Author of the article: Mgr. Petr Hanzel, LL.M., ARROWS law firm (office@arws.cz, +420 245 007 740)
Installing a CCTV system is not only a technical task, but also a legal and ethical challenge. It is not just a matter of selecting the equipment, but above all of ensuring that personal data is protected and the rights of those being monitored are respected. Although practice often varies, a careful needs assessment, risk assessment and balancing tests should always precede the installation itself. The following seven steps will help you create a system that is effective, secure and compliant.
Before you decide to install cameras, you must assess whether their use is necessary. CCTV should only be deployed where there is a real risk, such as vandalism, theft or a threat to personal safety. Documenting these risks, for example through statistics or previous incidents, is an essential step.
Also consider alternative measures, such as access control, security or special anti-vandal surfaces. CCTV should be a last resort.
The balancing test, also known as the proportionality test, ensures that the legitimate interests of the controller do not outweigh the rights of those being monitored. The test involves evaluating the benefits of the CCTV system, assessing less invasive alternatives and comparing the impact on privacy. Without this test, the legitimacy of the system cannot be demonstrated and there is a risk that its operation will conflict with the rights of the persons monitored and therefore with the GDPR.
Every CCTV system must have a clearly defined purpose, for example, the protection of property or the prevention of crime. The purpose must not be too broad and must correspond to the specific areas of surveillance. Cameras should not capture more than is strictly necessary and, of course, should not cover sensitive areas such as toilets or changing rooms.
Footage should only be kept for as long as necessary. According to the Office's recommendations, the usual time limit is 72 hours. A longer period must always be justified, for example by the handling of a specific incident or the nature of the traffic, and does not include the time needed for police or other authorities to intervene.
Processing must be based on a legal basis, in most cases a legitimate interest of the controller. Access to records should be limited to authorised persons who have clearly defined duties and responsibilities.
Records may only be shared with authorised persons or institutions, such as law enforcement authorities or insurance companies, and always on the basis of a legitimate interest or legal obligation. When sharing, it is recommended to use transfer protocols, anonymise unrelated people (for example by blurring faces) and keep records only to the extent necessary.
Cameras must be set up to minimise invasion of privacy. This includes limiting shots to necessary areas, blurring parts of the image, or even disabling features such as audio recording if it is not necessary. Recordings should be encrypted, access limited to authorised persons and security measures regularly reviewed.
Anyone entering the monitored area must be informed of the presence of cameras. The information must be clear, clearly visible and contain details of the controller, the purpose of the processing and the rights of the persons monitored.
Monitored persons have the right to access footage in which they are captured, the right to have their data erased if it is no longer needed, or to have its processing restricted.
The operation of a CCTV system does not end with its installation. The purpose, settings and impact on the rights of the persons monitored should be reviewed regularly. At the same time, it is necessary to keep abreast of current legislation and technical innovations that may offer less invasive solutions.
The proper deployment of CCTV is more than a technical issue. It is a complex process involving legal, technical and ethical aspects. Non-compliance can lead to fines of up to €20 million or 4% of a company's global turnover. In addition to financial penalties, there is the risk of losing the trust of clients, disclosing sensitive data or even being ordered to stop operating the system.
Key documents must be processed to ensure compliance: