Data controllers can only process personal data in one of the following circumstances:

• with the consent of the individuals concerned;
• where processing is necessary for the performance of a contract (a contract between your organisation and an individual);
• to meet a legal obligation under EU or national legislation;
• where processing is necessary for the performance of a task carried out in the public interest under EU or national legislation;
• to protect the vital interests of an individual;
• for your organisation’s legitimate interests - except where they are overridden by the rights and freedoms of individuals.

In addition, the GDPR establishes additional conditions for the processing of sensitive data.

More information:

• Process personal data lawfully

The contract between the data controller and the data processor must stipulate that the data processor:

• processes the personal data only on the instructions of the data controller, including with regard to transfers of personal data to a country outside the EEA;
• ensures that the persons authorised to process the data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
• ensures security of processing;
• shall not engage another data processor without prior specific or general written authorisation of the data controller;
• assists the data controller for the fulfilment of the data controller’s obligations to respond to individual’s requests for exercising their rights;
• assists the data controller in securing the processing, notifying data breaches, and performing DPIAs;
• at the choice of the data controller, deletes or returns all personal data to the data controller after the end of the provision of services;
• makes available to the data controller all necessary information to demonstrate compliance with the obligations under the GDPR;
• allows for and contributes to audits, including inspections conducted by the data controller or another auditor mandated by the data controller.

In addition, the data processor shall immediately inform the data controller if, in its opinion, instructions infringe the GDPR or other EU or national data protection provisions.

More information:

• Data controller or data processor

The first step to installing CCTV is to identify the purpose or purposes for doing so. The purposes for installing CCTV can be varied, such as ensuring the security of premises, aiding in the prevention and detection of theft and other crimes, or protection of the lives and health of employees, due to the nature of work.

As with any processing of personal data, the recording of individuals  must have a legal basis under the GDPR. Consent can provide a legal basis for such data processing. However, this is unlikely to apply to the use of CCTV in most cases, as it will be difficult to obtain the freely given consent of everyone likely to be recorded. The most common legal ground for this kind of processing of personal data is legitimate interest. When processing is based on a legitimate interest, you will need to carry out a balancing test to determine whether your legitimate interests outweigh individual’s rights.

You will need to inform individuals that they are being recorded. This can be done by placing easy to read signs in prominent places. In addition, a sign indicating the purpose of the CCTV system and the identity and contact details of the data controller should be placed at all entrances.

Individuals whose images are being recorded by a CCTV system should be provided with, the following information:

• the identity and contact details of the data controller;
• the purposes of the processing;
• the legal basis of the processing (if legitimate interest, specific information about which legitimate interests relate to the specific processing, and about which  entity  pursues  each  legitimate  interest.);
• the contact details of the Data Protection Officer, DPO (if there is a DPO);
• the recipients or categories of recipients of the data;
• the security arrangements for the CCTV footage;
• the retention period for CCTV footage;
• the existence of individuals’ rights under the GDPR and the right to lodge a complaint with the national data protection authority.

More information:

• Process personal data lawfully
• Respect individuals’ rights

A Data Protection Impact Assessment or DPIA is a written assessment that your organisation should make to evaluate the impact of a planned processing operation. It helps you to identify the appropriate measures to address the risks, and to demonstrate compliance.

While it is always preferable to anticipate the impact of planned processing operations of your organisation by doing DPIA, it is compulsory to carry out a DPIA when the processing is likely to result in a high risk for individuals’ rights and freedoms.

Specifically, this is the case when the envisaged processing involves:

• the processing - on a large scale- of sensitive personal data or data related to criminal convictions;  
• a systematic and extensive evaluation of an individual’s personal aspects based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual in questions or similarly significantly affect individuals;
• systematic monitoring of a publicly accessible area on a large scale.

The EDPB has developed guidelines which list the criteria you need to take into account when assessing whether a DPIA is mandatory or not. Data protection authorities (DPAs) have also published lists of processing operations which are subject to a DPIA. In addition several DPAs have developed guides, software, or self-assessment tools to help you with your assessment.

More information:

• Be compliant

When there are two or more data controllers who jointly determine the purpose and means of processing, they are considered joint controllers. They decide together to process personal data for a joint purpose. Joint controllership can take many forms and participation of the different controllers may be unequal. Joint controllers must therefore determine their respective responsibilities for compliance with the GDPR.

It is important to note that joint controllership leads to joint responsibility for a processing activity.

• Example of joint controllership:  Companies A and B have launched a co-branded product and wish to organise an event to promote this product. To that end, they decide to share data from their respective client and prospective client databases and decide on the list of invitees to the event on this basis. They also agree on the modalities for sending the invitations to the event, how to collect feedback during the event and follow-up marketing actions. Companies A and B can be considered joint controllers for the processing of personal data related to the organisation of the promotional event as they decide together on the jointly defined purpose and essential means of the data processing in this context.

More information:

• Data controller or data processor

Some types of personal data belong to special categories of personal data, meaning they deserve more protection, so-called sensitive data. Sensitive data includes data that reveals information about:

• an individual’s health;
• an individual’s sexual orientation;
• an individual’s racial or ethnic origin;
• an individual’s political opinions, religious or philosophical beliefs; an individual’s trade union membership;
• an individual’s biometric and genetic data.

The processing of an individual’s sensitive data is generally prohibited, except under specific circumstances that justify its processing.

More information:

• Data protection basics

The GDPR foresees specific rights for individuals that have to be respected. You can do this by:

• informing individuals whose data you process about your processing operations and the processing purposes when you collect their data, for example via a privacy statement on your website;
• by responding to individuals’ requests to exercise their rights, such as access, rectification, objection, erasure or portability requests.

Organisations that are transparent about their use of personal data and that respect the rights of individuals are less likely to become subject to complaints.

More information:

• Respect individuals’ rights

The GDPR imposes obligations on all organisations that process personal data, regardless of whether they are data controllers or data processors.

In particular, you should:

• Ask yourself if the purpose for which personal data may be collected is justified, and collect only personal data that is necessary for the specific purpose(s) envisaged;
• Keep individuals’ personal data accurate and up to date, and delete the data when it is no longer necessary;
• Respect individuals’ rights by informing them about how and why their data are processed, and allowing them to exercise their rights;
• Check if you have an appropriate legal basis for the processing of personal data. In case you intend to rely on the consent of individuals, ask for their consent before processing their personal data;
• Make sure that individuals’ personal data is handled in a secure way;
• Maintain a record of processing operations.

Data processors will have to adhere to the responsibilities set out in the controller-processor contract, and they must not process the data otherwise than according to the controller’s instructions.

More information:

• Be compliant
• Data controller or data processor
• Data protection basics

A valid contract between the data controller and data processor is obligatory under the GDPR. An infringement can be subject to an administrative fine up to 10M€ or up to 2% of the total annual turnover of a company, whichever is higher.

To help guide you when setting up a controller-processor agreement, the Danish and Slovenian data protection authorities, as well as the European Commission, have developed template agreements.

More information:

• Data controller or data processor

DPOs can fulfil other tasks within the organisation, but this cannot result in a conflict of interest. This implies that the DPO cannot have a position in which they determine the purposes and means of the processing activities. Conflicting functions include mainly management positions (chief executive, chief operating, chief financial officer, Head of HR, Head of IT, managing director) but may also involve other functions if they lead to the determination of purposes and means of processing.

The DPO must be able to perform their duties and tasks in an independent manner. This means that your organisation:

• may not give instructions to the DPO with regard to the performance of their DPO duties;
• may not penalise or dismiss the DPO for performing their tasks.

More information:

• Data Protection Officer