Rules for camera surveillance for organisations
Does your organisation want to use camera surveillance to protect property, personnel or buildings? In that case, the General Data Protection Regulation (GDPR) sets requirements for this. On this page you can read what the rules are.
On this page
Legal basis is necessary
You must have a legal basis for camera surveillance. If it concerns the security of property and personnel, the legal basis often is that of legitimate interest. For example, to prevent theft. Or to protect people, such as your customers, visitors, employees, students or patients.
Camera surveillance must be the only option
Camera surveillance must be necessary. This means that you cannot achieve the purpose in any other way. Is there another option that is less intrusive for privacy? You have to check that first.
Also, camera surveillance should not be an isolated matter. It must be part of a total set of measures.
Performing DPIA in the event of a high privacy risk
If the data processing is likely to pose a major privacy risk to the people you film, you are obliged to perform a data protection impact assessment (DPIA) first.
In the following two situations, a DPIA is always necessary. Even if you believe that camera surveillance does not pose a major privacy risk. These are:
- In the case of large-scale and/or systematic camera surveillance to prevent theft or protect people. This is true if, for example, you use camera surveillance for this purpose on a permanent basis or for a longer period of time.
- In the case you want to use a hidden camera (covert camera surveillance). This also applies if the covert camera surveillance is temporary (and therefore not of a permanent or long-term nature).
Requesting consent from works council or employee participation council
If the camera surveillance is aimed at your employees, you must discuss the plans with the works council first.
If the camera surveillance is aimed at your teachers and/or students, you must discuss the plans with the employee participation council first.
The works council or employee participation council must have approved the cameras before you can start camera surveillance.
Taking privacy rights into account
You must ensure that people know a camera has been installed and for what purpose. For example, by putting up signs.
In addition, under the GDPR, the people you are filming have the following privacy rights:
- the right to view data (camera images);
- the right to be forgotten (deletion of camera images);
- the right to restriction of processing;
- the right to object to the use of personal data.
Retention period for camera images: no longer than necessary
You may not retain the camera images longer than necessary. If the camera has captured an incident such as theft, you may retain these images until the incident has been resolved.
Hidden cameras: dos and don’ts
Normally, you are not permitted to use hidden cameras. But if you have clear suspicions of, for example, theft or fraud by employees or students, you may use a hidden camera under certain conditions:
- Despite your best efforts, you are unable to put an end to the theft or fraud.
- Monitoring with the hidden camera is temporary. Permanent covert camera surveillance is not permitted.
- The invasion of the privacy of the people you film is as minor as possible. Cameras are not allowed in fitting rooms, changing rooms or toilets.
- You have informed your customers, visitors, employees, students or patients in advance that hidden cameras may be installed in certain situations (theft or fraud). This can be done in the staff rules or camera surveillance regulations.
- If it concerns camera surveillance of employees and/or students, you must have asked for consent from the works council or employee participation council for an arrangement about the use of hidden cameras. And you must inform the employees and/or students involved afterwards about the use of the hidden camera.
- You have performed a DPIA.
- Did the DPIA show that the intended use of hidden cameras entails a great privacy risk? And are you unable to find measures to mitigate this risk? Then you have to consult with the Dutch Data Protection Authority (DPA) before you start processing. This is called prior consultation.