Linee Guida EDPB 3/2019 sulla videosorveglianza

100059 | 23.01.2022 / Linee guida IT

Allegati:
- Versione IT
- Versione EN

EU, 29.01.2020

Guidelines 3/2019 on processing of personal data through video devices

Il Comitato Europeo per la Protezione dei Dati (EDPB) ha adottato il 29 gennaio 2020 la versione definitiva delle Linee Guida sui trattamenti di videosorveglianza (Guidelines 3/2019 on processing of personal data through video devices) che illustrano in quali termini il Regolamento 2016/679 si applichi al trattamento dei dati personali quando si utilizzano dispositivi video, e mirano a garantire l’applicazione coerente del GDPR in materia.

Le linee-guida riguardano sia i dispositivi video tradizionali sia i dispositivi video intelligenti. Altre tematiche affrontate nel documento riguardano: la liceità del trattamento, l’applicabilità dei criteri di esclusione relativi ai trattamenti in ambito domestico e la divulgazione di filmati a terzi.
_______

Introduction

The intensive use of video devices has an impact on citizen’s behaviour. Significant implementation of such tools in many spheres of the individuals’ life will put an additional pressure on the individual to prevent the detection of what might be perceived as anomalies. De facto, these technologies may limit the possibilities of anonymous movement and anonymous use of services and generally limit the possibility of remaining unnoticed. Data protection implications are massive.

While individuals might be comfortable with video surveillance set up for a certain security purpose for example, guarantees must be taken to avoid any misuse for totally different and – to the data subject – unexpected purposes (e.g. marketing purpose, employee performance monitoring etc.). In addition, many tools are now implemented to exploit the images captured and turn traditional cameras into smart cameras. The amount of data generated by the video, combined with these tools and techniques increase the risks of secondary use (whether related or not to the purpose originally assigned to the system) or even the risks of misuse. The general principles in GDPR (Article 5), should always be carefully considered when dealing with video surveillance.

Video surveillance systems in many ways change the way professionals from the private and public sector interact in private or public places for the purpose of enhancing security, obtaining audience analysis, delivering personalized advertising, etc. Video surveillance has become high performing through the growing implementation of intelligent video analysis. These techniques can be more intrusive (e.g. complex biometric technologies) or less intrusive (e.g. simple counting algorithms).
Remaining anonymous and preserving one’s privacy is in general increasingly difficult. The data protection issues raised in each situation may differ, so will the legal analysis when using one or the other of these technologies.

In addition to privacy issues, there are also risks related to possible malfunctions of these devices and the biases they may induce. Researchers report that software used for facial identification, recognition, or analysis performs differently based on the age, gender, and ethnicity of the person it’s identifying.

Algorithms would perform based on different demographics, thus, bias in facial recognition threatens to reinforce the prejudices of society. That is why, data controllers must also ensure that biometric data processing deriving from video surveillance be subject to regular assessment of its relevance and sufficiency of guarantees provided.

Video surveillance is not by default a necessity when there are other means to achieve the underlying purpose. Otherwise we risk a change in cultural norms leading to the acceptance of lack of privacy as the general outset.

These guidelines aim at giving guidance on how to apply the GDPR in relation to processing personal data through video devices. The examples are not exhaustive, the general reasoning can be applied to all potential areas of use.

[...]

7. TRANSPARENCY AND INFORMATION OBLIGATIONS

It has long been inherent in European data protection law that data subjects should be aware of the fact that video surveillance is in operation. They should be informed in a detailed manner as to the places monitored.19 Under the GDPR the general transparency and information obligations are set out in Article 12 GDPR and following. Article 29 Working Party’s “Guidelines on transparency under Regulation 2016/679 (WP260)” which were endorsed by the EDPB on May 25th 2018 provide further details. In line with WP260 par. 26, it is Article 13 GDPR, which is applicable if personal data are collected “[…] from a data subject by observation (e.g. using automated data capturing devices or data capturing software such as cameras […].”.

In light of the volume of information, which is required to be provided to the data subject, a layered approach may be followed by data controllers where they opt to use a combination of methods to ensure transparency (WP260, par. 35; WP89, par. 22). Regarding video surveillance the most important information should be displayed on the warning sign itself (first layer) while the further mandatory details may be provided by other means (second layer).

7.1 First layer information (warning sign)

The first layer concerns the primary way in which the controller first engages with the data subject. At this stage, controllers may use a warning sign showing the relevant information. The displayed information may be provided in combination with an icon in order to give, in an easily visible, intelligible and clearly readable manner, a meaningful overview of the intended processing (Article 12 (7) GDPR). The format of the information should be adjusted to the individual location (WP89 par. 22).

7.1.1 Positioning of the warning sign

The information should be positioned in such a way that the data subject can easily recognize the circumstances of the surveillance before entering the monitored area (approximately at eye level). It is not necessary to reveal the position of the camera as long as there is no doubt as to which areas are subject to monitoring and the context of surveillance is clarified unambiguously (WP 89, par. 22). The data subject must be able to estimate which area is captured by a camera so that he or she is able to avoid surveillance or adapt his or her behaviour if necessary.

Content of the first layer

The first layer information (warning sign) should generally convey the most important information, e.g. the details of the purposes of processing, the identity of controller and the existence of the rights of the data subject, together with information on the greatest impacts of the processing.20 This can include for example the legitimate interests pursued by the controller (or by a third party) and contact details of the data protection officer (if applicable). It also has to refer to the more detailed second layer of information and where and how to find it.

In addition the sign should also contain any information that could surprise the data subject (WP260, par. 38). That could for example be transmissions to third parties, particularly if they are located outside the EU, and the storage period. If this information is not indicated, the data subject should be able to trust that there is solely a live monitoring (without any data recording or transmission to third parties).

7.2 Second layer information

The second layer information must also be made available at a place easily accessible to the data subject, for example as a complete information sheet available at a central location (e.g. information desk, reception or cashier) or displayed on an easy accessible poster. As mentioned above, the first layer warning sign has to refer clearly to the second layer information. In addition, it is best if the first layer information refers to a digital source (e.g. QR-code or a website address) of the second layer.

However, the information should also be easily available non-digitally. It should be possible to access the second layer information without entering the surveyed area, especially if the information is provided digitally (this can be achieved for example by a link). Other appropriate means could be a phone number that can be called. However the information is provided, it must contain all that is mandatory under Article 13 GDPR.

In addition to these options, and also to make them more effective, the EDPB promotes the use of technological means to provide information to data subjects. This may include for instance; geolocating cameras and including information in mapping apps or websites so that individuals can easily, on the one hand, identify and specify the video sources related to the exercise of their rights, and on the other hand, obtain more detailed information on the processing operation.

 ...

Table of contents
1 Introduction
2 Scope of application
2.1 Personal Dat
2.2 Application of the Law Enforcement Directive, LED (EU2016/680)
2.3 Household exemption
3 Lawfulness of processing
3.1 Legitimate interest, Article 6 (1) (f)
3.1.1 Existence of legitimate interests
3.1.2 Necessity of processing
3.1.3 Balancing of interests
3.2 Necessity to perform a task carried out in the public interest or in the exercise of official authority vested in the controller, Article 6 (1) (e)
3.3 Consent, Article 6 (1) (a)
4 Disclosure of video footage to third parties
4.1 Disclosure of video footage to third parties in general
4.2 Disclosure of video footage to law enforcement agencies
5 Processing of special categories of data
5.1 General considerations when processing biometric data
5.2 Suggested measures to minimize the risks when processing biometric data
6 Rights of the data subject
6.1 Right to access
6.2 Right to erasure and right to object
6.2.1 Right to erasure (Right to be forgotten)
6.2.2 Right to object
7 Transparency and information obligations
7.1 First layer information (warning sign)
7.1.1 Positioning of the warning sign
7.1.2 Content of the first layer
7.2 Second layer information
8 Storage periods and obligation to erasure
9 Technical and organisational measures
9.1 Overview of video surveillance system
9.2 Data protection by design and by default
9.3 Concrete examples of relevant measures
9.3.1 Organisational measures
9.3.2 Technical measures
10 Data protection impact assessment

...

Fonte: EDPB

Collegati: