In the digital age, video surveillance is everywhere—from public spaces to businesses, enhancing security but also raising significant privacy concerns. Under the General Data Protection Regulation (GDPR), strict rules govern how long video footage can be stored, with the widely recommended guideline being no more than 72 hours. Recent rulings and guidelines from Austria and Germany emphasize the importance of adhering to these rules, but also outline key exceptions.
Case 1: Austria's First Fine for CCTV Misuse
In 2018, Austria issued its first GDPR fine related to CCTV misuse. A company was penalized for excessive and unlawful video surveillance in a public area. The cameras covered public sidewalks, which the Austrian Data Protection Authority found to be disproportionate and unnecessary. The company also failed to provide adequate signage, leading to a violation of transparency obligations under GDPR, the result was a 6000€ fine. This case highlights the importance of limiting video surveillance to necessary areas and ensuring transparency with clear signage.
Case 2: The Hanover Decision on Data Retention
A recent ruling by the Administrative Court of Hannover sheds light on the importance of data minimalism in video surveillance. The case involved a 24-hour self-service gas station that retained video footage for 6–8 weeks to prevent vandalism and theft. However, the data protection authority argued that retaining footage beyond 72 hours was excessive unless justified by specific exceptions, such as holiday absences. The court agreed, emphasizing that video footage should be stored only as long as necessary, generally not exceeding 72 hours.
Regulatory Updates: EDPB Guidelines and Austrian Court Decisions
In addition to these rulings, it's important to note the broader regulatory landscape. The European Data Protection Board (EDPB) published its final guidelines on video surveillance in January 2020, which provide detailed examples of lawful and unlawful video surveillance practices. These guidelines underscore the importance of data minimization, lawful processing, and the need for transparency. Notably, the Austrian Federal Administrative Court (BVwG) found some provisions of the Austrian Data Protection Act concerning video surveillance to be invalid, highlighting the need for businesses in Austria to reassess their video surveillance systems for GDPR compliance.
Why These Cases Matter
Both the Austrian and German cases demonstrate the risks of non-compliance with GDPR when it comes to video surveillance. Organizations must ensure that CCTV coverage is proportionate, necessary, and limited to areas where surveillance is justified. Additionally, video footage should not be stored longer than required, and individuals must be informed about the surveillance through clear signage and information.
The Importance of an External Data Protection Officer (DPO)
Given the complexity of GDPR compliance, particularly regarding video surveillance, having an external Data Protection Officer (DPO) can be invaluable. An external DPO brings specialized knowledge and an objective perspective, helping to identify potential risks and implement best practices. They can conduct regular audits, advise on the appropriate retention periods, and ensure transparency with clear signage and privacy notices. An external DPO can also assist with data protection impact assessments (DPIA), which are often required for video surveillance systems due to their potential risks to individuals' rights and freedoms.
Conclusion
The Austria and Hannover cases, along with recent EDPB guidelines, serve as critical reminders of the importance of strict compliance with GDPR when it comes to video surveillance. By adhering to the 72-hour rule and employing the expertise of an external DPO, organizations can minimize legal risks, protect individuals' privacy, and foster trust with customers. Compliance with GDPR is not just about following rules—it's about respecting privacy and maintaining integrity in the digital age.
Commentaires