Employer’s statement on the introduction of video monitoring

 

Company logo

Employer’s statement on the introduction of video monitoring

 

Name of the company based in   

City name…

Postal code, City, st. Street name

 House number,

 

The company’s premises have been equipped in a video surveillance with the usage of industrial cameras. It covers buildings outside and passageways inside. Monitoring is used only to increase work safety and enables detection of behaviour that harms a company or exposes it to losses. The recordings will not be used for any other purpose. Recordings are stored for overwriting (depends on a size of recordings) up to a maximum of 14 days, unless separate provisions of law provide otherwise.

Video surveillance is an invasive form of personal data processing and as such should be subject to special verification by a personal data administrator (an entrepreneur) on the need for its use and necessity to secure.

Video surveillance should be installed in sites where there are incidents or there is a real threat to safety, and where it is impossible to cover such sites with other forms of supervision.

The use of video surveillance as a form of supervision over data subjects involves processing of personal data of all observed persons.

The scope of personal data processed by video surveillance includes indication of, in particular, images, specific features of persons and identification numbers (e.g. numbers of license plates and side numbers of vehicles).

The most adequate prerequisites to use video monitoring are the fulfilment of legal obligation incumbent on a personal data administrator, performance of a task carried out in the public interest or as a part of exercise of public authority entrusted to a personal data administrator, and goals resulting from legitimate interests pursued by a personal data administrator, for public sector entities and private sector, respectively.

In the case of video surveillance,  processing of personal data are operations that consist in, in particular,  saving, viewing, sharing and deleting recorded events and people, regardless of  the nature of  medium the  data are stored (system hard drives, recordings stored in the memory of a device enabling remote access – Smartphone, notebook computers, etc.).

Art. 5 sec. 1 of the GDPR Regulation (the Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (general data protection regulation) (Journal EU L 119 of 04/05/2016, p. 1 and EU Official Journal L 127 of 23/05/2018, p. 2)) set out main rules how to process personal data . These rules appear to be personal data controller basic obligations. Art. 5 content states that personal data must be:

1. 1. Processed in accordance with the law, honestly and transparently for a data subject (lawfulness, fairness and transparency);
2. 2. Collected for specific, explicit and legitimate purposes and not processed further in a manner inconsistent with these purposes (purpose limitation);

c.3. Adequate, relevant and limited to necessary for the purposes the data are processed (data minimization);

4. 4. Correct and, if necessary, updated. Incorrect personal data for purposes of their processing must be immediately removed or rectified (correctness);
5. 5. Stored in a form for an identification of the data subject for no longer than necessary for purposes of processed data (storage limitation);
6. 6. Adequate security of personal data processing, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, (integrity and confidentiality). The security is achieved by appropriate technical or organizational measures.

In accordance with paragraph 2 of the above mentioned provision, a controller of personal data (an entrepreneur) is responsible for compliance with the above principles and must be able to demonstrate it (accountability).

A personal data controller must remember, while taking a decision of video surveillance implementation, to carry out a data protection impact assessment. The activity is required because processing due to its nature, scope, context and purposes is likely to result in a high risk of violating the rights or freedom of natural persons.

The fulfilment of information obligation, towards an observed person, included in Art. 13 of the GDPR is of vital importance. In accordance with Art. 12 of the GDPR, it must be, implemented in a concise, transparent, understandable and easily accessible form, and written in a plain and simple language.

Each person has the right to be informed of being a subject to video surveillance and the right to protect their image against dissemination, unless separate regulations provide otherwise. The obligation to provide such information results from Art. 13 of the GDPR, while the provisions of Chapter III define rights of the data subject in detail.

The rights of persons, subjects to video surveillance include, among others:

♦ the right to be informed about implemented video surveillance in a specific place, its scope, purpose, name of the company responsible for an installation, its address and contact details;

♦ the right to access recordings in justified cases;

♦ the right to delete data of a subject;

♦ the right to anonymize the image on recorded images and / or delete personal data of a subject;

♦ the right to process data for a limited period of time.