On 25th May 2018, the GDPR[1] has come into effect. One of the direct consequences of the GDPR is that it is no longer necessary to seek prior authorisation from the CNPD to install a CCTV system.
Although the obligation to request prior authorisation from the CNPD has been repealed, controllers who install or have installed CCTV are obliged to comply with the principles and obligations deriving from the GDPR, including the obligation to keep a register of the processing of personal data that is carried out under their responsibility.[2] The processing of personal data resulting from video surveillance will therefore have to be included in this register and include all the information required by Article 30 of the GDPR.
Moreover, contrary to the amended law of 2 August 2002[3] (repealed), the GDPR no longer defines the concept of "surveillance". Nevertheless, the installation of a CCTV system aimed at employees is still to be regarded as the processing of personal data for surveillance purposes in the context of employment relationships within the meaning of Article L. 261-1 of the Labour Code, which must be complied with by the employer.
Without wishing to be exhaustive, the CNPD would also like to recall some of the principles and obligations applicable to video surveillance.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (‘GDPR’).
[2] cf. Article 30 GDPR.
[3] Amended Law of 2 August 2002 on the protection of individuals with regard to the processing of personal data, repealed by the Law of 1 August 2018 on the organisation of the National Commission for Data Protection and the General Data Protection Regime.