GDPR-Compliant Video Surveillance Implementation for Office Security

Question

As a business planning to install video surveillance in our office for security and performance monitoring, we've informed our employees but haven't received explicit consent.

How can we implement this in a GDPR-compliant way, especially regarding which office areas can be legally covered by video surveillance?

Executive Summary

In the context of video surveillance implementation within your office, GDPR compliance hinges on reconciling employee privacy rights with legitimate company interests. Here’s a consolidation of the key legal concerns and steps to take:

  • Legitimate Interests: Your business can rely on legitimate interests, like security and performance monitoring, as the basis for video surveillance if they don’t impinge on employees’ privacy rights.
  • Consent Considerations: Given the power disparity in employment, consent may not be considered freely given; thus, seeking alternative legal grounds such as legitimate interests could be more suitable.
  • Surveillance Scope and DPIA: Before surveillance, assess high-risk processing areas to determine if a Data Protection Impact Assessment (DPIA) is required, particularly in places accessible to the public.
  • Transparency and Information: Clearly inform employees about surveillance details: its purposes, legal basis, and their rights related to data collection.
  • Data Subject Rights: Ensure systems are in place to enable employees to access, rectify, or delete their personal data captured in surveillance.
  • Documenting Compliance: Maintain detailed, up-to-date records of video surveillance activities, reflecting lawful bases, scope, information provided to employees, and any DPIA conducted. Regular reviews are crucial for ongoing GDPR alignment.

Legal trace

Processing shall be lawful only if and to the extent that at least one of the following applies:

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Article 6(1)

The GDPR allows for processing of personal data under certain conditions, including when it serves legitimate interests of the data controller. For the company, this means that the introduction of video surveillance in the workplace could be lawfully based on its legitimate interests in security and performance monitoring, provided that these interests do not override the fundamental rights and privacy of the employees.

The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Recital 47

This Recital underlines that if the company invokes legitimate interests as the legal basis, it must ensure that employee expectations of privacy are appropriately balanced with the company’s interests. This involves considering the reasonable expectations of employees and whether they are likely to foresee processing for the intended purposes.

Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. Article 7(1)

While consent is one of the possible legal bases, in an employment context, it is challenging to ensure that consent is truly freely given due to the inherent power imbalance between the employer and the employees.

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. Recital 32

This guideline implies that for consent to be valid under GDPR, the company would need to actively involve employees in the process, ensuring it’s not presumed by inactivity or pre-ticked boxes. Given the complexity of consent in the workplace, an alternative legal basis, such as legitimate interests, may be more appropriate.

Employee Data Protection and Surveillance Areas

Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. Article 35(1)

When considering areas to be under surveillance, the company must determine whether the proposed surveillance is likely to pose high risks to the personal rights and freedoms of the employees. If so, conducting a Data Protection Impact Assessment (DPIA) is necessary, particularly for areas that may be accessible to the public.

Transparency and Information Duties

The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. Article 12(1)

Transparency is critical when implementing a surveillance system. Employees must be informed about the details of the processing activities, including the purposes and legal grounds for the surveillance, as well as their rights regarding the data collected.

Data Subject Rights and Video Surveillance

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data… Article 15(1)

Employees have various rights concerning their personal data, including the right to be informed of, and to access, surveillance data in which they are identified. The company must have measures in place to facilitate these rights, such as procedures for access, correction, and deletion of personal data.

Documentation and Compliance

Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. Article 30(1)

It is the company’s duty to maintain records of processing activities, capturing detailed information about video surveillance practices. These records must be comprehensive, documenting the lawful basis, scope of surveillance, information given to employees, and any DPIA conducted. It is also essential to establish continuous compliance monitoring and regular reviews of surveillance practices in alignment with GDPR.

PDF Repository

We have searched through the PDF repository of ECJ rulings, European Data Protection Board guidelines, and other documents to provide this supplemental answer.

Details

The included excerpts from the European Data Protection Board (EDPB) Guidelines on Video Devices provide an analytical commentary on several aspects of GDPR compliance that are directly applicable to the implementation of video surveillance in a business environment. The guidelines offer concrete examples, clarify terms, and present a nuanced approach to processing personal data via video surveillance. This additional detail can assist in ensuring that your installation of video surveillance is GDPR-compliant.

Legal trace

The legitimate interest needs to be of real existence and has to be a present issue … A real-life situation of distress needs to be at hand – such as damages or serious incidents in the past – before starting the surveillance… Those documented incidents can be a strong evidence for the existence of a legitimate interest. The existence of a legitimate interest as well as the necessity of the monitoring should be reassessed in periodic intervals… Guidelines 3/2019 on processing of personal data through video devices, page 10

The passage provides guidance on establishing a legitimate interest for video surveillance under Article 6(1)(f) of the GDPR. A legitimate interest must be a present, real issue, substantiated by documentation of past incidents. This articulates the importance of periodic reassessments of the necessity and legitimacy of video surveillance, which is directly relevant to the business’s question regarding the implementation of video surveillance for legitimate business interests.

In general, the necessity to use video surveillance to protect the controllers’ premises ends at the property boundaries… In some individual cases it might be necessary to exceed the video surveillance to the immediate surroundings of the premises… Guidelines 3/2019 on processing of personal data through video devices, page 11

This section clarifies the limitation of video surveillance to the controller’s property, which is essential for determining where to place cameras in an office environment. It signifies that surveillance should generally not extend beyond property boundaries unless there’s a clear necessity, which should be considered carefully to remain GDPR-compliant.

… a video surveillance system may only be put in operation, if the legitimate interests of the controller… are not overridden by the interests or fundamental rights and freedoms of the data subject… Fundamental rights and freedoms on one hand and the controller’s legitimate interests on the other hand have to be evaluated and balanced carefully. Guidelines 3/2019 on processing of personal data through video devices, page 11

This excerpt emphasizes the required balancing act when considering video surveillance. The controller must carefully weigh their interests against the data subjects’ fundamental rights and freedoms. This balancing test is an essential part of the GDPR compliance process for any business considering video surveillance for security and performance monitoring.

For instance, an employee in his/her workplace is in most cases not likely expecting to be monitored by his or her employer… Guidelines 3/2019 on processing of personal data through video devices, page 13

The guidelines point out that workplace monitoring is typically outside the reasonable expectation of employees, which is valuable when considering employee privacy rights during the implementation of surveillance systems in the office. This perspective on the expectations of employees should guide decisions on where and how surveillance is implemented within the business premises.

  1. Consent has to be freely given, specific, informed and unambiguous…
  2. Regarding systematic monitoring, the data subject’s consent can only serve as a legal basis in accordance with Article 7 in exceptional cases…
  3. Given the imbalance of power between employers and employees, in most cases employers should not rely on consent when processing personal data, as it is unlikely to be freely given… Guidelines 3/2019 on processing of personal data through video devices, page 14

Consent, as a legal ground for video surveillance, has limitations, particularly in the employment context where power imbalances may prevent it from being freely given. This guidance supports the notion in the AI Agent’s response that consent may not be the most appropriate basis for video surveillance in the workplace and underscores the complexity of using consent as a reliable legal basis.

Example: A private parking company has documented reoccurring problems with thefts in the cars parked… The parking company have a legitimate interest (preventing thefts in the customers’ cars) to monitor the area during the time of day that they are experiencing problems… Guidelines 3/2019 on processing of personal data through video devices, page 12

This practical example from the guidelines mirrors the business’s concern of ensuring security and can serve as a template for articulating legitimate interest in the context of implementing video surveillance.