Video surveillance and privacy: what really matters

Video surveillance offers many benefits to businesses, from crime prevention to investigation. However, these benefits come with complex data protection challenges that should not be underestimated. Data breaches can not only damage a company's image, but can also result in hefty fines. One example is notebooksbilliger.de AG, which was fined €10.4 million. This is where our data protection consultancy comes in: We offer tailored solutions that protect both the security interests of your business and the privacy rights of individuals. Our expertise allows you to focus on your core business while we ensure that your video surveillance practices are fully compliant with current data protection legislation. In this article, we highlight the key elements of compliant video surveillance and how we can help you balance security and privacy.

What is video surveillance?

From a data protection perspective, video surveillance occurs whenever cameras are used to process personal data. This includes not only traditional surveillance cameras, but also any other cameras, such as mobile phone cameras, webcams or drones. On the other hand, it is not even necessary for the camera to be used for surveillance purposes, but rather whether it is actually being filmed. Dummy cameras, on the other hand, do not record any personal data and are not relevant from a data protection perspective. Finally, the footage does not have to be recorded, as even the live transmission, which is viewed on screens and not stored, is video surveillance. It is therefore only the recording itself that is relevant, and the recordings do not even have to be viewed by anyone before they are deleted. The interference with the right to informational self-determination, which is protected by data protection law, occurs as soon as the recording is made.

The legal challenges of video surveillance in public and private spaces

Data protection law is therefore relevant because video recordings of people constitute the collection of personal data as soon as people are clearly recognisable on them, or even if they only contain indications of their identity. Even the information visible through the camera that a certain person was in a certain place at a certain time can constitute personal data.

Being filmed almost always touches on sensitive personal areas. Being free and unobserved in public spaces is therefore a right that cannot be infringed without restriction. The large number of surveillance cameras, their sometimes small size or their positioning can even mean that the people being filmed are not even aware that they are being watched. In addition, new, innovative technical solutions enable extremely high-resolution images. People can be precisely tracked using pan-tilt cameras or identified using facial recognition software. It is now possible for software to identify a person in a corridor. It is also no longer a technical problem to store large amounts of video for very long periods of time. This brings with it a greater risk of increasing interference with fundamental rights, for example those of company employees, guests or others. As a result, there are a number of legal requirements that need to be met. These also vary according to the context in which video surveillance is used. While there are different legal requirements for the surveillance of public and non-public spaces, the GDPR does not apply at all to video recording in purely private areas.

However, private video surveillance of public spaces may fall under a criminal offence, such as the violation of the most personal sphere of life and personal rights through image recording under Section 201a of the German Criminal Code (StGB).

Legal basis for video surveillance: areas of application and data protection provisions according to Art. 6 GDPR

As with any processing of personal data, the lawfulness of the processing requires a legal basis. In principle, any of the legal bases in Art. 6 GDPR can be considered, but the most common legal basis for video surveillance is likely to be processing to protect the legitimate interests of the controller or a third party under Art. 6 para. 1 lit. f GDPR. However, it is possible that higher requirements and other legal bases may be relevant in the context of the employment relationship or the recording of health data.

Purpose of video surveillance: The need for a precise purpose for each camera

The first step is to define the purpose of the video surveillance. It is important that the purposes are not specified for the video surveillance as a whole, but for each individual camera. In addition, the purposes should be described as specifically as possible, and descriptions such as 'as a protective measure' or 'for security reasons' should not be left alone. For example, the above-mentioned protection of property or protection against physical attack could be considered.

Video surveillance in the area of conflict between legitimate interest and data protection under Art. 6 para. 1 lit. f GDPR

Video surveillance may be lawful under Art. 6 para. 1 lit. f GDPR if the company is pursuing a legitimate interest with it. The interest may be of a legal, economic or non-material nature. This includes the prevention of criminal offences or attacks against property or persons as well as the preservation of evidence by the holder of domiciliary rights. In principle, this requires the existence of a specific risk situation based on concrete indications and objective facts, for example if there have already been incidents on the property in the past. However, it is also possible to argue that the circumstances in the specific case typically indicate a dangerous situation, as may be the case in a bank branch or a warehouse with particularly valuable goods, for example.

The requirements of this legal basis include the suitability and necessity of the video surveillance for the intended purpose. In general, it can be said that video surveillance is suitable for the purpose. For video surveillance to be necessary, there must be no equally suitable and less intrusive means available. In particular, it should be checked that the purpose is strictly proportionate to the measure and that, for example, live cameras without recording are not used to preserve evidence, or that (only) the areas where incidents are expected to occur are in the camera's field of view. Alternative measures that should be considered include the use of security guards, burglar-resistant doors and windows, or alarm systems.

Finally, the rights, freedoms and interests of data subjects must be weighed against the interests of the controller (proportionality of video surveillance). It is best to limit the intensity of video surveillance as much as possible in accordance with the purpose pursued. A strict deletion policy also has a positive effect on the balance. The following circumstances may also be relevant to the balancing of interests: Children who are recorded are usually particularly vulnerable. Areas such as canteens or sports facilities are more sensitive, and environments that affect privacy, such as changing rooms and toilets, may not be filmed at all. The legal interests to be protected are also decisive: There is a greater interest in protecting life and limb or valuable property than in protecting low-value items. It is also important what information is recorded, whether sound and conversations are recorded, how large the recording area is and whether people can avoid the cameras. All the circumstances of the individual case must be taken into account and all relevant points must be properly documented.

The limits of consent as a legal basis for video surveillance under the GDPR

Consent under the GDPR is prior consent by means of a voluntary and informed declaration. In the case of video surveillance, however, it is usually not possible to obtain the consent of those being filmed, as it is practically impossible to obtain consent in advance from bystanders who are unknown in advance and who enter the area being filmed. The voluntary nature of giving consent before entering the filmed area may also be questionable. The right to withdraw consent at any time will also often be impracticable, making consent a poor legal basis for video surveillance. This usually also applies to video surveillance on the basis of a contract under Art. 6 para. 1 lit. b GDPR, as video surveillance of uninvolved persons will generally not be necessary for the performance of a contract with them.

Video Surveillance: The Need for Further Action Beyond the Definition of Purpose and Legal Basis

The definition of purpose and legal basis alone is not sufficient to start video surveillance. Depending on the specific design of the planned video surveillance, a number of additional requirements need to be considered and implemented.

Data protection impact assessment for video surveillance according to Art. 35 GDPR: Necessity and Implementation

It should be checked whether a Data Protection Impact Assessment (DPIA) needs to be carried out. According to Art. 35 para. 1 GDPR, a DPIA is generally mandatory if a particular data processing operation is likely to result in a high risk to the rights and freedoms of natural persons, especially when new technologies are used. The analysis of this risk, and the subsequent identification and implementation of appropriate mitigation measures, is central to the conduct of a DPIA. The high risk is quickly reached in the context of video surveillance due to the systematic and extensive monitoring of publicly accessible areas (Art. 35 para. 3 lit. c or the collection of special categories of data).

Defining technical and organisational measures

Irrespective of the DPIA, appropriate technical and organisational measures ("TOM") must always be taken to ensure a level of protection appropriate to the risk (see Article 32 GDPR). In principle, the higher the risks of video surveillance, the higher the level of protection of the measures should be. This depends, on the one hand, on the criteria that are also taken into account in the balancing of interests (see II. 2. above), but also on the risk of unintentional or unlawful deletion, alteration, loss and disclosure of the data or recordings. Measures may include, for example, blacking out or pixellating areas that do not need to be recorded. Security measures such as managing access rights or implementing password protection are also important. Technical features that go beyond normal video recording (zoom, camera movement, sound or recognition software) should be disabled where possible.

The GDPR does not contain a specific rule on the retention period of video recordings. However, recordings may only be kept for as long as is necessary for the specified purpose. Specific deletion periods may therefore vary, depending on factors such as the purpose of the surveillance, applicable laws and internal company policies. In most cases, deletion is likely to be indicated after 48 hours at the latest, or later in exceptional cases. It is also crucial to take into account the rights of data subjects (Art. 12 ff. GDPR): In particular, requests for information and deletion must be dealt with quickly and in accordance with the law.

Information obligations for video surveillance in accordance with Art. 13 and 14 GDPR

Companies must display a corresponding notice that fulfils the requirements of Art. 13 and 14 GDPR and that informs the data subjects moving in the filmed area about

• the video surveillance,
• the controller including contact details,
• the contact details of the data protection officer (if available)
• the legal basis (incl. naming the legitimate interests, insofar as the naming is based on Art. 6 para. 1 lit. f GDPR),
• the purposes,
• the storage duration or the criteria for determining the duration and
• any other recipients.

For this purpose, a clearly visible sign with an appropriate pictogram and the other information mentioned above should be placed in front of the monitored area. Depending on the situation, in addition to the sign, which can only provide an overview of the information, additional information sheets can be displayed to provide more detailed information. In addition, video surveillance must be carefully and comprehensively documented, not least so that the controller can fulfil its accountability obligations (see Article 5(2) GDPR). This includes all circumstances, i.e. the technical and organisational design of the video surveillance, the legal framework and, where applicable, the DPIA. The information should be included in the Record of Processing Activities (ROPA). A separate procedure should be established for each camera in the ROPA.

Special legal requirements for video surveillance: employees and special categories of data under the GDPR

Depending on the area being monitored and the people being filmed, other special legal requirements may apply in addition to the basic requirements mentioned above. The monitoring of employees is often mentioned in this context. Due to the relationship of superiority and subordination between employees and superiors, the increased pressure situation and the possible control of work behaviour, this represents a much greater encroachment on personal rights than, for example, short-term video recordings of passers-by or customers in a shop. However, the exact circumstances of the surveillance must always be taken into account.

There are also significant differences depending on the position of the camera and the duration of the surveillance. It is not permitted to monitor particularly sensitive personal areas such as changing rooms or lounges, or places where work is carried out over an extended period of time. The fewer unguarded rooms or retreats available to employees, or the more intensive the monitoring and surveillance of employees (including for theft or similar purposes), the more likely it is that video surveillance is not permitted. Video surveillance of employees is only permissible to prevent crime if there is concrete evidence that a crime has been committed. Companies should also not simply "secure" themselves by obtaining the consent of employees, as this often fails due to the required voluntary nature. § Section 26(2) of the Federal Data Protection Act (BDSG) makes it clear that the dependence of employees on the basis of their employment relationship and the special circumstances of consent must be taken into account. Companies should always check the video surveillance of employees very carefully in advance.

Video surveillance can also quickly lead to the processing of special categories of data under Art. 9 GDPR, which is also subject to special requirements with regard to its lawfulness. This includes, for example, the recording of biometric data, if the face or body size is precisely recorded, or health data, if a hospital only films the entrance and this may make it possible to determine who is a patient. The processing of special categories of personal data is generally not permitted and is only allowed in the exceptional cases listed in Art. 9(2) GDPR. If special categories of personal data are processed, video surveillance can therefore no longer be carried out solely on the basis of a legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR, but an exceptional case of Art. 9 (2) GDPR must be fulfilled. If special categories of data are also processed extensively, a DPIA must be carried out in accordance with Art. 35 para. 3 lit. b GDPR.

Planned amendment to the BDSG on video surveillance of public spaces

An amendment to the provisions on video surveillance in the Federal Data Protection Act (BDSG) is currently being prepared. Section 4 of the BDSG regulates the video surveillance of public spaces, regardless of whether it is carried out by a public or non-public body. In a ruling of 27 March 2019, the Federal Administrative Court (Bundesverwaltungsgericht - BVerwG) found that the provision does not apply to video surveillance by non-public bodies. Rather, video surveillance by non-public bodies is governed solely by Art. 6 para. 1 lit. f. GDPR alone. Following this decision, the legislator has now submitted a draft bill for August 2023 in which video surveillance by public bodies is to be restricted in Section 4 BDSG solely to publicly accessible areas. However, if this amendment remains in the legislative process, it is unlikely to have much effect in practice. This is because the permissibility of video surveillance by non-public bodies would then be subject to the legality requirements of Art. 6 para. 1 lit. f GDPR, according to which video surveillance must be necessary to safeguard legitimate interests and must not outweigh the interests of the data subject worthy of protection.

Video surveillance in the area of conflict between security and privacy: Effective and compliant solutions for businesses

In summary, the permissibility of video surveillance can only be conclusively assessed on a case-by-case basis, as it depends on many factors. The technical capabilities of the cameras, the areas and people to be monitored, and the interests and reasonable expectations of businesses regarding video surveillance must be balanced against the fundamental rights and interests of the people being monitored. The authorities take privacy very seriously when it comes to video surveillance. Implementation is a balancing act between security needs and privacy requirements. As our article shows, it is possible to make video surveillance legally compliant and at the same time protect the interests of the company. We are at your side as an expert partner to help you meet these challenges. We can ensure that you not only comply with complex data protection regulations, but also use them proactively to build trust with your customers and employees. Contact us for personalised advice tailored to your organisation's needs. Together, we can find the best way to make your video surveillance effective and compliant.