The Office for Personal Data Protection (Office) has issued a new methodology for the use of CCTV systems in order to help data controllers and data processors better navigate the obligations arising from the GDPR and other relevant laws. The methodology follows the European Data Protection Board’s Guidance No. 3/2019 on the processing of personal data through video devices.
Probably the most important change compared to the previous practice is the fact that the methodology applies not only to camera systems with recording capability, but also to camera systems in online mode, i.e., without recording, which, however, process personal data. In this sense, CCTV systems are therefore not distinguished according to whether or not the CCTV system is recording, but more importantly whether or not the CCTV system can identify data subjects. If the identification of data subjects is not possible, it is not processing of personal data, because it is not personal data within the meaning of the GDPR, otherwise it will usually be processing of personal data (e.g., the transmission of image recordings of identifiable data subjects is itself the processing of personal data according to the methodology). According to the methodology, photo traps are also considered camera systems.
According to the methodology of the Office, camera systems can be divided into six categories according to the degree of image size as defined by the relevant technical standard (ČSN), i.e., monitoring, detection, observation, reconnaissance, identification, and reconnaissance. The image size level can be used to determine whether or not personal data processing is involved, both in online camera systems and camera systems with recording. Simply put, according to the methodology, if any figure in the frame occupies more than 25% of the image height, there is processing of personal data, and if this threshold is not reached, there is no processing of personal data. If we proceed from the above technical standard, then in the case of the first two image size scales mentioned: monitoring and detection (i.e., the lowest resolution), there is no processing, whereas in all other cases of the image size scales: observation, reconnaissance, identification and examination (i.e., higher resolution), there is processing, regardless of whether or not a recording is made (repetitio est mater studiorum!).
The methodology emphasizes compliance with other GDPR requirements in connection with the use of CCTV systems, such as the determination of the legitimate purpose and legal grounds for the processing of personal data, the principle of minimization of processing, i.e., not only the retention period of the recordings (in principle 72 hours, longer retention periods are not excluded, but must be duly justified), but also, for example, the set-up of the camera system (number and location of cameras or setting of the camera frame), the fulfilment of information obligations towards data subjects about their rights (information notice in the first layer and more detailed information in the second layer), including the fulfilment of these rights on the basis of requests from concerned data subjects, and the security of camera systems.
As regards the requirements for the security of CCTV systems, according to the methodology, CCTV systems are divided into four classes according to the level of risk of violation of the rights and interests of data subjects (low, medium, high, and very high level of violation) and depending on this, requirements are set for appropriate technical and organizational measures to secure personal data, respectively the CCTVs processing personal data.
From a practical point of view, the templates contained in three annexes of the methodology are of great help, these are the following:
- Example of information on the processing of personal data by means of camera recording or by means of surveillance of camera images,
- Example of a record of processing activities, and
- Example of a camera system balance test.
The latter annex is quite extensive and it is questionable whether it will be used to this extent in practice. However, as an example it will undoubtedly serve well and, as mentioned below, the methodology is not binding.
From a practical point of view, the part of the methodology describing the complete documentation for CCTV systems is also interesting, i.e., the CCTV system documents that should be at the disposal of every controller who operates a CCTV. This is one of the clues that could indicate whether or not the controller is fulfilling his/her obligations. In the event of an inspection, it is certain that the Office will request similar documentation, and if the controller does not have it at his/her disposal, it means that he or she is probably not fulfilling his or her obligations.
However, it should be emphasized what the Office says on its website on the methodology and in the methodology as well (see links below), i.e., that the methodology is not a legally binding document and personal data controllers may use other methods or procedures to ensure compliance with the obligations set out in the General Data Protection Regulation (GDPR), while they may use only some parts of the methodology and address the rest of the requirements differently. In principle, it is therefore up to the controllers how to ensure that they comply with their obligations under the GDPR and the EDPB Guidance No. 3/2019. According to the Office, the correct application of the methodology should ensure compliance with both the GDPR and the EDPB Guidance.
Each controller who operates a CCTV and processes personal data within the meaning of the GDPR should at least read the methodology, check their CCTV documentation and compare it with the recommendations and the list of complete documentation in the Office’s methodology. If you find deficiencies, address them immediately, as it may be too late when an inspection comes, especially if some documents are missing completely. You should have the documentation in place before you begin processing, i.e., before the camera system is put into operation. We are at your disposal for the preparation of the documentation required for the operation of the camera system and for further consultation.
Brief information on the methodology is available here (CZ): https://uoou.gov.cz/novinky/vse/nova-metodika-uradu-ke-kamerovym-systemum
The complete methodology is available here (CZ): Methodology of the Office for Surveillance Camera Systems
