What do cameras, GDPR and cybersecurity have in common?

The GDPR has been in force since May 2018. But even today, 6 years later, not everyone is aware of some of the intricacies of this legislation, especially when it comes to CCTV systems. CCTV systems collect video or voice recordings and often other data using artificial intelligence technologies. This data is personal data. However, the GDPR does not necessarily apply in the case of an individual using a camera, as it contains a so-called 'domestic exemption'. This states that the GDPR does not apply to the processing of personal data by an individual in connection with purely personal or domestic processing. When might this situation arise?

Monitoring of your own home and privately demarcated land

When monitoring the interior, the exterior or the garden, the domestic exemption may apply, but only if no adjacent third-party area, neighboring area, public space or common part of the property is monitored as well. Examples of such common parts are a communal hallway or an entrance area; in those cases the CCTV monitoring is covered by the GDPR.

This includes, for example:

Videos capturing hobbies, house parties and gatherings involving friends and family.

It is important to note that if videos are to be posted on social media, for example, the posts should be directed to a limited circle of friends, family members or acquaintances so that the domestic exemption truly applies. The extent and frequency of the processing of personal data should not indicate a professional nature, such as a business activity.

This includes, for example:

The new methodology of the Office for Personal Data Protection

As already indicated, the domestic exemption is interpreted restrictively: it is intended to cover only the personal or domestic sphere of the individual and applies only to natural persons. It therefore cannot be applied to processing carried out by legal persons or by natural persons engaged in business (entrepreneurs). Nor does it apply to professional or commercial activities.

Therefore, if the monitoring involves, for example, a unit owners' association (HOA), or if a business has a CCTV system on its premises for the purpose of protecting its property, the risks under the GDPR must be assessed. The Office for Personal Data Protection issued a new methodology on CCTV cameras in early 2024. In addition to practical recommendations, it also contains templates for the most commonly drafted documents related to CCTV systems and their operation in terms of data processing and data protection.

The Office's methodology can be found here.

What do cameras, GDPR and cybersecurity have in common?

In the recently published methodology of the Office for Personal Data Protection on cameras, the effort to link the protection of privacy and personal data with cybersecurity should not be overlooked. The GDPR, as is well known, places only generic requirements on controllers and processors to take reasonable security measures. Specific requirements, however, are not easy to find in it.

The Methodology emphasizes that security is a key aspect of the operation of CCTV systems. Ensuring security is intended to include technical and organizational measures to protect the availability, confidentiality and integrity of personal data, and the Office lists these clearly in the Methodology. But how else can one arrive at these security measures than by means of a risk analysis?

Here are the practical steps:

It is important to note that a risk analysis under the GDPR differs in certain respects from a risk analysis developed according to cybersecurity standards, because it assesses the impact of processing activities on personal data and on the rights and freedoms of data subjects.

However, the Methodology mentions cybersecurity in one more place, namely in connection with determining the purpose of processing, that is, the reason or aim that the controller (the operator of the CCTV system) pursues by the processing itself. Formulating the purpose correctly, to the satisfaction of all parties involved, is a common pitfall, especially in the case of cameras. Every supervisory authority tries to minimize the risks and the scope of the processing itself (ideally to none at all), precisely by showing that the controller has determined the purpose of the processing illegitimately.

In this context, however, the Methodology states directly that, for data processing in information systems subject to the Cybersecurity Act, the use of cameras may be part of the technical and organizational measures to protect such a system. The purpose of the processing of personal data then includes ensuring the security of ICT and the protection of property, although in this case it may be a preventive measure against potential targeted attacks on systems subject to the regulation of the Cybersecurity Act.
