Principles of video monitoring in the enterprise
Video surveillance is an invasive form of personal data processing and as such should be subject to special verification by the personal data administrator (entrepreneur) of the need for its use and the need to secure it.
Monitoring sites should be designated where there are incidents or there is a real threat to safety, and it is impossible to cover such sites with other forms of supervision.
The use of video surveillance as a form of supervision over data subjects involves the processing of personal data of all observed persons.
With regard to the scope of personal data processed by video surveillance, it is appropriate to indicate in particular images, specific features of people and identification numbers (e.g. numbers of license plates and side numbers of vehicles).
The most appropriate premises for the application of video monitoring are the fulfillment of the legal obligation incumbent on the personal data administrator, the performance of a task carried out in the public interest or as part of the exercise of public authority entrusted to the personal data administrator, and the goals resulting from legitimate interests pursued by the personal data administrator, respectively for public sector entities and the private sector.
In the case of video monitoring, the processing of personal data includes, in particular, saving, viewing, sharing and deleting recordings of recorded events and people, regardless of the nature of the medium in which they are stored (system hard drives, recordings stored in the memory of a device enabling remote access – smartphone, notebook computers, etc.).
The main rules for the processing of personal data are set out in Art. 5 sec. 1 of the GDPR Regulation (Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (general data protection regulations) ( Official Journal of the European Union L 119 of 04/05/2016, p. 1 and the Official Journal of the European Union L 127 of 23/05/2018, p. 2)), presenting them as the basic obligations of the personal data controller. Its content shows that personal data must be:
1. Processed lawfully, fairly and in a transparent manner for the data subject (lawfulness, fairness and transparency);
2. Collected for specific, explicit and legitimate purposes and not further processed in a manner inconsistent with these purposes (purpose limitation);
3. Adequate, relevant and limited to what is necessary for the purposes for which they are processed (data minimization);
4. Correct and, if necessary, updated, and personal data that is incorrect in the light of the purposes of their processing, must be immediately removed or rectified (correctness);
5. Stored in a form which permits identification of the data subject for no longer than is necessary for the purposes for which the data are processed (storage limitation);
6. Processed in a manner ensuring adequate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, by appropriate technical or organizational measures (integrity and confidentiality).
In accordance with paragraph 2 of the said provision, the controller of personal data (entrepreneur) is responsible for compliance with the above principles and must be able to demonstrate compliance with them (accountability).
When deciding to introduce monitoring, the personal data controller must remember to carry out a data protection impact assessment. It is required when the processing operation, due to its nature, scope, context and purposes, is likely to result in a high risk of violating the rights or freedoms of natural persons.
The fulfillment of the information obligation included in Art. 13 of the GDPR. It must be, in accordance with Art. 12 of the GDPR, implemented in a concise, transparent, understandable and easily accessible form, in clear and simple language.
Each person has the right to be informed about video surveillance and the right to protect their image against dissemination, unless separate regulations provide otherwise. The obligation to provide such information results from Art. 13 of the GDPR, while the provisions of Chapter III define in detail the rights of the data subject.
The rights of persons subject to monitoring include, among others:
♦ the right to be informed about the existence of monitoring in a specific place, its scope, purpose, name of the entity responsible for the installation, its address and contact details;
♦ the right to access recordings in justified cases;
♦ the right to request the deletion of data relating to it;
♦ the right to anonymize the image on recorded images and / or delete personal data relating to them;
♦ the right to process data for a limited period of time.