There’s no doubt that, among the most common technologies, the videosuervillance is the one which has a greater privacy impact in terms of risks relating to the processing, this means present potential negative rights impact, fundamental freedom and the dignity of the natural person (data subject).
The reasons for this are multiple and have to be sought in technological development, which converts this system of always more evolution “control” (see the algorithms of face detection and recognition in facial recognition) both in the use now disseminated and cross-sectional, and in all private areas (companies, businesses, supermarkets, shopping centers, outlet, hospitals, clinics, professional studies, and others more) and public (municipal, local police, Law Enforcement, University, Courts).
For all these reasons the controller, private or public, will have to observe the principles and legal forms referred to in a detailed rule. We can think of the regulatory package under EU Regulation 679/2016 and Decree 196/2003, as amended since Decree 101/2018, or Decree 51/2018, which has received Directive 680/2016 on “police treatment” treatments or also in Article 4 of the Workers’ Statute on remote control and the well-known procedure of the Supervisory Authority on the vidéosurveillance del 8 April 2010.
Added to this legislation are the directives and interpretative opinions of the European Committee for the Protection of Personal Data, among which it is important to recall the recent “Directives 3/2019 on the processing of personal data through video devices” of 29 January 2020.
For this reason, whoever wants to install a video surveillance impandent cannot be exempted from evaluating, leaves in the headquarters of projection, as a controller, what are called “risk inherent to the treatment” and that is to say verify whether or not this system has a negative impact on rights, fundamental freedoms and the dignity of the data subject.
A precise risk assessment will allow the controller to use a properly configured system and also to avoid administrative sanctions, in case of control by the Supervisory Authority (Guarantee and Labour Inspectorate).
Indeed, under the latter aspect, it is important to note that also today the major part of the sanctions procedures relate to violations of the principle of lawfulness (Article 5(1) EU Regulation 679/2016) of ex-Article information13 Defective EU Regulation 679/2016 (see the subject of so-called vidéosurveillance cartels in the Guarantor procedure of 8 April 2010 and the new EDPB Directives n. 3/2020) or because of the lack of union agreement or the authorisation of the Labour Inspectorate (Article 4 n. 300/1970).
Of course, the controller will also be aggravated from the obligation to correct the fullness of other normative profiles, they also bring with them possible responsibilities, such as, for example, time of preservation of the images, the need or not to conduct a privacy impact assessment in accordance with Article 35, EU Regulation 679/2016 or the verification of the correct positioning of the viewing angle of the camcorders.
It is true that vidéosurveillance is a polyhedral technology, capable of integrating with other technologies, such as thermal cameras in access control, or seeking specific applications, such as in the field of public safety with body cams in endowment with police forces, but it is clear that it always asks for a prior assessment of the implications “privacy” with the participation, when present, of the Data Protection Officer (or what is also called Data Protection Officer – DPO).
SOURCE: FEDERPRIVACY