Article 35 of the GDPR requires a "DPIA" to be carried out "where a type of processing, in particular through the use of new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons".
Article 35(3) of the GDPR also provides for three cases in which a ‘DPIA’ is particularly required. One of these three cases concerns the ‘systematic large-scale monitoring of a publicly accessible area’. In some situations, the installation of a video surveillance system could fall in this case.
In addition, the European Working[1] Group (G29) Guidelines on Data Protection Impact Assessment (DPIA) specify the 9 criteria to be taken into account when assessing whether a data processing operation is likely to result in a high risk to the rights and freedoms of natural persons, and therefore whether or not to carry out a DPIA. Depending on the location and context in which video surveillance cameras are implemented, several of these criteria could be met, such as the processing of ‘data concerning vulnerable persons’ (employees, children, the elderly, etc.), large-scale collection, ‘systematic monitoring’ or the criterion of ‘innovative use or application of technological or organisational solutions’.
The CNPD would also like to draw the attention of controllers to Guidelines 3/2019 on the processing of personal data by video devices, which state that:
“Given the common purposes of video surveillance (protection of persons and property, detection, prevention and control of offences, collection of evidence and biometric identification of suspects), it is reasonable to assume that a data protection impact assessment will be necessary in many cases of use of video surveillance. Therefore, it is up to the controllers to carefully consult those documents in order to determine whether an impact assessment should be provided for and to carry it out if necessary.
The result of the analysis carried out should guide the choice of the controller as to the data protection measures implemented. »[2]
---------------------------------------------------------------------------------
[1] Article 29 Working Party Guidelines on Data Protection Impact Assessment (DPIA) and how to determine whether processing is “likely to result in a high risk” for the purposes of Regulation (EU) 2016/679 (WP 248 rev.01), available at: https://ec.europa.eu/newsroom/article29/items/611236
[2] Point 137 of the European Data Protection Board Guidelines 3/2019 on the processing of personal data by video devices. Available at: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32019-processing-personal-data-through-video_en