Frequently Asked Questions
Can I only process personal data when I have the individual’s consent?
Processing personal data is allowed if there is a legal basis for it. In addition to free, specific, informed and unambiguous consent, other legal bases for processing can be used.
In other words, consent is necessary only when none of the other legal bases applies.
Can I set up closed-circuit television (CCTV) on my business premises to protect my property?
The first step to installing CCTV is to identify the purpose or purposes for doing so. The purposes for installing CCTV can be varied, such as ensuring the security of premises, aiding in the prevention and detection of theft and other crimes, or protection of the lives and health of employees, due to the nature of work.
As with any processing of personal data, the recording of individuals must have a legal basis under the GDPR. Consent can provide a legal basis for such data processing. However, this is unlikely to apply to the use of CCTV in most cases, as it will be difficult to obtain the freely given consent of everyone likely to be recorded. The most common legal ground for this kind of processing of personal data is legitimate interest. When processing is based on a legitimate interest, you will need to carry out a balancing test to determine whether your legitimate interests outweigh individuals' rights.
You will need to inform individuals that they are being recorded. This can be done by placing easy to read signs in prominent places. In addition, a sign indicating the purpose of the CCTV system and the identity and contact details of the data controller should be placed at all entrances.
Individuals whose images are being recorded by a CCTV system should be provided with the following information:
- the identity and contact details of the data controller;
- the purposes of the processing;
- the legal basis of the processing (if legitimate interest, specific information about which legitimate interests relate to the specific processing, and about which entity pursues each legitimate interest);
- the contact details of the Data Protection Officer, DPO (if there is a DPO);
- the recipients or categories of recipients of the data;
- the security arrangements for the CCTV footage;
- the retention period for CCTV footage;
- the existence of individuals’ rights under the GDPR and the right to lodge a complaint with the national data protection authority.
Can I transfer personal data outside the European Economic Area (EEA)?
Under the GDPR, there are, in principle, two main ways to transfer personal data to a non-EEA country or international organisation. Transfers may take place on the basis of an adequacy decision, or, in the absence of such a decision, on the basis of appropriate safeguards, including enforceable rights and legal remedies for individuals.
Does my organisation have to comply with the GDPR?
Every organisation, regardless of its size or sector, that is established in the European Economic Area (EEA) or offers products or services to individuals in the EEA, and that processes personal data, whether or not by automated means, needs to comply with the GDPR. Even though the GDPR mainly relates to automated processing of personal data, processing operations carried out manually will also be subject to the GDPR from the moment the paper files are organised in a systematic manner, e.g. ordered alphabetically in a filing cabinet.
Examples of processing operations include collecting, recording, organising, using, modifying, storing, disclosing, altering and erasing individuals’ personal data.
Nevertheless, the application of the GDPR is modulated according to the nature, context, purposes and risks of the processing operations carried out. For SMEs whose core business is not the processing of personal data, the obligations can be less strict than for a large company.
How can I respect individuals’ data protection rights?
The GDPR foresees specific rights for individuals that have to be respected. You can do this by:
- informing individuals whose data you process about your processing operations and the processing purposes when you collect their data, for example via a privacy statement on your website;
- responding to individuals' requests to exercise their rights, such as access, rectification, objection, erasure or portability requests.
Organisations that are transparent about their use of personal data and that respect the rights of individuals are less likely to become subject to complaints.
How long can I store personal data?
You cannot store personal data forever.
As a rule, personal data can only be stored for as long as necessary in light of the purposes for which the personal data is processed.
In some cases, the storage period can be determined by specific laws, for example, labour regulations determine a storage period for payroll lists.
Organisations should put in place data retention policies to make sure that personal data is not kept longer than is necessary. Individuals' personal data must be deleted or anonymised once this data is no longer necessary for the purpose for which it was processed.
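The retention policy described above can be enforced mechanically: each record carries the purpose it was collected for, the schedule maps purposes to a maximum retention period, and anything past its period is deleted or stripped of direct identifiers. The following is an added illustration, not code from the original page or from any data protection authority; the retention periods, field names, purposes and sample records are constructed placeholders, and a real schedule would come from the organisation's own policy and any statutory periods.

```python
from dataclasses import dataclass, field, replace
from datetime import date, timedelta

# Constructed retention schedule: purpose -> maximum retention in days.
# These numbers are placeholders for illustration only.
RETENTION_DAYS = {
    "payroll": 365 * 7,   # placeholder standing in for a statutory payroll period
    "event_photos": 365,  # placeholder
    "cctv": 30,           # placeholder
}

# Fields treated as direct identifiers when a record is anonymised.
IDENTIFYING_FIELDS = ("name", "email", "address", "plate")


@dataclass
class Record:
    record_id: str
    purpose: str
    collected_on: date
    data: dict = field(default_factory=dict)
    anonymised: bool = False


def is_expired(record: Record, today: date) -> bool:
    """True once the record has outlived the retention period for its purpose."""
    limit = RETENTION_DAYS.get(record.purpose)
    if limit is None:
        # No documented purpose and period: fail closed, so a record with an
        # unknown purpose is never retained indefinitely by accident.
        return True
    return today - record.collected_on > timedelta(days=limit)


def anonymise(record: Record) -> Record:
    """Strip direct identifiers. Whether the remainder is truly anonymous depends
    on the other fields: several indirect pieces of data can still identify someone,
    so the remaining keys should be reviewed, not assumed safe."""
    scrubbed = {k: v for k, v in record.data.items() if k not in IDENTIFYING_FIELDS}
    return replace(record, data=scrubbed, anonymised=True)


def enforce_retention(records, today, action="delete"):
    """Apply the schedule. Returns (records kept, ids of records deleted)."""
    kept, deleted = [], []
    for r in records:
        if not is_expired(r, today):
            kept.append(r)
        elif action == "anonymise":
            kept.append(anonymise(r))
        else:
            deleted.append(r.record_id)
    return kept, deleted


# Constructed sample records (all values are made up).
SAMPLE_RECORDS = [
    Record("r1", "cctv", date(2024, 1, 1), {"plate": "CONSTRUCTED-1", "camera": "lobby"}),
    Record("r2", "cctv", date(2024, 2, 20), {"plate": "CONSTRUCTED-2", "camera": "yard"}),
    Record("r3", "payroll", date(2020, 6, 1), {"name": "A. Example", "gross": 3000}),
    Record("r4", "newsletter", date(2023, 1, 1), {"email": "a@example.invalid"}),
]


def run_example(today: date = date(2024, 3, 1)):
    """Run both actions over the sample set and return what a reviewer would check."""
    kept, deleted = enforce_retention(SAMPLE_RECORDS, today)
    kept_ids = sorted(r.record_id for r in kept)
    anon_kept, _ = enforce_retention(SAMPLE_RECORDS, today, action="anonymise")
    anon_r1 = next(r for r in anon_kept if r.record_id == "r1")
    return kept_ids, sorted(deleted), anon_r1.data, anon_r1.anonymised


if __name__ == "__main__":
    print(run_example())
```

Note the fail-closed choice in `is_expired`: a record whose purpose is not in the schedule (here `r4`, "newsletter") is treated as expired, which forces someone to document a purpose and period before the data can be kept, matching the rule that storage must be tied to a stated purpose.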
I am organising an event as part of my business activities. Can I take photos and videos of the event and the people attending?
Yes, but in order to do this, you will first need to determine the legal basis for processing this type of personal data. For example, the processing could be considered as a legitimate interest for your organisation. When processing personal data on the basis of legitimate interest, it is always necessary to conduct a balancing test to determine whether your legitimate interests outweigh individuals’ rights, particularly if children are involved.
Another possible legal basis for such processing could be consent. At any rate, individuals should always be informed in advance that the event is being photographed or filmed.
Is the Data Protection Officer (DPO) responsible for compliance with the GDPR?
The DPO cannot be held responsible for failure to comply with the GDPR. Compliance with the GDPR is the responsibility of the organisation that appointed the DPO.
What does processing personal data mean?
Processing personal data means any type of activity (processing operation) performed on or with individuals’ personal data. This includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, inquiry, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.
What is personal data?
Personal data means any information relating to an identified or identifiable individual. An identifiable individual is anyone who can be identified, either directly or indirectly. Different pieces of information that added together could lead to the identification of a particular person also constitute personal data.
Examples of personal data include:
- name and surname;
- a home address;
- an email address;
- an ID card number;
- location data;
- an Internet Protocol (IP) address;
- a cookie ID;
- bank accounts;
- tax reports;
- biometric data (such as fingerprints);
- a social security number;
- a passport number;
- test results;
- grades in school;
- browsing history;
- a photograph of an individual;
- a vehicle registration number, etc.