08.08.2023
Latviešu Русский
Download Print
Other opportunities
Download Print

What should businesses know about video surveillance? (2) 1/32/23

Legal Tax

This article wraps up what we wrote last week.

Smile, you are being watched!

The controller should assess whether a data subject entering the surveillance area can easily spot the security camera. Its location doesn’t need to be disclosed if it’s clear which areas are being observed. The placement of security cameras should be chosen carefully to ensure the scope of surveillance doesn’t go beyond the actual necessity. The controller should put up an information sign that gives Level 1 and Level 2 information described below.

It’s also important to determine the angle and the area the security camera will cover. If this includes some public space or another person’s private property, the controller should take all possible steps to minimise the target area.

Level 1 information

This is the most important piece of information to be placed on the information sign. This information may be placed visually to notify the data subject in a way that’s easy to understand. The Level 1 information should also refer to Level 2 information.

The minimum Level 1 information includes the following details:

  • The controller’s name
  • The controller’s contact details
  • The purpose of data processing
  • A statement of ways to obtain more information prescribed by GDPR article 131

Level 2 information

These are details of video surveillance that must be given in addition. This information should be provided in a place the data subject can easily access, in the form of a completed information sheet or a conspicuous poster, for example. Additional details may also be given on the website or with a QR code, making it easily accessible to the data subject.

How long footage may be retained and the right to have your data deleted

The law is silent on how long security camera footage may be retained, yet personal data must not be retained longer than the required purpose. The controller should determine the retention period so that this data processing follows the principle of data minimisation. The controller should evaluate how long security camera footage is retained depending on whether the risk is low or high. For example, a couple of days will be enough to discover a crime in a small shop. However, discovering such a crime in a large warehouse may take more than a couple of days.

A data subject has the right to object to video surveillance at any time if he has been subject to it. The controller must reply to such a request within a month and stop recording unless there is a legitimate interest that’s more important than the data subject’s rights. The data subject has the right to access any security camera footage that’s still retained and file a complaint with the National Data Office if such retention is unlawful. Yet the controller has the right to refuse a request that’s unreasonable or excessive.

Key takeaways

  • Reconsider the need for video surveillance if it’s possible to install alternatives.
  • Setting up an information sign requires you to notify the data subject of video surveillance.
  • Choose the location of video surveillance carefully.
  • Make sure that technical measures are adopted.
  • The data subject has the right to object to video surveillance.
  • Security camera footage must not be retained longer than is necessary.
____________________
1 Section 36(3) of the Personal Data Processing Act

Share the article

If you have any comments on this article please email them to lv_mindlink@pwc.com

Ask question

Related articles

See all Flash News
01.08.2023

What should businesses know about video surveillance? (1) 1/31/23
Legal Tax

Video surveillance may be treated as personal data processing by automated means if particular persons can be recognised in the footage. We often get asked if security cameras may be installed if they cover only an area, if nobody can be recognised in the footage, if the footage is not retained, etc. The scope of the General Data Protection Regulation (GDPR) excludes any personal data processing someone merely does as part of a private or domestic event.  This article takes a brief look at steps you should take to ensure your video surveillance is lawful.
25.07.2023

What to do if personal data has been sent to wrong recipient? 2/30/23
Legal Business Tax

From time to time we hear about data protection breaches involving personal data emailed to the wrong recipient. The question is, what do you do if this has happened?
13.06.2023

Transparency of crypto-asset industry 3/24/23
Accounting Legal Business Tax Technology

The crypto-asset sector has made changes to the payment and investment markets and challenged the tax authorities to trace capital gains arising on crypto-asset trades. On 16 May 2023 the EU Council supported the European Commission’s proposal to require crypto-asset service providers to report on transactions their EU customers perform in crypto-asset markets. This will help the tax authorities monitor crypto-asset trading and revenues, thereby reducing the risk of tax fraud and tax evasion. The reporting system is to be implemented with amendments to the Directive on Administrative Cooperation (“DAC”), which is the main system for exchanging data between the tax authorities. The new reporting rules have been passed in addition to the Regulation on Markets in Crypto Assets (“MiCA”) amending Directive (EU) 2019/1937, and to the Regulation on information accompanying transfers of funds, and these rules are fully consistent with the OECD’s crypto-asset reporting initiative.