Powered by Smartsupp

General information about the operation of the camera system (GDPR)

Camera surveillance must not excessively interfere with privacy. A CCTV system may be used in principle when the purpose being monitored cannot be effectively achieved by other means (e.g. better security of property). Furthermore, the use of CCTV in areas intended for purely private activities (e.g. toilets, showers) is excluded. However, a solution is possible where the data subject has a choice of alternatives (e.g. the changing rooms (lockers) of a swimming stadium can be monitored, provided that there is a designated changing area which is not monitored by cameras).

The purpose of the recording must be clearly defined in advance and must correspond to important, legally protected interests of the controller (e.g. protection of property against theft). The recordings can thus only be used in connection with the detection of an event that is detrimental to these important, legally protected interests of the controller. The admissibility of the use of the records for any other purpose must be limited to an important public interest, such as the fight against street crime.

A time limit must be set for the retention of records. The retention period should not exceed the maximum time limit allowed to fulfil the purpose of operating the CCTV system. The stored data should be retained within a time loop, e.g. 24 hours if it is a permanently guarded facility, or possibly for a longer period, but in principle not exceeding a few days, if it is not a recording by a police authority under a specific law, and deleted after that period. Only in the case of an existing security incident should the data be made available to law enforcement authorities, a court or another authorised body.

Proper protection of the capture devices, transmission paths and data carriers on which the records are stored from unauthorised or accidental access, alteration, destruction or loss or other unauthorised processing should be ensured. Internal procedures and rules for the operation of the CCTV system and the handling of recordings should be regulated, for example, in the operating rules of the premises or in a security directive. The controller is obliged to document any personal data breaches and to address security incidents.

In most cases, the data subject must be appropriately informed about the use of the CCTV system and who operates it (e.g. e.g. by a sign/sticker). The controller must allow the exercise of other rights of the data subject, in particular the right to further information about the processing of personal data and the right to object.

Unrecorded camera systems

When operating a CCTV system without recording, we only need to comply with the general rules on the protection of personal data. Cameras must not record areas where people are conducting private business ( showers, toilets etc.) or where they do not expect to be monitored.
Persons must be properly informed (e.g. by a sign/sticker) that the area being monitored is being monitored.

Camera systems with recording

The operation of a CCTV recording system is considered to be processing of personal data subject to the obligations under the General Regulation where there is automated recording of the public space being monitored and the purpose of the information and recordings is also to identify individuals in relation to certain conduct.

Data stored in a recording device, whether visual or audio, is personal data provided that a specific natural person can be identified, directly or indirectly, on the basis of those recordings (information from visual or audio recordings). A natural person is identifiable if the image in which he or she is captured shows his or her characteristic identifying features (in particular, his or her face) and, on the basis of the association of the identifying features with other available data, full identification of the person is possible. The personal data then consists of those identifiers which enable the person to be linked to a specific behaviour captured in the image.

The processing of personal data by the operation of a CCTV system is lawful only if it is carried out to the appropriate extent under one of the permissible legal titles for the processing of personal data listed in Article 6 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation - GDPR). In practice, this is usually

processing necessary for the performance of a task carried out in the exercise of a public service; in such cases, the provisions of the relevant law ordering or regulating the specific conditions of CCTV surveillance must be observed,
processing necessary for the purposes of the legitimate interests of the relevant controller.

Does a CCTV system need to be registered with the Office of the Public Prosecutor?

NO. The registration of processing pursuant to Section 16 of Act No. 101/2000 Coll., on the protection of personal data has been terminated. On 25 May 2018, the General Regulation (GDPR), which no longer imposes a similar registration obligation, comes into force.

Does the General Regulation (GDPR) impose any new obligations on the operation of CCTV systems apart from the notification of a security incident?

In connection with the taking of CCTV footage, the controller has an obligation to keep records of the processing activities. However, this obligation is not entirely new; the records effectively replace the existing registration forms, but unlike the existing registration, the controller only keeps the records, i.e. does not send them to the Authority. Like other obligations under the General Regulation, this obligation does not apply to the processing of personal data carried out in the course of purely personal or domestic activities, i.e. not even to the adequate protection of one's own home by a camera. It would only apply to the recording of public spaces described above if it were necessary to protect the rights of the operator of the camera system.

The record of processing activities for the CCTV system must include the following:

  • Custodian's designation.
  • Monetary identification of the controller, i.e. the entity carrying out the processing.
  • Purpose of the processing (e.g. protection of the controller's property, life and health of persons through a permanent CCTV system)
  • Description of categories of data subjects.
  • Employees and persons occasionally entering the monitored area (contractors, visitors, etc.).
  • Description of categories of personal data.
  • Image and visual information on the behaviour and actions of the persons recorded.
  • Recipients of personal data and information on possible transfer of personal data to third countries.
  • In justified cases, law enforcement authorities or other interested parties to fulfil the purpose of the processing (e.g. insurance company).
  • Erasure period (retention period of the record is X days).
  • Recording of the captured incident is kept for the time necessary to process the case.
  • Technical and organisational security measures.
  • Security cover (controlled access to data, training of authorised persons, record keeping of transfer of recordings to authorised authorities and persons).

News and actions by email

Be the first to know about special discounts and actions. You can unsubscribe at any time.

I agree to the processing of personal data.