Compliant video surveillance
Today, video surveillance plays a vital role in maintaining security and running a business. GDPR and data legislation have become key elements in ensuring that video surveillance is carried out in a way that protects personal information and individual rights. But what exactly does the GDPR say about video surveillance, and how do you carry out compliant video surveillance?
This blog is about how to practice video surveillance as a company or organisation in order to comply with GDPR.
What does GDPR say about video surveillance?
In short, GDPR aims to protect the rights of individuals and ensure that companies handle personal data responsibly. When it comes to video surveillance, it is crucial to understand how GDPR principles such as data security and transparency apply.
The GDPR protects personal data, regardless of format. Therefore, its principles are more or less the same for video as for text. Video material can thus be considered sensitive when it involves or contains information that relates to people’s personal or private affairs. Sensitive video material includes, for example:
- Identification: If video material clearly shows faces or other identifying features, it is considered sensitive, especially when combined with other information.
- Personal activities: Recordings of personal activities, e.g. health information, religious practices or political affiliations, are also considered sensitive.
- Sensitive locations: Videos that show people in sensitive locations such as healthcare facilities, places of personal recreation or private homes may also be considered sensitive.
- Behavior: Recordings that document sensitive behavior or interactions, such as emotional reactions, are sensitive material.
- Children: Whenever a video shows a person under 18, it is sensitive data.
Video surveillance in accordance with the GDPR
GDPR-compliant video surveillance requires that you protect individuals’ privacy so that you meet the basic principles of the data protection regulation. Here are some key points to follow:
- Define your purpose in your policies: First of all, be transparent by stating clearly and specifically the purpose of video surveillance in your privacy policies. For example, for security, crime prevention or property protection.
- Identify a legitimate interest: Do you use legitimate interest as your basis for carrying out video surveillance? If so, this interest must be well-founded and outweigh the rights of the people depicted. If you do not have a legitimate interest, get consent from all persons pictured. Consent must be voluntary, informed and specific.
- Use signs to inform people: Whenever you use video surveillance in locations with general access, you must use clear signage to let people know they are on video. If you monitor your employees, make sure you inform them, tell them why, and provide other relevant information.
- Minimise video volume: Keep only the necessary footage for your defined purpose. The principle of data minimisation means that you limit any personal information you store, regardless of its format.
- Store footage securely: Make sure you store video data securely and protect it from unauthorised access. This may include, for example, encryption and access control measures.
- Avoid tampering: Further, the GDPR principle of accuracy means you are responsible for preserving the integrity of the personal information you store. Therefore, you must avoid tampering or altering video recordings without a valid reason.
- Establish deletion policies: Establish clear guidelines for how long you will keep video recordings. Then, delete them when the retention period has expired. The retention period is typically around 30 days.
- Answer data requests: Since video surveillance of people is the processing of personal data, it is your responsibility to be able to answer data requests from the person or people who appear in the footage.
- Staff training: Finally, train all employees who handle video data in relevant GDPR requirements. Above all, make sure they understand their responsibility to protect any personal information that could be revealed in videos.
Overall, by following these guidelines, companies and organisations can use video surveillance in a way that complies with the GDPR and respects the individual’s rights and personal data.
Consequences of leaking data in videos
Data breaches, whether the data is in the form of text or videos, are serious. They can result in serious consequences, including significant fines and legal action. Businesses should be aware of the potential financial and reputational costs of not following video surveillance regulations.
Do you have video material with sensitive content?
At Safe Online, we develop software solutions that are user-friendly and designed to support companies in meeting GDPR and other regulations that relate to the protection of personal information. Our three solutions can each help in their own way to solve tasks when it comes to video surveillance and the processing of sensitive video material.
DataMapper – Find your sensitive data
ShareSimple – Send and receive data securely in Outlook
RequestManager – Process data subject requests easily
Sebastian Allerelli
Founder & COO at Safe Online
Governance, Risk & Compliance Specialist