Draft Guidelines
on
personal data processing within video surveillance systems
This project is funded by the European Union
Table of content
1. Introduction: Video cameras and data protection
2. About this guidance paper
3. Scope of this guidance paper
3.1. Intended scope
3.2. Household exemption
3.3. Video surveillance in residential areas and in child care institutions
3.4. Targeted audience / readers of this guidance paper
3.5. Dummy or fake cameras
4. Deciding on whether and which video surveillance system to be used
4.1. Basic and initial considerations at the beginning
4.2. Privacy and Data Protection Impact Assessment (DPIA)
4.3. Possible legal grounds and proportionality considerations
5- Governance over video surveillance data
5.1 Ensuring effective administration
5.2 Maintaining recorded material and using the information
5.2.1 Storing and viewing video surveillance system information
5.2.2 Disclosure
5.2.3 Subject access requests
5.2.4 Freedom of information
5.2.5 Retention and deletion of data
6. Selecting, positioning and using video surveillance systems
6.1. Selection and design of systems
6.2. Positioning of video surveillance cameras
6.3. Using the equipment
6.4 Areas of elevated expectations for privacy
6.5. Quality or resolution of images
7. Instruments for better achieving data protection compliance
7.1 Signposting
7.2 Signs on roads
7.3 Privacy notices
7.4 Other responsibilities
8. New trends in video surveillance technologies
8.1 Body worn video
8.2 Unmanned Aerial Systems (UAS) - drones
8.3 Automated recognition technologies
8.4 Dash cams in automobile vehicles
Appendix A
Checklist for users of limited video surveillance systems, e.g. when monitoring small retail and
business premises
Appendix B
Guiding principles for the deployment of video surveillance systems
1. Introduction: Video cameras and data protection
Private or public organisations1 which think about using video cameras or surveillance systems might
wonder why they have to deal with data protection legislation and requirements laid out by those provisions
that need to be met with regard to this technology. Some might argue that recording images of – in most
cases – totally unknown or unidentified people or capturing images by live-broadcasting (monitoring) only
would not be what they think is to be understood as processing of personal data.
However, recent legislative acts, such as the EU General Data Protection Regulation or the current draft law
on personal data protection in the Republic of Moldova, explain clearly that the term of “personal data” is to
be understood broadly.
Art. 4 (1) of the EU General Data Protection Regulation provides a definition of “personal data”. It says:
“personal data” means any information relating to an identified or identifiable natural person (“data
subject”)”. It further states that “an identifiable natural person is one who can be identified, directly or
indirectly, in particular by reference to an identifier such as name, an identification number, location data,
an online identifier or to one or more factors specific to the physical, physiological, genetic, mental,
economic, cultural or societal identity of that natural person.”.
By including reference to the “physical” or “physiological” identity of a natural person, this definition of
“personal data” will be applicable to images of natural persons that are captured or recorded by video
cameras, because typically data on their physical characteristics, will be seen on video images. It is not
necessary that people who see such video images actually know the individuals shown on the images, so
that these individuals would be recognised making them an “identified natural person”. The definition of
personal data delivered by the EU General Data Protection Regulation expressly also includes data of
“identifiable” natural persons. Natural persons captured on video material will be identifiable by their
appearance, shape or some other physical or physiological characteristics. Thus, also video data or images
of any persons are to be understood as “personal data”, and consequently the legal provisions of data
protection law do apply to capturing and recording of video images by means of video surveillance cameras.
The definition of personal data, which is included in the draft law on personal data protection in the
Republic of Moldova in Art. 3, first bullet point, states that personal data is “any information identifying or
leading to the identification of the personal data subject”; it further stipulates that there may be “two
categories of data: common and special”. The second bullet point of Art. 3 lists elements of data that fall
into the “common category”; these “shall be, non-exhaustively: first name, given name, patronymic the
single identification number, address, phone number, vehicle registration number, location data, voice,
online identifier or one or several particularities related to the physical, physiological, economic, cultural or 1 the word „organisation“ means every public or private person, entity or body, which may want to or does use a video surveillance system.
societal identity of the natural persons concerned, etc.” This definition ensures that also under this draft law
on personal data protection capturing and recording of video images is to be understood as processing of
personal data – here, again, with regard to identifiable natural persons (their looks and appearance being
“physical” and “physiological particularities” can “lead to their identification”) – and therefore, the
requirements of data protection legislation will apply to video surveillance cameras and systems. Data
protection legislation hereby may include a more general national data protection law as well as a data
protection law governing a specific sector or single provisions on data protection in sector specific laws.
It has been noted that the National Centre for Protection of Personal Data in the Republic of Moldova has
elaborated and submitted to the Ministry of Justice a comprehensive draft law “on the regime of video
devices”, which includes general provisions and requirements on the use of video cameras as well as
provisions on a number of special processing situations, e.g. use of video devices for police purposes or use
of fixed video devices in high-risk public spaces. This might be beneficial both to parties being interested in
using video surveillance systems and to potential data subjects by defining common standards that would
need to be met by all kind of users included in the draft law. It would also define in one comprehensive
legal document the rights of data subjects, and thus probably provide for more transparency and facilitating
exercising these rights by data subjects.
2. About this guidance paper
This guidance paper shall provide general explanation as well as practice advice for operating video
surveillance camera devices that view or record images of individuals. It may refer also to other personal
information collected and stored by organisations with regard to individuals (or “data subjects”). Personal
Information held by organisations is covered by data protection law and the guidance in this paper aims at
helping organisations to comply with these legal obligations.
Data protection law not only creates obligations for organisations, but it also gives individuals rights, such
as the right to access their personal information, or to have it deleted when keeping it is no longer necessary,
as far as derogations do not apply.
The basic legal requirement for all organisations is to comply with data protection law itself. This guidance
paper seeks to set out recommendations on how these legal requirements can be met. Organisations may use
alternative methods to meet these requirements, but if they do nothing they risk not being compliant with
the law. This practice guidance covers a wide area of potential users. This is because data protection law is
applicable to all organisations that process personal data in the private as well as in the public sector.
The recommendations of this guidance are based on the data protection principles that constitute the core of
the data protection law, and have been set out to follow the lifecycle and practical operation of video
surveillance systems.
Some sections of this guidance paper rise questions that need to be answered by organisations in order to
ensure that a good level of data protection will be achieved.
3. Scope of this guidance paper
3.1. Intended scope
Many video surveillance systems will be used to monitor or record the activities of individuals. As such
they process individuals’ information – which is their personal data. Consequently, these surveillance
systems will be covered by data protection law – no matter, whether the system is used by a multinational
company to monitor entry of staff and visitors in and out of its premises, or by a local shopkeeper recording
information to help prevent crime.
However, there are exceptions from the applicability of general data protection law. This needs to be taken
into account when it comes to the activities of specific state institutions, which have the legal task to provide
protection and safety to the civil society. This applies, for example, to the Police and to Law Enforcement
Authorities and their efforts to uphold public safety and security. Specific legal grounds may entitle them to
use video surveillance systems according to their particular needs and to derogate from some data protection
principles, e.g. the right of access can be limited when disclosing the information to the data subject would
endanger the purpose of the Police or Law Enforcement Authority´s activity, such as in the context of an
ongoing investigation against a suspected person. The same considerations apply to the penitentiary
administration, which is entitled by its specific legal provisions to use video surveillance systems according
to the needs that derive from the specific tasks and duties in the area of a prison and its detainees. Such
specific legal provisions can be found e.g. in Article 14 or Article 242 (2) of the Enforcement Code of the
Republic of Moldova both of which relating to the Penitentiary Administration. It is acknowledged that
these specific state institutions are fulfilling particular tasks for the entire society, which may justify
exceptions from general data protection rules and provisions.
This guidance paper will touch also some other video surveillance equipment, such as body worn video
(BWV), unmanned aerial systems (UAS – or “drones”) or “dash cams” in cars.
This paper aims at providing guidance also on information governance requirements, such as data retention
and deletion schedules, which are important to follow in order to comply with the data protection principles.
The use of conventional cameras (not video surveillance cameras) by the news media or for artistic
purposes, such as for film making, is not covered by this guidance paper, because an exemption within the
data protection law applies to activities relating to journalistic, artistic and literary purposes. However, this
guidance will apply to information collected by video surveillance systems that is then forwarded to the
media.
3.2. Household exemption
With regard to solely private data processing, it will be likely that the use of video surveillance systems for
limited household purposes may be exempt from data protection law, see Art. 2 (2) c of the EU General
Data Protection Regulation on “purely personal or household activity” or Art. 2 (3) a of the draft law on
personal data protection in the Republic of Moldova on “processing of personal data by natural persons
exclusively for personal, family or domestic needs”, which may not include “professional or commercial
activities”.
However, the Court of Justice of the European Union (CJEU) issued a judgment in the case of Ryneš on 11
December 2014, where it concluded that where a fixed video surveillance camera faces outwards from an
individual’s private domestic property and it captures images of individuals beyond the boundaries of their
property, particularly where it monitors a public space, the recording cannot be considered as being for a
purely personal or household purposes.
This means that cameras attached to a private individual’s home may, depending on the specific
circumstances, no longer be exempt from the requirements of data protection law. Those circumstances are
likely to include cases where the camera monitors any area beyond the interior and exterior limits of that
individual’s home. This will include any camera to the extent that it covers, even partially, a public space
such as the pavement or adjacent street. It will also cover cameras which capture areas such as neighbours’
gardens.
This decision does not mean that using such a camera is not possible any more, but it does mean that
individuals will have to ensure that its use is legitimate and meets the requirements under data protection
law. In fact, the CJEU made clear that use of cameras to protect a property in this way can meet the
legitimate interest condition in the legislation.
3.3. Video surveillance in residential areas and in child care institutions
As a consequence of the Rynes case decision, house owners and associations which administer
condominiums or apartment blocks on behalf of their owners should check whether their video surveillance
system, if they have one in place, meet these enhanced necessity and proportionality requirements. As a
consequence, the layout or scope of some video surveillance systems might need to be modified (e.g. angle
or resolution of the camera, change or limitation of area to be under surveillance).
Whereas video surveillance in purely private areas I (usually rooms inside a building) in residential quarters
can be admissible – due to the household exemption or by consent of the owners (in case of condominiums
or appartment blocks) –, this may be different, when a public space, e.g. a playground lies between two or
more private buildings. If such a space is owned and managed by the condominium owners, then it can be
considered to be a part of their private property, so that video surveillance would be admissible there, too, if
owners have given their consent to this measure either unanoumisly or by majority (rules on majority can
be laid down in the Condominium´s house administrative rules). However, if a square, space or playground
between building blocks is public and maintained by a municipal authority, then only this authority would
be competent to decide on – and to possibly install and use – a video surveillance system.
In any case, if a video surveillance system shall be used, this will need to be done in line with applicable
legal and technical requirements.
Another sensitive area with regard to the use of video surveillance systems are kindergartens, nurseries or
other institutions which take care of children or minors. The general feeling of most people will be that
children should be raised in an environment of trust and care and that the instalment of a video surveillance
system will not be necessary or appropriate in this specific environment. However, from a legal point of
view, using a video surveillance system might be admissible, if there is an urgent need to be addressed thus
defining a legitimate interest of the kindergarten management or if parents have provided their written
consent. In practice, it would be important to assess the exact scope and design of an intended video
surveillance system. Limiting the area or the duration of video surveillance could potentially make such a
system more proportionate. With regards to staff members, their interests need to be taken into account,
too, in a way that would exclude video surveillance in their social room or in bathrooms and toilets. Also in
this context, it is worth remembering that, if a video surveillance system shall be used, this will need to be
done in line with applicable legal and technical requirements.
3.4. Targeted audience / readers of this guidance paper
This guidance paper is primarily aiming at businesses and organisations that routinely capture individuals’
information on their video surveillance systems. This kind of video camera surveillance usually happens in
an open manner with appropriate signposting. However, the – sometimes covert – surveillance activities of
public authorities, such as the police and law enforcement authorities or the penitentiary administration,
which they are entitled to conduct due to specific legal grounds, are not be particularly touched by this
guidance paper, because they are governed by those specific laws that provide competences to these
authorities (see also previous chapter).
Not all sections of the guidance paper will be fully relevant to all users of video surveillance systems; this
will depend upon the extent and use of the information. Although small-scale users, such as small shops or
retailers, are covered by data protection law, they are unlikely to have very complicated systems, so many of
the recommendations given in this guidance paper might not be relevant. An appendix provides more
specific guidance, as an alternative to the full paper, for very limited use of video surveillance systems
where privacy risks are small and resources are limited. However, small scale users, who want to use a
video surveillance system for any purpose that is not covered in the checklist, still should read the entire
guidance paper.
3.5. Dummy or fake cameras
Data protection law applies to information captured by video surveillance systems, both when they record
and when they merely live-broadcast images. Technically, data protection law does not apply to dummy,
fake or non-operational systems, because there will be no data processing operations. However, an
infringement to freedom and fundamental rights of people affected may occur nevertheless, since even the
mere appearance of the existence or use of video cameras can build pressure on people and make them
behave differently, e.g. by avoiding specific ways or areas; this is often called “chilling effects”. Such
infringements could be pursued by individuals affected on other legal grounds than data protection (e.g.
civil or criminal law, compensation). However, due to their detrimental effects, the provisions of data
protection law might be used here in an analogous way – as if processing of data happened. This would
strengthen data subjects` rights as well as the data protection supervisory authority.
4. Deciding on whether and which video surveillance system to be used
Using video surveillance systems will in many cases be privacy intrusive. These systems are capable of
putting large numbers of lawfully behaving people under surveillance and recording their movements as
they go about their daily activities, thus interfering into their privacy.
4.1. Basic and initial considerations at the beginning
Organisations, which are interested in using a video surveillance system, should therefore carefully
consider whether or not to use such a system. The fact that it is possible or affordable should not be the
justification for recording and processing personal data. If you are such an organisation, you should also
take into account the nature of the problem you are seeking to address; whether a video surveillance system
would be a justified and an effective solution, whether less intrusive solutions exist, what effect its use may
have on individuals (residents as well as third-parties), and whether in the light of this, its use is a
proportionate response to the problem. If you are already using a video surveillance system, you should
periodically evaluate whether it is necessary and proportionate to continue using it.
Example: Cars in a car park are frequently damaged and broken into at night. Consider whether improved
lighting would reduce the problem more effectively than the installation of a video surveillance system.
4.2. Privacy and Data Protection Impact Assessment (DPIA)
You should consider the matters explained above as part of an assessment of the scheme’s impact on
people’s privacy. The best way to do this is to conduct a privacy impact assessment. The European Data
Protection Board (EDPB, see Working Paper 248.rev.01) as well as some national data protection
authorities, e.g. in the UK, have adopted specific guidance papers on how to conduct a proper privacy or
data protection impact assessment (DPIA).
A privacy impact assessment looks at privacy in a wider context than the data protection law, it also takes
into consideration the impact on privacy rights and seeks ways or means to mitigate them. It should look at
the pressing need the video surveillance system is supposed to address, and show whether or not the system
will meet this need. It should be based on reliable evidence and show whether the video surveillance system
proposed can be justified as appropriate to the needs identified – always taking into account the the specific
circumstances of the intended video surveillance system, such as placement of cameras or flow of persons,
4.3. Possible legal grounds and proportionality considerations
Having conducted a thorough data protection impact assessment will also help to meet the requirements laid
out in European and national data protection legislation, either in data protection laws as such or in potential
additional more specific data protection acts or in sections of other, maybe sector specific, laws that relate to
ensuring data protection in those specific areas.
These requirements basically stipulate that there needs to be a legal ground for any processing of personal
data. A legal ground can – in principal - be provided by law or by (freely given) consent of the data subject.
In the context of video surveillance systems such a legal ground could be the legitimate interest, as laid out
in Art. 6 (1) f of the EU General Data Protection Regulation or in Art. 5 (1) f of the draft law on personal
data protection in the Republic of Moldova, of a private or public entity, e.g. the interest to protect property
or to prevent thefts in a retail shop. When applying the legal ground of legitimate interest, it is also
necessary to check whether these interests are overridden by the interests of the data subjects affected by the
intended data processing, particularly if the data subject is a child. By making this check, the proportionality
of the measure needs to be assessed. In particular, it needs to be considered whether the use of the video
surveillance system is necessary to achieve the previously defined purpose, whether it is a suitable means
and whether it is appropriate (or non-excessive), By combining these assessments, a proportionality test on
the intended video surveillance measure can be achieved; this could also be done when conducting the Data
Protection Impact Assessment procedure (see previous chapter). As a general rule, it can be said that, if
there shall be installed a more intrusive video surveillance system, you accordingly need to have a better
justified legitimate interest or more pressing need.
However, with regard to areas, where people reasonably may have higher expectations of privacy, such as
social rooms, bathrooms, toilets, swimming pools or recreational facilities and changing or fitting rooms, in
almost all cases the interests of individuals, who would be subject to a potential video surveillance measure,
will prevail.
A privacy impact assessment should look at the urgent need that the video surveillance system is intended to
address and whether its proposed use has a lawful basis and is justified, necessary and proportionate. Where
the system is already in use, the same issues should be considered or considerations should be made as to
whether a less privacy intrusive method could be used to address the pressing need.
Example: A city administration may face problems with burglars or thefts in a specific area of town, e.g. on
a public square, and consider to use a video surveillance system to prevent or investigate such incidents in
this area. These considerations should include assessments of different options, e.g. the installation of a
fixed permanent video surveillance system or the use of a mobile system only at times when those problems
occurred. The second option would be less privacy intrusive, but may still address the pressing need
sufficiently.
Failure to carry out an appropriate privacy impact assessment in advance has contributed to many of the
data protection problems that have occurred in relation to the use of video surveillance systems.
It should be noted that according to the draft for a new data protection law in the Republic of Moldova a
registration of data processing operations at the National Centre for Personal Data Protection will not be
mandatory any more. This means with regard to video surveillance systems that there will be no need for
data controllers to notify the data protection supervisory authority in order to be compliant with the new
data protection law.
However, there are legal requirements and technical specifications to be taken into account with regard to
video surveillance systems, which may be laid down by other than data protection related legislative
documents. In this context, it should be referred to the Governmental decision HG Nr. 667 of 8th July 2005
regarding the measures for the implementation of the Law no. 283-XV of 4 July 2003 regarding the private
detective and security activity as well as to the legal requirements and norms regarding the installation and
maintenance of the technical and fire protection systems (methodological and technical norms for the design
and installation of the Burglar alarm system as per Annex no. 6 to Governmental decision HG Nr. 667 of 8
July 2005). These decisions define special technical requirements that need to be met by video surveillance
systems.
5- Governance over video surveillance data
5.1 Ensuring effective administration
Establishing a clear basis for the processing of any personal information is essential, and the handling of
information relating to individuals that has been collected from video surveillance systems is no different. It
is important to establish within an organisation who has responsibility for the control of this information, for
example, who will decide what is to be recorded, how the information should be used and to whom it may
be disclosed(within the applicable legal framework, of course). If you are the organisation or entity that
makes these decisions, then you are the data controller and you will be legally responsible for compliance
with data protection law.
Where more than one organisation is involved, you should both know your responsibilities and obligations.
If you make joint decisions about the purposes for and operation of the scheme, then both of you are
responsible under data protection law.
Questions to be dealt with by an organisation, which considers using a video surveillance system
Who has responsibility for control of the information and making decisions about how it can be
used? If more than one body is involved, have responsibilities been agreed and does each know its
responsibilities?
If someone outside your organisation provides you with any processing services, for example editing
information (such as video cameras images), is a written contract in place with clearly defined
responsibilities? This should ensure that information is only processed in accordance with your
instructions. The contract should also include guarantees about security, scope and purpose of data
processing as well as recruiting properly trained staff.
Example: Public authorities may share a common control room for a video surveillance system in order to
cut back on running costs. This will include situations where the video surveillance system is managed by a
third-party on behalf of the public authority. If the video surveillance system monitors the inside of a
hospital but also monitors the main shopping street, then different privacy expectations will apply to the
information gained from each area. The agreement to share services must have guidelines and procedures in
place to ensure that control and use of these systems is appropriate and staff of the common control room
must be adequately trained to deal with the different levels of sensitivity of information.
You will also need clear procedures to determine how you use the system in practice.
Questions to be dealt with by an organisation, which considers using a video surveillance system:
Have you identified clearly defined and specific purposes for the use of information, and have these
been communicated to those who operate the system?
Are there clearly documented procedures for how information should be handled in practice? This
could include guidance on disclosures and how to keep a record of these. Have these been given to
the appropriate people?
Has responsibility for ensuring that procedures are followed been allocated to an appropriate
specific individual responsible person? This person should ensure that standards are set,
procedures are put in place to meet these standards, and that the system complies with legal
obligations.
Are checks or audits carried out on a regular basis to ensure that procedures are being complied
with? This can be done either by the responsible person or by a third party.
You should regularly review whether the use of video surveillance systems continues to be justified. You
should also take into account other relevant rules and guidance which may cover your activities. For
example recommendations on privacy notices, transparency or data transfers to third countries.
5.2 Maintaining recorded material and using the information
5.2.1 Storing and viewing video surveillance system information
Recorded material should be stored in a way that keeps the integrity of the information. This is to ensure
that the rights of individuals recorded by video surveillance systems are protected and that the information
can be used effectively for its intended purpose. To do this you need to carefully choose how the
information is recorded and stored and ensure that access is restricted. You will also need to ensure that the
information is secure and, where necessary, encrypted. Thus, you may also meet the legal requirements
included in data protection law on the security of data processing and on maintaining data integrity; to this
end, you should implement appropriate technical and organisational measures at your organisation with
regard to processing personal data by video surveillance systems. Encryption can provide an effective
means to prevent unauthorised access to images processed in a video surveillance system.
If you are going to be collecting and retaining a large amount of information, for example video footage
from body worn cameras, then you may wish to store the data using a cloud computing system. You will
need to ensure that this system is secure and if you have contracted with a cloud provider to provide this
service, you will need to ensure that the provider can ensure the security of the information.
You should keep a record or audit log showing how the information must be handled, if it is likely to be
used as evidence, when requested e.g. by a law enforcement authority. This will serve also as
documentation for the organisation in order to be able to demonstrate later, if needed, how it has dealt with
such a request. Finally, once there is no reason to retain the recorded information, it should be deleted as
soon as possible. Exactly when you decide to do this will depend on the purpose for using the video
surveillance systems. A record of this process should also be captured.
Many modern video surveillance systems rely on digital recording technology and these methods present
their own problems. It is important that your information can be used, if required, by an appropriate law
enforcement agency. However, another effect of digital technology is that data can be copied or transferred
to another storage device rather easily. Therefore, it has become ever more important to prevent
unauthorised access to data.
Questions to be dealt with by an organisation, which considers using a video surveillance system:
How practicable is it to take copies of a recording off your system when requested by a law
enforcement agency? Can this be done without interrupting the operation of the system?
Can it be provided in a suitable format without losing image quality or time and date information?
How can you ensure that information complies with designated standards?
Will they find your recorded information straightforward to use?
What will you do when recorded material needs to be taken away for further examination?
How will you prevent unauthorised access to video data held by your organisation?
Viewing of live images on monitors should usually be restricted to the operator and any other authorised
person where it is necessary for them to see it, for example to monitor congestion for health and safety
purposes.
Example: Monitors in a hotel reception area show guests in the corridors and lifts, i.e. out of sight of the
reception area. They should be positioned so that they are only visible to staff and members of the public
should not be allowed access to the area where staff can view them.
If you have installed a live streaming camera available to the public so that they can, for example, assess
which route to take on their journey to work based on the level of congestion, you should ensure that it is
appropriately zoomed out so that individuals cannot be identified. If individuals can be identified then this
will need to be justified and shown to be necessary and proportionate.
Recorded images should also be viewed in a restricted area, such as a designated secure office. The
monitoring or viewing of images from areas where an individual would have a reasonable and elevated
expectation of privacy should be restricted to authorised personnel, if monitoring is necessary at all.
Where images are in an area of particular sensitivity, such as a changing room, it may be more appropriate
to only view recorded images after an incident has occurred.
Questions to be dealt with by an organisation, which considers using a video surveillance system::
Are your cameras and monitors correctly sited taking into account the images that are displayed?
Is your monitor viewing area appropriate and secure?
Is access limited to authorised people?
Is recording of video images necessary or is real time monitoring sufficient?
5.2.2 Disclosure
Disclosure of information from video surveillance systems must be controlled and consistent with the lawful
purpose(s) for which the system was established. For example, it can be appropriate to disclose video
surveillance information to a law enforcement agency, when the purpose of the disclosure is prevention,
investigation and detection of criminal offences and other offences, but usually it will not be appropriate to
disclose information about identifiable individuals, for example, to the media.
Every request for information should be approached with care as wider disclosure may be unfair to the
individuals concerned. Disclosure of information may be unfair in cases when it is not transparent to third
parties or when they have good reasons to believe that their privacy will not be challenged, such as in areas
of elevated privacy. In some limited circumstances it may be appropriate to release information to a third
party, where their needs outweigh those of the individuals whose information is recorded.
Example: A member of the public requests video surveillance footage of a car park, which shows their car
being damaged. They say they need it so that they, or their insurance company, can take legal action. You
should consider whether their request is genuine and whether there is any risk to the safety of the other
people involved.
Questions to be dealt with by an organisation, which considers using a video surveillance system:
Are arrangements in place to restrict the disclosure of information in a manner that is consistent
with the purpose for establishing the system and with all relevant law?
Does anyone who may handle requests for disclosure have clear guidance on the circumstances in
which it is appropriate to make a disclosure and when it is not?
Do you record the date of the disclosure along with details of who the information has been
provided to (the name of the person and the organisation they represent) and why they required it?
It is important that if you have a video surveillance systems, or if you are planning to have a video
surveillance system, that you have staff members or people available who are able to deliberately use the
system to access and extract information when disclosure is appropriate.
When disclosing video surveillance images of individuals, particularly when responding to subject access
requests, you need to consider whether the identifying features of any of the other individuals in the image
need to be blurred or obscured. It should be possible to achieve blurring of images by using advanced image
editing software, which nowadays has become widely available and more affordable than in the past.
Example: If footage from a camera that covers the entrance to a drug rehabilitation centre is stored, then
consider obscuring or blurring the images of people entering and leaving it, as this could be considered
sensitive personal data. This may involve an unfair intrusion into the privacy of the individuals whose
information is captured and may cause unwarranted harm or distress. On the other hand, footage of
individual’s entering and exiting a bookshop is far less likely to require obscuring or blurring.
It may be necessary to contract obscuring or blurring out to another organisation. Where this occurs, you
will need to have a written contract with the processor that specifies exactly how the information is to be
used and provides you with explicit security guarantees.
Decisions about disclosure should be made by the organisation operating the video surveillance system.
They may refuse any request for information unless there is an overriding legal obligation, such as a court
order or information access rights. Once you have disclosed information to another body, such as the police,
they become the data controller for the copy they hold. Then it will be their responsibility to comply with
the data protection law in relation to any further disclosures.
The method of disclosing information should be secure to ensure that they are only seen by the intended
recipient.
5.2.3 Subject access requests
Individuals whose information is recorded have a right to be provided with that information or, if they are
happy with it, to view that information. As a general rule, information must be provided promptly or as soon
as possible. Providing information in a timely manner is important, particularly where you may have a
defined retention period which will mean that the information will have been routinely deleted after the
defined period of time. In such circumstances it is good practice to extract and preserve the requested the
information. Excessive, abusive or repetitive access requests lodged by data subjects may be denied by an
organisation in line with the rules set out in applicable data protection legislation for such cases.
The first copy of information provided to an individual in responding to an access request shall be free of
charge. But for additional copies you may consider to charge a nominal fee to cover your expenses, if your
data protection law allows this. Those who request access must provide you with details that allow you to
identify them as the subject of the information and also to locate the information on your system. You
should consider:
o how staff involved in operating the video surveillance system will recognise a subject access
request; and
o whether internal procedures for handling subject access requests are in place. This could include
keeping a log of the requests received and how they were dealt with, in case you are challenged.
It is advisable to design a video surveillance system in a way that it allows to locate and extract personal
data in response to subject access requests – based on the details provided by the data subject (particularly
location, date, time of video recording). The system should also allow for the redaction (e.g. obscuring or
blurring) of third party data where this is possible and deemed necessary.
A clearly documented process will also help guide individuals through such requests. This should clearly
explain what information an individual needs to supply. You should consider:
o The details you will need to find the requester’s information. This might include the date, time and
location where the footage was captured.
o A potential fee you possibly may charge for supplying the requested information and how should it
be paid.
o Whether you have effectively labelled information to assist with retrieval.
o How you will provide an individual with copies of the information held.
It is important to note that where a data subject requests a copy of video surveillance footage or other
information that is related to him/her, you need to provide the data subject with such a copy, unless an
exemption applies. This shall be done by supplying them with a copy of the information in a permanent and
readable form. There are limited circumstances where this obligation does not apply. The first circumstance
is where the data subject agrees to receive the information in another way, such as by viewing the footage.
The second circumstance is where the supply of a copy in a permanent form is not possible or would
involve disproportionate effort.
To ensure data subjects rights you should:
explain to people interested how they can make a subject access request, whom it should be sent to
and what information needs to be supplied with their request;
offer them a copy of this guidance paper or details of the data protection authority´s website; and
tell them how to lodge a complaint about either the operation of the system or failure to comply with
legal requirements at the competent authority (e.g. the data protection authority).
As mentioned before, where information of third parties is also shown with the information of the person
who has made the access request, you should consider whether you need to obscure, blur or otherwise redact
this information in the best possible way you could do this
5.2.4 Freedom of information
Public authorities may receive requests under laws governing the access to information held by public
agencies.
Public authorities should have a dedicated unit which is responsible for responding to freedom of
information requests, and understands the authority’s responsibilities.
Access requests to video footage held by public agencies can be based on freedom of information laws by
an individual without any specific pre-conditions. Other than under data protection law, a request does not
need to refer or to be limited to personal data of the requestor. Therefore, also with regard to video
surveillance images, access to information requests need to be handled by public authorities according to the
requirements laid out in national freedom of information laws. Accordingly, public authorities will need to
check in each case
whether they do have the information or video footage which is sought after by the requestor and
whether it can be disclosed, i.e. whether one or more of the exemptions pertaining to the requirement to
disclose publically held information will apply in the specific case of the request.
Where you think obscuring images will appropriately anonymise third party personal data, then it may be
appropriate to do this rather than exempting the information.
If you are a public authority who has video surveillance systems in place, you may also receive requests for
information under freedom of information laws relating to those surveillance systems. For example,
requestors may ask for information regarding the operation of the systems, the siting of them, or the costs of
using and maintaining them.
If this information is held, then consideration will need to be given to whether or not it is appropriate to
disclose this information under freedom of information law. If it is not appropriate to disclose this
information, then an exemption under freedom of information will need to be used, if one is applicable.
This is not an exhaustive guide to handling freedom of information requests. For further information you
may approach your national office responsible for freedom of information affairs (Ombudsman, Ministry of
Justice, or any other).
5.2.5 Retention and deletion of data
Data protection law does not prescribe any specific minimum or maximum retention periods which apply to
all systems or footage. Rather, retention should reflect the organisation’s purposes for recording
information. The retention period should be determined by the purpose for which the information is
collected and how long it is needed to achieve this purpose. It should not be kept for longer than is
necessary, and should be the shortest period necessary to serve the specific and previously defined purpose.
In any case, this should not be determined just by the storage capacity of a system.
Example: Footage from a video surveillance system shouldn’t be kept for five weeks merely because the
manufacturer’s settings on the video surveillance system allow retention for this length of time.
Where it is not necessary to retain information, for example, it does not achieve the purpose for which you
are collecting and retaining information, then it should be deleted immediately or as soon as possible.
Example: If a supermarket uses video surveillance system to monitor use of its car park when there is a two
hour free parking limit and retains the details gathered from the video surveillance system for those cars that
have not exceeded the parking limit, then this is unnecessary and excessive and unlikely to comply with the
data protection principles.
You should not keep information for longer than necessary to meet your purposes for recording it. On
occasion, you may need to retain information for a longer period, where a law enforcement body is
investigating a crime and ask for it to be preserved, to give them opportunity to view the information as part
of an active investigation.
Example: A system installed to prevent fraud being carried out at an ATM machine may need to retain
images for several weeks, since a suspicious transaction may not come to light until the victim gets their
bank statement.
Example: A small system in a pub or retail shop may only need to retain images for a shorter period of time
because incidents will come to light very quickly. However, if a crime has been reported to the police, you
should retain the images until the police have time to collect them.
Questions to be dealt with by an organisation, which considers using a video surveillance system:
Have you decided on the shortest period that you need to retain the information, based upon your
purpose for recording it?
Is your information retention policy documented and understood by those who operate the system?
Are measures in place to ensure the permanent deletion of information through secure methods at
the end of this period?
Do you undertake periodic checks to ensure that the retention period is being complied with in
practice?
5.3 Staying in control
Once you have followed the guidance in this guidance paper and set up the video surveillance system, you
need to ensure that it continues to comply with the data protection law requirements.
Staff members using or administrating the video surveillance system or information should be trained to
ensure they comply with recommendations of this paper. In particular, do they know:
What the organisation’s policies are for recording and retaining information?
How to handle the information securely?
What to do if they receive a request for information, for example, from the police?
How to recognise a subject access request and what to do if they receive one?
All information must be sufficiently protected to ensure that it does not reach the wrong recipient. This
should include technical and organisational measures as well as physical security. For example:
Are sufficient safeguards in place to protect wireless transmission systems from interception?
Is the ability to make copies of information restricted to appropriate staff?
Are there sufficient controls and safeguards in place if the system is connected to, or made available
across, a computer, e.g. an intranet?
Where information is disclosed, how is it safely delivered to the intended recipient (e.g. details on
the methods, ways and technology being used for delivery of data)?
Are control rooms and rooms where information is stored secure?
Are staff members trained in security procedures and are there sanctions against staff who misuse
video surveillance system information?
Have staff members been made aware that they might commit a criminal offence if they misuse
video surveillance system information?
Is the process for deleting data effective and being adhered to?
Have there been any software updates (particularly security updates) published by the equipment’s
manufacturer that need to be applied to the system?
Any documented procedures that you produce following on from legal obligations or recommendations of
this guidance paper should be regularly reviewed, either by a designated individual within the organisation
or by a third party. This is to ensure the standards established during the setup of the video surveillance
system will be maintained.
Similarly, there should be a periodic review, for example bi-annually, of the system’s effectiveness to
ensure that it is still doing what it was intended to do. If it does not achieve its purpose, the video
surveillance system should be stopped or modified.
Questions to be dealt with by an organisation, which considers using a video surveillance system:
Is the video surveillance system addressing the needs and delivering the benefits that justified its
use?
Is information available to help deal with queries about the operation of the system and how
individuals may make access requests?
Does the information include details of the data protection authority if individuals have data
protection compliance concerns?
Is a schedule of regular compliance reviews in place (e.g. every second year), including compliance
with the recommendations of this paper, continued operational effectiveness and whether the system
continues to meet its purposes and remains justified?
Are the results of the review recorded, and are its conclusions acted upon?
Example: A video surveillance system introduced to deal with persistent anti-social behaviour during the
evenings may no longer be justified if this area of the town is no longer popular during this time.
6. Selecting, positioning and using video surveillance systems
Note: This chapter may touch not only data protection issues, but also operational aspects of video
surveillance systems
6.1. Selection and design of systems
The information collected by a video surveillance system must be adequate for the purpose. The type of
video surveillance system you choose and the location it operates within must also achieve the purposes for
which you are using it. You should ensure that the design of any video surveillance systems you purchase
allows you to locate and extract personal data in response to subject access requests. They should also be
designed to allow, as far as possible, for the redaction of third party data where this is deemed necessary.
With regard to design and functionality of a video surveillance system, it might be necessary for the
responsible organisation to check and to take into account legal or technical requirements which may be
defined by other than data protection related provisions.
As outlined earlier in this guidance paper, you should identify, through a privacy impact assessment,
whether or not a video surveillance system is the most appropriate means of addressing the pressing need. If
you decide that a video surveillance system is required then a “privacy by design” approach should be
followed when making decisions about which equipment to purchase. This means that privacy matters
should always be taken into account from the beginning as well as through the whole process of
considering, selecting and installing a video surveilance system by asking whether there is a (more) privacy-
friendly solution. You will need to identify which equipment will address the pressing need in the best
possible and ideally in a privacy-friendly way. The equipment you choose should, for example, be designed
in a way that it collects the information only that is necessary to meet the purpose for which the video
surveillance system was installed.
Example: A video surveillance system that allows recording to be switched on and off easily, and therefore
does not have to record continuously, will help mitigate the potential risk of recording excessive amounts of
information.
6.2. Positioning of video surveillance cameras
Both permanent and movable cameras should be sited and image capture should be restricted in a way that it
is ensured that they do not view areas that are not of interest and are not intended to be subject to video
surveillance, such as individuals’ private property. The cameras shall be sited openly and easily visible to
people who are about to enter an area under video surveillance. The system must have the necessary
technical specification to ensure that unnecessary images are not viewed or recorded, and those that are
recorded are of the appropriate quality.
Example: Check that a fixed traffic monitoring camera will not cover areas that are not relevant for its
purpose, e.g. gardens of private houses next to the street.
Questions to be dealt with by an organisation, which considers using a video surveillance system:
Have you carefully chosen the camera location to minimise viewing spaces that are not of relevance
to the purposes for which you are using a video surveillance system?
Where a video surveillance system has been installed to deal with a specific problem, have you
considered setting the system up so it only records during the time when the problem usually
occurs? Alternatively, have you considered other privacy-friendly ways of processing images? For
example, some systems only record events that are likely to cause concern, such as movement into a
defined area. This can also save on storage capacity.
Will the cameras be sited to ensure that they can produce images of a suitable quality, taking into
account their technical capabilities and the environment in which they are placed?
Is the camera suitable for the location, bearing in mind the light levels and the size of the area to be
viewed by each camera?
Are the cameras sited so that they are secure and protected from vandalism?
Will the system produce images of sufficient size, resolution and frames per second?
6.3. Using the equipment
It is important that a video surveillance system produces information that is of a suitable quality to meet the
purpose for which it was installed. If identification is necessary, then poor quality information that does not
help to identify individuals may undermine the purpose for installing the system.
Questions to be dealt with by an organisation, which considers using a video surveillance system:
Does the video surveillance system produce good quality information? Will the quality of the
information be maintained throughout the recording process?
Have you considered the compression settings for recording material? In a digital system, a high
level of compression will result in lower picture quality on playback.
Have you set up the recording medium in such a way that information cannot be inadvertently
corrupted?
Is there a regular check that the date and time stamp recorded on images is accurate (for example,
if your country switches between summer and winter time)?
Has a regular maintenance scheme been set up to ensure that the system continues to produce high
quality information?
Have you ensured that your wireless transmission system is suitably secure, if one is used? If
necessary, do you have the ability to encrypt information?
6.4. Areas of elevated expectations for privacy
In areas where people reasonably may have a heightened expectation of privacy, such as in changing rooms,
or social rooms at the workplace, cameras should not be used; this might be an option only in the most
exceptional circumstances where it is necessary to deal with very serious concerns. In these cases, you
should make extra efforts to ensure that people affected by video surveillance are aware that they are being
recorded and that appropriate restrictions on viewing and disclosing images are in place. This applies
mainly to the use of video surveillance systems by private entities. Public entities, such as law enforcement
authorities, may have specific legal grounds to use video surveillance systems in these surroundings (see
chapter 3).
6.5. Quality or resolution of images
To judge the necessary quality of images, it will be necessary to take into account the purpose for which a
video surveillance system will be used and the level of quality required to achieve the system´s purpose.
This judgement should be guided by the rule that it usually will be less privacy intrusive to have images of
standard or a lower kind of resolution.
7. Instruments for better achieving data protection compliance
7.1. Signposting
Organisations which use video surveillance systems must let people know when they are in an area where
such a system is in operation.
The most effective way of doing will in most cases be by using prominently placed signs at the entrance to
the video surveillance system’s zone and reinforcing this with further signs inside the area. This message
can also be backed up with an audio announcement, where public announcements are already used, such as
on a train.
Clear and prominent signs are particularly important where the video surveillance systems are very discreet,
or in locations where people might not expect to be under surveillance. As a general rule, signs should be
more prominent and frequent in areas where people are less likely to expect that they will be monitored by a
video surveillance system.
Signposting should:
be clearly visible and readable;
contain details of the organisation operating the system, the purpose for using the surveillance
system and who to contact about the scheme (where these things are not obvious to those being
monitored);
include basic contact details such as a simple website address, telephone number or email contact;
and
be an appropriate size depending on context - for example, whether they are viewed by pedestrians
or car drivers.
Example: “Images are being monitored and recorded for the purposes of crime prevention and public safety.
This scheme is controlled by Chisinau Municipal Council. For more information, call 01234 567890, or see
privacy notice at www...”
Questions to be dealt with by an organisation, which considers using a video surveillance system:
Do you have signs in place informing people that a video surveillance system is in operation?
Do your signs convey the appropriate information?
7.2 Signs on roads
Appropriate signs must be provided to alert drivers to the use of cameras on the road network or in areas
that vehicles have access to, such as car parks. It is important that these signs do not affect the safety of road
users. You should consider the amount of time the driver will have to read the information you provide;
particularly where the road has a high speed limit. Signs must make clear that cameras are in use and
explain who is operating them, so that individuals know who holds information about them and therefore
have the opportunity to make further enquiries about what is happening with their data. Where authorised
signs under road traffic sign regulations are used and these don’t explain which organisation is operating the
cameras, then supplementary signs should be used.
7.3 Privacy notices
It is clear that video surveillance and similar devices present more difficult challenges in relation to
providing individuals with fair and lawful processing information, which is a requirement under data
protection law. For example, it will be difficult to ensure that an individual is fully informed of this
information, if the video surveillance system is airborne, on a person or not visible at ground level.
However, these are issues that must be taken into account, as organisations are unlikely to comply with the
data protection principles. if they do not make all reasonable efforts to provide fair and lawful processing
information. If they are considering using such devices, it will be necessary to come up with appropriate and
potentially innovative ways of informing individuals about their rights.
Example: In addition to more traditional methods, it may be useful to use social media or internet websites
to inform individuals that certain types of video surveillance systems are in operation at a specific time and
in a specific area. Further links can be provided to privacy notices so that data subjects can find out more
information if they are interested.
One of the main rights that a privacy notice helps to deliver is an individual’s right of subject access. If you
have decided that you are going to use these devices you will need to have the ability to provide information
to requestors, be able to obscure or edit the information where necessary and have staff trained to deal with
the different issues that may arise when responding to a subject access request. If you’re a public authority
you will also need to consider your response to freedom of information requests (see previous chapters).
7.4 Other responsibilities
Staff members operating a video surveillance system also need to be aware of further rights that individuals
have under data protection law, such as the right to deletion of personal data or the right to contradict to the
processing of personal data by the data subject. Staff members need to recognise a request from an
individual to prevent a processing of personal data which is likely to cause substantial and unwarranted
harm and a request to prevent automated decision-taking or profiling in relation to the individual.
Experience has shown that it is rather unlikely that operators of video surveillance systems receive such
requests. Should this happen nevertheless, you may seek advice from your data protection authority.
Apart from that, other or sector specific laws and their requirements, e.g. with regard to industrial or health
& safety standards or possibly necessary licensing requirements, need to be taken into account when it
comes to installation, design and use of video surveillance systems.
Question to be dealt with by an organisation, which considers using a video surveillance system:
Do the relevant staff members know how to deal with any data protection request lodged by data
subjects (other than access to data requests; see previous chapters), for example a request to
prevent processing or to prevent automated decision making and where to seek advice?
Does your system meet any potential industry or other relevant standards?
Have you satisfied any relevant licensing requirements?
8. New trends in video surveillance technologies
Video surveillance systems have advanced greatly and are not necessarily limited to conventional, fixed-
type of video cameras. Particularly, technical development and miniaturisation have made cameras and
other devices ever smaller, thus facilitating mobile use of such equipment. Mass production and decreasing
prices have led to a widely extended availability and affordability of devices, even for small private
organisations or individuals.
This section covers some of the recently developed video surveillance technologies and how to approach
them. While the technologies covered in this section might present new issues, the recommendations
throughout the rest of this paper will be relevant, nevertheless.
The way the information collected by these technologies can be linked or matched together means that
video surveillance technologies are becoming more interconnected. This presents further issues with regards
to people’s personal data. If you are intending to match data together from different systems, you will need
to be careful that the information you are collecting is accurate and not excessive.
It is possible for data collected by a range of video surveillance systems to be integrated into broader ‘big
data’ processing systems operated by an organisation – either by itself or by a contracted data processor via
outsourcing. This has implications in terms of profiling, what can be learnt about individuals and how
decisions are made about them. Your data protection authority may provide additional advice on the data
protection implications of big data and how to mitigate them.
While developers and vendors of these new technologies may not be data controllers under data protection
law, data protection authorities worldwide recommend that they consider privacy impact assessments and a
“privacy by design” approach when developing their systems for the market. There is also a case for the
system’s instructions or manuals to include information highlighting the importance of addressing data
protection compliance.
As data controller, you are responsible for ensuring that the design of any video surveillance systems you
purchase allows you to easily locate and extract personal data in response to subject access requests. They
should also be designed to allow for the redaction of third party data where this is deemed necessary (see
previous chapters).
8.1 Body worn video
Body worn video involves the use of cameras that are worn by a person and are usually attached to their
clothing or uniform. These devices can often record both visual and audio information. They are
increasingly used across different sectors, most commonly by law enforcement agencies, but their costs
constantly getting lower means that also small businesses and private persons are increasingly able to
purchase and use such equipment.
Body worn video systems are likely to be more intrusive than the more conventional type of video
surveillance systems because of enhanced mobility and less visibility. Before you decide to procure and
deploy such a system, it is important that you justify its use and consider whether or not it is proportionate,
necessary and addresses a pressing need. If you are going to use a combined video and audio recording
system, you need to de-activate the audio-recording function or make sure that there is a legal ground also
for the audio-recording, such as the previous consent provided by those persons whose conversation shall be
recorded. The Police or law enforcement authorities, however, may be entitled to use audio recording
systems under specific conditions and as prescribed by law.
Body worn video devices have the ability to be switched on or off, but it is important to know when and
when not to record. Continuous recording will require strong justification as it is likely to be excessive and
cause a great deal of collateral intrusion. This is because continuous recording is likely to capture people
doing their daily activities as well as the individual person who is the focus of your attention. Further
justification will be required if you consider recording in more sensitive areas, such as private areas,
schools, care homes etc. The pressing social need will have to be far greater in order to justify the use of
body worn video systems. This will require the operator to provide more evidence to support its use in this
situation.
Example: It may be appropriate for a Parking Enforcement Officer to switch on their body worn video
camera when they believe an individual is being aggressive or there is the potential for aggression.
However, it would not be appropriate to switch it on when an individual is only asking for directions.
Individuals using body worn video systems should be able to provide fair processing to data subjects. As
body worn video cameras can be quite small or hard to see, individuals may not be aware that they are being
recorded. It is therefore important that clear signage is displayed, for example on an individual’s uniform, to
show that recording is taking place. You should also think of ways to provide further information to data
subjects if they wish to find out more information, for example, directing them to the privacy notice on your
website, if you have one.
Because of the volume of personal data and potentially sensitive personal data that body worn video
cameras will process and the portability of them, it is important to have appropriate and robust technical and
physical security in place to protect this data. For example, you should make sure that devices can encrypt
data, or where this is not possible have other ways of preventing unauthorised access to information.
Body worn video cameras will, in many cases, be part of a larger workflow of information. You will need to
make appropriate decisions about retention and deletion of data. As you may be recording a large amount of
data, you need to ensure that you can store all of it and have a retention and deletion policy in place. This
policy must set out how long the information should be kept for (this should be the minimum amount of
time necessary to fulfil its original purpose) and when it should be deleted, so that you do not hold excessive
amounts of personal data. You should also consider whether you need to retain all of the footage captured
by a device, or whether extracting short clips would be sufficient.
The information should be stored in a way that recordings relating to a specific individual or event can be
easily identified, located and retrieved. You should also store the data in a way that remains under your sole
effective control, retains the quality of the original recording and is adequate for the purpose for which it
was originally collected.
You should continue to regularly check the use of the body worn video system as a whole to see if it is still
achieving its original purpose. If it appears that it is no longer achieving this purpose or it is no longer
necessary, you should look at potentially less privacy intrusive methods to address the need.
8.2 Unmanned Aerial Systems (UAS) - drones
Unmanned Aerial Systems (UAS) refer to the whole system under which unmanned aerial vehicles (UAV)
operate. They are also referred to using different names such as Remotely Piloted Aircraft Systems (RPAS)
and “drones”. UAV are unmanned vehicles which, if fitted with a camera, are capable of recording images
whilst airborne. These devices can vary in size from the very large, up to the size of a plane, to the very
small, which can be the size of a remote control plane or helicopter. They were first used by the military, but
are now much more affordable and popular. As with BWV systems, the smaller devices can easily be
purchased by businesses and members of the public.
A distinction should be drawn between those individual persons who can be considered as ‘hobbyists’ and
are therefore generally using their device for domestic purposes, and those individuals or organisations who
use the device for professional or commercial purposes. Where UAS are used for non-domestic purposes,
operators will need to comply with data protection obligations and it will be good practice for domestic
users to be aware of the potential privacy intrusion which the use of UAS can cause to make sure they are
used in a responsible manner.
Example: A business may purchase UAS to monitor inaccessible areas, such as a roof to check for potential
damage. Its use should be limited to that specific function and recording should not occur when flying over
other areas that may capture images of individuals.
The use of UAS has a high potential for collateral intrusion by recording images of individuals
unnecessarily and therefore can be highly privacy intrusive. Because of the height UAS can operate at and
the unique vantage point they afford. Individuals may not always be directly identifiable from the footage
captured by UAS, but often could still be identified through the context they are captured in or by using the
devices ability to zoom in on a specific person. As such, it is very important that you can provide a strong
justification for their use. As with all of the other technologies discussed in this guidance paper, performing
a robust privacy impact assessment will help you decide if using UAS is a good method to address the need
that you have identified.
As with other technologies discussed, it is important that the recording system on UAS can be switched on
and off when appropriate. This is particularly important given the potential for the cameras to capture large
numbers of individuals from a significant height. Unless you have a strong justification for doing so, and it
is necessary and proportionate, recording should not be continuous. This is something which you should
look at as part of the privacy impact assessment.
UAS cover the whole system, rather than just the device in the air, so you need to ensure that the whole
system is compliant. You should ensure that any data which you have collected is stored securely, for
example by using encryption or another appropriate method of restricting access to the information. You
should also ensure that data is retained for the minimum time necessary for its purpose and will be deleted
when no longer required.
You may be able to reduce the risk of collateral intrusion by incorporating privacy by design methods. For
example, you may be able to use a device that has restricted vision so that its focus is only in one place.
Privacy by design can be incorporated into your privacy impact assessment and can form part of your
procurement process.
One major issue with the use of UAS is the fact that on many occasions, individuals are unlikely to realise
that they are being recorded, or may not know that UAV have a camera attached. The challenge of
providing fair processing information is something that you must address if you decide to purchase UAS
and if the household exemption does not apply to you.
You may need to consider innovative ways of providing this information. For example, this could involve
wearing highly visible clothing identifying yourself as a (commercial) UAS operator, placing signage in the
area you are operating UAS explaining its use or having a privacy notice on a website that you can direct
people to, or some other form of privacy notice, so they can access further information.
8.3 Automated recognition technologies
The use of technologies to identify individuals’ faces, the way that they walk or their eye movements, for
example when they are looking at advertising, are being increasingly used by organisations. These types of
technologies attract the same data protection concerns as those discussed already in this paper. If you
consider using such systems you must provide fair processing information to data subjects. If you store this
information, you will also need to have an appropriate retention and deletion schedule and have suitable
technological and physical security measures in place. In general, organisations should be very cautious and
reluctant using such technologies due to its potential far reaching effects on privacy of individuals.
Any use of automated technologies should involve some level of human interaction and should not be done
on a purely automated basis. Possibly due to its potential effects on the privacy of individuals, some
jurisdictions – e.g. California or the city of San Francisco – are considering to ban the use of (automated)
facial recognition technology.
8.4. Dash cams in automobile vehicles
Due to the rapid technological development, video cameras have become so small and affordable that they
can easily be used in cars. Such devices may gain popularity, because users tend to consider that dash cams
are a suitable instrument to record what is happening inside their cars or outside of the car and the video
footage will help them in cases of accidents or other events to prove whether they behaved correctly, if such
a proof might be asked by their insurance company or could be introduced as evidence into a court
proceeding.
However, using dash cams in cars will have implications on the privacy of those people who are subject to
this kind of video surveillance. Recording individuals by a video camera constitutes a way of processing
personal data. Therefore, a legal ground will be necessary to fulfil the requirement of lawfulness of the data
processing. The household exemption will in most cases not apply here, since users of dash cams usually
will want to record the surrounding of their vehicles (not only inside the car). Thus, unavoidably other
individuals will be affected by the use of dash-cams.
A possible legal ground for using a dash-cam could be that the user wants to pursue a legitimate interest,
such as protecting his car – but only if the interests of other parties affected by a dash cam do not prevail.
Accordingly, the interest of the user and the interests of other individuals need to be assessed and, if
possible, a balance of interests should be found. The result of such assessments will depend on the specific
circumstances of each case.
In general, a dash cam which runs permanently and covers a wide area will not be acceptable from a data
protection point of view, because the infringement into the privacy rights of others will be too strong.
However, it is worth thinking about how dash cams could be made more privacy-friendly. Some recent
court decisions have provided advice how this could be achieved.
- Recording images should happen only when it – probably – will be necessary
- Video recording should start only when triggered by a specific event or scenario, therefore the dash cam
could be connected to sensors in the car, e.g. with the airbag or the brakes system
- The angle of the cameras should be set in way that it will cover the immediate surrounding area of the car,
but not more remote areas.
- Captured images of individuals could be obscured or blurred
- Regular deletion of video data after a short period of time, if not needed any more; this could be done if
old data will be replaced by new data in the storage device.
- Button to turn a dash cam on or off, if not needed
- A sticker on the car indicating that a dash cam might be used.
Another issue is whether video data collected by a dash cam may be used as evidence in a court proceeding,
even if the use of the dash cam was not compliant with data protection law. It will be within the
responsibility of courts to decide about this in each individual case specifically applying the relevant
provisions of court procedural law. But even if courts allow such evidence, data protection supervisory
authorities still would have the opportunity to start investigations against users of non-compliant dash cams.
Sources / Further reading:
Draft law on personal data protection in the Republic of Moldova (provided by the Centre and by the
RTA of the EU Twinning Project)
Draft law on the regime of video devices in the Republic of Moldova (provided by the Centre and by the
RTA of the EU Twinning Project)
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April on the protection
of natural persons with regard to the processing of personal data and on the free movement of such data,
and repealing Directive 95/46/EC (General Data Protection Regulation)
in the picture: A data protection code of practice for surveillance cameras and personal information,
published by the Information Commissioner of the United Kingdom of Great Britain and Northern
Ireland (UK ICO)
Orientierungshilfe “Videoüberwachung durch nicht-öffentliche Stellen” des Düsseldorfer Kreises der
Konferenz der Datenschutzbeauftragten des Bundes und der Länder in Deutschland (available in German
language only; Orientation guidelines on „video surveillance by non-public bodies“ of the Dusseldorf
Circle of the Conference of the Federals and of State Data Protection Commissioners in Germany)
Appendix A
Checklist for users of limited video surveillance systems, e.g. when monitoring small retail and
business premises
This video surveillance system and the images produced by it are controlled by ………………….. who is
responsible for how the system is used and for notifying the data protection authority about the video
surveillance system and its purpose (which is a legal requirement of data protection law).
We (……) have considered the need for using a video surveillance system and have decided that it is
required for the prevention and detection of crime and for protecting the safety of customers in our
premises. It will not be used for other purposes. We regularly conduct review (e.g. bi-annually) of our use of
the video surveillance system.
Nr Requirement fulfilled
(yes or
no)
Checked
(Date)
By Date of
next
review
1 Notification has been submitted to the
data protection authority and the next
renewal date recorded.
2 There is a named individual who is
responsible for the operation of the
system.
3 The problem we are trying to address has
been clearly defined and installing
cameras is the best solution. This
decision should be reviewed on a regular
basis.
4 A system has been chosen which
produces clear images which the law
enforcement bodies (usually the police)
can use to investigate crime and these can
easily be taken from the system when
required.
5 Cameras have been sited so that they
provide clear images and are visible to
customers.
6 Cameras have been positioned to avoid
capturing the images of persons not
visiting the premises or areas outside of
our premises.
7 There are visible signs showing that a
video surveillance system is in operation.
Where it is not obvious who is
responsible for the system contact details
are displayed on the sign(s).
8 Images from this video surveillance
system are securely stored, where only a
limited number of authorised persons
may have access to them.
9 The recorded images will only be
retained long enough for any incident to
come to light (e.g. for a theft to be
noticed) and the incident to be
investigated.
10 Except for law enforcement bodies,
images will not be provided to third
parties.
11 The potential impact on individuals’
privacy has been identified and taken into
account in the use of the system.
12 The organisation knows how to respond
to individuals making requests for copies
of their own images. If unsure the
controller knows to seek advice from the
data protection authority as soon as such
a request is made.
13 Regular checks are carried out to ensure
that the system is working properly and
produces appropriate quality images.
Appendix B
Guiding principles for the deployment of video surveillance systems
1. Use of a video surveillance camera system must always be for a specified purpose which is in
pursuit of a legitimate aim and necessary to meet an identified pressing need.
2. The use of a video surveillance camera system must take into account its effect on individuals and
their privacy, with regular reviews to ensure its use remains justified.
3. There must be as much transparency in the use of a video surveillance camera system as possible,
including a published contact point for access to information and complaints.
4. There must be clear responsibility and accountability for all video surveillance camera system
activities including images and information collected, held and used.
5. Clear rules, policies and procedures must be in place before a video surveillance camera system is
used, and these must be communicated to all who need to comply with them.
6. No more images and information should be stored than that which is strictly required for the stated
purpose of a video surveillance camera system, and such images and information should be deleted
once their purposes have been discharged.
7. Access to retained images and information should be restricted and there must be clearly defined
rules on who can gain access and for what purpose such access is granted; the disclosure of images
and information should only take place when it is necessary for such a purpose or for law
enforcement purposes.
8. Video surveillance camera system operators should consider any approved operational, technical and
competency standards relevant to a system and its purpose and work to meet and maintain those
standards.
9. Video surveillance camera system images and information should be subject to appropriate security
measures to prevent unauthorised access and use.
10. There should be effective review and audit mechanisms to ensure legal requirements, policies and
standards are complied with in practice, and regular reports should be published.