Depending on the scope and purpose, video surveillance can be divided into three scales: narrow, medium and wide-scale video surveillance. The scale of video surveillance determines the prerequisites that must be met for its installation to be legal.
The Inspectorate has developed guidelines on the processing of personal data on a large scale, which also include criteria that help determine the scale of video surveillance. Therefore, this time we explain how to determine whether the video surveillance carried out by an organization is considered large-scale video surveillance. We will also explain what requirements must be met for video surveillance to be carried out legally.
Large-scale video surveillance means that the processing is carried out over a significant area and presents high risks for the processing of personal data at regional, national or transnational level. It is usually carried out in a public place, allowing the tracking of a significant number of people. The larger the area monitored and the more people visiting it, the higher the risk of data misuse.
For example, video surveillance could be implemented in a municipality to monitor central streets and parks, thus ensuring public order. It could also be a railway station, which is visited by thousands of people every day, thus recording their daily movements and habits.
Although the scale of data processing should be assessed on a case-by-case basis, the Inspectorate has developed criteria to help determine this. The criteria include the size of the area monitored, the population density and the duration of the data processing. Controllers can use these criteria to determine whether the processing constitutes video surveillance on a large scale.
For example, if a one-hectare area of the Riga city center is monitored, where there is a large flow of people, it will be large-scale video surveillance regardless of the duration of data retention. However, when conducting video surveillance in publicly accessible, but less populated or visited areas, the thresholds for the size of the area and the duration of data retention may be higher for determining large-scale.
If an organization conducts video surveillance of several separate areas, their total area should be taken into account to determine whether video surveillance is taking place on a large scale.
Please note! If video surveillance involves the processing of biometric data for the unique identification of a person, then the criteria specified in the table do not apply and in this case it is considered to be the processing of special categories of data.
What measures must be taken to ensure that video surveillance is carried out legally?
As with any other data processing, video surveillance must have a clear purpose for the processing, a legal basis and the principles of data processing must be observed during the processing. If the core business of an organisation consists of processing activities which, by their nature, scope and/or purposes, require the regular and systematic observation of people on a large scale, it is mandatory to appoint a data protection officer. If the organisation carries out systematic surveillance of a publicly accessible area on a large scale, a data protection impact assessment must also be carried out. It is mandatory to inform people that the area is being monitored by video surveillance, for example by placing information signs. For secure data processing, internal rules must be developed regarding the implementation of appropriate technical and organisational requirements to be followed during the processing.
https://www.dvi.gov.lv/lv/jaunums/dviskaidro-videonoverosana-plasa-meroga-kriteriji-un-nosacijumi