What do cameras, GDPR and cybersecurity have in common?

GDPR vs. CCTV systems
The GDPR has been in force since May 2018. But even today, 6 years later, not everyone is aware of some of the intricacies of this legislation, especially when it comes to CCTV systems. CCTV systems collect video or voice recordings and often other data using artificial intelligence technologies. This data is personal data. However, the GDPR does not necessarily apply in the case of an individual using a camera, as it contains a so-called 'domestic exemption'. This states that the GDPR does not apply to the processing of personal data by an individual in connection with purely personal or domestic processing. When might this situation arise?
Monitoring of your own home and privately demarcated land

For interior, exterior and garden monitoring, the domestic exemption may apply, but only if no adjacent third-party area, neighboring area, public space or common part of the property is also monitored, for example a communal hallway or entrance area (in which case the CCTV monitoring is covered by the GDPR).

This includes, for example:

Videos capturing hobbies, house parties and gatherings involving friends and family.

It is important to note that if videos are to be posted, for example, on social media, the posts should generally be directed to a limited circle of friends, family members or acquaintances for the domestic exemption to truly apply. The extent and frequency of the processing of personal data should not indicate a professional nature, such as a business activity.

This includes, for example:

The new methodology of the Office for Personal Data Protection

As already indicated, the domestic exemption is interpreted restrictively: it is intended to cover only the personal or domestic sphere of the individual and applies only to natural persons. It therefore cannot be applied to processing carried out by legal persons or by natural persons engaged in business (entrepreneurs). Nor does it apply to professional or commercial activities.

Therefore, if the monitoring involves, for example, a unit owners' association (HOA), or if a business has a CCTV system on its business premises for the purpose of protecting its property, the risks under the GDPR must be assessed. The Office for Personal Data Protection issued a new methodology on CCTV cameras in early 2024. In addition to practical recommendations, it also contains templates for the most commonly drafted documents related to CCTV systems and their operation in terms of data processing and data protection.

The Office's methodology can be found here.

What do cameras, GDPR and cybersecurity have in common?

In the recently published methodology of the Office for Personal Data Protection on the issue of cameras, the effort to link the protection of privacy and personal data with cybersecurity should not be overlooked. The GDPR, as is well known, places only generic requirements on controllers and processors to take reasonable security measures. Specific requirements, however, are not entirely easy to find in it.

The methodology emphasizes that security is a key aspect of the operation of CCTV systems. Ensuring security is intended to include technical and organizational measures to protect the availability, confidentiality and integrity of personal data, and the Authority lists these in a clear manner in the Methodology. But how else to arrive at these security measures than by means of a risk analysis?

Here are the practical steps:

It is important to note here that a risk analysis under the GDPR has certain specificities compared to a risk analysis developed according to cybersecurity standards, when it comes to assessing the impact of processing activities on personal data and the rights and freedoms of data subjects.

However, the Methodology mentions cybersecurity in one more place, namely in connection with determining the purpose of the processing, that is, the reason or aim that the controller (the operator of the CCTV system) pursues through the processing. Formulating the purpose correctly, to the satisfaction of all parties involved, is a common pitfall, especially in the case of cameras. Every supervisory authority tries to minimize the risks and the scope of the processing itself (ideally to none at all), precisely by showing that the controller determined the purpose of the processing illegitimately.

In this context, however, the Methodology states directly that where data is processed in information systems subject to the Cybersecurity Act, the use of cameras may be part of the technical and organizational measures to protect such a system. The purpose of processing personal data here includes ensuring the security of ICT and the protection of property, although in this case it may be a preventive measure against potential targeted attacks on systems regulated by the Cybersecurity Act.
