New GDPR Guidelines for Video Surveillance Examined

By Charles Rollet, Published Jul 18, 2019, 07:03am EDT

The highest-level EU data protection authority has issued a new series of provisional video surveillance guidelines.

While GDPR has been in effect for more than a year, how it applies to video surveillance has often been unclear, as we explained in our original GDPR for Video Surveillance Guide.

Now, these new guidelines (though not final and subject to public comment for the next two months) provide good insight and clarifications to common questions about video surveillance GDPR compliance.

In this post, we explain and analyze the new guidelines, including:

  • EDPB's Background
  • Legal Impact of Guidelines
  • Public Signage: Example Provided
  • Signage Positioning
  • DPIAs Required for Large Scale Biometrics
  • Storage: Additional Justification Required for Over 3 Days
  • Some Analytics Not Considered Biometrics
  • VIP Recognition: Consent Required from Everyone, Not Just VIPs
  • Facial Recognition: Why Notification Via Signage Likely Not Enough
  • Data Requests/Anonymization
  • No Clarity on Types of Encryption Required
  • Certification Not Covered
  • Dummy Cameras Not Covered By GDPR

EDPB ********** *** ***** ******

*** ****** ** *** new ********** ** *********** **** ********** *****, ** ****, ***** is **** ** ** each ** *******'* **** protection ****** *** *** EU's *** ***, *********** **** ********** **********. **************** ******* ** ****** comment ***** ********* *.

**** *** *** ******* binding, *** **** ***** weight ** ** **** protection *********** **** ***** to **** **** ******** on ***** ************ *****.

****** *** ****'* ********** for ********** **** ** Video *******

EDPB ***** ******* ** ****** *******

***** *** *********** ****** of *********** ****** ** be *********, *** **** recommends *********** * ***-***** approach. *** ***** ***** is *** **** ****, with *** ***** **** - **** ** ** example ***** ** *** EDPB:


**** ***** ***** ****** include *** *** ******, EDPB ******, **** **:

  • ******* ******
  • ******* ** **********
  • ******** ** **********
  • ****** ** **** *******
  • ******* ******* ** **** protection ******* (** ***)
  • ******* *** **** **** be **** ** * third *****
  • ***** ** **** *** second ***** ** ***********

Sign ****** ** ************ "****** ******** *** ********* ****"

*** **** **** ***** details ***** *** *********** of *** ***** ***** sign, ******* ******* **** the **** ** ** position *** ****:

** **** * *** that *** **** ******* can ****** ********* *** circumstances ** *** ************ before ******** *** ********* ****". The sign should thus be "approximately at eye-level", near the actual zone being monitored, and presented in "an easily visible, intelligible and clearly ******** ******. [emphasis added]

*** *******, ** ***** 2019, ***** *** ****** **** ********* *** ****** ****** the ***** *** *** visible ***** ** ***** monitored:

'Second *****' *********** *******

*** ****** ***** *********** can ** ** *** form ** ** "****** accessible *****" ** *** cashier/other ******* ******** ** simply * ******. **** information "**** ******* *** other *********** **** ** mandatory ************ **** *** ****" (**** can ** ******* "********* decision-making, ********* *********" ** being **** - ****** ******** ****).

Storage: **** ************* ******** ****** ** *****

*** ****, **** *** GDPR, **** *** **** specific ******* ****** *********** but **** *** **** more ******** ** ******* that:

*** ****** *** ******* period ** *** (especially **** ****** ** *****), the more argumentation for the legitimacy of the purpose and the necessity of storage has to be provided. [emphasis added]

**** ***** **** * significant ****** (** *** guidelines *** *** *******), as **** ***-***** ***** video **** **** ** hours, ***** ***** ** ** to * *****. *** ****, *******, states **** ** ***** storage ** ****** "**********" for ******** ******:

**********, *** *** ***** storing ***** ****** **** 72 *****, **** ***** mean **** ***** '****** layer' ****** ****** ******* a ***** ************* *** the ****** ******* - such ** ***** ** a ****-***** ****, ******* to ****** **** ****** requests, ***.

Data ********** ****** ********** ******** *** ***** ***** ********** ***

*** **** ****** **** any "***** *****" *** of ********** ********** ******** a ****:

********, ********* ** ******* 35 (*) (*) **** a **** ********** ****** assessment ** **** ******** when *** ********** ******* to ******* ******* ********** of **** ** * large *****.

*******, *** **** **** not **** ********* ***** what ** ***** ** 'large *****', *** ******* does *** ****, ***** defines ** ********* ****:

********** ***** *** ** process * ************ ****** of ******** **** ** regional, ******** ** ************* level *** ***** ***** affect * ***** ****** of **** ******** *** which *** ****** ** result ** * **** risk [...] ** *** rights *** ******** ** data ********

*******, *** **** ******** little ********** ******** *** DPIAs.

Biometrics: ******/**********/*** ********* *** ********** **********, *** *** ******** *********** **

*** ****'* ******* * states **** "********* **** for *** ******* ** uniquely *********** * ******* person" *********** **********, **** * *** important ********** **** ** consent ** '*********** ****** interest'.

*******, *** ****** ***** of ********* ***** ******/**********/*** analytics *** *** **** to **** *** **** as ****, ** *** EDPB ********** ***** **** such ************ *** *** considered **********, ** **** as *** ********* *** not **** ** ******** unique ******:

*******, *** *** *********** by ************ ******* ** retail *******, **** ** VIPs **** ********** ********* to ***** **********, *** store **** ****** ******* or ******* ******* * justification "***************** ** *** ******":

**** **** **** **** not **** **** *** Dahua, ******* ***** * **** complaint ********** ***** ****** *********** on ******** ** ***** without ********* *******. *** Dahua **** *** **** clearly *** **** **** of *****-**, ***-***** ***********, identifying ****** ** '********':


********* ** *** **** guidelines, **** * ****** means *********** ******** ********** **** provide *******. *** *** the ***** ****** ****** stuck ** **** **********/***/****** analytics, ** ***** ****** not ** ********** ********** at ***.

Facial ***********: ************ *** ******* ****** *** ******

*** *************** ** ****'* recent **** ********* ******* Dahua ** **** ******* the **** *** ** a ***** ****** ** its *****, ** *********** obtained '*******' **** * passerby ** **** ******:


*******, *** **** ********** do *** ******* **** this *********** '*******'. **** it ***** ** *******, the ********** *** ***** strict; **** * ******* 'passageway' **** ***** ******* might *** ** ********** 'consent' ****** ******* ********** ***********, **** ******:


***********, *** ************* *********** *** ******* *** much ******* **** * simple ****** **** ******* of *** **********, ******* information, ***, ** ***** displayed ** *****. *** conditions, ** ****** ** the ****, *******:

  • *** **** ******* ***** have *** ***** ** withdraw *** ** *** consent ** *** ****
  • Prior ** ****** *******, the data subject shall be informed thereof. [emphasis added]
  • ** ***** ** ** easy ** ******** ** to **** *******.

*******, **** ** ***** conditions *** ********** *** a ****** ****** **** the *** ***** *** in *** *****. * passerby *** ** *** to ** ******** ** the ****** *********** ***** on **********, *** *** withdrawing ******* ** ******.

******: **** **** *** apply ** ****** ***** facial *********** ***** *** enforcement *** ** ********** is *** ***** ** Article *'* ******* ************* in *** ****, *** a ******** **********, ****** *********** *********, ***** ******* ** gives ****** ******* ********.

Data ********/*************

*** **** ********** *** some ******* ** **** requests **** ** ***** to ******* ** *********** filmed ** ***** ************, stating **** ******** ***** to ** ******** (******** down ** * * hour **** ******), *** any ******* ******* ***** people ****** ** **********:


************* ** ******** ***** is * ****** ***** in ***** ************ - IPVM *** ****** *** software ********* (***** **** *****************).

No ******* ** ***** ** ********** ********

*** ********** ** *** give *** ******* ******* as ** **** **** of ********** ******** ***** to ** **** ** comply **** ****.

Certification *** *********

*********, *** **** ********** do *** ******* *** certification *******. **** ** likely ** **** ******* legally, **** ************** *** meaningless, *** *** **** itself ****** **** **** schemes ** *** "****** the **************" *** ********** in *** ***. *** more, **** *** ******** report, ***** ******** *** *** GDPR *********, ** ******** Can **.

Other: ***** ******* *** ******* ** ****

**** ******** ******* **- **** *** **** even ***** ** ***** cameras? ***** *** **** regulates ******** ****, ***, by **********, ***** ******* do *** ******* ***, the ****** ** **, EDPB ******* ****** - although ***** ******** *********** may ***** ****:


Update ** ****

** **** ****** **** report **** ***** ********** are *********, ****** *** changes ** ******* ***** this ****.

Comments (12)

*****, *** *****'* *** concept ** *** "****** *** ****** ** the ***", *** ********* **** Dahua ********* * ***** you're ******** *** ******** on *** *** ******, and ******** *** ******.

*.*. ** * *** it, *********** *** *** ** not ** ******* ******** at * ***** ************ trade **** **** ***** involuntarily ******* ** **************** * ****** *********** system. * ******* *** intent ** ** ******* data-hoarding *** ******** ********* for *** ***** ******** of ******* ****** *** care ***** **** ****** as **** ** ***** their ***** *****. **** said, * ******* ***** could **** **** **** forthcoming *** *********** ***** their ****-********** (********* *** data ********* ** hours).

**, ** ***** ** that ***** ** ** breach ** *** ****** of *** ***, *** I ***** **** *** in ****** ** *** spirit.

** ********** ** **** the ******* ** **** is *** ** ***** users ** ***** ************ to *** ******* ** post ******* *** ******** opt-out ******* (*** ** you ** **** ** the ***** *******?).  *******, it ***** ** ** that ***** ** ***** surveillance **** ** ** reminded ** *** * sensible *** ********** ********* and **** ****** ******, and *** ** ** a ***** *** ***** massive ******* ** (**********) profiling ****.

* *** ** ** a (******** ******) ******* at ******* ****** *************** *** *** ***** subjected ** ******* *********, labeling *** ************** (*** the ***** ** **** data). * ****** ******* of *** ***** ** the ******* *** ******* ******** data **** ** ******** ****** to *** ***.

*'* **** ** ***** more ***** *** ******* retention ****** * ***** would **** ** ***** video ************. **'* * hard ******* ******* *********** is ******** *** ******* within ** *******, *** fraud ** ****** ** detect *** ** ***** detected **** ***** *** incident. *** ****** *** also **** ** ******** in **** ********* ***** to **** **************.

*** ****** ** *** law ** *** ** protect ******** ** * video ************ ***** ****

**** *** *** *** say **** ** **** is ***** ******** *** give ******* ***** ***** it ** ** ** not **********. ***** ***, there ** ** ******* nor ***** ** ****** recognition (**** ******* **** **** **** and **** **** ** was *** ************** ** each ************ *** **** ********** were ******).

*********** *****.
**** ** *** **** on ******** ****** ******** UK ****** ** **** once **** ******** *** country?

** ****** **** **** to ***** *** **. They'll **** ***** ** signage ***** 😂

"******* ******* **** *** goal ** ** ******** the ****: … ** such * *** **** the **** ******* *** easily ********* *** ************* of *** ************before ******** *** ********* ****".

**** *** ********* ** for *** **** ** years ***** **** ***********, is **** **** **** owners *** **** ***** signage ** ***** ********. Often ***** *******, *********, view *** ******** ** their ********, ** *** visitor ** ******* ***** surveillance ****** **** *** feasibly **** *** ****.

***, ****** ** ***** solutions ** *** **********, and *** ****** ******* problems ****, *** ***** the ***** ***** ****? Mount ***** ******* *** down *** ****** ** someone ****'* ********? ******** not *******. **, **'** left **** *** ******* answer ***** ** ** make *** **** * feet **** ** **** it ** ******* **** the ******** ** ***** approach.

"***!", * **** *** cry, "**** ** **** suitable ********? ** * feet *** ******?" Might ** ** *** distance ****** ***** *** visitor ****** ** **********, thereby *********** ***** *********? If **, ****** *** sign ** ******* ** the ******** *** ***** the **** *** "*********" the *******? **** **, where *** ***** ******* 125 **/* ("*********** ** a ***** ******" ********* to *** *****-*). 

*'* *** ***** **** in *** **** ****, any ******** ********* *** satisfactorily ********* ** ** the ********* *************. *** does *** ***** ** a **** ****** ****, for ********, **** **** so *** ** ** achieve ***** "***********" (**.* px/m) **** ** **** through *** ***** ********** with ****? ****, ******* it ***** **** ** be "********* ******** ****". But, ** ********** (*** *****-* *****), **** ***** **** contain **** **** **% of *** ****** *********** required *** *********** ** a ******. (** *****, that's **** ** ***** expect * ***** ******* lawyer ** **** *** court **** **'* ****** to *** **** ***** evidence ******* *** ****** dismissed.) **, ** ******* this ************* ******* *** CCTV ***** *** *** lawyer's ****, *******'* **** low ********** ***** ** accepted ** *********** *** visitor's *********? *********, ** ******* required ** **** ****. *********>

**-**! (****** ** *** and ***** ** *** applause.)

******** *** ****** ** much **** ******. **'* a ****** ** ****** projection *** *******.

** *** ****** ** aimed ********* ***** ** no ***** ** *** area **** ** *** protected. **** ** **** privacy ******** ** *** camera ***** *** ** blur/block **** ** *** image.
*** *** **** ** the ******** *** ***** filming *****.

** ***** **** **** which ** ****, ** aids *** **** *********.

****** *** ****** **** to ******, ********.

* ******* **'** **** thinking ** ********* *********. If * ********** ***** correctly, **** * ***'* disagree. ****, *'** **** using ** *** ** model *** ************ **** fields-of-view ***** ****, ** very ********* ******** ******* and *****-**-***** ******************* *** *** * both **** **** ** time ** *** *****.

** ****** ******* *** the ******** ********, *** example, * ***** ***** whose ******** ** *********** adjacent ** ******* ******. ***'* ******* they **** **** ** oversee ***** ******** ******* they've ******** *********, ***-*******, etc. *** ******* ****, therefore, **** *** ****** on *** ****** ** have *** ****** **** of ***** ********. *** where ** *** ******* signage *******? ** ***** store *****? ** ****'* what **** **, (******* they **** ** ********* options ***** **** ** their *** ********) **** anyone ******** ***** ****** to **** *** **** will ******* ** ** the ***** ** **** and, *****, ******* **** their ******** **** ********. Unavoidably.

** *** ****, ** course, ******* ******** ** a ** ****** ****** the ******'* **********, ******** a ***** ** *** shape ** ** ****** tapering ******** ***** *** street. ****, ** ******** the ****** ** ******* interest, ** *****'* ******* the ******** ****** ** this ********.

**** ** ** ******** tongue-in-cheek ********: *-**** ***** that *** ** **** from ****** *** *******' view. *** ****'* *** a ********. **, **** the ******* ********* ******* go **** ** *** resolution ** *** ****** is ************ ***? ** my ********** ** *** UK **** ********** *********** for **** ****, **, owners **** ***** ****** signage, ******* *****-* ******* that **** *** *** sufficient ** ** *******. This ** * ******* inconsistency, *'*** ***? ********, how ** ***** ******* so **** *** *** already ** *** *****-**-****? As *****, ***** ** cannot ** *******.

**** ******** *** ***** for *** *****, * was ******** *************** ****** **** ****.

***** ** ***, ****** your **** **** ****** areas ** ***** ** the **. ** ******, a *********** ******* ** ** ** must **** * ******** *********** ** ***********, *** ******* *********** ********* ********. *******'* ***** **** **** was *** * ******* shop **** ****** ****** areas **** ******** ******* placed ** *** ********.

** ** ***'** ** a ******* ***** *** GDPR , *** ******** shouldn't **** ******* ******* public ***** ** *** first *****. *** **** guide **** ** **** [emphasis *****]:

*******, *** **** ***** does ********* ***** *** be **** ***** ***** filming ****** ***** ** necessary. ** **** ****, using * **** ******** tool ** ***** ******* filter ** *********, *** EDPB ******:

** **** ********, ** order ** ** **** compliant, *** ************ ** ***** ***** having * **** **** that ****** *** ********, ******* if *** ******* ****** is ******* ********, **** of *** ********'* ******** data ** ***** *********. The ******** ************ ********** *** ********** of ******** ****. ****'* why ***** ******* *** not ********* ** *** GDPR, ** ** ********* earlier. ******** **** *** GDPR ******* ******** **** as ********* **** ***** you ** "** ************ ******* ******", ******* *** *** be ******** ********** **** it. * ******* *** stick ****** ****** ****** a ****** ** *** personal ****.

** ***** ** *** specific ** ***********, *** may **** ** ****** local **** *********** *****, but ** *** ** GDPR ********** ** *********, again, *** ***'* **** to ****** **** *** sign *********** **** ** you're *** ********** ******** data ** *** ***** place.

**** *****: *** ********* low ********** ** * stand ** *** * privacy ******. * ***** that's * ***** ********, since *****'* * ****** people *** ***** ** properly ********** **** ****-*** footage (********* *** ****** do *** *** ****). Best ** ***** ** a ******* ****** ** not ******* ****** ***** in *** ***** *****.

**** **** **** *****? Don't ******** ** *** have **** ********* ** concerns.

****'* *** ***** ******* are *** ********* ** the ****, ** ** mentioned *******...

***********, ** * ****** kit ** **** ******* recording ** *** **** of *** ********, *** then * *** ******* pointed ** *** ******, for ********* *****, ** ok?

  • ***** ******* *** *** regulated ** *** ****, period. ** ****** **** 'film' ****** ***** ** not * **** *********, correct. *** ***** *** be *******-******** *********** ***** that ** *** ****** refer ** **** *******'* Data ********** *********.
  • ** *** *** **** cameras, ** ******* **** you **** ** "*** **** ** *** property". ** **** ******** any ****** ***** **** a ********, *** **** to ** ******* *** consider ***** * ******* filter. *** **** ** you're ******* ** **** that's *** ******, *** need ** *** ** a **** ** ****** people **** *** **** is ***** ********* ****** they ***** **** ****.

** ******* *******. *'* a **** **** ** replying ***.

** ** ***'** ** a ******* ***** *** GDPR , *** ******** shouldn't **** ******* ******* public ***** ** *** first *****.

"********** ********" ****** **** surely ******** ******** ** your ********.

...*** **** ***** **** recognize ***** *** ** some ***** ***** ******* public ***** ** *********.

**** ** *** **** they **, ********* **** would ** ********** ******** of *** **** *****!

...***** * **** ******** tool ** ***** ******* filter ** *********...

******, *** ***** * store ******** ** *********** adjacent ** *** ****** sidewalk (** **** *** the ******** ****) **** completely ********** *** *******' purpose ******* *** ******* masks ***** **** * 2D *********************** ********** ** **** projected ** ******.

**** ** ***** ** a ******* ****** ** not ******* ****** ***** in *** ***** *****.

** ***** ****** * case ** * ******** need ***** ***** ************ is *** **** ****-********* way ** ******* ******* security *****, **** ******** limited ***** **** *** public ***** **** ** acceptable ** *** **** person. *** ***** ******* they **** *** ****** sense ** ******* **** personal ******* ** ****** a ********* *********** ** a ****** ******.

** *****, ****** *** following **!

**** *****:

"********** ********" ****** **** surely ******** ******** ** your ********.

******** of **** ********, yes. But not public spaces, which are by definition not your property. That is why the EDPB recommends privacy filters, and why * ***** ******** ** Austria *** ******** ******* * ****** thoroughfare.

**** ***** *****:

*** ***** * ***** frontage ** *********** ******** to *** ****** ******** (as **** *** *** previous ****) **** ********** undermines *** *******' ******* because *** ******* ***** drawn **** * ** image ****************** ********** ** **** projected ** ******.

* *** **** ******* from * ********* **********, however, * **** ********** Authority ** ******** ** accept **** ** ** excuse. *** **** **** not ******* *** **** of ********* ** ********** personal **** **** ******* it's *********** *** **** to ***** **.

*** **** *****:

******** ******* ***** **** the ****** ***** **** be ********** ** *** sane ******.

******** ******* ** ****** a ********* *********** ** a ****** ******.

***** *** ********-**** ***** that ****** *** **** Austrian ***** ******** ***********.** **** ** *** to *** **** * think ***** *** **** common ***** ** **** the ***** ***** ** be. ** ** ** inform ****'* ******* ***** GDPR **********.

******: *** ******** *** public ******** *** *** video ************ ****************** ** ********* *(* ********* ******** ********* 6, * ******* ****'* been *****). *** ** tells **** **** **** don't **** **** *** video ************ ********** **** be *********:

** **** *****, ** cannot *** **** ********* when *** ******* **** be *********. *** ************* will *** ** ******** by *** ******** ****** Subgroup *** *** ********** will ** ***** ***** necessary. ***** **** ******* is *********, *** ********** will ** ** *** adoption ** *** ********** plenary *******.

** **** **** ******** this *** ****** **** the ***** ********** *** issued.
