How can I delete CCTV footage?

Video surveillance and data protection - that's what matters

How was video surveillance regulated by law before May 25, 2018 and the entry into force of the EU GDPR?

Until May 25, 2018, the statutory basis permitting video surveillance of publicly accessible areas and rooms was Section 6b of the old version of the Federal Data Protection Act (BDSG). Under that provision, surveillance was only permissible if it was necessary for the fulfillment of tasks by public authorities, for the exercise of house rules, or for the safeguarding of legitimate interests for specifically defined purposes, and there were no indications that the data subjects' interests worthy of protection prevailed. In the case of non-public spaces (e.g. factory premises, warehouses, offices), admissibility was based on §§ 28, 32 BDSG old version.

What changes in video surveillance and data protection does the GDPR bring with it?

The GDPR itself does not contain any explicit regulation on video surveillance. For this reason, no information can yet be given as to the extent to which the previous data protection assessments will endure in practice. The new version of the BDSG contains a regulation on video surveillance in § 4. It remains to be seen whether this paragraph can be applied at all, because Union law takes precedence in application. The provisions of the GDPR must therefore not be undermined by national regulations of the member states.

In the absence of a special regulation, the legality of video surveillance must be assessed on the basis of the general clause in Art. 6 Paragraph 1 Sentence 1 Letter f GDPR. According to this, monitoring is lawful if it is necessary to safeguard the legitimate interests of the party carrying out the monitoring or of third parties, and if the interests or fundamental rights of the persons concerned do not outweigh the interests.

What measures must be taken when video surveillance is installed in order to comply with the data protection requirements of the GDPR?

Before video surveillance is installed, it must be determined which goal is to be achieved with it. A legitimate interest in the operation of a video surveillance system can be of a non-material, economic or legal nature. If video surveillance is to be used to protect against break-ins, theft or vandalism, this is generally to be seen as a legitimate interest if an actual risk situation can be proven. Specific facts from which a hazard arises must be shown, for example damage or special occurrences in the past. It is therefore advisable to carefully document relevant events (date, type of incident, amount of damage) or to keep any criminal complaints that were filed. The preservation of evidence through the recording can also represent such a legitimate interest. In certain cases, an abstract risk situation can be sufficient if the situation is one that, according to life experience, is typically dangerous, e.g. in shops that sell valuable goods (e.g. jewelers) or that are potentially particularly at risk with regard to offenses against property and assets (e.g. gas stations).

For video surveillance, a record of processing activities in accordance with Art. 30 GDPR must be drawn up and submitted to the supervisory authority upon request. At least the following information must be provided:

  • Name, contact details of the responsible body
  • Purposes
  • Categories of data subjects, categories of personal data
  • Recipients of personal data
  • Transfers to third countries
  • Deletion periods
  • Description of technical and organizational measures

Do you have to point out the video surveillance?

The GDPR obliges the operators of video systems to make the surveillance recognizable by means of suitable measures. In addition, further extensive information must be provided. This is usually done by a clearly visible sign on the cameras and in front of the monitored area. With the introduction of the GDPR, the transparency and information requirements have risen sharply. The following minimum requirements result from Art. 13 Para. 1 and 2 GDPR:

  • The fact that observation is taking place - pictogram, camera symbol
  • Identity of the person responsible for the video surveillance - name including contact details
  • Contact details of the data protection officer - if one has been appointed, in which case they are mandatory
  • Processing purposes and legal basis in keywords
  • Indication of the legitimate interest - insofar as the processing is based on Art. 6 Para. 1 S. 1 lit. f GDPR
  • Duration of storage
  • Reference to access to the further mandatory information according to Art. 13 Para. 1 and 2 GDPR (such as right to information, right of appeal, possibly recipient of the data)

In addition, further information must be made available to the persons concerned at the location of the surveillance, e.g. as a complete information sheet or as a notice.

How long can the recordings be saved?

In the opinion of the supervisory authorities, the data from the video surveillance may be stored for a maximum of 72 hours. However, because this recording period is not always practicable, courts have in some cases decided that a storage period of 10 days may also be permissible under certain circumstances. The decisive criterion for the storage period for video surveillance is the purpose for which the recordings were made. If this no longer applies, the data must be deleted immediately (Art. 17 Paragraph 1 lit. a GDPR). Even taking into account "data minimization" according to Art. 5 Para. 1 lit. c GDPR and "storage limitation" according to Art. 5 Para. 1 lit. e GDPR, the requirements and judgments developed under the old legal situation remain valid.

What rights can perpetrators who are recorded with video surveillance have?

Even if video surveillance is necessary to safeguard house rules or to safeguard a legitimate interest, it may only be put into operation if the data subjects' interests worthy of protection do not prevail. At this point, a balance must be struck between the legitimate interests of the party carrying out the monitoring and those of the people affected by it. The yardstick for the evaluation is the right to informational self-determination as a special expression of the right of personality on the one hand, and the protection of property or physical integrity on the other. When weighing up, the overall circumstances of each individual case are decisive. The intensity of the intervention is often decisive. Observations that violate people's privacy, such as the monitoring of toilets, saunas, showers or changing rooms, are fundamentally inadmissible. In addition, the interests worthy of protection often prevail in areas where the development of the personality is in the foreground, for example in restaurants and parks.

Do measures need to be taken to protect the perpetrator's personal data?

Video surveillance data must be deleted immediately if they are no longer required to achieve the purpose or if the data subjects' interests worthy of protection stand in the way of further storage. This is the case when a danger does not have to be averted any further or it is not necessary to preserve evidence. If, for example, there was no robbery or theft at a gas station, video recordings are no longer required for evidence purposes and must therefore be deleted. In principle, the aim is to delete the data after 72 hours. However, if there are sufficient reasons, a longer storage period may also be possible, for example if the external data protection officer can point out reasons for a longer retention period.

The video surveillance must be pointed out. The information can be given using appropriate signs or graphic symbols. According to the provisions of the GDPR, it must also be stated who is performing the video surveillance, for what purpose it is used, how the data protection officer can be contacted and for how long the recorded data will be kept.

Furthermore, before a camera system is put into operation, a check must be carried out to determine the locations and times at which monitoring appears to be absolutely necessary. Monitoring during the night or outside of business hours can often be sufficient. As part of the necessity assessment, it must also be examined whether pure observation by means of live monitoring is sufficient or whether a recording (which is generally more intrusive) is required to achieve the monitoring purpose.

What are the consequences of video surveillance that does not comply with data protection regulations?

A non-transparent video surveillance is not in accordance with the GDPR (Art. 5 and 13). The supervisory authority can instruct the person responsible to remedy the defect in accordance with Article 58 (2) (d) GDPR or temporarily or permanently restrict or prohibit video surveillance in accordance with Article 58 (2) (f) GDPR. A lack of transparency is also an offense under Article 83 (5) of the GDPR.

What to look out for

The formal and material requirements for the use of video surveillance are not reduced by the GDPR compared to the old BDSG. Rather, they remain high and complex. For this reason, operators of video surveillance systems should meet with their data protection officer at an early stage and check how, and through which specific design of the surveillance, the changed requirements can be taken into account so that operation can continue in a legally compliant manner. This applies in particular to the increased requirements for transparency and the design of data processing.

What is a data protection impact assessment?

The old Federal Data Protection Act required a check before starting the processing of data (prior checking), "if automated processing posed particular risks for the rights and freedoms of those affected". At best, prior to the introduction of video surveillance with recording, a prior check should have been carried out by the data protection officer within the meaning of Section 4d (5) BDSG. The prior check had to be documented in writing.

By and large, these requirements remain in place. The prior check is replaced by the data protection impact assessment, which has roughly the same content and is standardized in Art. 35 GDPR. A data protection impact assessment is not a one-time process. Should new risks arise, should the assessment of risks that have already been identified change, or should there be significant changes in the procedure that were not previously taken into account in the data protection impact assessment, the data protection impact assessment must be reviewed and adjusted. The authorities therefore recommend a continuous iterative process that can be broken down into preparation, execution, implementation and review, with further specified sub-items.

The report required in accordance with Art. 35 (7) GDPR must in any case contain the systematic description of the planned processing operations and their purposes, the assessment of the necessity and proportionality of the processing, the description and assessment of the risks as well as the remedial measures for risk containment. In addition, it must be supplemented with a description of the residual risks including decisions about how to deal with them.

As a data protection officer, how do you personally rate video surveillance?

Thanks to ease of use, good recording quality and networked technology, video surveillance is now being carried out in more and more companies and private homes. These installations must, of course, comply with the legal basis, although due to the diversity of the conditions on site, a case-by-case assessment must be carried out on a regular basis. In any case, the installation must be lawful and proportionate in order to create a fair balance of interests.

If only necessary and permissible things are recorded with the video surveillance system, the data subjects are correctly informed, the data collected are protected from unauthorized use and a deletion concept has been developed for the recordings, I consider it to be a permissible and effective means of law enforcement.

Contact details of the interviewee

180 ° data protection GmbH
Johannes Schwiegk