Processing of personal data through video devices
Guidelines 03/2019 on processing of personal data through video devices
Paragraph 9.3.1 Organisational measures
131. Apart from a potential DPIA needed (see Section 10), controllers should consider the following topics when they create their own video surveillance policies and procedures:
-
Who is responsible for management and operation of the video surveillance system.
-
Purpose and scope of the video surveillance project.
-
Appropriate and prohibited use (where and when video surveillance is allowed and where and when it is not; e.g. use of hidden cameras and audio in addition to video recording).
-
Transparency measures as referred to in Section 7 (Transparency and information obligations).
-
How video is recorded and for what duration, including archival storage of video recordings related to security incidents.
-
Who must undergo relevant training and when.
-
Who has access to video recordings and for what purposes.
-
Operational procedures (e.g. by whom and from where video surveillance is monitored, what to do in case of a data breach incident).
-
What procedures external parties need to follow in order to request video recordings, and procedures for denying or granting such requests.
-
Procedures for VSS procurement, installation and maintenance.
-
Incident management and recovery procedures.