EDPB ********** *** ***** ******
*** ****** ** *** *** ********** is *********** **** ********** *****, ** ****, ***** ** **** up ** **** ** *******'* **** protection ****** *** *** **'* *** DPA, *********** **** ********** **********. **************** ******* ** ****** ******* ***** September *.
**** *** *** ******* *******, *** they ***** ****** ** ** **** protection *********** **** ***** ** **** when ******** ** ***** ************ *****.
****** *** ****'* ********** *** ********** Data ** ***** *******
EDPB ***** ******* ** ****** *******
***** *** *********** ****** ** *********** needed ** ** *********, *** **** recommends *********** * ***-***** ********. *** first ***** ** *** **** ****, with *** ***** **** - **** is ** ******* ***** ** *** EDPB:

**** ***** ***** ****** ******* *** the ******, **** ******, **** **:
- ******* ******
- ******* ** **********
- ******** ** **********
- ****** ** **** *******
- ******* ******* ** **** ********** ******* (if ***)
- ******* *** **** **** ** **** to * ***** *****
- ***** ** **** *** ****** ***** of ***********
Sign ****** ** ************ "****** ******** *** ********* ****"
*** **** **** ***** ******* ***** the *********** ** *** ***** ***** sign, ******* ******* **** *** **** is ** ******** *** ****:
** **** * *** **** *** data ******* *** ****** ********* *** circumstances ** *** ************before ******** *** ********* ****". The sign should thus be "approximately at eye-level", near the actual zone being monitored, and presented in "an easily visible, intelligible and clearly ******** ******. [emphasis added]
*** *******, ** ***** ****, ***** had ****** **** ********* *** ****** ****** *** ***** and *** ******* ***** ** ***** monitored:

'Second *****' *********** *******
*** ****** ***** *********** *** ** in *** **** ** ** "****** accessible *****" ** *** *******/***** ******* location ** ****** * ******. **** information "**** ******* *** ***** *********** that ** ********* ************ **** *** ****" (**** *** ** whether "********* ********-******, ********* *********" ** being **** - ****** ******** ****).
Storage: **** ************* ******** ****** ** *****
*** ****, **** *** ****, **** not **** ******** ******* ****** *********** but **** *** **** **** ******** by ******* ****:
*** ****** *** ******* ****** ** set(especially **** ****** ** *****), the more argumentation for the legitimacy of the purpose and the necessity of storage has to be provided. [emphasis added]
**** ***** **** * *********** ****** (if *** ********** *** *** *******), as **** ***-***** ***** ***** **** over ** *****,***** ***** ** ** ** * month. *** ****, *******, ****** **** 24 ***** ******* ** ****** "**********" for ******** ******:

**********, *** *** ***** ******* ***** longer **** ** *****, **** ***** mean **** ***** '****** *****' ****** should ******* * ***** ************* *** the ****** ******* - **** ** being ** * ****-***** ****, ******* to ****** **** ****** ********, ***.
Data ********** ****** ********** ******** *** ***** ***** ********** ***
*** **** ****** **** *** "***** scale" *** ** ********** ********** ******** a ****:
********, ********* ** ******* ** (*) (b) **** * **** ********** ****** assessment ** **** ******** **** *** controller ******* ** ******* ******* ********** of **** ** * ***** *****.
*******, *** **** **** *** **** specifics ***** **** ** ***** ** 'large *****', *** ******* **** *** GDPR, ***** ******* ** ********* ****:
********** ***** *** ** ******* * considerable ****** ** ******** **** ** regional, ******** ** ************* ***** *** which ***** ****** * ***** ****** of **** ******** *** ***** *** likely ** ****** ** * **** risk [...] ** *** ****** *** freedoms ** **** ********
*******, *** **** ******** ****** ********** guidance *** *****.
Biometrics: ******/**********/*** ********* *** ********** **********, *** *** ******** *********** **
*** ****'* ******* * ****** **** "biometric **** *** *** ******* ** uniquely *********** * ******* ******" *********** **********, **** * *** ********* ********** such ** ******* ** '*********** ****** interest'.
*******, *** ****** ***** ** ********* using ******/**********/*** ********* *** *** **** to **** *** **** ** ****, as *** **** ********** ***** **** such ************ *** *** ********** **********, as **** ** *** ********* *** not **** ** ******** ****** ******:

*******, *** *** *********** ** ************ cameras ** ****** *******, **** ** VIPs **** ********** ********* ** ***** recognized, *** ***** **** ****** ******* or ******* ******* * ************* "***************** ** *** ******":

**** **** **** **** *** **** well *** *****, ******* ***** * **** ********* ********** ***** ****** *********** ** ******** at ***** ******* ********* *******. *** Dahua **** *** **** ******* *** some **** ** *****-**, ***-***** ***********, identifying ****** ** '********':

********* ** *** **** **********, **** a ****** **************** ******** ********** **** ******* *******. But *** *** ***** ****** ****** stuck ** **** **********/***/****** *********, ** would ****** *** ** ********** ********** at ***.
Facial ***********: ************ *** ******* ****** *** ******
*** *************** ** ****'* ****** **** complaint ******* ***** ** **** ******* the **** *** ** * ***** notice ** *** *****, ** *********** obtained '*******' **** * ******** ** that ******:

*******, *** **** ********** ** *** support **** **** *********** '*******'. **** it ***** ** *******, *** ********** are ***** ******; **** * ******* 'passageway' **** ***** ******* ***** *** be ********** '*******' ****** ******* ********** ***********, **** ******:

***********, *** ************* *********** *** ******* *** **** ******* than * ****** ****** **** ******* of *** **********, ******* ***********, ***, as ***** ********* ** *****. *** conditions, ** ****** ** *** ****, mandate:
- *** **** ******* ***** **** *** right ** ******** *** ** *** consent ** *** ****
- Prior ** ****** *******, the data subject shall be informed thereof. [emphasis added]
- ** ***** ** ** **** ** withdraw ** ** **** *******.
*******, **** ** ***** ********** *** achievable *** * ****** ****** **** the *** ***** *** ** *** booth. * ******** *** ** *** to ** ******** ** *** ****** recognition ***** ** **********, *** *** withdrawing ******* ** ******.
******: **** **** *** ***** ** police ***** ****** *********** ***** *** enforcement *** ** ********** ** *** based ** ******* *'* ******* ************* in *** ****, *** * ******** regulation, ****** *********** *********, ***** ******* ** ***** ****** broader ********.
Data ********/*************
*** **** ********** *** **** ******* to **** ******** **** ** ***** to ******* ** *********** ****** ** video ************, ******* **** ******** ***** to ** ******** (******** **** ** a * **** **** ******), *** any ******* ******* ***** ****** ****** be **********:

************* ** ******** ***** ** * rising ***** ** ***** ************ - IPVM *** ****** *** ******** ********* (***** **** *****************).
No ******* ** ***** ** ********** ********
*** ********** ** *** **** *** further ******* ** ** **** **** of ********** ******** ***** ** ** used ** ****** **** ****.
Certification *** *********
*********, *** **** ********** ** *** mention *** ************* *******. **** ** likely ** **** ******* *******, **** certifications *** ***********, *** *** **** itself ****** **** **** ******* ** not "****** *** **************" *** ********** in *** ***. *** ****, **** our ******** ******,***** ******** *** *** **** *********, No ******** *** **.
Other: ***** ******* *** ******* ** ****
**** ******** ******* **- **** *** **** **** ***** to ***** *******? ***** *** **** regulates ******** ****, ***, ** **********, dummy ******* ** *** ******* ***, the ****** ** **, **** ******* states - ******** ***** ******** *********** may ***** ****:

Update ** ****
** **** ****** **** ****** **** these ********** *** *********, ****** *** changes ** ******* ***** **** ****.
Comments (12)
Morten Tor Nielsen
07/20/19 03:24pm
IANAL, but there's the concept of the "letter and spirit of the law", and regarding your Dahua complaint I think you're focusing too narrowly on the the letter, and ignoring the spirit.
E.g. as I see it, the intent of the law is not to protect visitors at a video surveillance trade show from being involuntarily exposed to a demonstration of a facial recognition system. I believe the intent is to prevent data-hoarding and unwanted profiling for the small minority of regular people who care about such things as they go about their daily lives. That said, I suppose Dahua could have been more forthcoming and transparent about their data-collection (hopefully the data retention is <24 hours).
So, it might be that Dahua is in breach of the letter of the law, but I doubt they are in breach of the spirit.
My impression is that the purpose of GDPR is not to force users of video surveillance to use masking or post signage and offering opt-out options (how do you do that in the local Bauhaus?). Instead, it seems to me that users of video surveillance need to be reminded to use a sensible and reasonable retention and data access policy, and not go on a crazy and hoard massive amounts of (unreliable) profiling data.
I see it as a (somewhat futile) attempt at letting people have some privacy and not being subjected to endless profiling, labeling and categorization (and the trade of such data). A recent example of the trend is the Florida DMV selling personal data with no apparent option to opt out.
I'd like to learn more about the minimum retention period a store would need on their video surveillance. It's a hard problem because shoplifting is detected and handled within 10 minutes, but fraud is harder to detect and is often detected long after the incident. The police may also have an interest in long retention times to help investigations.
Create New Topic
Undisclosed #1
Interesting signs.
Will we see them on highways before entering UK cities or just once when entering the country?
No wonder they want to leave the EU. They'll save money on signage alone 😂
Create New Topic
Simon Lambert
"stating clearly that the goal is to position the sign: … In such a way that the data subject can easily recognize the circumstances of the surveillance before entering the monitored area".
What has perplexed me for the past 19 years about this requirement, is that most CCTV owners can only mount signage on their property. Often their cameras, naturally, view the approach to their property, so the visitor is already under surveillance before they can feasibly read the sign.
Now, trying to bring solutions to the discussion, and not merely dumping problems here, how might the owner solve this? Mount their signage way down the street on someone else's property? Probably not allowed. So, we're left with the obvious answer which is to make the sign 6 feet tall so that it is legible from the distance of first approach.
"Aah!", I hear you cry, "What is that suitable distance? Is 6 feet big enough?" <geek_mode> Might it be the distance beyond which the visitor cannot be identified, thereby maintaining their anonymity? If so, should the sign be legible at the distance for which the CCTV can "recognise" the visitor? That is, where the image gathers 125 px/m ("recognition of a known person" according to IEC 62676-4).
I'm not aware than in all this time, any relevant authority has satisfactorily explained to us the following inconsistency. Why does the owner of a CCTV system that, for instance, only goes so far as to achieve lowly "observation" (62.5 px/m) need to jump through the hoops associated with GDPR? Well, because it deems them to be "gathering personal data". But, by definition (IEC 62676-4 again), this image will contain less than 50% of the visual information required for recognition of a person. (At least, that's what we might expect a smart defence lawyer to tell the court when he's trying to get such video evidence against his client dismissed.) So, to resolve this inconsistency between the CCTV owner and the lawyer's case, shouldn't this low resolution image be accepted as maintaining the visitor's anonymity? Therefore, no signage required in this area. </geek_mode>
Ta-da! (Pauses to bow and bathe in the applause.)
Create New Topic
Simon Lambert
Thanks for taking time to answer, Jonathan.
I suspect we're each thinking of different scenarios. If I understand yours correctly, then I don't disagree. FWIW, I've been using 3D CAD to model and previsualize CCTV fields-of-view since 2000, so very carefully designed layouts and lines-of-sight are clearly something you and I both take lots of time to get right.
My mental picture for the question involves, for example, a store owner whose frontage is immediately adjacent to a public street. Let's imagine they want CCTV to oversee their frontage because they've suffered vandalism, ram-raiding, etc. The cameras must, therefore, view the public on the street to have any useful view of their frontage. But where is the warning signage mounted? On their store front? If that's what they do, (because they have no realistic options other than on their own property) then anyone standing close enough to read the sign will already be in the field of view and, hence, already have their personal data recorded. Unavoidably.
As you know, of course, masking arranged on a 2D screen blocks the camera's projection, creating a block in the shape of 3D volume tapering outwards along the street. Thus, it obscures the region of primary interest, so doesn't provide the complete answer in this scenario.
Back to my original tongue-in-cheek proposal: 6-foot signs that can be read from beyond the cameras' view. But that's not a question. So, does the signage placement problem go away if the resolution of the images is sufficiently low? In my experience of the UK Data Protection regulations for CCTV then, no, owners must still deploy signage, despite 62676-4 stating that they are not sufficient to ID someone. This is a pivotal inconsistency, n'est pas? Secondly, how to mount signage so that its not already in the field-of-view? As above, often it cannot be avoided.
Create New Topic
Charles Rollet
UPDATE: The deadline for public comments for the video surveillance guidelines finished on September 9 (I initially reported September 6, a mistake that's been fixed). The EU tells IPVM that they don't know when the video surveillance guidelines will be finalized:
We will keep tracking this and update when the final guidelines are issued.
Create New Topic