Guidelines 03/2019 on processing of personal data through video devices
Section 9.3 Concrete examples of relevant measures
128. Most of the measures that can be used to secure video surveillance, especially when digital equipment and software areused, will not differfrom those used in other IT systems. However, regardless of the solution selected, the controller must adequately protect all components of a video surveillance system and data under all stages, i.e. during storage (data at rest), transmission (data in transit) and processing (data in use). For this, it is necessary that controllers and processors combine organisational and technical measures.
129. When selecting technical solutions,thecontroller should consider privacy-friendly technologies also because they enhance security. Examples of such technologies are systems that allow masking or scrambling areas that are not relevant for thesurveillance, or the editing out of images of third persons, when providing video footage to data subjects. On the other hand, the selected solutions should not provide functions that are not necessary (e.g., unlimited movement of cameras, zoom capability, radio transmission, analysis and audio recordings). Functions provided, but not necessary, must be deactivated.
130. There is a lot of literature available on this subject, including international standards and technical specifications on the physical security of multimedia systems, and the security of general IT systems. Therefore, this section provides only a high-level overview of this topic.