New GDPR Guidelines for Video Surveillance Examined
The highest-level EU data protection authority has issued a new series of provisional video surveillance guidelines.
While GDPR has been in effect for more than a year, how it applies to video surveillance has often been unclear, as we explained in our original GDPR for Video Surveillance Guide.
Now, these new guidelines (though not final and subject to public comment for the next two months) provide good insight and clarifications to common questions about video surveillance GDPR compliance.
In this post, we explain and analyze the new guidelines, including:
- EDPB's Background
- Legal Impact of Guidelines
- Public Signage: Example Provided
- Signage Positioning
- DPIAs Required for Large Scale Biometrics
- Storage: Additional Justification Required for Over 3 Days
- Some Analytics Not Considered Biometrics
- VIP Recognition: Consent Required from Everyone, Not Just VIPs
- Facial Recognition: Why Notification Via Signage Likely Not Enough
- Data Requests/Anonymization
- No Clarity on Types of Encryption Required
- Certification Not Covered
- Dummy Cameras Not Covered By GDPR
EDPB ********** *** ***** ******
*** ****** ** *** *** ********** is *********** **** ********** *****, ** ****, ***** ** **** up ** **** ** *******'* **** protection ****** *** *** **'* *** DPA, *********** **** ********** **********. **************** ******* ** ****** ******* ***** September *.
**** *** *** ******* *******, *** they ***** ****** ** ** **** protection *********** **** ***** ** **** when ******** ** ***** ************ *****.
****** *** ****'* ********** *** ********** Data ** ***** *******
EDPB ***** ******* ** ****** *******
***** *** *********** ****** ** *********** needed ** ** *********, *** **** recommends *********** * ***-***** ********. *** first ***** ** *** **** ****, with *** ***** **** - **** is ** ******* ***** ** *** EDPB:
**** ***** ***** ****** ******* *** the ******, **** ******, **** **:
- ******* ******
- ******* ** **********
- ******** ** **********
- ****** ** **** *******
- ******* ******* ** **** ********** ******* (if ***)
- ******* *** **** **** ** **** to * ***** *****
- ***** ** **** *** ****** ***** of ***********
Sign ****** ** ************ "****** ******** *** ********* ****"
*** **** **** ***** ******* ***** the *********** ** *** ***** ***** sign, ******* ******* **** *** **** is ** ******** *** ****:
** **** * *** **** *** data ******* *** ****** ********* *** circumstances ** *** ************before ******** *** ********* ****". The sign should thus be "approximately at eye-level", near the actual zone being monitored, and presented in "an easily visible, intelligible and clearly ******** ******. [emphasis added]
*** *******, ** ***** ****, ***** had ****** **** ********* *** ****** ****** *** ***** and *** ******* ***** ** ***** monitored:
'Second *****' *********** *******
*** ****** ***** *********** *** ** in *** **** ** ** "****** accessible *****" ** *** *******/***** ******* location ** ****** * ******. **** information "**** ******* *** ***** *********** that ** ********* ************ **** *** ****" (**** *** ** whether "********* ********-******, ********* *********" ** being **** - ****** ******** ****).
Storage: **** ************* ******** ****** ** *****
*** ****, **** *** ****, **** not **** ******** ******* ****** *********** but **** *** **** **** ******** by ******* ****:
*** ****** *** ******* ****** ** set(especially **** ****** ** *****), the more argumentation for the legitimacy of the purpose and the necessity of storage has to be provided. [emphasis added]
**** ***** **** * *********** ****** (if *** ********** *** *** *******), as **** ***-***** ***** ***** **** over ** *****,***** ***** ** ** ** * month. *** ****, *******, ****** **** 24 ***** ******* ** ****** "**********" for ******** ******:
**********, *** *** ***** ******* ***** longer **** ** *****, **** ***** mean **** ***** '****** *****' ****** should ******* * ***** ************* *** the ****** ******* - **** ** being ** * ****-***** ****, ******* to ****** **** ****** ********, ***.
Data ********** ****** ********** ******** *** ***** ***** ********** ***
*** **** ****** **** *** "***** scale" *** ** ********** ********** ******** a ****:
********, ********* ** ******* ** (*) (b) **** * **** ********** ****** assessment ** **** ******** **** *** controller ******* ** ******* ******* ********** of **** ** * ***** *****.
*******, *** **** **** *** **** specifics ***** **** ** ***** ** 'large *****', *** ******* **** *** GDPR, ***** ******* ** ********* ****:
********** ***** *** ** ******* * considerable ****** ** ******** **** ** regional, ******** ** ************* ***** *** which ***** ****** * ***** ****** of **** ******** *** ***** *** likely ** ****** ** * **** risk [...] ** *** ****** *** freedoms ** **** ********
*******, *** **** ******** ****** ********** guidance *** *****.
Biometrics: ******/**********/*** ********* *** ********** **********, *** *** ******** *********** **
*** ****'* ******* * ****** **** "biometric **** *** *** ******* ** uniquely *********** * ******* ******" *********** **********, **** * *** ********* ********** such ** ******* ** '*********** ****** interest'.
*******, *** ****** ***** ** ********* using ******/**********/*** ********* *** *** **** to **** *** **** ** ****, as *** **** ********** ***** **** such ************ *** *** ********** **********, as **** ** *** ********* *** not **** ** ******** ****** ******:
*******, *** *** *********** ** ************ cameras ** ****** *******, **** ** VIPs **** ********** ********* ** ***** recognized, *** ***** **** ****** ******* or ******* ******* * ************* "***************** ** *** ******":
**** **** **** **** *** **** well *** *****, ******* ***** * **** ********* ********** ***** ****** *********** ** ******** at ***** ******* ********* *******. *** Dahua **** *** **** ******* *** some **** ** *****-**, ***-***** ***********, identifying ****** ** '********':
********* ** *** **** **********, **** a ****** **************** ******** ********** **** ******* *******. But *** *** ***** ****** ****** stuck ** **** **********/***/****** *********, ** would ****** *** ** ********** ********** at ***.
Facial ***********: ************ *** ******* ****** *** ******
*** *************** ** ****'* ****** **** complaint ******* ***** ** **** ******* the **** *** ** * ***** notice ** *** *****, ** *********** obtained '*******' **** * ******** ** that ******:
*******, *** **** ********** ** *** support **** **** *********** '*******'. **** it ***** ** *******, *** ********** are ***** ******; **** * ******* 'passageway' **** ***** ******* ***** *** be ********** '*******' ****** ******* ********** ***********, **** ******:
***********, *** ************* *********** *** ******* *** **** ******* than * ****** ****** **** ******* of *** **********, ******* ***********, ***, as ***** ********* ** *****. *** conditions, ** ****** ** *** ****, mandate:
- *** **** ******* ***** **** *** right ** ******** *** ** *** consent ** *** ****
- Prior ** ****** *******, the data subject shall be informed thereof. [emphasis added]
- ** ***** ** ** **** ** withdraw ** ** **** *******.
*******, **** ** ***** ********** *** achievable *** * ****** ****** **** the *** ***** *** ** *** booth. * ******** *** ** *** to ** ******** ** *** ****** recognition ***** ** **********, *** *** withdrawing ******* ** ******.
******: **** **** *** ***** ** police ***** ****** *********** ***** *** enforcement *** ** ********** ** *** based ** ******* *'* ******* ************* in *** ****, *** * ******** regulation, ****** *********** *********, ***** ******* ** ***** ****** broader ********.
Data ********/*************
*** **** ********** *** **** ******* to **** ******** **** ** ***** to ******* ** *********** ****** ** video ************, ******* **** ******** ***** to ** ******** (******** **** ** a * **** **** ******), *** any ******* ******* ***** ****** ****** be **********:
************* ** ******** ***** ** * rising ***** ** ***** ************ - IPVM *** ****** *** ******** ********* (***** **** *****************).
No ******* ** ***** ** ********** ********
*** ********** ** *** **** *** further ******* ** ** **** **** of ********** ******** ***** ** ** used ** ****** **** ****.
Certification *** *********
*********, *** **** ********** ** *** mention *** ************* *******. **** ** likely ** **** ******* *******, **** certifications *** ***********, *** *** **** itself ****** **** **** ******* ** not "****** *** **************" *** ********** in *** ***. *** ****, **** our ******** ******,***** ******** *** *** **** *********, No ******** *** **.
Other: ***** ******* *** ******* ** ****
**** ******** ******* **- **** *** **** **** ***** to ***** *******? ***** *** **** regulates ******** ****, ***, ** **********, dummy ******* ** *** ******* ***, the ****** ** **, **** ******* states - ******** ***** ******** *********** may ***** ****:
Update ** ****
** **** ****** **** ****** **** these ********** *** *********, ****** *** changes ** ******* ***** **** ****.
*** ****** ** *** *** ** not ** ******* ******** ** * video ************ ***** ****
**** *** *** *** *** **** if **** ** ***** ******** *** give ******* ***** ***** ** ** or ** *** **********. ***** ***, there ** ** ******* *** ***** on ****** *********** (**** ******* **** **** **** *** **** said ** *** *** ************** ** each ************ *** **** ********** **** ******).
*********** *****.
**** ** *** **** ** ******** before ******** ** ****** ** **** once **** ******** *** *******?
** ****** **** **** ** ***** the **. ****'** **** ***** ** signage ***** 😂
"******* ******* **** *** **** ** to ******** *** ****: … ** such * *** **** *** **** subject *** ****** ********* *** ************* of *** ************before ******** *** ********* ****".
**** *** ********* ** *** *** past ** ***** ***** **** ***********, is **** **** **** ****** *** only ***** ******* ** ***** ********. Often ***** *******, *********, **** *** approach ** ***** ********, ** *** visitor ** ******* ***** ************ ****** they *** ******** **** *** ****.
***, ****** ** ***** ********* ** the **********, *** *** ****** ******* problems ****, *** ***** *** ***** solve ****? ***** ***** ******* *** down *** ****** ** ******* ****'* property? ******** *** *******. **, **'** left **** *** ******* ****** ***** is ** **** *** **** * feet **** ** **** ** ** legible **** *** ******** ** ***** approach.
"***!", * **** *** ***, "**** is **** ******** ********? ** * feet *** ******?" ***** ** be *** ******** ****** ***** *** visitor ****** ** **********, ******* *********** their *********? ** **, ****** *** sign ** ******* ** *** ******** for ***** *** **** *** "*********" the *******? **** **, ***** *** image ******* *** **/* ("*********** ** a ***** ******" ********* ** *** 62676-4).
*'* *** ***** **** ** *** this ****, *** ******** ********* *** satisfactorily ********* ** ** *** ********* inconsistency. *** **** *** ***** ** a **** ****** ****, *** ********, only **** ** *** ** ** achieve ***** "***********" (**.* **/*) **** to **** ******* *** ***** ********** with ****? ****, ******* ** ***** them ** ** "********* ******** ****". But, ** ********** (*** *****-* *****), **** ***** **** ******* **** than **% ** *** ****** *********** required *** *********** ** * ******. (At *****, ****'* **** ** ***** expect * ***** ******* ****** ** tell *** ***** **** **'* ****** to *** **** ***** ******** ******* his ****** *********.) **, ** ******* this ************* ******* *** **** ***** and *** ******'* ****, *******'* **** low ********** ***** ** ******** ** maintaining *** *******'**********? *********, ** ******* ******** ** this ****. *********>
**-**! (****** ** *** *** ***** in *** ********.)
******** *** ****** ** **** **** simple. **'* * ****** ** ****** projection *** *******.
** *** ****** ** ***** ********* there ** ** ***** ** *** area **** ** *** *********. **** to **** ******* ******** ** *** camera ***** *** ** ****/***** **** of *** *****.
*** *** **** ** *** ******** and ***** ******* *****.
** ***** **** **** ***** ** good, ** **** *** **** *********.
****** *** ****** **** ** ******, Jonathan.
* ******* **'** **** ******** ** different *********. ** * ********** ***** correctly, **** * ***'* ********. ****, I've **** ***** ** *** ** model *** ************ **** ******-**-**** ***** 2000, ** **** ********* ******** ******* and *****-**-***** ******************* *** *** * **** **** lots ** **** ** *** *****.
** ****** ******* *** *** ******** involves, *** *******, * ***** ***** whose ******** ** *********** ******** ** a****** ******. ***'* ******* **** **** CCTV ** ******* ***** ******** ******* they've ******** *********, ***-*******, ***. *** cameras ****, *********, **** *** ****** on *** ****** ** **** *** useful **** ** ***** ********. *** where ** *** ******* ******* *******? On ***** ***** *****? ** ****'* what **** **, (******* **** **** no ********* ******* ***** **** ** their *** ********) **** ****** ******** close ****** ** **** *** **** will ******* ** ** *** ***** of **** ***, *****, ******* **** their ******** **** ********. ***********.
** *** ****, ** ******, ******* arranged ** * ** ****** ****** the ******'* **********, ******** * ***** in *** ***** ** ** ****** tapering ******** ***** *** ******. ****, it ******** *** ****** ** ******* interest, ** *****'* ******* *** ******** answer ** **** ********.
**** ** ** ******** ******-**-***** ********: 6-foot ***** **** *** ** **** from ****** *** *******' ****. *** that's *** * ********. **, **** the ******* ********* ******* ** **** if *** ********** ** *** ****** is ************ ***? ** ** ********** of *** ** **** ********** *********** for **** ****, **, ****** **** still ****** *******, ******* *****-* ******* that **** *** *** ********** ** ID *******. **** ** * ******* inconsistency, *'*** ***? ********, *** ** mount ******* ** **** *** *** already ** *** *****-**-****? ** *****, often ** ****** ** *******.
**** ******** *** ***** *** *** delay, * *** ******** *************** ****** **** ****.
***** ** ***, ****** **** **** film ****** ***** ** ***** ** the **. ** ******, * *********** ******* ** ** ** **** **** a ******** *********** ** ***********,*** ******* *********** ********* ********. *******'* ***** **** **** **** *** *** a ******* **** **** ****** ****** areas **** ******** ******* ******** *** ********.
** ** ***'** ** * ******* under *** **** , *** ******** shouldn't **** ******* ******* ****** ***** in *** ***** *****. *** **** guide **** ** **** [******** *****]:
*******, *** **** ***** **** ********* there *** ** **** ***** ***** filming ****** ***** ** *********. ** that ****, ***** * **** ******** tool ** ***** ******* ****** ** important, *** **** ******:
** **** ********, ** ***** ** be **** *********, *** ************ ** ***** ***** ****** * huge **** **** ****** *** ********, ******* if *** ******* ****** ** ******* properly, **** ** *** ********'* ******** data ** ***** *********. *** ******** ************ ********** *** ********** ** ******** data. ****'* *** ***** ******* *** not ********* ** *** ****, ** we ********* *******. ******** **** *** GDPR ******* ******** **** ** ********* that ***** *** ** "** ************ ******* ******", ******* *** *** ** ******** identified **** **. * ******* *** stick ****** ****** ****** * ****** is *** ******** ****.
** ***** ** *** ******** ** regulations, *** *** **** ** ****** local **** *********** *****, *** ** far ** **** ********** ** *********, again, *** ***'* **** ** ****** with *** **** *********** **** ** you're *** ********** ******** **** ** the ***** *****.
**** *****: *** ********* *** ********** as * ***** ** *** * privacy ******. * ***** ****'* * risky ********, ***** *****'* * ****** people *** ***** ** ******** ********** from ****-*** ******* (********* *** ****** do *** *** ****). **** ** stick ** * ******* ****** ** not ******* ****** ***** ** *** first *****.
**** **** **** *****? ***'* ******** if *** **** **** ********* ** concerns.
****'* *** ***** ******* *** *** regulated ** *** ****, ** ** mentioned *******...
***********, ** * ****** *** ** real ******* ********* ** *** **** of *** ********, *** **** * few ******* ******* ** *** ******, for ********* *****, ** **?
- ***** ******* *** *** ********* ** the ****, ******. ** ****** **** 'film' ****** ***** ** *** * GDPR *********, *******. *** ***** *** be *******-******** *********** ***** **** ** you ****** ***** ** **** *******'* Data ********** *********.
- ** *** *** **** *******, ** depends **** *** **** ** "*** **** ** *** ********". ** that ******** *** ****** ***** **** a ********, *** **** ** ** careful *** ******** ***** * ******* filter. *** **** ** ***'** ******* an **** ****'* *** ******, *** need ** *** ** * **** to ****** ****** **** *** **** is ***** ********* ****** **** ***** that ****.
** ******* *******. *'* * **** time ** ******** ***.
** ** ***'** ** * ******* under *** **** , *** ******** shouldn't **** ******* ******* ****** ***** in *** ***** *****.
"********** ********" ****** **** ****** ******** security ** **** ********.
...*** **** ***** **** ********* ***** may ** **** ***** ***** ******* public ***** ** *********.
**** ** *** **** **** **, otherwise **** ***** ** ********** ******** of *** **** *****!
...***** * **** ******** **** ** other ******* ****** ** *********...
******, *** ***** * ***** ******** is *********** ******** ** *** ****** sidewalk (** **** *** *** ******** post) **** ********** ********** *** *******' purpose ******* *** ******* ***** ***** onto * ** *********************** ********** ** **** ********* ** volume.
**** ** ***** ** * ******* filter ** *** ******* ****** ***** in *** ***** *****.
** ***** ****** * **** ** a ******** **** ***** ***** ************ is *** **** ****-********* *** ** address ******* ******** *****, **** ******** limited ***** **** *** ****** ***** must ** ********** ** *** **** person. *** ***** ******* **** **** the ****** ***** ** ******* **** personal ******* ** ****** * ********* expectation ** * ****** ******.
** *****, ****** *** ********* **!
**** *****:
"********** ********" ****** **** ****** ******** security ** **** ********.
********of **** ********, yes. But not public spaces, which are by definition not your property. That is why the EDPB recommends privacy filters, and why * ***** ******** ** ******* *** fined*** ******* * ****** ************.
**** ***** *****:
*** ***** * ***** ******** ** immediately ******** ** *** ****** ******** (as **** *** *** ******** ****) this ********** ********** *** *******' ******* because *** ******* ***** ***** **** a ** *********************** ********** ** **** ********* ** volume.
* *** **** ******* **** * technical **********, *******, * **** ********** Authority ** ******** ** ****** **** as ** ******. *** **** **** not ******* *** **** ** ********* to ********** ******** **** **** ******* it's *********** *** **** ** ***** it.
*** **** *****:
******** ******* ***** **** *** ****** space **** ** ********** ** *** sane ******.
******** ******* ** ****** * ********* expectation ** * ****** ******.
***** *** ********-**** ***** **** ****** get **** ******** ***** ******** ***********.** **** ** *** ** *** what * ***** ***** *** **** common ***** ** **** *** ***** ought ** **. ** ** ** inform ****'* ******* ***** **** **********.
******: *** ******** *** ****** ******** for *** ***** ************ ****************** ** ********* *(* ********* ******** ********* *, * mistake ****'* **** *****). *** ** tells **** **** **** ***'* **** when *** ***** ************ ********** **** be *********:
** **** *****, ** ****** *** with ********* **** *** ******* **** be *********. *** ************* **** *** be ******** ** *** ******** ****** Subgroup *** *** ********** **** ** adapt ***** *********. ***** **** ******* is *********, *** ********** **** ** up *** ******** ** *** ********** plenary *******.
** **** **** ******** **** *** update **** *** ***** ********** *** issued.
*****, *** *****'* *** ******* ** the "****** *** ****** ** *** ***", *** ********* **** ***** ********* I ***** ***'** ******** *** ******** on *** *** ******, *** ******** the ******.
*.*. ** * *** **, *********** *** *** ** *** ** protect ******** ** * ***** ************ trade **** **** ***** ************* ******* to **************** * ****** *********** ******. * believe *** ****** ** ** ******* data-hoarding *** ******** ********* *** *** small ******** ** ******* ****** *** care ***** **** ****** ** **** go ***** ***** ***** *****. **** said, * ******* ***** ***** **** been **** *********** *** *********** ***** their ****-********** (********* *** **** ********* is
**, ** ***** ** **** ***** is ** ****** ** *** ****** of *** ***, *** * ***** they *** ** ****** ** *** spirit.
** ********** ** **** *** ******* of **** ** *** ** ***** users ** ***** ************ ** *** masking ** **** ******* *** ******** opt-out ******* (*** ** *** ** that ** *** ***** *******?). *******, it ***** ** ** **** ***** of ***** ************ **** ** ** reminded ** *** * ******** *** reasonable ********* *** **** ****** ******, and *** ** ** * ***** and ***** ******* ******* ** (**********) profiling ****.
* *** ** ** * (******** futile) ******* ** ******* ****** *************** *** *** ***** ********* ** endless *********, ******** *** ************** (*** the ***** ** **** ****). * recent ******* ** *** ***** ** the******* *** ******* ******** ******** ** ******** ****** ** *** out.
*'* **** ** ***** **** ***** the ******* ********* ****** * ***** would **** ** ***** ***** ************. It's * **** ******* ******* *********** is ******** *** ******* ****** ** minutes, *** ***** ** ****** ** detect *** ** ***** ******** **** after *** ********. *** ****** *** also **** ** ******** ** **** retention ***** ** **** **************.