On July 10, 2019, the European Data Protection Board (EDPB) adopted Guidelines 3/2019 on processing of personal data through video devices. Objective of the guidelines is to provide guidance on how to apply the General Data Protection Regulation, GDPR, in relation to the processing of personal data through video devices.
The Guidelines provide several examples to better understand the practical implications of the processing of personal data through video devices.
The document starts by explaining the “household exemption” as set forth by Article 2(2)(c), GDPR, which excludes the processing of personal data by a natural person in the course of a purely personal or household activity, as well as the video surveillance carried out in such circumstances.
The document also deals with the lawfulness of processing and it explains that in principle every legal ground under Article 6(1), GDPR, can provide a legal basis for processing video surveillance data. In particular, the Guidelines explain how to assess the existence of the following grounds for processing (i) legitimate interest, Article 6(1)(f), GDPR; (ii) necessity to perform a task carried out in the public interest, Article 6(1)(e), GDPR; and (iii) – in rather exceptional cases – consent, Article 6(1)(a), GDPR.
Chapter 4, concerns the disclosure of video footage to third parties. It explains how the GDPR’s principles apply to the disclosure of video recordings to third parties in general and also to law enforcement agencies.
Chapter 5 deals with the processing of special categories of data, such as biometric data. The safeguards of Article 9, GDPR, apply when the video footage is processed to deduce special categories of data. The chapter is helpful in suggesting measures to minimize risks when processing biometric data.
Chapter 6 deals with the rights of the data subject: right to access, erasure and right to object.
Chapter 7 provides useful information on how to fulfill the transparency and information obligations laid down under the GDPR. The Guidelines explain how the first layer of information may be provided to the data subject by posting the relevant warning sign with the necessary information.
The EDPB explains that controllers may utilize a layered approach to provide the data subjects with the relevant information. First information should be displayed on a warning sign itself (first layer) while further mandatory details may be provided by other means (second layer).
Chapter 8 deals with the erasure obligation according to which personal data may not be stored longer than what is necessary for the purposes for which it is processed, Article 5(1)(c) and (e), GDPR.
Chapter 9 reminds controllers that processing of personal data during video surveillance must also be adequately secured; proportional organizational and technical measures must be in place in case of risks to rights and freedoms of natural persons that would derive from the unlawful destruction or loss of video surveillance data.
Chapter 10 explains more in detail when, according to Article 35(1), GDPR, controllers are required to conduct data protection impact assessments (DPIAs).
Guidelines 3/2019 on processing of personal data through video devices are available at https://edpb.europa.eu….
For more information on how EU privacy may impact your business, contact Francesca Giannoni-Crystal. Thanks to Federica Romanelli