15 Sep Security cameras regulations and the GDPR
The use of security cameras has spread in recent years, as it is a very useful tool when it comes to avoiding crimes or discovering criminals, especially in sensitive places such as solar energy installations, companies or industries. Although the use of recording systems is allowed, you have to know what the limits are, so it is important to know the regulations on security cameras and GDPR.
Complying with data protection legislation is essential
The entry into force at the European level of the General Data Protection Regulation (GDPR) made it necessary to modify Spanish regulations to adapt them to European standards. Consequently, the Data Protection Law is now much stricter and requires more responsibility from those who manage personal data.
In the case of images captured by video security systems, inside or outside buildings, these files are considered personal data, so it is necessary to treat them appropriately.
Failure to comply with the regulations in this matter implies two consequences. The first one is that the captured images can be considered illegal and therefore will not be valid when proving someone’s guilt to an alleged crime. In fact, the people recorded could even claim compensation.
The second consequence is that the Spanish Data Protection Agency (AEPD) is empowered to impose sanctions that can amount to several million euros.
Therefore, to protect others and to protect our business, it is essential that we strictly comply with the regulations of surveillance cameras and GDPR.
Private video security for security purposes
The installation of video security cameras is not a problem when the limits established by the regulations are respected. The first of these is that it is absolutely essential to respect people’s privacy.
This implies that cameras can never be installed in sensitive places such as bathrooms or changing rooms. In addition, the general rule establishes that private cameras cannot capture images of the public highway unless this is necessary to guarantee the security of assets or strategic facilities.
In case the cameras are located in places where they can capture the image of the employees, they must be expressly informed of this.
On the other hand, in every video-monitored area there must be information on the existence of the image recording system that will also indicate to whom the ARCO rights can be exercised. In the case of companies, this obligation is usually fulfilled with the installation of a poster appropriate to the official model approved by the AEPD and which is usually placed at the entrance in a clearly visible place.
Choice of recording systems
The regulations do not impose too many requirements regarding the technical conditions of the recording equipment used, but it is understood that they must be suitable for the purpose they are pursuing.
The normal thing is to choose between the various types of outdoor cameras, which are usually models resistant to humidity, high temperatures, and even night vision. It is important to choose the devices to be used very well, since a wrong choice can lead to the images obtained not having sufficient quality and being useless.
What must be respected is the principle of minimization, evaluating whether it is really necessary to install a security system and determining well the number of cameras to be used. For this, an impact assessment is usually carried out to ensure that security will be guaranteed, citizens’ rights will be respected, and data protection regulations will be complied with.
Access to recordings
Every security video recording system must have a duly identified data controller. It can authorize different people to access the images.
Whoever has access to the images must have their own username or password and be correctly informed about the way in which they should make such access and how to secure the recordings. In addition, your identity will appear on the security document.
The most common is that the people with access are members of the security team, whether they are part of the company’s staff or an external service.
On the other hand, it must be taken into account that the police may also have access to the recordings if they do so with the purpose of preventing crimes, protecting people or conserving and safeguarding property or people who are in danger.
Prescriptions on the conservation of recordings
One of the most common questions is how long security records should be kept. The maximum time allowed by law is 30 days, a limit that is set at 15 days for credit institutions. After that time the captured files must be totally eliminated.
The only exception that allows the recordings to be kept for a longer time is that they are required by the judicial authority within the framework of an investigation. In this case, the copy is kept in a place to which only authorized personnel have access. Once the recording has been delivered to the Security Forces and Bodies, the company cannot keep any copy of it.
We hope we have helped you solve your doubts about the Security cameras regulations and the GDPR.