Data protection (GDPR): video recording and video surveillance  – to be or not to be?

• Compliance/Data Protection/ESG
• IP-IT
• SME

As the law-enforcement practice shows, video surveillance and other types of video recording are in the focus of attention of data protection authorities. This is an area, where both companies and individuals make a number of mistakes which lead to imposition of fines for violation of data protection legislation, including the EU General Data Protection Regulation (GDPR).

Video recording and GDPR violations: case study

Data protection authorities of different countries have already imposed quite a lot of fines for violating GDPR in a number of cases related to video surveillance and other types of video recording. Inter alia, fines for GDPR violations were imposed:

• on a beverage retailer – for operating a video surveillance system in which the observation angle of the cameras extended into the public space;
• on a company – for conducting  video surveillance in a betting place which was not sufficiently marked as well a video recording of a large part of sidewalk near the facility;
• on a store – for insufficient technical and organisational measures to ensure information security, when camera images of a store, which made video recordings of employees and customers, were distributed without the knowledge and intention of the store due to a faulty configuration;
• on a restaurant – for the excessive use of video surveillance cameras in order to monitor customer areas in the restaurant (in violation of the GDPR principle of data minimisation);
• on a resident of a residential building – for making unlawful video recordings which, inter alia, covered parts of the jointly used inner courtyard;
• on a private individual – for taking secret video recordings during a court hearing with a mobile phone;
• for unlawful use of a dashcam to make recordings of public road traffic and then publishing them on YouTube as a compilation;
• for live video surveillance which was accessible via the Internet and, due to a lack of sufficient pixelation or redaction, allowed persons to be recognized, etc.

Video camera on Volkswagen test vehicle

For example, the German data protection authority imposed a fine for the total of EUR 1.1 million on Volkswagen for insufficient fulfilment of information obligations under the GDPR while installing cameras. In particular, the company installed cameras on a test vehicle which was used to test and train the functionality of a driving assistance system to prevent traffic accidents. For this purpose, the installed cameras recorded the traffic around the vehicle. The data protection authority made a conclusion, that Volkswagen:

• did not provide information in accordance with the GDPR about the data processing by the cameras which were installed in the vehicle,
• did not conclude a data processing agreement with the company that carried out the journeys,
• did not conduct data protection impact assessment,
• did not outline the technical and organizational protection measures in the list of personal data processing activities.

Video surveillance in a restaurant changing room

The Spanish data protection authority imposed a fine for the total of EUR 20,000 on a company which installed video surveillance cameras and microphones in the employee changing room in one of its restaurants. The data protection authority made a conclusion that there was no legal basis for such extensive processing of the employees’ personal data, thus, the data processing was unlawful.

Video surveillance system with permanent monitoring of employees and customers

The German data protection authority imposed a fine for the total of EUR 16,000 on an electronics store which had installed a video surveillance system that permanently recorded employees, customers as well as premises and technical equipment of this company. The purpose of the video surveillance was to protect employees, customers and the property of the store as well as to collect evidences for prosecuting criminal acts and vandalism (if any). However, the data protection authority took a position that:

• in this particular case, the recording of employees was not necessary to ensure such purposes and, therefore, was disproportionate;
• the store violated the principle of data minimization under the GDPR,
• the company stored the video recordings for excessively long period of time,
• the store did not conduct a data protection impact assessment.

Installation of video cameras in a medical clinic

A fine for violation of the GDPR was also imposed on a medical clinic, which installed 21 cameras in its premises for the purpose of protection against crime and property damage. Such cameras enabled the clinic to monitor its employees and patients around the clock. The clinic assumed its video recording was lawful, as it had consent given by its employees as well as information signs placed in the clinic. However, the data protection authority made a conclusion that:

• in this case the consent given by its employees was not a proper legal basis for the video surveillance, as voluntary consent in the employee-employer relationship was questionable,
• clearly visible notices of the video surveillance did not allow to make a conclusion that the patients, by entering the monitored premises, legally expressed their consent to the observation,
• there was no any other evidence that would justify such extensive video surveillance of the clinic.

Video surveillance with sound and image recordings of people living in an institution

The Polish data protection authority imposed a fine on a center which treated people suffering from alcoholism for installing video surveillance cameras at its facility. In particular, the center recorded both images and sound of its residents. The center used the video surveillance system with the purposes related to the safety and health of alcohol-impaired people. However, the data protection authority made a conclusion that these purposes did not constitute a sufficient legal basis for personal data processing in this particular case. Thus, the center unlawfully processed personal data of its residents.

Unlawful use of video surveillance

The Austrian data protection authority imposed a fine on a restaurant for unlawful use of the video surveillance. In particular, it found out that:

• sufficient information about the video surveillance in the restaurant was missing ,
• the video storage period of 14 days was too long in this case and therefore violated the GDPR principle of data minimization.

Violation of data protection when conducting examinations in the form of video conferences

The Polish data protection authority imposed a fine on a medical university for violating the GDPR while conducting exams in the form of videoconferences, where identification of students took place. In particular, when the exams were completed, the video recordings of such exams were available not only to the examinees, but also to other people who had access to the system. Moreover, any outsider person could, by using a direct link, have access to the video records of the examinations as well as the data of the examined students presented during the identification. Besides, the university failed to report such personal data breach to the data protection authority and did not notify the data subjects on their personal data violation. A fine was also imposed on a company for violation of the personal data subject’s rights under the GDPR. In particular, an individual filed a complaint to the data protection authority based on the fact that the company produced a video recording in which that person could be seen. The complainant asked the company to delete the video and to refrain from publishing it in the Internet. However, the company ignored that request and published the video on its website as well as in several social networks.

Conclusions and recommendations

Though a lot of fines have been already imposed on companies and individuals for violating data protection legislation (including the GDPR) while applying video surveillance and other types of video recording, it does not mean that video recording is prohibited at all. In fact, the question is which specific risk mitigation tools shall be applied in order to conduct video recording lawfully. Besides, each particular case should be assessed separately, taking into account the purpose and all the circumstances of the intended video recording, as well as requirements of applicable data protection regulations (including the GDPR), respective guidelines and the best practices in this area.