IT Glossary
Video surveillance
Video surveillance refers to the capture, transmission and recording of images taken in places not open to the public (offices, store reserves, closed condominiums …).
It is sometimes confused with video protection, which refers to the capture, transmission and recording of images taken on the public highway and in places open to the public (street, train station, shopping center, shopping area …).
The captured images may or may not be viewed in real time.
The main purpose of video surveillance is to protect property and individuals, but it is sometimes used for other, more intrusive purposes such as monitoring employees or neighbors.
The intensive use of video devices has a significant impact on the behavior of the persons concerned, by restricting their ability to move about and use services anonymously.
Combined with new tools, particularly facial recognition, the quantity of data generated by video surveillance increases the risk of processing images for purposes other than securing property and people.
Since video surveillance involves the collection and storage of pictorial or audiovisual information that allows the identification of all persons entering the monitored space, based on their appearance or other elements, it necessarily involves the processing of personal data, unless the data cannot be linked to a natural person, that is, unless it is not possible to identify that person directly or indirectly.
As soon as the GDPR applies to the video surveillance system, its purpose must be documented before it is used, particularly in the processing register.
The persons concerned must also be informed beforehand of the purpose of the video surveillance system, and more generally of the conditions of processing of the data concerning them, of the rights they have with regard to the latter, as well as the details of the places monitored.
The main information should be displayed on an information board that refers to a second level of information where all the necessary information can be provided.
The images may not be kept for a period exceeding that necessary for the purposes for which they are processed, and therefore for which the video surveillance system is installed.
The video surveillance system must be secured in an appropriate manner by the data controller to limit the risk of a breach.
The organizational and technical security measures implemented must be appropriate to the risks to the rights and freedoms of natural persons resulting in particular from the destruction, loss, alteration or unauthorized disclosure of, or access to, video-surveillance data, whether accidental or unlawful.
Employee update
“No information concerning an employee personally may be collected by a device that has not been brought to his or her attention beforehand.”
Article L1222-4 of the Labor Code
Point of jurisprudence
The supervisory authority of Lower Saxony has fined the company NOTEBOOKSBILLIGER.DE 10,400,000 for having implemented a video surveillance system that was not proportionate to its purpose of detecting theft.
The authority recalls that “the controller should first consider less intrusive means (e.g. random bag checks on leaving the premises). Furthermore, video surveillance to detect criminal offences is only legal if there is reasonable suspicion against certain individuals. If this is the case, it may be permitted to monitor them with a video surveillance device for a limited period of time”.
Landesbeauftragte für den Datenschutz Niedersachsen, 8 January 2021
The Bouchara firm assists you in particular with:
- Making your organization GDPR compliant;
- The drafting of data protection policies (privacy policy, computer charter …);
- Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
- Obtaining certifications and adhering to codes of conduct;
- The study of the legal feasibility of the implementation of a new personal data processing;
- The drafting and transmission of your codes of conduct to the CNIL for approval;
- Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
- Drafting and negotiating your data processing agreements (DPA);
- Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
- Training and awareness of your employees.
We are also the external Data Protection Officer of many data processors and subcontractors.