting recordings prior to 4 weeks is always the better option.
Until the time of removal, your recordings will obviously need to be stored securely. The security measures to be taken are of both a technical and an organisational nature. The former category includes passwords, encryption and firewalls, the latter includes access control. Security must be in place during all stages of processing, i.e. at the time of recording, during transfer of recordings and for the entire period of storage.
Data Protection Impact Assessment
In many cases, a Data Protection Impact Assessment (DPIA) will have to be carried out before you can start using camera surveillance, for instance where cameras are structurally being deployed to monitor large numbers of persons or when you, as an employer, use cameras to prevent theft and fraud by your employees. Always investigate whether or not a DPIA is necessary and get advice if you need it. Even if a DPIA is not mandatory, performing one can still be useful, because it will guide you through the entire process of checking all the issues described above.
There are numerous cases in which implementation of camera surveillance is not allowed. Whether or not it is a lawful option will have to be determined on an individual basis, taking into account the specific circumstances of the situation. Is your organisation considering the use of camera surveillance while fully complying with GDPR provisions? Here is a little checklist:
- Make sure you can demonstrate and have documented legitimate interest.
- Think about whether you really need camera surveillance.
- Weigh your interests against those of the data subjects.
- Make sure you notify the data subjects of the presence of cameras before they are actually being filmed, preferably in a two-stage (two-layer) model.
- Decide how long recordings will be retained and justify your choice.
- Make sure that technical and organisational security measures are being taken in all stages of processing.
- Investigate whether you are obliged to carry out a DPIA.
1. This basis for processing does not apply to processing carried out by public authorities in the performance of their tasks (Art 6(1)(f) of the GDPR), for instance in the case of a city installing cameras for the purpose of maintaining public order.
3. Covert camera surveillance may also be an option in specific circumstances, but the general rule is that you must advise the data subjects on your use of cameras.