In addition to the principles set out in these guidelines, all the provisions of the GDPR remain, of course, applicable to the processing of personal data that constitutes video surveillance.
Thus, the CNPD wishes to recall, in particular, that if the controller uses a service provider to install or manage the video surveillance device (for example, a security company), that service provider will be regarded as a processor within the meaning of Article 4(8) of the GDPR if it processes personal data on behalf of the controller. In this case, a data processing contract meeting the criteria of Article 28 of the GDPR will have to be concluded between the controller and the processor.
Furthermore, the CNPD wishes to draw the attention of controllers and processors to the obligation stemming from Article 32 of the GDPR to put in place adequate technical and organisational measures to ensure the security and confidentiality of the data undergoing processing. This means in particular that:
- access to the data collected via the video-surveillance system must be limited only to persons who, in the course of their duties, have a legitimate need to have access to them, in view of the purposes pursued.
- access to the data must be secure (e.g. with a strong password and login) and each person with access to the data must have an individual access account. An access log must also be available, so that it is possible to trace the persons who accessed the data, as well as the data that were accessed by those persons, in the event of abuse.
For further recommendations, including on the rights of data subjects, the CNPD refers to the EDPB Guidelines 3/2019 on the processing of personal data by video devices.[1]
In addition, the CNPD would like to recall that if a processor (e.g. a security company) is involved in the context of video surveillance, a data processing contract meeting the criteria of Article 28 GDPR will have to be concluded. Further information on the use of processors is available on the CNPD website.[2]
Finally, the CNPD wishes to draw the attention of controllers to the importance of the country in which the images captured by the video surveillance system are stored, whether this storage is carried out by the controller itself or by its processor (e.g. where a processor offers a solution that stores images in the cloud). Indeed, if the images are transferred to a country outside the European Union, the controller must comply with the GDPR requirements for data transfers to third countries. More information is available on the CNPD website.[3]
--------------------------------------------------------------------------------------------------------
[1] Guidelines 3/2019 of the European Data Protection Board on the processing of personal data by video devices, available at: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32019-processing-personal-data-through-video_en.
[2] https://cnpd.public.lu/en/professionals/obligations/subcontractors.html
[3] https://cnpd.public.lu/en/files-thematics/transfers-international-done-personal.html