So far, we have dealt with the new European privacy regulation, aka GDPR, from the “top”, trying to shed light on what the legislation provides. It is a regulation that, in spite of the short timeframe for complying with it, is still unknown to most people or is not given the right importance. So let’s look at a “practical case”, an example of how the GDPR will be applied in real life.
One thing many companies have in common is a video surveillance system, installed to complement anti-intrusion systems, and not only for that… Have you ever wondered whether these systems are compliant? This is a legitimate question, given that the provisions on privacy and the processing of personal data also apply to video surveillance systems. According to the Italian Privacy Authority (Garante per la Privacy), a video surveillance system is compliant when it respects the principles of lawfulness, necessity, proportionality and purpose. Briefly, a video surveillance system may record images if this is necessary to comply with legal obligations or to protect a legitimate interest (lawfulness); the filming must be limited to what is necessary to achieve the intended purposes (necessity); the system must be used only in places where it is really necessary, limiting the filming to the areas concerned and excluding the view of the surrounding areas (proportionality); the purpose of video surveillance must be explicit and legitimate, and limited to the purposes relevant to the holders of the data (purpose).
As for consent, it is not necessary if the purpose of video surveillance is to protect people and property from possible aggression, theft, robbery or vandalism, or to ensure fire prevention or work safety… Monitoring employees’ work activities through video surveillance is not among the contemplated purposes! It is also important to be clear about how long images are retained: recordings may be kept temporarily, for a maximum period of 24 hours following their acquisition, except for special needs such as police investigations or judicial requests. However, the timeframe varies depending on the type of activity: in the case of banks, for example, longer retention times are allowed, but not more than seven days.
The fact that banks are sensitive targets for crimes such as robbery means that ordinary customers are also recorded, and therefore their protection must be ensured: customers who pass through or stop in areas under video surveillance must be informed by means of clearly visible signs. This obligation to inform does not apply in public places where cameras are installed for the protection of public order and safety.
Private entities and public economic entities are only allowed to process personal data resulting from video surveillance after having first obtained the consent of the person concerned, or where the principle of lawfulness applies. This consent is only valid if it is expressed and documented in writing.
Sara Avanzi