Video surveillance systems: new sign templates by the Hellenic Data Protection Authority
The Hellenic Data Protection Authority has recently issued new templates for the signs that a controller should use when processing personal data through video devices. Guidelines regarding the legitimacy of such processing have been issued by both the European Data Protection Board (“EDPB”) and the Hellenic Data Protection Authority (“HDPA”).
More specifically, the EDPB has adopted the final version of guidelines No 3/2019, which provide guidance on how Regulation (EU) 2016/679 (GDPR) applies to the use of cameras for various purposes. The adopted text states that the purposes of processing must be specified in detail and that, in any case, the balance of interests between the data subject and the controller should be ensured. Furthermore, the guidelines cover the exemptions, the rights of the data subjects and the obligations regarding the information to be provided, including a relevant template.
The HDPA had issued guidelines No 1/2011, which are still in force to the extent that they do not conflict with the provisions of the GDPR and which apply as a supplement to the GDPR where needed. Controllers using video surveillance systems are obliged to provide detailed information about the operation of the cameras before the data subject enters the surveillance space. Under the GDPR, the general transparency and information obligations are set out in Articles 12 et seq. GDPR, while further details are provided by the Article 29 Working Party’s guidelines on transparency (WP260). Therefore, data controllers may follow a layered approach, using a combination of methods to ensure transparency.
In particular, the most significant information should be displayed on the warning sign itself (first layer), while further mandatory details may be provided by other means (second layer). The warning sign should generally convey the most important information, such as the details of the purposes of processing, the identity of the controller and the DPO (if there is one), the rights of the data subject, together with information on the greatest impacts of the processing. It should also refer to the second layer of information and explain how to find it. It is suggested that this reference to the second layer be made available through a digital source (URL or QR code). Where the processing goes beyond what a data subject would typically expect, the warning sign must include further information (e.g. transmission to unexpected third parties, particularly if they are located outside the EU, storage period etc.). The information should be positioned in such a way that the data subject can easily recognize the circumstances of the surveillance before entering the monitored area (approximately at eye level).
The second layer information should also be available at a place easily accessible to the data subject or displayed on an easily accessible poster. However, the information should also be easily available non-digitally. It should be possible to access the second layer information without entering the surveyed area (e.g. through links or phone numbers that can be called). The second layer information should set out in more detail the information of the first layer and, in any case, must contain all the mandatory elements provided under article 13 GDPR (the legitimate interests of the controller, the recipients/recipient categories, information on the transmission outside the EU, storage period, how the data subject’s rights may be exercised and information regarding the submission of a complaint).
In this framework, the HDPA has drafted and issued several templates for every layer of information, which you may find at the link provided below.