Netherlands: GDPR Update - EDPB Video Surveillance Guidelines

Last Updated: 3 September 2019
Article by Marc Elshof

Introduction

In July 2019, the European Data Protection Board (EDPB) adopted draft Guidelines on processing personal data through video devices (the Guidelines). The Guidelines provide guidance on how to apply the EU General Data Protection Regulation (GDPR) where personal data is processed through video surveillance. The Guidelines are currently open for consultation until 9 September 2019. The final version of the Guidelines is expected later this year.

The scope of the Guidelines encompasses the use of video devices that collect personal data. Video devices used to process personal data by EU competent authorities for the purposes of prevention, detection or prosecution of criminal offenses, or the execution of criminal penalties or for household purposes do not fall under the scope of the Guidelines.

The household exemption determines that purely personal or household activities are out of scope of the Guidelines. Video surveillance that processes personal data in the course of the private or family life of individuals, and whose footage is not made publicly accessible, falls under the household exemption.

Legal basis

The Guidelines reiterate that a legal basis under GDPR must be determined in order for controllers to process personal data specifically related to video surveillance. However, the Guidelines highlight some subtle differences as to how a legal basis may be applied.

Firstly, video surveillance based on the mere purpose of "safety" is no longer sufficient or specific enough. The purpose of using video surveillance must be explicit and documented.

Secondly, controllers who claim to have a legitimate interest and necessity under Article 6 (1) (f) GDPR must (as always) consider whether their legitimate interest is compelling enough to override the interests and rights and freedoms of the data subject. The reasonable expectations of data subjects will play a role in this balancing test. For instance, it is reasonable for a data subject to not expect to be under surveillance in a sanitary facility, but it is reasonable for the data subject to expect to be under surveillance at an ATM machine or a bank.

Likewise, the video surveillance must be necessary, meaning that other, less intrusive means would not suffice. This covers not only the use of video surveillance as such, but also the storage of the data and what data is captured (i.e. are clips taken from the footage, faces blurred, etc.). The Guidelines stipulate that controllers must have taken (or at least considered) other measures before resorting to video surveillance. Examples the EDPB gives include fencing the property, installing regular patrols of security personnel, using gatekeepers, providing better lighting, installing security locks, tamper-proof windows and doors or applying anti-graffiti coating or foils to walls.

Thirdly, the EDPB Guidelines determine that there must be an existing issue to process personal data through video surveillance. Essentially, real-life threats or situations will or may dictate whether video surveillance may be used by a controller. Not only will controllers have to specify the purposes for processing data under GDPR, but controllers will also have to make a case for processing personal data using video surveillance before any processing takes place (e.g. by pointing to previous robberies or presenting statistics on crime in or around the area).

Especially criteria one and two above are a clear step up from how at least the Dutch data protection authority (DPA) assessed video surveillance to date.

Lastly, consent is mentioned as a legal basis in the EDPB Guidelines, but this legal basis must be taken with a grain of salt and used in exceptional cases. It seems impossible to believe that controllers using video surveillance systems would collect the consent of data subjects in large areas before processing personal data. Therefore, consent as a legal basis would most likely be used in exceptional cases (e.g. individual monitoring of an athlete).

Disclosure to third parties

Any transfer or disclosure is considered a separate processing activity, and the controller would thus need a legal basis for it. Additionally, any footage that is disclosed to a third party, for instance law enforcement agencies, would then place a legal obligation onto the controller and would constitute a new purpose. Where such disclosure is to law enforcement agencies, this is often done under a legal obligation. The new processing purpose is in such a case unproblematic. However, this may be different if the disclosure is not done pursuant to a legal obligation.

Moreover, aside from controllers determining a legal basis for the transfer, third party recipients must also determine their own legal analysis and identify their own legal basis for receiving and processing the material.

Processing special categories of data

Although video surveillance may collect special categories of personal data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, and data concerning health or a person's sexual life or sexual orientation), this may not necessarily be the original purpose or intent. In such cases, the captured data would not qualify as special category data.

However, if data controllers wish to collect and process special categories of personal data they must identify an exception for processing special categories of data under Article 9 GDPR.

Video footage of an individual cannot, however, in itself be considered as biometric data under Article 9 GDPR if it has not been specifically and technically processed to contribute to the identification of an individual (i.e. for facial recognition). For it to be considered as processing of special category data it requires that biometric data (facial recognition) is processed "for the purpose of uniquely identifying a natural person". To determine this, three criteria must be considered: 1) nature of data: data relating to physical, physiological or behavioral characteristics of a natural person; 2) means and way of processing: data "resulting from a specific technical processing"; and 3) purpose of processing: data must be used for the purpose of uniquely identifying a natural person. Processing biometric data presents a problem if individuals have not consented to their biometric data being captured and are represented in the footage. Certain safeguards must be taken by controllers to ensure that data is stored safely and appropriately; for instance, controllers must consider appropriate places to store the data, retention periods and accessibility (including who may access it), and speech signals that indicate what data subjects are saying should not be identified.

Also, consent will not be valid if there is a clear imbalance between the data subject and the controller, as evidenced by a very recent fine (21 August 2019) issued by the Swedish data protection authority (Datainspektionen) against a school that used facial recognition to track students' attendance in school. This was done as a pilot in one class on the basis of consent, but the Swedish DPA ruled that this consent was invalid in view of the clear imbalance between the students and the school.

Rights of the data subject

The Guidelines further reiterate data subjects' rights under GDPR; however, in terms of video surveillance these rights are more limited. Data subjects have the right to access, erasure and objection to the processing of their personal data. However, complying with these rights is not so straightforward. For instance, the right to access footage will be difficult as footage usually contains data of more than one individual, and if data subjects request to have access to such footage or copies controllers may not so readily comply. However, the Guidelines stipulate an interesting solution, where controllers may ask for more specifics regarding the data subject before searching for any footage (i.e. the timeframe). Moreover, the right to erasure does not necessarily mean that controllers will be able to erase data completely. Instead, blurring pictures or images so as not to identify the data subject, and erasing the legal basis for processing will constitute erasure. Further, if any footage is published publicly then the controller has the obligation to take necessary steps to inform other controllers of the request. Objections can be made prior to entering, during the stay in, or upon leaving surveillance areas. According to the EDPB, the right to object means that unless the controller has compelling legitimate grounds, monitoring an area where individuals could be identified is only lawful if the controller is able to immediately stop the camera from processing personal data, or if the monitored area is restricted so that the controller can ensure the approval from the data subject prior to entering the area. How this would play out in practice, the EDPB does not clarify. Our take is that whenever the video surveillance is for safety and security reasons (and this has been sufficiently clarified as per the comments above), the controller would typically have a compelling legal ground to continue the video surveillance.

Transparency

Data subjects should be aware that video surveillance is in operation, and the Guidelines identify two layers in which data subjects should be informed. The first layer is the most crucial as this is how the controller first engages with the data subject, thus warning signs must be displayed with an icon to give easily understood information of the processing taking place. Controllers may no longer display a sign that solely states, "You are under video surveillance". Instead, under the Guidelines the first layer must identify controllers, the purposes of the processing and data subjects' rights. Not only is the information regarding the processing of personal data more detailed, but it must also be strategically placed. According to the Guidelines, the warning sign must be positioned "at a reasonable distance" from the monitored area; that way data subjects are able to determine which area is under surveillance before they are captured (it is not necessary to divulge the precise location). The EDPB suggests the following sign:

[Image: example warning sign suggested by the EDPB]

The second layer requires that data subjects are also able to access any information regarding the video surveillance and the processing of data in hard copy and in the general vicinity of the area under surveillance. Digital sources are also permitted and must be mentioned in the first layer along with the QR code.

Here too, a number of practical issues arise. For example: how to deal with cameras located at the entrance of a store or shopping center? In such cases, it may not always be possible to provide the information before data subjects are captured. The Guidelines are, unfortunately, silent on this and other practical concerns.

Storage

The Guidelines determine the parameters of storing personal data accessed through video surveillance. The duration of storage of personal data may vary per Member State, as each may have its own legislation on this matter, but the EDPB's default position is that camera footage should be deleted after one or two days. It is important to note that the longer data is stored, the more the legitimacy of the purpose and necessity must be advocated. This is a clear deviation from the Dutch DPA's current practice, which allowed a standard retention period of four weeks.

Technical and organizational measures

Processing data should be both organized and secure, and data controllers have the obligation to ensure this. Additionally, controllers should select privacy-enhancing technologies for data protection by design and default functionality. Organizational measures must take into account the overall management and operation of the video surveillance system (i.e. who can access video surveillance, storage, who can monitor the video surveillance, measures for a data breach incident, maintenance, recovery procedures, etc.). Technical measures are vital to ensure that video surveillance systems are secure, meaning that systems should include data encryption features, firewalls or anti-virus detection systems, or even measures to physically protect the video surveillance system from theft, vandalism, or other accidents. Lastly, controllers will also need to pay special attention to access controls. For instance, ensuring that monitors are concealed, procedures for granting, changing, or revoking access are defined, user authentication methods are in place, etc.

Data Protection Impact Assessment

Under GDPR and further determined in the Guidelines, controllers are required to undertake Data Protection Impact Assessments (DPIA), particularly if the processing constitutes a systematic monitoring of publicly accessible areas on a large scale.

Given the data processed and the purposes of video surveillance (protection of people and property, detection, prevention and control of offences, collection of evidence and biometric identification of suspects), many cases of video surveillance will require a DPIA. Therefore data controllers should carefully consult these documents to determine whether a DPIA is required.

Conclusion

When considering processing personal data through video devices, controllers and potential controllers should consider the following:

  • Under which legal basis can I use video surveillance?
  • Is there a real necessity to have video surveillance in place?
  • Will I be processing special category data?
  • How do I meet the transparency obligations, in particular the need to provide the first layer information before data subjects are captured by the cameras?
  • How and how long will I store the footage, and is it necessary to store the footage at all?
  • How will the video surveillance system be equipped to handle and protect personal data?
  • Should I perform a Data Protection Impact Assessment?

Finally, the Guidelines are still in draft form and may be subject to changes. We advise consulting the final Guidelines before implementing any measures that have far-reaching practical or operational consequences. Of course, we will share a further update once the Guidelines are final.

Overview of subjects

January 2017 Territorial scope of the GDPR
February 2017 The Concept of Consent
March 2017 Sensitive Data
April 2017 Accountability, Privacy by Design and Privacy by Default
May 2017 Rights of Data Subjects (information notices)
June 2017 Rights of Data Subjects (access, rectification and portability)
July 2017 Rights of Data Subjects (erasure, restriction, object and automated individual decision-making)
August 2017 Data Processors
September 2017 Data Breaches and Notifications
October 2017 Data Protection Officers
November 2017 Transfer of Personal Data (outside the EEA)
December 2017 Regulators (competence, tasks and powers)
January 2018 One Stop Shop
February 2018 Sanctions
March 2018 Processing of Personal Data in the Employment Context
April 2018 Profiling and Retail
May 2018 Overview
October 2018 Overview of developments since May 25, 2018
November 2018 Data Protection Impact Assessments (DPIAs)
December 2018 EDPB Guidelines on the territorial scope of the GDPR
February 2019 Camera Surveillance
May 2019 GDPR in the Netherlands: one year after
September 2019 EDPB Video Surveillance Guidelines

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
