Every controller is obliged to inform data subjects of the processing of personal data which it carries out. This information must meet the requirements of Articles 12 and 13 of the GDPR.
In accordance with Article 12(1) of the GDPR, the provision of information to data subjects and communications addressed to them must be carried out in a ‘concise, transparent, intelligible and easily accessible manner, in clear and plain language’.
The word ‘provide’ is crucial here and it ‘means that the controller must take concrete steps to provide the information in question to the data subject or to actively direct the data subject to the location of that information (e.g. by means of a direct link, QR code, etc.)’.[1]
In order to make it easier for data subjects to understand the processing of data carried out when using a CCTV system, the EDPB Guidelines on the processing of personal data by video devices[2] suggest a two-tier approach.
Such an approach consists in providing, as a first step, a set of information to data subjects via, for example, billboards (see point 3.1. First level of information), and then, as a second step, communicating via other means all the information required under Article 13 of the GDPR (see point 3.2. Second level of information).
Attention: If the video surveillance targets employees of the controller, the CNPD draws the attention of the controllers to the additional obligations, in particular as regards collective information, provided for in Article L. 261-1 of the Labour Code (see point 5. below).
In that regard, it should also be pointed out that employees must be informed individually and that the mere fact that the staff delegation is informed does not ensure that employees have been informed individually of the precise elements of Article 13(1) and (2) of the GDPR.[3]
3.1. First level of information
In order to inform the data subjects of the presence of a CCTV system, the CNPD recommends communicating, for example via billboards, a first level of information containing:
- the identity and contact details of the controller;
- the purpose(s) of the processing;
- information with the greatest influence on the data subject (e.g. retention period of images, live monitoring, publication or transmission of video footage to third parties);
- the existence of the rights available to the data subjects;
- a statement that more complete information exists (second level of information) and the means of accessing it (e.g. a hyperlink to the controller’s website, the use of a QR code, a telephone number to call or an indication of where this more detailed information is available).
These information signs must be displayed visibly (i.e. a sign of sufficient size) at all times at the main entrances and exits or in the vicinity of the site subject to video surveillance and must be easily legible at head height. The data subjects must in principle be able to acquaint themselves with it before entering the supervised area. For a quick and easy warning of the persons concerned, the billboard is ideally accompanied by pictograms.
Example of a billboard[4]
3.2. Second level of information
The second level of information must contain, in detail, all the information required by Article 13 of the GDPR. It must meet the standards of Article 12 GDPR, and must therefore be drafted in a concise, transparent, comprehensible manner, and in clear and plain language. The second level of information must be made available in a place easily accessible by the data subject. It could possibly be provided or made available by other means, such as a copy of the privacy policy sent by e-mail to employees or a link on the website to an information notice for non-employees.[5] A non-digital version should always be available to the data subject, for example via an explanatory document, which is made available by the controller.
For more information on the principle of transparency in video surveillance, please refer to point 7 of EDPB Guidelines 3/2019 on the processing of personal data by video devices.[6]
------------------------------------------------------------------------------------
[1] See in this regard point 33 of the Guidelines of the Article 29 Working Party on transparency within the meaning of Regulation (EU) 2016/679 (WP260 rev.01), taken over by the European Data Protection Board.
[2] Guidelines 3/2019 of the European Data Protection Board on the processing of personal data by video devices, available at: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32019-processing-personal-data-through-video_en.
[3] See Decision 14FR/2021 of 12 May 2021 of the Restricted Formation of the National Commission for Data Protection, paragraph 47.
[4] Attention: This document is a (non-binding) example of the first-level information. The various sections must be completed and adapted according to the video surveillance system implemented by the controller.
[5] See Decision 14FR/2021 of 12 May 2021 of the Restricted Panel of the National Commission for Data Protection, paragraph 54.
[6] Available at: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32019-processing-personal-data-through-video_en