Tag: Guidelines

EDPB adopts Guidelines on processing of personal data through video devices

13. August 2019

Recently, the EDPB has adopted its Guidelines on processing of personal data through video devices (“the guidelines”). The guidelines provide assistance on how to apply the GDPR in cases of processing through video devices with several examples, which are not exhaustive but applicable for all areas of using video devices.

In a first step, the guidelines set the scope of application. The GDPR is only applicable for the use of video devices if

  • personal data is collected through the video device ( e.g. a person is identifiable on basis of their looks or other specific elements)
  • the processing is not carried out by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, or,
  • the so-called “household exemption” does not apply (processing by a natural person in the course of personal or household activity).

Before processing personal data through video devices, controllers must specify their legal basis for it. According to the guidelines, every legal ground under Article 6 (1) can provide a legal basis. The purposes for using video devices for processing personal data should be documented in writing and specified for every camera in use.

Another subject of the guidelines is the transparency of the processing. The controllers have to inform data subjects about the video surveillance. The EDPB recommends a layered approach and combining several methods to ensure transparency. The most important information should be written on the warning sign itself (first layer) and the other mandatory details may be provided by other means (second layer). The second layer must also be easily accessible for data subjects.

The guidelines also deal with storage periods and technical and organizational measures (TOMs). In some member states may be specific provisions for storing video surveillance footage, but it is recommended to – ideally automatically – delete the personal data after a few days. As with any kind of data processing, the controller must adequately secure it and therefore must have implemented technical and organizational measures. Examples provided are masking or scrambling areas that are not relevant to surveillance, or the editing out of images of third persons, when providing video footage to data subjects.

Until September 9th 2019, the guidelines will be open for public consultation and a final and revised version is planned for the end of 2019.

Article 29 WP will release guidelines on the GDPR by the end of 2016

26. October 2016

As Bloomberg reports, the Article 29 WP will provide guidance on the GDPR soon. Isabelle Falque-Pierrotin, Chairwoman of the CNIL as well as of the Article 29 WP, acknowledged that the GDPR text is ambiguous in some aspects. Therefore, these guidelines aim at serving as an operational toolbox.

Amongst others, the guidance to the GDPR shall refer to the following aspects:

  • The designation of the leading Supervisory Authority in case of complaints or in relation to other procedures. Moreover, aspects of the bilateral cooperation and competence to resolve disputes by the Supervisory Authorities and the European Data Protection Board shall be clarified.
  • Guidance on the figure of Data Protection Officers is one of the priorities of the Article 29 WP, as it will play an essential role in companies on achieving GDPR compliance.
  • The right to data portability has been regulated for the first time in the GDPR. This right will allow data subjects to access their data and transfer data to other data controllers, for example upon the change of telephone provider. The guidance should focus on its scope and implementation.
  • The standard by which the proof of consent will take place, will have to be specified. This is especially important for small and medium-sized companies, for which a “simple pedagogical tool” will be developed.
  • A formal guidance on the Privacy Shield will not take place until the EU Commission has reviewed its functioning after the first year, this is summer or early fall 2017.

At the moment, the Article 29 WP remains neutral with regard to the Brexit. However, Falque-Pierrotin remarked that the Privacy Shield may be also useful in UK regarding international data flows with the U.S.A.

Further guidance is also expected in 2017, especially regarding topics such as the EU-U.S. Privacy Shield and the implication of the Brexit in privacy issues.