GDPR For Video Surveillance Guide
Now enforced for five years, GDPR has become fundamental to how video surveillance is used in the European Union.
In this guide, IPVM answers major questions such as who risks getting fined and what kind of video analytics are permitted, including:
- Enforcement Focus: End Users
- Median GDPR Fine
- Number of GDPR Fines
- Largest GDPR Fines So Far
- Reasons For Fines
- Best Practices Guidelines Adopted
- GDPR And Fever Screening
- Public Signage Official Example
- Best Practices On Storage
- Using Face Recognition Against Shoplifters
- Gender, Age Analytics Not Considered Biometrics
- Race Analytics & GDPR
- Failure To Appoint DPO Example
We first released this guide in 2018, when GDPR started, and now this new guide shows what has changed and how GDPR has worked in practice.
Executive *******
****** *** **** *** *******, ***** were*********** ******* ***** ************ **** ***********, *** users, *** ************* ***** ** ****** by ***** *********** *** ***** *****, with *** ************ *********** ******.
*******, **** ***** *****, ***** ***** have *** **** ** ****. ***** can ** ******* ******* ***** ***** like ******* ** ******* *** ******** filming ****** *****. ***** **** ********** is *********, *********** ** ************** ******* end *****, ****** **** ******** *****.
***** ************ **** ****** ***********, ***** screening, *** ***** ********* **** **** allowed ** *********** ** **** **** countries, ****** **** **** ************. ******** authorities **** **** ****** ******** **** practices ****** *** ***** ******* ******* clarity.
Enforcement ******* ** *** *****
***** **** *** **** *** ********* of ***** ************ ************* ** *****/***** providers ***** ***** **** **** ********** so ***.
*** ***** ** ********** *** ************** been ** *** ***** ** ***** surveillance, *.*., *****, ***********, ******, *** homeowners - ******* *********** ******* ***** ************ - 79 ***** ******** (****).
*** *********** **** **** *****. **** could **** **** *** ******** ** far: *** ********** ** ******* *** fined ************ *************** ****** ******* ** ****** ***** for ************* ******** ** ****, ***** another ********** ** ******** ***** ** ******* ******* ** ******* * **** Protection ******* (**** **** ** ******** employee *** ** ********* ** ***).
Median **** **** ***
*** ****** *** ******* ***** ***** the **** *** ******* ********* ******* ** ******* ***** ($**.* *******) or *% ** ****** *******, ********* is ******. *******, *** ****** **** video ************ **** *** ~$*,***** ** ****, ***** ** *** *************, *** manageable *** **** *********.
Fines ********** *******
**** ********* **** ***** ***, ***** have **** ***** *** **** *** video ************ *****, *****, ****** *** Europe. **** ** *** * **** high ******, ***** *** **** *** been ** ***** *** * ***** and ****** ** ********* **** ~*** million ******. **** *********, **** ***** ones **** *** **,**** *** ** ******* ****** **** ***** ************ ****. Spain ** ** *** *** **** prolific, ******* ***** ** *****. (**** fines *** *** **** **** ********-********, so ***** ******* *** *********).
Largest **** ***** ** ***
*** ******* **** ******* *** ************-******* company ** ******* ****** *********** ************* ***** ******** ******** ** ******'* **** images ******* ***** *******, ********* ** ~$68 ******** *** ** ***** ***** by******,******, ********. **** **** *********, ***** ** US-based, *** ******* ** ***, ***************** *****.
*** ******* **** *** ***** *************** $** ******* ** **** ******** ****** ****** ****** ******** *** monitoring * **** ***** ** ******** areas **** ** "**********, ***** ******, warehouses *** ***** *****".
**** ****** **** *** ** *******, however, **** ** ***** ****** ***** anywhere ***** ** **** *** ***** surveillance **********. *** ******* **** ***** surveillance **** ***** **** *** **** IPVM ***** ******** *** *********** ******** ******** ~$***,*** *** ***** ***** cameras, *********** ******** *******, ****** ***********, *** legal *************.
******* *** *****
*** **** ****** ******* ********** ******** ******* ****** *****, ********** ********* constantly, ******* ** *** ** *******, and ******* ******* ***** (**** * neighbor's ****). ****-******, *** ***** *********, reasons ******* ******* ******** ****** ******* without ******* *** *** ********* **** subject **** ********.
Best ********* ********** *******
** ****, *** ******** **** ********** Board, ** ** **** ******** ** encourage **** **********, ********** ******* ****************** ** *** **** *** ***** surveillance.
***** *******'* ************* *** *********, **** ******* **** examples ** **** ********* *** ********** clarity.
- VIP ****** *********** ** * *****: A hotel’s use of facial recognition for 'VIP' recognition is unlawful if deployed on any guests who have not explicitly consented.
- Private ****** **********: A homeowner filming their own private fenced garden is not regulated by the GDPR, as long as public and neighbor spaces are not captured.
- Misuse ** *******: Video footage intended for damage resolution at a parking lot violates the GDPR if posted without consent, e.g. sharing a fight video on Facebook for entertainment purposes.
- Identifying ********/**********: It is illegal under the GDPR for an employer to use cameras to identify employees participating in a strike or protest, as trade union membership and political opinions are protected data categories.
GDPR *** ***** *********
************* **** **** ********* ***** *********** screening ******* ** **** ** ******** are ***** ** ********* **** ********' rights, *** **** *** ********.
**** *******,******* ******** ******** ***,*** ***** (~$***,***) *** violating *** **** ** ***** ***** cameras, *********** ******** *******, ****** ***********, *** legal *************.**** *** *** ***** *** ** far **** **** **** *** ***** screening ** ******.
***** *********' *********** ****:
- *********** ***** ********* ** "********** ************" with *** ****.
- ********** ***** ********* ** ********* *** schools, **** ******* **********.
- ***UK is much more lax, only recommending regular compliance reviews.
- *************** ***** ******* *** ******** ** humans.
- ******, Spain, *** ***** allow fever screening but prohibit combining it with facial recognition.
- *** *************** ***** ********* ** *********.
Public ******* ************
******* *** **** ******************* ** ******* ************* ************ ********** ****** ********** *******, ** ** **** ********* **** ever *** ************ ********* ** ****** the ****** ** **** *** ********* video ** ****.
******* ** ******* ******** ******* *** the ***** **** ****** ****** *** GDPR *****, *******'* **** ********.
** ******* ***** **** **** *** ********* ******* should ** ******** ** *******:
- *** ******** *** ******* ******* ** the **** **********
- “*** ******** ** *** ********** *** which *** ******** **** *** ******** as **** ** *** ***** ***** for *** **********”
- “*** ****** *** ***** *** ******** data **** ** ******, ** ** that ** *** ********, *** ******** used ** ********* **** ******”
- ********* **** ******** ** ***** “***** to ***** * ********* **** * supervisory *********”
- *** ********* ** *** ***** ** request ******, *************, *** ******* ** the ****
***, ** **********, **** *****:
- *** ******* ******* ** ***, ** you **** ***
- ** *** **** **** ** *********** to ******* *******, *** ******** ********** in *****
- ********** ** *** ******** **** (** other **** *** ***-****)
- “*** ********* ** ********* ********-******, ********* profiling... ***, ** ***** ** ***** cases, ********** *********** ***** *** ***** involved, ** **** ** *** ************ and *** ********* ************ ** **** processing *** *** **** *******.” (**** would ****** ***** ** ****** **** facial *********** ** ***** ********* **********.)
*** ***** ****** **** ****** *** this ** ******* ******* *** ******* written.
Public ******* ******** *******
*** ****'****** ************ ***************** * ***** ******* ** **** public *******:
No ******* ******* *********
*** **** *** ** *** ****** on *** **** **** ****** ** stored *** ****** **** **** ****** not ** **** *** ****** **** is ********* *** *** ******** ********. The **** **** ****** ****** ******* periods *** “****** ********, **********, ** historical ******** ********” (******* *). ** *** **** **** ************ stores *** ***** ********** ** ****** violating *** **** ****** ** *** prove ** ** ****** ********* ** these *******.
Best ********* ** *******
*** ****'****** ************ *************** **** ** ***** ** "**********" storage *** * ***** ****, *** this *** ** ****** ** **** as *** **** ********* ** **** a ***** ****** **** ** *.*. recent ******, ********, ***. *** **********, again, ** *** ****** *** ******* storage *********.
Usage ** ********* **** **********, **** **********
******* ********** ********** ** ********* ****, ***** with **** **** ******* ****** ** ethnic ****** *** ******/*********/***** ***** **********-******* data:
********** ** ******** ****revealing ****** ** ****** ******, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric **** *** *** ******* ** ******** *********** * ******* ******, data concerning health or data concerning a natural person’s sex life or sexual orientation shall ** **********. [emphasis added]
********* **** ***** ******** ***** "******** identifying * ******* ******" *.*. ********** like ****** ***********.
Article * *********: *********** ****** ********
*******, *** **** ********** * ***** number ** ********** ** ***** ******* 9 ************. "******* ** *********** ****** interest", ***** ** *** ******* ********* by *** ****, ** *** **** one ***** *** ***** ************, *** typically **** *** ***** *** *** enforcement-related ********.
Face *********** *** *** ****
******* ** ********** ************ ** ********** (**** **********), ********* facial *********** *** ** *****. *** example,****** ****** ****** *** ***** **** *********** to **** **********. ********* **** *********** in * ********** ******* *** ********, without *** ***** *******, ***** ** illegal ** **** *********. *******, ** be ****, ** ******* *** ****** facial *********** *** *** *********** ********, and **** ******* ******* ***** *** GDPR *** *********************.
Using **** *********** ******* ***********
********* ********* **** ********* ** ****** using ****** *********** ** ***** ***********, based ** ***** *************** ** "*********** Public ********:
- ******* ********* ******* ***** **** ***** ****** recognition.
- *** ** **************** ***** ***** ****** *********** ** catch ***********.
- ****** ********** *** ****** *********** ** catch **************** ** ********* ******.
**** ***** *** ****** **** *******'* regulator *** **** ************ *** **** GDPR. **** ** *** **********, ** the **** *** ** ***** ** key ******.
Gender, *** ********* *** ********** **********
*** **** *** ********* **** *** and ****** ********* *** *** ********** biometrics ****** **** *** ******** * specific ******.
****** *** *** ********* *** *** considered ********** ** **** ** ***** do *** ******** ******** ****** (*.*., via ****** ***********), *** ****'****** ************ ************** *********.
Race ********* & ****
********* ******'* **** ***** ***** ***** Article *'* **** ** "********* ****** or ****** ******", **** ********** ** France *** *** *********** **** ****. Detecting ******'* **** ******** *** ** the ******* * ********** ** *****. IPVM *********** *** **** ***** *******'* **** ***** *********** ****.
GDPR: *** ** ********
*** ************* *** ********* ********** *** ******** data ** ****** *** *** ******** in *** ***** ** (******* ******),********** ** ***** *** ******* ***** be *****. ******* ***** ******* ** someone ** ********** ***** ****, *** video ************ ******** ** ******** ******** by *** ****.
***********, *** **** **** ******* ** processing ** ******* ********** ** *** EU. * ***** **** ** *** that ******* * ******* ******* **** not **** ** ****** **** *** GDPR.
Controllers, **********, ******** *********
***** *** ****, *** *** ****** are:
- Data ***********: these are end users like shops, restaurants, malls, or home owners deploying video surveillance - entities which "************ ******** *** ***** ** *** processing ** ******** ****".
- Data **********: any integrator who accesses customer footage, e.g. in Croatia, an integrator that ********* ************** ******* ** *********** *********** "*********" ** **********. **** **** affects ************* *** **** ******** ******* on *** ***** ** *** *****, e.g. ***-******* ** *********. * ************ that **** *** ***** ** ******* end **** ***** ******* ***** *** be ********** * ********* ***** *** GDPR.
- Data ********: these are the people being recorded on a camera.
*******, *** **** ***** **** ******** in ****** *********** *** ****** ** access *** ****** ***** **** ***** imposing ************ ** *** **** **** can ** *********. *******, *** **** itself *** ** ****** ********** ** video ************.
Dealing **** **** ******** **** ********
******** **-** ** *** **** ***** data ******** ********* ****** ** ***** own ****,********* *** ******* ****** *** ******** **** ********* about **** *** *** ***** ** request **** **** **** ** ******* (“*** ***** ** ** *********”). ***** ******** **** ** ******** by ********* **** ** ******. ***** surveillance *********, ** **********, **** ** careful *** **** **** ******' ******** data **** **** ****** **** **** requests, *** ******* ** ********* ***** to * **** ******* **** ********** other ****** ** ****.
********* ******* ***** ** ******* ** **** requests. ***** **** ***** ************ **** is **** *** **** **** * month, **** ***** **** ******** *** video ************ **** *** **********. **** is ********** ** **** ** *** requestor ** ******** *** ******* *** already **** *******, ********* ***** **** **********.*******, **** ******** "****** ******* **** he ** *** ****** *** ********* area ****** ************* * *** ****-*********", the **** ****.
** ********,** ****** ******** **** ***** ************ ***** have **** ****** **** ************* ** subject **** ********, ** ** *** ignore ****.
Data ********** ****** ********** (****) ***********
** *** **** ** “********** ********** of * ******** ********** **** ** a ***** *****,”******* ** ** *** ************ **** * “**** ********** ****** assessment” (****) ** ********* ****** *** system ** *********, *********:
- “* ********** *********** ** *** ********* processing ********** *** *** ******** ** the **********, *********, ***** **********, *** legitimate ******** ******* ** *** **********”
- “** ********** ** *** ********* *** proportionality ** *** ********** ********** ** relation ** *** ********”
- “** ********** ** *** ***** ** the ****** *** ******** ** **** subjects”
- “*** ******** ********* ** ******* *** risks, ********* **********, ******** ******** *** mechanisms ** ****** *** ********** ** personal **** *** ** *********** ********** with **** ********** ****** **** ******* the ****** *** ********** ********* ** data ******** *** ***** ******* *********.”
*** ***** ** ********* ***** *** largely **** ** **** *********** ********** large-scale ***** ************ *******. *** *******,****** ** *********, ***********, **** ***** ** **** *** not ********** * **** ***** ** installing * ********** ****-*** ******* ** its *****.
***** **** ** ********* ** **** controllers******* *** ********** ********* ***** *****. The **’* ******* ** ******* ***** has************* ******** ***** ** *** ******** for ***** ** ** ******** ********* by **** ***********, ** ********** *********** at ***** * ******* ** *** DPIA ** * **** ********.
************, “***** * **** ******* **** residual *****, *** **** ********** **** be ******** ** **** ***** ************ for *** ********** **** *** *********** authority”.
Dealing **** ***** ********/***************
************* **** **** ******** **** ********,**** ** *******, ***** ************* ** ******** ** GDPR *********. *******, ** ***, ** video ************ ************ *** **** ********* for ****.
*** **** ******** ********* **** ********. Breaches ****** ********** **** “**** * **** ** an **********’* ****** *** ********." ** does *** ****** ** ***** ******** are ******** ******** ** ***, *** risk **** ***** ** ** *****.
**** *********** **** ** ***** ** inform ***** *******’* **** ********** ********* about *** ******, *** ** *** breach ******** ******* ******* **** ********, it **** **** ****** ****. *******, if *** **** ********** *** ********* encryption ******** ** ***** ** ******* the **** ** ** ****** ****** to ***********,** ** *** ********* ** ****** data ******** ** *** **** ** their ******** ****. ** ********* ***** **** ******* of * ****** ** ************ *********, the **** **** ****** “* ****** communication ** ******* *******” ** ** issued.
**** ********** **** **** ****** **** breaches ** ***** **** ***********, ******** the **** **** *** ******* * time ***** ** ***** *****.
When ** *************/******* ******* ********?
*** ****’* ******* ** *********** “**************** *** **********” ** **** to ****** **** **** ********** ** “by ****** *** ** *******.” ******* of ***** *******, ** ***** *** GDPR **** ********** **** ******** ****. In ***** ************, **************** (*.*. *************) would **** ****** *********** ** ******** *** ***** ** data ********.
*** **** **** *** ********** ***** when ************* ** ********. *******, ** explained ** ******* **, *** **** of *** **** ** **** “**** personal **** ***** *** ********* *** each ******** ******* ** *** ********** are *********”.
**** ***** **** ** ******** ** a **** ********* ********* **** ********, so **** ***** ******** ******* ******** rather **** *********.
What ********** ** ********?
*** **** ********* ********* ********** ********* “***** **** ****** *** ******** data ************** ** *** ****** *** is *** ********** ** ****** **.” This ***** *** ***** ****** ****** very ***** ******** *******, **** ** complex *********, ******* *******, ***, ** avoid ************ ******.
** ***, **** *** *** ***** any ******* ** ********* ** ****** being ********** *** ******* ****** ***** surveillance **********.
Do * **** ** **** * **** ********** *******?
********** **, * *** **** ** ********* for ********* ***** **** ********** ******* "systematic ********** ** **** ******** ** a ***** *****". *******, **** *** be ********** **** ***** *********, *** can **** ** ***** ******* **** the ****’* *** ***** ** **** part-time.
* *** ** ********* *** "* security ******* *********** *** ********** ******** centres *** ****** ******",*** ** ********** *** ******.
Failure ** ******* *** *******
** *****, * ******** **************** ** ******** *** ** **** *** *** fined **,*** ***** ($**,***) *** **************** **.
Do **** **** ************* ** ***** **************?
******* ** *** **** ** ** stated **** **** **** *** **** of ****** ************* ** *************.
*** **'* ******* ** ******* ***** (an ******** ** ******** ****)********* **** ************ **** ** ******** **** **** "DPOs ****** **** ********* ** ******** and ******** **** ********** **** *** practices *** ** **-***** ************* ** the ****. ** ** **** ******* if *** *********** *********** ******* ******** and ******* ******** *** ****.” ** also ***** **** "*** ******** ***** of ********* [** * ***] ** not ******** ******* *** ** **** be ************ **** *** ***********, ********** and ****** ** **** ** ************ processes."
Do * **** ** *** *********?
***** *** ****, *** **** ** certification ******* *** ******** ********* (******* **, ******* *). ********* **** *********** ********** **** ** ***** ******** *** certified ** **** ********* ** *****-***** schemes *************, *** **** ************** *** *** mandatory. ***** ************** *** ******* *** chiefly ** ******** ******* *** *** PR ********. ** *** ** ****** into ******** *** **** ** ************* is ********* ** ** ********** **** compliant *** *** *****, ***********, ** manufacturers.
DPO ************* *******
***** *** ************* ** *** *********,*****’* **** ********** ************ ******** ********* *** ************* ******, ***** ******** * ****-**** **** and * ******* ****** ** **** experience. ******'* *** *** **** ********* **** ** ******** *** **********,*** ***** *** **'* ***.******* **** *** **** **** ******** their *** *****.
Are ***** ********** ** *** ****?
******* ** ** *** ********** ** ****** ****** *** ***** to ******** **** ** **** **** provisions, ********* *** ***** ** ** forgotten, *** ***** ** ****** *********** gathered ** * **** *******, *** the **** ** **** ******** *** transparent *********** ***** **** **** ** processing ** ***** **. ***** ********** include ******** ********, *******, ****** ********, ongoing ***** *****, *** ***** **********.
**** ** ***** **** ******* ** is ****, *** *******, ******* ******* with ******* * **** ****** ******* that *** **** ****** *** ***** surveillance ******* ** *** ***** *** right ** ** *********, *** ** individual ****** ******* *******-********* ******** ** obtain *** ***** ********** **** **** of ***.
***** *** *****, *** ***'* ** honest **** *** **? **** ****, IMO, * ****** ***** *** ** outlining ****** *** ****************, ** **** everyone *********** ****. ** **** ****** so ** *** *****-*********** ******* **** other **** **** ************.
** ********* **** *** **** ** being ********* ***** ** *******, ** the *** ****, *** ****** **** deployed ****, *** *** ********** ******** such ** ****** ***********, ** **** of * **** ******* ******* **** anyway. **** *** **** ****** ****** the **********.
* ** ********* ******, ***** *** well-known ***** *** ** ******* ** 1 (*) **** ********* ***** **** lifters ****** ** ****** ***********. ** areas ** ****** ** *** **** way ** **** ***** **** ***** in *** ** * ******* **** this ***** ******.