GDPR principles and data protection legislation apply to data controllers and processors when CCTV is used. CCTV footage contains personal data, which will likely include identifiable persons on the footage.
The CCTV system must be used proportionately, reasonably and lawfully to protect privacy rights and comply with data protection law.
There should be a CCTV data protection policy in place. This policy should set out the purpose of the CCTV system and how it is to be managed. If an employer operates CCTV at work, employees must be informed.
Evidently, if the system is for security purposes, it should be used only for that. The legal basis relied on for the CCTV will need to be assessed: which of the lawfulness grounds under Article 6 of the GDPR will the processing of data comply with? With a CCTV system, the person will not have given consent.
The processing of the CCTV footage must be necessary, security for the data records must be in place, and a proportionality assessment must be done, i.e. how long the data is to be retained, whether this is appropriate, etc.
If a shopkeeper wishes to use CCTV for security purposes in a shop, focusing the camera on the risk areas in the shop may be appropriate, while having a camera in a staff break room would not.
If individuals' privacy rights may be interfered with, then due consideration must be given to the impact on them, and to whether CCTV of the particular area is necessary and proportional, etc.
Personal data should not be retained for longer than is necessary. The law does not define retention periods. Keeping data for a "just in case" rainy-day scenario will not be sufficient retention justification.
