Article 15 GDPR and Video Monitoring - obligation to share the recordings

Łukasz Bonczol

Do you have a CCTV video monitoring system or take and store large amounts of photos? You have to understand how GDPR guarantees the right of access to personal data on demand.

We used to think of personal data as personal ID numbers, birth dates, medical records, and entries in various types of documents. But the fact is that anything that allows a person to be identified and associated with another piece of information is considered personal data. Images of individuals registered on video or photo materials are no different. This creates some profound legal implications for anyone operating visual monitoring or taking, collecting and storing photos.

The entities affected are all kinds of CCTV operators, among them security companies, railway, parking and medical facilities operators and many others. Likewise, GIS (Geographic Information Systems) companies, construction companies and research institutions collect large amounts of photos for the purpose of documentation in their projects. They all must comply with the same privacy and personal data protection regime that applies to non-visual data. And if the data is collected for commercial reasons and on an industrial scale, the obligations become stricter, with possibly much higher fines and penalties for infringement. All your systems, processes, and means have to be in place for the security, access and lawful sharing of personal data.

Rights of the data subject under Article 15 of GDPR

Article 15 of the General Data Protection Regulation guarantees the right of access to the processed information to all concerned persons. It means that not only authorized offices, government bodies, and law enforcement agencies such as the police can request photos or recordings. Anyone who has been captured on photo or video can file for a copy of the material where they have been captured. If your organization collects personal data in any form, you may encounter a situation where someone requests its release. What should be your response?

First of all, each person has the right to ask the personal data administrator to confirm whether their data is processed. If this is indeed the case, under the provisions of GDPR, they may demand access to it.

“The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data […]”

Art. 15 GDPR: Right of access by the data subject

In such a situation, you, as the personal data administrator, must provide them with the following information:

  • Purposes of personal data processing
  • Categories of processed data
  • Data recipients (especially in third countries and international organizations)
  • Planned period of data storage (or criteria for its determination)
  • The rights of the data subject (including rectification, deletion or limitation of data processing, but also filing a complaint)
  • Source of personal data (unless it was collected directly from the data subject)
  • Information on automated decision-making processes (including profiling)

Your obligations as the personal data administrator - providing recordings and photos on demand

Upon receipt of a request for access to personal data, the administrator must provide a copy of the data to the data subject. In our case - it is a section of the recording or photos containing the image of a person being the data subject.

A reasonable fee may be charged for any subsequent copies based on administrative costs, but in practice, it rarely happens. The information is usually provided electronically unless stated otherwise in the request.

It is very common for organizations processing personal data to refuse to provide copies, arguing that they can only do so at the request of the police and other authorized bodies and agencies. This is obviously not true. Making such claims can make the situation much worse for the data processor, who is, therefore, exposed to even more severe fines imposed by national data protection authorities.

The other reason given for refusal is that the photo or recording shows people other than the data subject. Of course, when providing processed personal data, you must also respect the rights of other persons to whom the information relates. The right to obtain a copy should not adversely affect the rights of other people. It means that if other individuals are in the recording or photo, you cannot reveal their identity.

This kind of justification for refusing the right to access is also groundless because one can easily take steps to protect the privacy of random people appearing in the materials. In the past, the only way to do so was to blur faces and license plates manually, which required proper software and skilled personnel. On a large scale, this method would be expensive and ineffective. Thanks to advancements in technology, today, one can use solutions such as software for automated face and license plate anonymization, which are widely available and cost-effective.

To sum up - in theory, the administrator has the right to refuse to issue a copy of the data only in the case of the following scenarios:

  • Evident unfoundedness or excessiveness of the request
  • Submitting an application in a form other than that imposed by data protection regulations
  • The actual threat to the rights of others

In practice, it is really hard (if not impossible) to prove any of the above-mentioned conditions.

What is the penalty for non-compliance?

As video monitoring and photo gathering on an industrial scale are prevalent, regulators are also becoming aware of privacy-related challenges. On the other hand, citizens and consumers are also becoming more informed about their rights. As a result, complaints and fines for refusing to provide material on demand to the data subject, something that was a rare exception just a few years ago, are now more common, and the trend is on the rise.

Below, we mention some of the recent fines showing the significance of this issue:

  • In 2020, a local store owner in Hungary denied handing over video material from CCTV monitoring. The national data protection body decided that it was a stark violation of Art. 15 of GDPR and imposed a fine of 54,800 EUR.
  • In 2022, a Croatian energy company which operates gas stations received a fine of 124,000 EUR for a similar infringement.
  • In Ireland, the Limerick City and County Council was fined 110,000 EUR for several breaches and negligence in the field of CCTV monitoring. In its decision, the Irish DPA referred, among others, to Article 15 of GDPR. In the same year, the Spanish DPA fined Mercadona S.A., a supermarket chain, 170,000 EUR for denying a customer access to video surveillance recordings. The data subject had suffered an accident and asked for the recordings to be provided on demand.

Would you like to learn more about recent fines for infringement of Art. 15 of GDPR in relation to visual monitoring? Stay tuned; we will publish a separate paper soon.
