In closing the comment on the EDPB Guidelines no. 03-2019, about a year ago, we wrote that “the next step, at least for video surveillance, could be a provision of the Guarantor which, on the basis of this novelty, will update the 2010 one still in force.” We didn’t get it right: at least for now, the Guarantor intervened with FAQs, published last December 5th. They constitute “general indications inspired by the answers provided to complaints, reports, questions received by the Office in this period”. These clarifications – the document explains – “were necessary due to the new provisions introduced by the Regulation 2016/679>, in the light of which the validity of the Guarantor’s provision on the matter must be assessed, which dates back to 2010 and contains partially outdated provisions. The FAQs also take into account the Guidelines recently adopted on the subject of video surveillance by the European Data Protection Board (EDPB)…”.
Therefore, the use of video surveillance installations or systems complies with the various provisions of the Regulation (and with other legal provisions of domestic law such as, for example, article 4, Law 300/1970for cases in which video surveillance is provided in the workplace) and to those of the Guarantor’s provision of 2010, as compatible with certain legal provisions (remember that Article 22, paragraph 4, Legislative Decree 101/2018, established that “from 25 May 2018, the provisions of the Guarantor for the protection of personal data continue to apply, as they are compatible with the aforementioned regulation and with the provisions of this decree”); while the EDPB Guidelines n. 03-2019 and the Faqs of the Guarantor intervene to clarify how according to the respective authorities the provisions of the Regulation are to be implemented in the design and implementation of video surveillance systems and (with specific reference to the FAQs) which parts of the Guarantor’s provision of 2010 are to be considered outdated .
Reading the Guarantor’s document we find two key words/concepts of the EU Regulation 2016/679.
The first is to accountabilityarchitrave of the system, which invests the owner with the power and responsibility to make choices on the purposes and means of processing, to document those choices, to account for them.
Accountability is to be exercised starting from the decision (never to be taken lightly) whether or not to use video surveillance systems. Not surprisingly, the EDPB Guidelines warn that video surveillance should not automatically be considered a necessity when other means are available to achieve the underlying purpose. This system (with the connected treatment) should be deemed lawful whenever it represents a necessary response to an effective, concrete need which could not otherwise be satisfied.
Accountability means that the data controller is responsible for assessing the lawfulness and proportionality of the processing, taking into account the context and purposes of the same, as well as the risk to the rights and freedoms of natural persons. This includes, of course, the decision on the retention times of the data.
Its further explanation is the prior submission of the treatment to an impact assessment on data protection. Here the Guarantor calls back ad adiuvandum the WP248 Guidelines rev. 01 of 4 October 2017, while the reference to his own measure n. 467 of 11 October 2018 (in addition to the case referred to in Article 35.3, letter c): systematic surveillance on a large scale of an area accessible to the public) recalls that there are cases in which the holder is deprived of the power to decide whether or not to carry out a DPIA, since it is prescribed by law or by a provision of the supervisory authority (pursuant to art. 35.4).
The second pillar is the minimization principle, to which the owner must pay attention “to the choice of recovery and relocation methods and to the management of the various stages of processing” and the data processed must in any case be pertinent and not excessive with respect to the purposes pursued.
dMinimization (as well as accountability) also involves when the owner must establish data retention times: “in general terms – reads the FAQs – the legitimate purposes of video surveillance are often the security and protection of assets. Any damage can usually be identified within a day or two.” And then, “the longer the retention period envisaged is (especially if it exceeds 72 hours), the more reasoned must be the analysis referring to the legitimacy of the purpose and the need for conservation”.
The above means that for the Guarantor the times indicated in § 3.4 of the 2010 provision must be understood as outdated: here – as elsewhere, in the Faq – it is directly inspired by the content of the Guidelines no. 03-2019 which, we repeat, are not binding. And the resulting picture can be perceived as not immediate and linear.
Again, in the document (since it was already mentioned in the 2010 provision) there is an example of retention time directly fixed by law (pursuant to article 6, paragraph 8, Decree n. 11 of 02/23/2009, in the context of the use by Municipalities of video surveillance systems in public places or places open to the public for the protection of urban security, for which “the retention of data, information and images collected through the use of video surveillance is limited to seven days following the detection, without prejudice to special needs for further conservation”), while in the condominium context a term for the conservation of the images that does not exceed 7 days is still considered congruous; moreover, in some cases it may be necessary to extend the retention times of the images, initially set by the owner or required by law, for example to follow up on a request from the authority or the judicial police in relation to an investigative activity in progress.
The principle of minimization is therefore re-proposed with regard to the activities of the Municipalities for monitoring landfills and ‘eco-pitches’ for monitoring the methods of their use, the type of waste discharged and the time of deposit, where it is required that they verify in advance that it is not possible or ineffective to resort to alternative control tools or systems.
Finally, minimization comes into play (a fortiori) when video surveillance involves the processing of sensitive data – a hypothesis which must be included in one of the exceptions to the general prohibition pursuant to art. 9.2 of EU Regulation 2016/679 -, being in any case the bearer of the effort “to minimize the risk of capturing footage that reveals other sensitive data, regardless of purpose.”
All the legislation on privacy, the guidelines of judicial bodies and the Guarantor Authority, many operational tools for each fulfillment: practical guides, commentaries, magazines, action plans, check lists, formulas, news.
The EDPB Guidelines remind data controllers to comply with information transparency obligations, let us remember this: the persons concerned must be aware of the fact that video surveillance is in operation, indeed they should be informed in detail about the places monitored, with signs placed at the access points to video surveillance areas. Controllers, for their part, will be able to follow a multilevel approach, choosing to use combinations of methods to ensure transparency, so that the most important information is displayed through the sign (first level), while the further mandatory details will be provided with other means (second level).
And it is precisely on the first level information (simplified cartel model) that the Guarantor, referring to the Guidelines, intervenes indicating the contents: data controller and purpose of the processing, contact details of the Data Protection Officer (if appointed), image retention times, function/address to contact to exercise rights, scope or context (e.g. a website) to contact for access to complete information.
The Guarantor reiterates, in the light of the provisions of EU Regulation 2016/679the obvious (but which evidently is not yet obvious): private video surveillance is certainly allowed (so-called ‘domestic exemption’ pursuant to art. 2.2, letter c) but attention must be paid to the visual angle of the footage which, even without recording images, they must never concern common areas in a condominium, areas of private property of others, public areas or areas of public transit.
Likewise, it is not forbidden to private individuals the use of video cameras installed in one’s home for solely personal control and security purposes; except that, where employees or collaborators operate (such as babysitters, housekeepers, etc.), they must in any case be informed of the treatment, which cannot be detrimental to the dignity of the person (as in the case of a device installed to restart the bathrooms) and must be assisted by suitable security measures.