Data Protection for Individuals
As technology improves, systematic automated monitoring for the purpose of property protection, in particular, has become a significant phenomenon in our days.
The use of CCTV installed at private dwellings is based on the collection and retention on images of persons passing through the monitored area. The principal objective is to collect evidence and identify a person who might have maliciously or unintentionally caused damage or harm to one’s property.
Nevertheless, the potential risk of misuse of such data collection increases at par of the area or space being monitored. The risk is also based on the place, time and frequency of the captured angle by each individual camera installed.
In this regard, the General Data Protection Regulation (GDPR) in Article 35 (3)(c) requires that where data shall be capturing or monitoring systematically a public accessible area on a large scale, a data protection impact assessment is required. In such a case, the person installing the CCTV systems may be identified as a ‘data controller’.
However, pursuant to Article 2 (2)(c), the processing of personal data by a natural person in the course of a purely personal or household activity, which can also include online activity, is out of the scope of the GDPR. This provision is known as ‘household exemption’.
The Household exemption is interpreted by the European Court of Justice (CJEU) as “activities which are carried out in the course of private or family life of individuals…”. Therefore, if cameras within a CCTV installation have their angle of focus directed to only capture a private property or area, this is considered as an activity under the household exemption.
However, if a video surveillance system, to the extent it involves the constant recording and storage of personal data and covers, “even partially, a public space and is accordingly directed outwards from the private setting of the person processing the data in that manner, it cannot be regarded as an activity which is purely personal or household activity for the purpose of the second indent of Article 3 (2) of Directive 95/46”. (CJEU Case C-212/13)
Video surveillance is lawful if it is necessary in order to meet the purpose of a legitimate interest pursued by a controller or a third party, unless such interests are overridden by the data subject’s interests or fundamental rights and freedoms (Article 6 (1) (f)).
The European Data Protection Board (EDPB) indicates that legitimate interest may be based on a real and hazardous situation, the purpose to protect property against burglary, theft or vandalism can constitute a legitimate interest for video surveillance. However, the controller should consider that if the data subject objects to the surveillance in accordance with Article 21 the controller can only proceed with the video surveillance of that data subject if it is a compelling legitimate interest which overrides the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
The legitimate interest needs to be of real existence and must be a present issue (i.e. it must not be fictional or speculative) [CJEU Case C-708/18 p.44 ]. A real-life situation of distress needs to be at hand – such as damages or serious incidents in the past – before starting the surveillance.
FAQs in relation to the processing of personal data by means of video devices
Am I allowed to install a CCTV camera on my private property?
Yes, you are allowed to install a CCTV camera on your private property. Under the GDPR this falls within the category of the so-called household exemption. As considered by the European Court of Justice, the so called “household exemption” must “be interpreted as relating only to activities which are carried out in the course of private or family life of individuals”.
It is important therefore that each camera that is installed is pointed solely to the private premises of the household.
A video surveillance system involves the constant recording and storage of personal data. Therefore, if a camera is pointing even partially, a public space and is accordingly directed outwards from the private setting of the person processing the data in that manner, it cannot be regarded as an activity which is a purely ‘personal or household’ activity for the purposes of the second indent of Article 2(2)(c) of Regulation 2016/679.
Besides the above-mentioned elements, the user of video surveillance at home needs to perform an overall assessment before choosing the location of each camera to be installed.
What assessment should I carry out prior to the installation of a CCTV system?
Video surveillance based on the mere purpose of “safety” or “for your safety” is not sufficiently specific (Article 5 (1) (b)). Video surveillance is lawful if it is necessary in order to meet the purpose of a legitimate interest. Given a real and hazardous situation, the purpose to protect property against burglary, theft or vandalism may constitute a legitimate interest for video surveillance.
Personal data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).
Before installing a video surveillance system a person should always critically examine if this measure is firstly suitable to attain the desired goal, and secondly adequate and necessary for its purposes. Video surveillance measures should only be chosen if the purpose of the processing could not reasonably be fulfilled by other means which are less intrusive.
For how long shall I retain the video footage?
Article 5(1) of the GDPR stipulates the general principle that personal data should not be retained for no longer that is necessary for the purposes for which the personal information is processed (‘storage limitation’). In general, CCTV recordings should not be kept for more than a few days, unless the controller is able to justify a longer retention period based on justifiable grounds.
Am I allowed to disclose the recordings to third parties?
Under Article 4(2) GDPR, ‘disclosure’ is defined as the transmission (e.g. individual communication), dissemination (e.g. publishing online) or otherwise the making available of information.
Any disclosure of personal data is a separate kind of processing activity for which you need to have a legal basis in terms of Article 6(1) GDPR. Therefore, a request for CCTV recordings made by law enforcement authorities during the course of an official investigation, would fall under the legal ground of Article 6(1)(c) GDPR as the processing would be necessary for compliance to a legal obligation to which the controller is subject.