THE SPANISH DATA PROTECTION AGENCY CAN ASK US AT ANY TIME FOR THE LEGAL AND TECHNICAL SITUATION OF A CCTV INSTALLATION, WHAT DOCUMENTS WILL THEY REQUEST?
The installation of video cameras or Closed Circuit Television (CCTV) are undoubtedly some elements that can endanger the intimacy and privacy of the affected people, whether they are workers, customers, and even pedestrians.
To protect citizens from abuse and possible illegitimate interference, privacy regulations require a series of legal and technical requirements to have a legal and compliant CCTV. The regulations require compliance with principles such as proportionality, security, legitimate interest, information to the affected party, among others.
In any case, in order to facilitate the management of a possible request from the AEPD or another control authority (eg ACPD, AVPD) we recommend that the following supporting documentation be always available and updated:
Information document for the potential workers affected, with special attention to the management of the possible exercises of rights and the correct identification of the purpose of the treatment (eg security, identification, access control, protection of goods and people, others )
Detailed and general plan photographs of the location of the CCTV warning signs at all entrances, (it is important that the text is correct, since on many occasions we have seen said sign without text or with a generic text that does not comply with articles 7, 8 and 9 regarding the duty of information of the RGPD). It should also be noted that the location of the cameras cannot affect the privacy of the workers, users or those affected, therefore, they cannot be located focusing on toilets, union rooms, changing rooms, etc.
In the event that the management of the images and visualization is carried out by a third party, the corresponding treatment manager contract must be signed with everything established in article 28.3 of the RGPD.
Evidence of the technical capabilities of image capture and treatment devices. It should be borne in mind that the devices may have functionalities that affect the risk assessment regarding privacy, such as the use of rotating cameras with built-in zoom (dome) or cameras managed by IP with an Internet connection. It is very important that the entire CCTV system implemented can and does comply with the technical security requirements established by the regulations. For any questions, the AEPD has a specific CCTV management guide of great interest.
Location map of cameras and scope of vision. It is a graphic document where the angles of each device can be determined, attaching a "screenshot" of each viewing plane. In any case, it is convenient to remember the limitations of the use of the image, especially those that may affect public roads or private premises of others.
Registry of Treatment Activities, (RAT) where the analysis of the treatments carried out in the CCTV is included.
Image management protocol, where it is verified who can have access, with what criteria, conservation period, backup system, management systems for possible rights exercises, system security, and all this adjusted to privacy principles by design and by default.
Acts of supervision of the system by the Data Protection Officer, if applicable. To this list made for informative and only illustrative purposes, you can also add the report that has been made prior to the treatment on the suitability and proportionality of the installation (privacy by design), as may be the case of legal obligation ( eg banking entities) or due to antecedents that endanger legal assets to be protected (eg robberies, theft, areas of dangerous or explosive materials, etc.) For more information see "Guide on the use of video cameras for security and other purposes", in www.aepd.es If you have any questions or queries, ATGROUP remains at your disposal.