The Spanish data protection authority has sanctioned a video surveillance system company for violating Articles 6 and 13 of the General Data Protection Regulation (GDPR).
The organization had installed a sign informing of the installation of a video surveillance system. However, the sign did not indicate the identity of the controller. Moreover, according to the document labeled "Employee Confidentiality Undertaking", provided by the company for signature by its employees, the collection only concerned the viewing of the worker's image, which was not the case in practice.
The possibility of setting up a video surveillance system
The physical image and voice of a person, as defined in Article 4.1 of the GDPR, are personal data. Images and voice captured by a camera or video camera system are indeed personal data: their processing is therefore subject to the Data Protection Act.
Natural or legal persons, public or private, may set up a video surveillance system for the purpose of preserving the security of persons and property, as well as their facilities, in accordance with Article 6.1 of the GDPR. However, cameras and cameras installed for security purposes may not obtain images of the public highway, unless it is essential for this purpose or it is impossible to avoid it due to the location of the cameras. And, in such an extraordinary case, cameras may only capture the minimum amount necessary to preserve the safety of persons and property, as well as their facilities.
The obligation to inform data subjects
Article 12.1 of the GDPR states that anyone who carries out processing of personal data, such as the capture of images by a video surveillance system, must provide data subjects with the information specified in Articles 13 and 14 of the GDPR.
The basis of the necessary information must at least refer to the existence of the processing (video surveillance), the identity of the controller, the possibility to exercise the rights provided for in Articles 15 to 22 of the GDPR, and where to obtain further information about the processing of personal data.
In addition, the Spanish data protection authority found that the company had not provided sufficient information about the video surveillance, including information about the processing, the identity of the controller and the exercise of data subjects' rights.
Moreover, there is no evidence in the proceedings that the controller informed customers and employees of the collection of their personal data involving the voice of the data subjects.