During the summer, there was media coverage of video body cameras, the so-called bodycam. The Danish Data Protection Agency now provides an overview of the obligations and considerations that the data protection officer has to understand when using body cameras.

If you record images and sounds using body cameras, in principle you are subject to the rules and general principles of data protection law.

The processing of personal data by means of body-worn cameras can only take place if the basic principles of processing, e.g. lawfulness, accuracy and transparency, purpose limitation and storage limitation are complied with.

You can read more about the rules in a new text, which includes instructions for employees who have body cameras, observing the duty to provide information and deleting records.

Use of body cameras
In general

If you record images and sounds using body cameras, you are subject to the rules and general principles of the data protection law and not to the rules of the television surveillance law.

Here you can read more about the obligations and considerations that you, as a data controller, have to observe when using body cameras.

Rights and duties

Basic requirements for the processing of personal data and processing rules

The rules of the Data Protection Regulation and the Data Protection Act apply to any form of processing of personal data, including image and sound recordings, in connection with the use of body-worn video cameras. The rules apply to private citizens, companies and public bodies. For law enforcement authorities, however, the Law Enforcement Act still applies in some cases.

The processing of personal data by means of body cameras can occur only if the basic principles of processing, e.g. lawfulness, accuracy and transparency, purpose limitation and retention limitation are complied with.

In addition, as a controller, it is necessary to ensure a basis for processing. In this context, it is essential to be aware that there are special rules that must be observed when processing information about crimes or information of a sensitive nature (e.g., health information or information about religious or political conventions) on images and audio recordings.

The controller is also responsible, by means of other appropriate technical and organizational measures, for the protection of personal data from unauthorized or unlawful processing, as well as from accidental loss, destruction or damage. In addition, only authorized personnel should have access to the recordings.

It is the controller’s responsibility to ensure that personal data are not processed in violation of data protection regulations. This is also the case if a data processor is used.

Instructions for employees

The Danish Data Protection Agency recommends the controller to prepare and distribute to employees who have body cameras instructions. The employee instructions have to include guidelines on the use of these body-worn cameras, including when the video camera has to be activated, the duty to provide information and directions on the rights of data subjects.

Duty to provide information, etc.

The data controller has a duty to provide information to persons who appear on recordings of images and sounds from body-worn cameras. The obligation to provide information can, for example, be fulfilled in the form of information on the controller’s website, markings on uniforms, signs at the entrance or other relevant places and, as far as possible, in connection with the actual image and sound recording.

In addition, the data controller must be prepared to respect the rights of data subjects – this means, among other things, that persons appearing in the recordings may, for example, have the right of access, erasure, rectification, etc.

Deletion of images and audio recordings

The archiving of images and video recordings from body cameras that include personal information must comply with the basic principle of restriction of archiving, which implies that the information must be deleted when it is no longer necessary in relation to the purposes of the processing.

Other legislation

The data controller has to ensure compliance with other relevant legislation regarding the processing of images and audio recordings from body cameras, including the rules of the criminal code on violation of privacy and honor.

When do you have to process your personal data?

You must always have a legal basis for the processing of personal data. Here you can read different bases on which you can base the processing.

When processing personal data, it is necessary to have a legal basis. This is also called legal basis.

The legal basis depends on two things:

1. The type of personal information. In data protection law, information is divided into personal data and sensitive personal data. The data protection law also applies special rules for, among others, the processing of CPR numbers. You can read more about this division in the section “What is personal information?”
2. The situation that makes the processing of personal data necessary. is it to fulfill a contract? is it a legal obligation? is it to perform the duties of a public authority? Often it is the context in which a processing is carried out that determines which legal basis is relevant for the data controller.

Legal basis

Personal data may be processed without consent if necessary for the purposes of:

1. A contract with the data subject
2. The obligations of the controller
3. The vital interests of the data subject or another natural person
   a role in the interests of society or in the exercise of public authority
4. A legitimate interest over which the interests or rights of the data subject do not override.

No. 5 does not apply in principle to the processing of personal data by public authorities (see, however, the examples of exceptions) and in most cases should not be used in the processing of personal data concerning minors.

The processing of sensitive personal data

The term personal data covers for example race, political beliefs, religious beliefs, health information and sexual orientation.

It is generally prohibited to process sensitive personal data, but there are some exceptions to this prohibition.

First, sensitive personal data may be processed without consent if the data subject has clearly disclosed the information in advance.

In addition, you may process sensitive personal data if necessary in order to:

1. The data, obligations and rights under health and social law of the data controller or the data subject.
2. Vital interests of the data subject or of another natural person if consent is not possible.
3. Processing of information about membership or regular contacts by a political, philosophical, religious or trade union non-profit organization (does not include the sharing of information not related to the organization)
4. Determination or processing of a legal complaint
5. Significant social interests
6. Processing of a health professional nature in the health sector
7. Processing for archiving, scientific or historical research or statistical purposes.

Consent

As a matter of principle, the processing of personal data can always take place if the data subject has expressed his/her consent.

But for consent to be valid, it must be voluntary, specific, informed and unambiguous. This means, among other things, that consent cannot be given tacitly and that there are no (unnecessary) negative consequences associated with the lack of consent.

The term “consent” is widely used also outside the data protection law and the meaning and validity requirements may vary. However, if the processing of personal data is based on consent, it is important to meet the requirements for data protection consent. For example, statutory consents that do not relate to data protection are used in health care or social administration. However, these are often processing operations in which the consent does not constitute a legal basis for the processing, but where the legislation or similar has chosen to give the data subject the possibility to say no to the processing.

Processing information on crimes and tax code (CPR number)

The information on the crimes cannot be treated from the public administration if not necessary for the fulfillment of the roles of the authority. The data may not be disseminated unless:

1. The interested party has expressed his/her consent to the transfer.
2. The sharing is carried out in the interest of private or public interests that clearly exceed the interests of those who are concerned.
3. The person concerned has expressed his or her consent to the transfer.
4. The sharing is carried out in the interests of private or public interests that clearly exceed the interests of those justifying confidentiality, including the interests of the person to whom the information relates.
5. The sharing is necessary for carrying out the activity of an authority or requested for the adoption of a decision by the authority or
6. The communication is necessary for the exploitation of the person’s or company’s role vis-à-vis the public.

Private parties may process information relating to crimes if the data subject has given his/her consent. In addition, the processing may take place if it is necessary to pursue a legitimate interest and this interest clearly outweighs the interests of the data subject. Also private parties may not share information without the data subject’s express consent. Sharing may still take place without consent when it is in the interest of public or private interests, including the interests of the data subject, which clearly outweigh the interests of the data subject that justify secrecy.

Public authorities may process personal identity number information for the purpose of unique identification or as a registration number.

Private parties may process information about the personal identity number only when:

1. From the law it follows that
2. The data subject has given his consent in accordance with article 7 of the Data Protection Regulation.
3. The processing occurs only for scientific or statistical purposes, i.e. in case of communication of information relating to tax codes, when the communication is an integral part of the normal functioning of the company, etc., of the type in question, and when the communication is of fundamental importance to ensure the unambiguous identification of the data subject or the communication is requested by an authority or a public authority, or when the data subject has given his consent in accordance with article 7 of the Data Protection Regulation.
4. The conditions pursuant to Article 7 are not met.

Social security numbers may not be published without consent in accordance with Article 7 of the Data Protection Regulation.

Basic processing requirements

It is important to be aware that the term “processing” covers a number of different ways of handling personal data. Having the right to carry out a particular form of data processing – also, for example, collection – of information does not automatically mean that you also have the right to carry out other forms of processing – for example, sharing – of the same information.

Normally, there is no doubt that when a public authority or a private company is authorized to collect certain information, it must also collect, record, use and delete it. But it is, for example, not automatically clear that the data may also be communicated to others. This has to be evaluated separately on the basis of the processing rules.

In addition, it is essential that in the processing of personal information some general and basic principles are present that must always be respected. These principles alone do not confer any right to the processing of information, because this also requires a right of processing, but the principles must always be observed when it comes to processing in accordance with data protection regulations.

Special forms of processing

Some of the processing is subject to a special regulation in the data protection law.

In case of:

• Legal information systems
• Processing for statistical or scientific purposes
• Working conditions
• Marketing
• Archive
• Credit bureaus

SOURCE: AUTORITA’ PER LA PROTEZIONE DEI DATI DELLA DANIMARCA