07.12.2022
Video surveillance –public local authorities
Considering the requests received from the public authorities, but also from the public regarding the conditions for the use of the video surveillance systems in public spaces, we hereby bring to the attention of the controllers and interested persons the following aspects:
According to Article 4 point 1 from Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Therefore, there are personal data: first name and last name, the address, place and date of birth, personal identification number, ID series and number, citizenship, profession, e-mail, telephone/fax, image, workplace, position, signature, family status, religion, political orientation, health condition, registration number of the vehicle and other.
By reference to the provisions of Article 4 point 7 from the General Data Protection Regulation, the local public authorities have the capacity of controller when they establish, alone or together with others, the purpose and means for the personal data processing or when the means and purposes of the processing are established through the national law applicable.
In relation to the manner of processing of the personal data through the video surveillance means from the public spaces by the local public authorities, this can be performed solely with the strict observance of the provisions of Article 6 of the General Data Protection Regulation (GDPR).
Therefore, by reference to the conditions of processing of personal data by the controllers, we mention that, according to Article 6 of the General Data Protection Regulation, the processing is legal solely if and to the extent that at least one of the following conditions applies:
- When the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- When the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- When the processing is necessary for compliance with a legal obligation to which the controller is subject;
- When the processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- When the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- When the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Letter f) – legitimate interest from the first paragraph shall not apply to processing carried out by public authorities in the performance of their tasks.
Corroborated with the provisions mentioned above, Article 6 paragraph (3) of the GDPR provides that:
“The basis for the processing referred to in letters (c) and (e) of paragraph 1 shall be laid down by:
(a) Union law or
(b) Member State law to which the controller is subject.
Also, the limitative conditions for the use of the personal data for another purpose than the one regulated by the legal enactments applicable for the activity of that controller shall be taken into consideration, according to Article 6 paragraph 4 from the GDPR.
Therefore, we underline that, in principle, the public authorities (including the territorial administrative units), in their capacity as data controllers, are processing personal data for the observance of a legal obligation, by reference to the specific legal provisions applicable to their field of activity and to the purposes established within the limits of these provisions.
They have the obligation to analyse the existence of the specific legal ground for each processing performed and it is their obligation to observe the specific legal regulations from their own activity sector and the GDPR.
According to those mentioned above, Recital 41 of the GDPR provides that a legal basis or legislative measure should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the case-law of the Court of Justice of the European Union (the ‘Court of Justice’) and the European Court of Human Rights.
In addition, Recital 45 of the GDPR mentions that “Where processing is carried out in accordance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law. This Regulation does not require a specific law for each individual processing. A law as a basis for several processing operations based on a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority may be sufficient. It should also be for Union or Member State law to determine the purpose of processing. Furthermore, that law could specify the general conditions of this Regulation governing the lawfulness of personal data processing, establish specifications for determining the controller, the type of personal data which are subject to the processing, the data subjects concerned, the entities to which the personal data may be disclosed, the purpose limitations, the storage period and other measures to ensure lawful and fair processing.”
At the same time, we mention that Article 5 of GDPR establishes several principles that are to be observed within the processing of data (including the video surveillance of the public spaces). Therefore, the controllers (inclusively the local public authorities) shall observe the lawfulness principle and the one regarding the processing of adequate, relevant and limited data to what is necessary in relation to the established purposes of the processing (the proportionality principle) and the principle of processing of the data in a manner that ensures the adequate confidentiality and security. The controller is responsible for the observance of these principles and shall be able to demonstrate this compliance (the accountability principle).
Also, in case of the intention to use new technologies on a large scale, as those of video surveillance in public spaces, the controllers also have the obligation to perform in advance an impact evaluation. Therefore, article 35 of the GDPR named “Data protection impact assessment” provides that “Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.”
Based on Article 35 of the GDPR, ANSPDCP Decision no. 174/2018 on the list of kind of processing operations which are subject to the requirement for a data protection impact assessment was issued (published within the Official Gazette no 919 from 31.10.2018). Article 1 from this decision provides that the evaluation of the impact on the personal data protection impact is mandatory when there is a large scale processing through the innovative use or the implementation of new technologies, especially if the respective operations limit the ability of the data subjects to exercise their rights, such as the use of facial recognition techniques to facilitate access to different spaces.
In relation to the accountability of the controller, article 24 from the GDPR provides that, considering the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.
In this context, we mention that within Chapter IV of the GDPR the obligations that the data controllers, as well as operator have, are regulated. Among the main obligations of the controller within the implementation of the Regulation are the following: to appoint a data protection officer according to Articles 37-39 of the Regulation (mandatory for the public authorities), to ensure the data confidentiality and security according to Article 33 of the Regulation, the evaluation of the impact on the data protection and the observance of the natural persons rights’ (the right to information, of access, to erasure, to object and others).
We mention that, through Article 12 of the GDPR, the obligation of each controller to ensure the observance of the data subject rights provided under Articles 12-22 GDPR was established, with a significant emphasis on the performance of the information of the persons whose personal data are used.
Also, the controllers have the obligation to provide to the persons involved information on the actions taken following a request received based on Articles 15-22 GDPR, in any case in maximum one month as of the receipt of the request.
In this context, we underline that, in case of finding the breach of the data protection legal provisions, the sanctions provided under the legislation into force become applicable.
We underline that, according to Recital 1 from the GDPR, the protection of the natural persons in relation to the processing of personal data is a fundamental right.
Article 53 of the Romanian Constitution provides that:
“(1) The exercise of certain rights or freedoms may only be restricted by law, and only if necessary, as the case may be, for: the defence of national security, of public order, health, or morals, of the citizens' rights and freedoms; conducting a criminal investigation; preventing the consequences of a natural calamity, disaster, or an extremely severe catastrophe.
(2) Such restriction shall only be ordered if necessary in a democratic society. The measure shall be proportional to the situation having caused it, applied without discrimination, and without infringing on the existence of such right or freedom.”
In this regard also the Romanian Constitutional Court pronounced through Decision no. 498/2018, underlying the following:
“50. …It is observed that guarantees for ensuring the constitutional right provided by art. 26 are contained in a decision of the Government, but such a regulatory manner is totally inadequate, impermissibly weakening the constitutional protection of intimate, family and private life. Practically, the administrative authority can at any time modify the standards of guarantees associated with this right, by issuing normative administrative acts (...). Or, an adequate protection of this right is that established by a law, which is not the case in this case. Consequently, the criticized texts violate art. 26 of the Constitution.
52. Therefore, the legislator has the obligation to regulate the guarantees associated with the right to private and family life. This obligation shall be materialized by law, in the sense of instrumentum. "
In this context, we mention, for example, the fact that at a legal level there has been expressly regulated (through article 56 paragraph (1) of Law no. 218/2002 on the organisation and functioning of the Romanian Police, republished) the possibility of the Romanian Police bodies to register with video-photo-audio means from their equipment, in public spaces, as well as the conditions for the performance, in relation to the purpose of carrying out the activities of prevention, detection, investigation or prosecution of crimes or execution of punishments.
On the other hand, we underline that, within the case-law of the European Court for Human Rights in relation to Article 8 of the European Convention on human Rights and fundamental freedoms (the right to respect for private and family life), the European court ruled that “the protection laid down by this article would be diminished in an unacceptable manner of the use of modern scientific techniques would be allowed at any price and without achieving a balance between the benefits of the extensive use of these techniques and the important interests related to private life.” (Cause S. and M. Marper against the United Kingdom, 4.12.2008).
Therefore, considering the above and within the context of some possible personal data processing in public spaces, through video surveillance means, by the local public authorities, we underline that these controllers have the obligation to strictly observe the legal regulations specific to the public local administration in conjunction with the GDPR provisions, specifically the processing principles, and specifically the lawfulness, proportionality and security and confidentiality of the data processing, regulated under articles 5 and 6 of the GDPR.
Legal and Communication Department
A.N.S.P.D.C.P.