CCTV monitoring and the practice of the Hungarian DPA
CCTV monitoring affects a wide number of organizations and employers. Data processing by CCTV operation is covered by the GDPR in Hungary and Hungarian monitoring laws mainly provide additional rules in terms of internal system management and access rights, as well as data security, and require enhanced transparency bearing in mind the technology’s effect on the private sphere of individuals monitored.
One of the key issues concerning the operation of a CCTV system is often the lack of transparency. Operators of CCTV systems many times only provide minimal or too general information on why they operate such system or – especially in case of smaller entities – only provide oral information on CCTV operation. This can lead to numerous disputes (e.g. in case of an employee leaving the employer or a customer lodging claims against the company) and such operators generally have a hard time proving that such provision of information took place and included all the elements required by the GDPR and the respective provisions of Hungarian monitoring laws. The provision of only oral information also deprives the individuals the chance of easily revising a documented privacy policy related to data processing by CCTV and of being aware of the exact locations monitored.
Another key issue lies in the legal basis of the related data processing. The most common legal basis in case of operating a CCTV system is the legitimate interest of the controller operating it. Controllers often face harsdhips, however, in demonstrating such legitimate interest. In its decision published last year, the Hungarian DPA highlighted, for example, that the operation of a CCTV system cannot be used to prevent disputes in a retirement home between patients and staff members, since other means are at hand, which provide less invasion into the privacy of the individuals monitored. The Hungarian DPA also highlighted many times that a CCTV system cannot be used to assess the quality of work in case of employees (e.g. whether the employee is properly dressed or works efficiently), since such practice leads to an invasion of the employees’ privacy and the interests of the employee hugely outweigh the employer’s economic interests in such a case.
With regard to the above practice, it is highlighly recommended for controllers to carefully assess whether monitoring a given area is necessary to protect their legitimate interests and what arguments they can provide to prove that. In case of using a CCTV system for the purpose of property protection (e.g. monitoring goods or equipment in a warehouse), it is a good practice for the controller to give examples in the legitimate interest test from the recent past of related crimes (e.g. burglary or theft) that took place in the area or to detail security concerns, which necessitate the operation of a CCTV system.
With regard to the above, it can be highlighted that controllers are required to carefully plan their data processing by CCTV with respect to each area monitored. Providing documented information to individuals visiting such areas and being able to prove the necessity of the operation are the cornerstone of compliance, as well as the internal training of employees operating the system and having access to such recordings on the data protection aspects of their activity and on the rights of the individuals concerned.
Article provided by INPLP member: Kinga Madocsai (SimpLEGAL, Hungary)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)