Update regarding video surveillance - only documented purposes justify the means
There are hardly any companies that do not use video surveillance systems (CCTV). Such systems record areas such as plant and work facilities or entrance areas. Oftentimes, the video images are not only displayed live on a monitor (“camera-to-monitor system”), but are also recorded automatically for a certain period of time. Possible purposes for video surveillance include protecting domiciliary rights and detection as well as prevention of crimes such as theft, unlawful entry and trespassing, or property damage.
Nonetheless, the use of CCTV equipment in practice raises a number of issues, some of them as yet unresolved, from a data protection perspective. These issues include, from a formal perspective, questions relating to the implementation of obligations to inform and, from a substantive perspective, in particular the question of the permissibility of the data processing pursuant to the requirements under the General Data Protection Regulation (GDPR). This is due to the fact that the use of CCTV systems is deemed automated processing and the video recordings within companies, stores, and doctors’ offices typically contain personal information since individuals can be identified using such recordings. The German Federal Administrative Court (Bundesverwaltungsgericht) has now provided statements regarding the permissibility of video surveillance from a GDPR perspective – so to speak in an obiter dictum form – in its ruling dated March 27, 2019 (Ref. No. 6 C 2.18).
FACTS UNDERLYING THE DECISION BY THE GERMAN FEDERAL ADMINISTRATIVE COURT
The plaintiff, a dentist, owns a practice in a building housing various other doctors’ offices, as well as a psychiatric outpatient clinic. The front door of the practice is not locked during business hours and the front desk is not manned, i.e., the practice is accessible to the public. The plaintiff installed a digital camera above the front desk which recorded images in real-time. The images were transmitted to monitors in the treatment rooms. Beyond that, the video images were not recorded.
The digital camera monitored the area behind the reception desk as well as those areas where visitors stayed after entering the practice without any monitoring (area in front of the reception desk, the hallway between the entrance door and the front desk and part of the waiting area adjoined to the hallway).
On the outside of the front door and at the reception desk, the plaintiff installed a sign reading “Videogesichert” [under video surveillance].
The data protection authority required, inter alia, the installation of the digital camera in such manner that the areas accessible to visitors were no longer being monitored during the business hours of the practice. The plaintiff unsuccessfully appealed this order in all three administrative court instances.
NON-PERMISSIBILITY OF SUCH VIDEO SURVEILLANCE
The German Federal Administrative Court confirmed that the plaintiff’s video surveillance was impermissible. The Court was of the opinion that this type of video surveillance was not in compliance with Sec. 6b (1) s. 1 BDSG [German federal data protection act] (old version). In said case, previous legal regulations of the BDSG (old version) had to be taken into account since the ruling was prior to the GDPR becoming effective. According to this regulation, video surveillance of publicly accessible areas was permitted when it (No. 2) was necessary to exercise the right to determine who shall be allowed or denied access or (No. 3) was necessary to safeguard legitimate interests for specifically defined purposes and there were no indications that the protection of the data subjects’ interests would prevail.
The Court believed that the plaintiff had not been able to prove justified interests, or the protection of their owner’s rights, to an extent that would establish that video surveillance was required. Video surveillance is required or necessary if a reason, for example a dangerous situation, is supported sufficiently by fact or general life experience and it cannot be dealt with equally well by another measure which is just as efficient, but less invasive.
The reasons of solving and preventing a crime are recognized justified interests; however, video surveillance in such cases can only be justified when and if there is a risk or danger that goes beyond the general risk to life. According to actual findings, this would require an endangerment, i.e., subjective concerns or a feeling of uncertainty do not suffice. Indeed, there would have to be clues or objective indications that crimes such as breaking and entering, robbery or assaults could occur. According to the Court, the storage of valuables and medical drugs does not suffice. Also, the practice was not located in a high-risk area either. The rights of the data subjects are thus more worthy of protection when it comes to video surveillance.
The Court pointed out the efforts to reduce operating costs by decreasing personnel would basically be deemed justified interests within the meaning of Sec. 6b (1) s. 1 (3) BDSG (old version); however, the plaintiff did not provide sufficient arguments and evidence in this regard. The plaintiff did in particular not provide sufficient arguments that the personnel costs could not be reduced equally efficiently by other organizational measures.
Furthermore, the Court clarified that the installation of warning signs and accessing the premises could not be deemed consent for data protection purposes, merely due to the fact that the written form requirement – prescribed by the previous legal regulations – was not met.
STATEMENTS REGARDING THE GDPR
As a mere alternative, the Court stated that the video surveillance was unlawful also in respect of Art. 6 (1) GDPR. First, Art. 6 (1) lit. e) GDPR could not justify data processing since said regulation, in principle, only applied to authorities. Neither does Sec. 4 (1) s. 1 BDSG (new version) apply to video surveillance by private parties.
Finally, the Court states that video surveillance measures can be justified when weighing interests pursuant to Art. 6 (1) lit. f) GDPR. With regard to the assessment of justified interests, necessity or requirement and the weighing of interests, the comments regarding Sec. 6b (1) s. 1 (3) BDSG (old version) can be referred to. Furthermore, the Court made reference to recital 47 of the GDPR, according to which, for example, preventing fraud is deemed a justified interest. In conclusion, the Court accorded greater weight to the data subjects’ information autonomy, also under consideration of the GDPR.
RECOMMENDATIONS FOR ACTION IN PRACTICE
Data surveillance in publicly accessible areas should be designed in compliance with the requirements of the balancing of interests pursuant to Art. 6 (1) lit. f) GDPR. In practice, it is decisive that the company does not merely refer in an abstract manner to an existing owner’s right or risk or danger relating to potential crimes, but documents that there is indeed a risk which can only be mitigated by way of video surveillance.
In addition, it should specifically be reviewed which areas are recorded by the camera and it should be scrutinized whether the area to be recorded could not be restricted equally efficiently (principle of data minimization).
Other GDPR requirements should also be considered when using video surveillance: The data protection supervisory authorities believe that video surveillance recordings should be deleted within a period not to exceed 48 hours if there are no other reasons for storing the images for a longer period of time.
Furthermore, the obligations to inform should be fulfilled by installing appropriate warning signs in order to meet the transparency requirements under Art. 5 (1) lit. a) GDPR, as well as the other obligations to inform. In addition, video surveillance typically requires an evaluation of data protection and privacy consequences.