Data protection in video surveillance
Video surveillance is advancing more and more. Even though Germany is far from a complete surveillance state, the use of surveillance cameras has increased considerably.
Smaller companies and private individuals in particular are rediscovering the topic video surveillance for themselves. Network cameras and software are becoming less and less expensive, and installation and operation are becoming easier and easier. This lowers the entry barriers for all involved.
Current papers on the state of legal development
At the European level, a working group of the European Data Protection Board, with the cooperation of the German data protection supervisory authorities, has developed a guideline on video surveillance under the GDPR (Guideline 03/2019). This guideline provides a comprehensive overview of all essential elements of data protection law and also addresses new forms of video surveillance in some places.
The Data Protection Conference as a body of independent German federal and state data protection supervisory authorities (DSK) has also produced an orientation guide on video surveillance and a short paper on video surveillance by non-public bodies, in which many legal requirements are presented and analysed.
The legal basis
State Commissioner for Data Protection and Freedom of Information. North Rhine-Westphalia:
Depending on the design, personal image data may be collected and processed during video surveillance. Such data processing is generally prohibited and only permissible as an exception if a legal provision allows it or if the data subjects have given their prior effective consent (so-called prohibition with reservation of consent).
Video surveillance only permitted with exceptions
There are various legal regulations that set out requirements for permissible video surveillance. Which legal basis applies depends primarily on who is responsible for the video surveillance:
only from professionals
The area of video surveillance is subject to strict legal guidelines, which is why we, as an established company with 20 years of experience, advise against installing video surveillance without professional advice.
In our projects, we always make sure to work in a data protection-compliant manner and to comply with all guidelines. For this purpose, we also have a data protection officer in the company who is only responsible for this topic.
General Data Protection Regulation
With the entry into force of the General Data Protection Regulation, all companies are subject to new legal guidelines. VTIS GmbH has also made numerous updates in this regard in order to be able to continue to offer its services in a data protection-compliant manner.
By using our website and all our services, you are on the safe side with regard to the GDPR. You can find all information on this topic on the official homepage of the GDPR.
Data protection impact assessment
“This must always be carried out if particularly sensitive data pursuant to Section 3 (9) BDSG is processed or if the data processing was intended to evaluate the personality of the data subject, including his or her abilities, performance or conduct. In these cases, the data protection officer examines the particular risks to the rights and freedoms of the data subject inherent in the procedure and issues an opinion on the lawfulness of the data processing at the end of this examination. Just like prior checking, the data protection impact assessment thus serves to evaluate risks and their possible consequences for the personal rights and freedoms of the data subjects.” Translated with www.DeepL.com/Translator (free version) Source
Who is liable for data protection breaches?
“Any person who has suffered material or moral damage as a result of a breach of this Regulation shall be entitled to compensation from the controller or processor.” Article 82 GDPR
Release from debt
The installer, end customer and other parties involved have the option of “exoneration” if they can prove that they are not responsible for the data protection breach that has occurred. For this, a complete documentation of the activity must be kept, with the prerequisite that each party knows exactly what they have to do during the project.
Duties of the installers
According to the GDPR, the installer has several documentation obligations. These serve to prove that the installation and implementation of the video surveillance system complies with the regulations. Contractors, on the other hand, must keep a register of their processing activities. Previously, this was only mandatory for end customers/operators according to the BDSG (Federal Data Protection Act).
Operators of video surveillance systems face significantly increased fines since the GDPR. This can be a factor of 67. If, for example, a retailer used to have to pay a fine of €1,000 for installing surveillance cameras that did not comply with the regulations, now up to €67,000 is possible.
End customers, contractors and installers can be sanctioned according to Article 28 ff. DSGVO/83 EU-DSGVO, fines of up to ten million euros or two percent of the total worldwide turnover can be imposed.
What should contractors pay attention to?
In the transition phase, existing installations and contracts for video surveillance should be reviewed. New contracts to be concluded must be drafted in such a way that they take into account the legal situation under the GDPR. Therefore, basic knowledge about data protection is blatantly important for every installer. In short, this means that the installer or installer is no longer allowed to install a camera anywhere the customer wants. What exactly he has to do is described in detail in the “GDPR Video Practice Guide”, which he can obtain free of charge from Deutsche Datenschutzhilfe, provided he is a supporting member. The practical guide contains, among other things, a checklist for the installer/installer so that he knows what he must ask the end customer before he is allowed to start installing the video equipment. The GDPR video guide also includes sample forms for complete data protection management, including the installer’s own processing activities, so that the installer also has proof that he has acted in accordance with data protection regulations during installation and has fulfilled his duty to inform in detail with regard to the BDSG and GDPR.
Source: sicherheit.info / Walter C. Dieterich, Vorstand, Deutsche Datenschutzhilfe e.V.