Data protection fine to hypermarket chain indicates it's time to revise CCTV operations

Hungary

Hungary’s Data Protection Authority (NAIH) recently imposed a fine of HUF 15 million (EUR 50,000) on a major hypermarket operator with 6,535 employees for a data protection violation in connection with its CCTV operations.

Triggered by an employee complaint, the authority investigated the company’s operations and ruled that its CCTV system was non-compliant with certain points of applicable data protection laws.

This NAIH resolution is important for companies that are currently revising their CCTV operations as part of GDPR compliance efforts, since NAIH's transparency expectations will also apply after 25 May 2018.

According to the resolution, companies should:

  • Ensure that they use CCTV for security reasons only when they cannot identify unlawful actions or perpetrators by any other means, or do not have other methods to prevent and prove unlawful actions
  • Not operate CCTV in rooms where a security service provider interrogates or searches those people who are suspected of theft or other unlawful action. They should instead document the process by taking minutes, and having them witnessed
  • Prepare internal bylaws for CCTV operations as part of their “accountability” obligations (even if this is not mandatory under applicable data protection laws)
  • Always be able to prove that they provided individuals with data protection notices (NAIH recommends that these notices be in writing)
  • Operate CCTV to protect the health and safety of employees only if there is a clear and present danger
  • Ensure that security cameras focus only on protected goods, the area where handovers take place, or the cash register, instead of the continuous monitoring of employees
  • Allow access to recordings only to those people who have decision making powers or are certified security service providers (személy- és vagyonvédelmi tevékenység végzésére jogosító szakképesítés), and
  • Adopt internal rules on the purpose and timing of access to the recordings by responsible persons.

In CCTV notices, companies should indicate:

  • The location of each camera, together with the data processing purpose, the area monitored, and whether video is being recorded
  • The legal basis of data processing (if necessary, separate statements of consent by implied conduct in the case of CCTV used for security reasons, and all legitimate interests for employee monitoring)
  • A summary of the main data security measures
  • The employees (per job title) who are entitled to access the recordings, and how they are to be accessed, and
  • The company’s contact information and the applicable deadlines to answer queries on the rights and remedies section of the data protection notice.
