Guidelines 03/2019 on processing of personal data through video devices

Paragraph  6.2.1  Right to erasure (Right to be forgotten)

99. If the controller continues to process personal data beyond real-time monitoring (e.g. storing) the data subject may request for the personal data to be erased under Article 17 GDPR.

100. Upon a request, the controller is obliged to erase the personal data without undue delay if one of the circumstances listed under Article 17 (1) GDPR applies (and none of the exceptions listed under Article 17 (3)GDPR does). That includes the obligation to erase personal data when they are no longer needed for the purpose for which they were initially stored, or when the processing is unlawful (see also Section 8 –Storageperiods and obligation to erasure). Furthermore, depending on the legal basis of processing, personal data should be erased:

• for consent whenever the consent is withdrawn (and there is no other legal basis for the processing)

• for legitimate  interest:   – whenever the data subject exercises the right to object (see Section 6.2.2) and there are no overriding compelling legitimate grounds for the processing, or                                   – in case of direct marketing (including profiling) whenever the data subject objects to the processing.

101. If the controller has made the video footage public (e.g. broadcasting or streaming online), reasonable steps need to be taken in order to inform other controllers (that are now processing the personal data in question) of the request pursuant to Article 17 (2) GDPR. The reasonable steps should include technical measures, taking into account available technology and the cost of implementation. To the extent possible, the controller should notify – upon erasure of personal data – anyone to which the personal data previously have been disclosed, in accordance with Article 19 GDPR.

102. Besides the controller’s obligation to erase personal data upon the data subject’s request, the controller is obliged under the general principles of the GDPR to limit the personal data stored (see Section 8).

103. For video surveillance it is worth noticing that by for instance blurring the picture with no retroactive ability to recover the personal data that the picture previously contained, the personal data are considered erased in accordance with GDPR.

104  Example: A convenience store is having trouble with vandalism in particular on its exterior and is therefore using video surveillance outside of their entrance in direct connection to the walls. A passer-by requests to have his personal data erased from that very moment. The controller is obliged to respond to the request without undue delay and at the latest within one month.Since the footage in question does no longer meet the purpose for which it was initially stored (no vandalism occurred during the time the data subject passed by), there is at the time of the request, no legitimate interest to store the data that would override the interests of the data subjects. The controller needs to erase the personal data.