Video surveillance and personal data protection guide




Video surveillance and personal data protection guide INFORMATION SECURITY OBSERVATORY

Edition: June 2011

The National Institute of Communication Technologies (INTECO), public cooperation assigned to the Ministry of Industry, Tourism and Trade through the State Secretariat for Telecommunications and Information Society, is a platform for developing the Knowledge Society through projects in the area of innovation and technology. The mission of INTECO is to provide value and innovation to individuals, SMEs, Public Authorities and the information technology sector through developing projects which contribute towards increasing confidence in our country's Information Society services, while also promoting an international course of participation. For this purpose, INTECO will establish the following course of action: Technology Security, Accessibility, ICT Quality and Training.

The Information Security Observatory (http://observatorio.inteco.es) falls within INTECO's strategic course of action concerning Technological Security, and is a national and international icon in serving Spanish citizens, companies and authorities in order to describe, analyse, assess and disseminate the Information Society's culture of security and trust.

More information: www.inteco.es

Anova IT Consulting is a leading Spanish technological company in the fields of business and technology strategy solutions, security, video surveillance solutions and technological solutions for the tourism sector, digital content and training. It carries out its activity in the fields of public administration, telecommunications, defence, energy and banking and it specializes in the development of mobility systems, information security, support offices for innovation and ICT training. It collaborates with national and international R & D institutions, bringing the experience and knowledge accrued by its researchers and consultants, promoting technological innovation through the transfer of this knowledge, with the aim of providing the best solutions adapted to the needs of its clients, efficiently and flexibly.

More information: http://www.anovagroup.es

Contents

1. INTRODUCTION
1.1 WHAT IS VIDEO SURVEILLANCE?
1.2 PURPOSES OF VIDEO SURVEILLANCE
2. LEGALLY-PROTECTED RIGHTS AFFECTED AND APPLICABLE REGULATIONS
2.1 AFFECTED LEGALLY-PROTECTED RIGHTS
2.2 APPLICABLE REGULATIONS FOR VIDEO SURVEILLANCE
3. IMAGE PROCESSING PRINCIPLES
4. INDIVIDUAL RIGHTS AFFECTED BY VIDEO SURVEILLANCE SYSTEMS
4.1 RIGHT TO BE INFORMED
4.2 RIGHTS OF ACCESS, RECTIFICATION, CANCELLATION AND OPPOSITION
5. DATA-PROTECTION OBLIGATIONS OF THE CONTROLLER
5.1 VIDEO SURVEILLANCE INFORMATION
5.2 REGISTER OF INFORMATION
5.3 ACCESS TO INFORMATION BY THIRD PARTIES
5.4 INFORMATION SECURITY
5.5 CANCELLATION OF IMAGES
5.6 SUMMARY TABLE
6. PURPOSES OF VIDEO SURVEILLANCE
6.1 VIDEO SURVEILLANCE FOR THE SECURITY OF INDIVIDUALS AND PROPERTY
6.2 VIDEO SURVEILLANCE FOR BUSINESS CONTROL PURPOSES
6.3 OTHER FIELDS OF VIDEO SURVEILLANCE

1. INTRODUCTION

1.1 WHAT IS VIDEO SURVEILLANCE?

The installation of video cameras to observe everything that happens in the surroundings has become very common today, both in specific premises and on our streets. Video surveillance comprises any activity that involves installing a fixed or mobile recording camera with the aim of ensuring the security of a building or individuals, ensuring that workers comply with their work obligations, or being useful in diverse areas.

A video surveillance system is basically made up of a device that takes a picture (e.g. a camera), one that displays it (e.g. a screen) and one that stores it (e.g. a hard disk). In order to use the captured image immediately or at a later date, it has to be transferred to the display device and to the storage device respectively. Below is a diagram of the way a surveillance system based on cameras works:

Illustration 1: Video Surveillance System

Technological progress, which has led to a drop in the prices of processing systems and to the development of video-based surveillance systems, together with the extension of IP technology, has made camera systems easy to distribute and install, enabling them to become well-established.

1.2 PURPOSES OF VIDEO SURVEILLANCE

The chief aim of video surveillance is to capture and/or process images to guarantee the security of property and individuals. However, the proliferation of these systems has widened the scope of application. The main ones are outlined below:

- For security purposes of individuals and property. This purpose includes capturing images to control public safety, road safety, sporting events, access to private areas, etc.
- For use in business settings for work-control purposes. In this case, cameras are used to provide employers with information regarding employee compliance with obligations and duties. This verification method does have its limitations and cannot be carried out in a manner that threatens the employees' rights to privacy.
- Other purposes. The increase in popularity of these systems has prompted their use in other fields such as tourism promotion, research, behavioural studies, etc.

The use of images containing identifiable people in the various fields of activity has a series of legal implications. Firstly, anonymous people have the specific right to not be filmed in public places (nor private ones obviously) unless the filming is covered by the fundamental right to freedom of expression (article 20 of the Spanish Constitution), which includes image rights with the economic element preventing commercial exploitation without the individual's permission.

This principle is based on the fact that capturing an image of a recognisable person constitutes personal data and must, therefore, be treated in compliance with relevant data protection laws. Nevertheless, video recording of the street and of passers-by is allowed in certain cases for security reasons.

The following chapters explain the legally-protected rights affected by this activity, the applicable regulations and the general rules that must be applied, the duties of the controllers and the rights of the citizens whose image is captured by a video surveillance system. Based on this, each particular field is described in more detail and a series of cases are established, such as capturing images in a community of residents, at a sporting event, in shopping centres, or in a work-control setting in a company, amongst others. An explanation is given regarding the specific obligations that the controller of the video surveillance system in each of the cases should be aware of, in order to carry out this activity in compliance with the law and, especially, with the data subject's rights.

2. LEGALLY-PROTECTED RIGHTS AFFECTED AND APPLICABLE REGULATIONS

Video surveillance involves capturing and, as the case may be, recording personal information in the form of images. In other words, people may appear in images and be identifiable. This may lead to an invasion of privacy and failure to comply with the data protection law. Current laws regarding the application and treatment of video surveillance establish the framework for the effective protection of these rights in the various fields in which it is carried out.

2.1 AFFECTED LEGALLY-PROTECTED RIGHTS

2.1.1 Privacy, honour and self-image

The right to one's privacy, honour and self-image is guaranteed under section 18.1 of the Spanish Constitution and established by Organic Law 1/1982, of 5 May, on Civil Protection of the Right to Honour, Personal and Family Privacy and Image. This law focuses on the civil protection of these rights against all interferences, notwithstanding the existence of a series of offences that protect these legal rights from a criminal perspective [1].

Those responsible must avoid installing video surveillance cameras in private areas (changing rooms, bathrooms, etc.); otherwise they may infringe upon the individual's privacy rights.

2.1.2 Data protection

If a person is identifiable or could easily be identified from an image, this is considered personal data. Data protection principles must be applied to the field of video surveillance whenever technical means are used to record, capture, process, store and broadcast images of identifiable individuals, be it live or pre-recorded. This obligation is not applicable in the following situations:

- When filming in personal or family surroundings, for example family celebrations, providing the setting remains personal. Internet broadcasting of personal or family recordings would mean going beyond these limits.
- When performing informative tasks carried out by media professionals based on article 20 of the Constitution for freedom of information.

[1] With regard to video surveillance, the High Court (STS 7549/2010) ruled that installing security cameras that viewed and recorded three doors of a neighbouring property, and therefore the neighbours' comings and goings, violated their right to privacy. This ruling confirmed a previous one by the Santa Cruz de Tenerife Court, which observed the neighbour's right to privacy and sentenced the defendant to remove the video cameras and to compensate him for moral damages suffered. In compliance with the Constitutional Court's doctrine regarding the judgement of proportionality on the restriction of fundamental rights, the High Court concluded that the measure adopted was not proportionate for the intended security purpose, given that in order to guarantee security, another person's privacy was invaded.

2.2 APPLICABLE REGULATIONS FOR VIDEO SURVEILLANCE

This chapter includes the applicable legal regulations which must be complied with when using and processing video surveillance. Specifically, it firstly lists those relevant to the protection of privacy and data subject protection, on a general basis whenever images of people are captured and processed. Secondly, regulations regarding video surveillance for security purposes are listed. And lastly, regulations for work-control video surveillance are included.

2.2.1 Right to one's honour, privacy and data protection

- Spanish Constitution. In particular, article 18.1 covers the right to privacy of individuals and the right to data protection.
- Organic Law 1/1982, of 5 May, on Civil Protection of the Right to Honour, Personal and Family Privacy and One's Own Image.
- Organic Law 1/1996, of 15 January, on the Legal Protection of Minors with regards to the minors' right to honour, personal and family privacy and to the child's image.

2.2.2 Right to the protection of personal data

- Spanish Constitution. In particular, article 18.3 covers the right to privacy of individuals and the right to data protection.
- Organic Law 15/1999, of 13 December, on the Protection of Personal Data (LOPD in short).
- Royal Decree 1720/2007, of 21 December, of the regulation on the Protection of Personal Data (LOPD).

- Instruction 1/2006, of 15 December, for video surveillance, Spanish Data Protection Authority (AEPD).
- Law 32/2010, of 1 October, of the Catalan Data Protection Authority.
- Instruction 1/2009, of 10 February 2009, of the Catalan Data Protection Agency, for the handling of personal data using cameras for video surveillance purposes.
- Recommendation 1/2011, on the creation, modification and deletion of publicly-owned personal data files, by the Catalan Data Protection Authority.
- Law 8/2001, of 13 July, of the Protection of Personal Data in the Community of Madrid.
- Instruction 1/2007, of 16 May, of the Protection of Personal Data in the Community of Madrid, for the processing of personal data obtained using cameras or video systems in public bodies and Administrations in the Community of Madrid.

2.2.3 Security regulation

- Organic Law 1/1992, of 21 February, on the Protection of Citizen Security, modified by Law 10/1999 of 21 April.
- Law 23/1992 of 20 July, for Private Security, according to modifications to Royal Decree-law 2/1999, of 29 January, Royal Decree-law 8/2007, of 14 September, Law 14/2000, of 29 December, for tax, administration and social order Measures and Law 25/2009, of 22 December amending various Laws to bring them in line with the Law on free access to service activities and the exercise thereof (Omnibus Law).
- Royal Decree 2364/1994 of 9 December, approving the Regulations for Private Security, modified by Royal Decree 4/2008, of 11 January; Royal Decree 1628/2009, of 30 October; and Royal Decree 195/2010, of 26 February that adapts it to amendments introduced in Law 23/1992, by Law 25/2009, of 22 December.
- Royal Decree 938/1997, of 20 June, which completes the Regulation of authorization requirements for security companies and private security personnel.

- Organic Law 4/1997 of 4 August, which governs the use of video cameras by Law Enforcement Authorities in public places [2].
- Royal Decree 596/99 of 16 April, approving the Regulation for the development and execution of Organic Law 4/1997.
- INT/314/2011 Order, of 1 February, on private security companies.
- INT/317/2011 Order, of 1 February, on private security measures.
- INT/318/2011 Order, of 1 February, on private security personnel.

2.2.4 Labour regulation

- Royal Legislative Decree 1/1995 of 24 March, approving the revised text of the Workers Statute.

[2] Law Enforcement Authorities, according to Organic Law 2/1986, of 13 March, on Law Enforcement Authorities, in article 2, are: i) Security Forces and Agencies under the authority of the Government; ii) Police Forces under the authority of Autonomous Regions; iii) Police Forces under the authority of Local Corporations.

3. IMAGE PROCESSING PRINCIPLES

Any person or company that installs a video surveillance system to capture or process images in which identifiable people may appear must abide by some general principles of conduct in accordance with data protection laws and the Spanish Data Protection Authority's (AEPD) Circulars and Resolutions [3]. The following principles are defined:

- Quality. Images obtained must be suitable, relevant and never excessive with regards to the purpose for the installation of cameras.
- Proportionality. The controller must give the sought objective, and the possible effects on the individuals involved, much thought to ensure that there is no other less invasive method to fulfil the same purpose. For example, using video cameras to film on the street without respecting the proportionality principle could lead to heavy fines [4].
- Purpose. The purposes sought must be clearly defined in the processing of personal data.
- Authentication. This principle requires that controllers obtain permission from the data subject in order to capture their personal image. For video recordings of children under the age of 14, permission must be obtained from their parents or legal guardians (Article 13 of the RDLOPD). However, there are particular situations that do not require this authorization. Specifically, permission is not required:
  o If there is a law which indicates that authorization is not compulsory. Organic Law 4/1997 regulates the installation of video cameras and recordings carried out by Law Enforcement Authorities in open or enclosed public places, for purposes of citizen protection. Also, article 20 of the Statute of Worker's Rights allows employers to use the systems they deem necessary in order to verify the correct execution of works carried out by employees, including filming and/or processing of images without authorization from the employees, with certain restrictions.
  o If there is a legal relation stating exemption and an image is required in order to maintain or comply with this, if it forms part of the public Administration functions or is in the interest of the data subject.
  Other than these exceptions, if the controller does not request authorization, he could face heavy fines according to the LOPD.
- Information. The data subject whose image is going to be used by the video surveillance systems must be informed of this before this is carried out.
- Security. The processing controller must establish rules, procedures and actions that guarantee that the information contained in the images will be accessible only to authorized individuals or companies.
- Duty of Secrecy. Individuals taking part in the processing of images of other individuals captured by video surveillance systems must respect the confidentiality of the personal data that they access during this process.

[3] Source: Data Protection Authority, AEPD (2009) Video Surveillance Guide; (2009) Sectoral Inspection Internet Video Cameras.

[4] The Sustainable Economy Act has modified some sections of the LOPD that affect the finable offence system as follows:
- The minor fine for "Not attending, for reliable motives, the request by the interested party to rectify or cancel the processed personal data when legally required" and the possibility of breaching the duty of secrecy as a minor offence. Breaches of the duty to maintain secrecy will become serious offences; therefore a very serious breach of the duty to maintain secrecy will not be possible.
- A further minor offence is added: "The transfer of data to a processing manager without complying with the reliable duties established in Article 12 of this Law."
- With regard to serious offences, the most relevant point is that the transfer of data will be punished as a serious offence, leaving the rating of very serious for specific cases.
- A new serious offence is added: "Non-compliance with the remaining notification or requirement duties imposed by this Law and its implementing regulations."
- Very serious offences are simplified and considerably reduced.
- Fine totals are modified: minor offences will be fined between 900 and 40,000 euros; serious offences will be fined between 40,001 and 300,000 euros; and very serious offences will be fined between 300,001 and 600,000 euros.
- New standards are introduced in order to adjust fines, including those related to the volume of the offender's business or activity and objective mitigating circumstances.

4. INDIVIDUAL RIGHTS AFFECTED BY VIDEO SURVEILLANCE SYSTEMS

The use of video surveillance systems in order to capture, record or reproduce images relative to identifiable individuals constitutes a practice which may affect the privacy of these people. Nevertheless, those individuals affected by video recordings must be informed beforehand that they are going to be the object of this action, in which case they can exercise their rights to access, rectify, cancel and oppose this act, as well as demand compensation for damages incurred by unsuitable handling of their image.

4.1 RIGHT TO BE INFORMED

Those individuals exposed to video surveillance must be expressly, precisely and unmistakably informed of the installation of the systems, the area they will monitor, the controller for the installation and the actions that can be carried out by the individuals whose images have been processed.

This right goes together with the duty of the controllers to inform those who may be surveyed by video in the terms established in chapter 5.1, Video surveillance information.

Those who wish to consult the information available regarding the installation of video surveillance may do so in the following areas:

- In the signs placed in the areas filmed, which inform people of the activity being carried out.
- In the information leaflets provided by the controller for the installation.

These documents certify the existence of a file with the images processed (as they are considered personal data), as well as the identity and contact details of the controller for this data.

4.2 RIGHTS OF ACCESS, RECTIFICATION, CANCELLATION AND OPPOSITION

People may exercise their rights of access, rectification, cancellation and opposition (ARCO) to the processing of images captured by the video surveillance systems that they appear in. The controller for the file must have standard application forms and provide these to individuals that request them so that they may exercise their ARCO rights. More specifically, these rights consist of:

- Right to access. That is, to images with personal data. Those individuals who wish to access the registers must provide a current image for the controller to verify their presence in the file. This access must be carried out in a manner that does not affect the right of third parties who may also appear in these recordings. In this sense, the person responsible must be meticulous and provide solely the essential information for the interested party to exercise this right, by means of a written certificate specifying the images that have been processed.
- Right to cancellation. In conformity with Instruction 1/2006 of the AEPD [5], as well as the corresponding laws of the autonomous Agencies, the images must be cancelled within a maximum term of one month from their capture. Once this term is over the images must be cancelled, which implies their blocking, so that they are available only to the Public Administrations, Judges and Courts, in order to deal with possible liabilities derived from their processing, within the limitation period. In those cases in which the person responsible establishes that a crime or administrative infraction has been recorded, and reports this situation, he/she will have to preserve the images to put them at the disposal of the competent Authority.

Should any of these rights be denied, the person affected may file a formal complaint before the corresponding data protection Authority.

[5] The AEPD has followed the same criterion as that fixed in Article 8 of Organic Law 4/1997 of 4 August, which specifically regulates the installation of video cameras and recordings carried out by the Law Enforcement Authorities.

5. DATA-PROTECTION OBLIGATIONS OF THE CONTROLLER

The video surveillance controller is the physical or legal, public or private person or administrative body that makes decisions regarding the use of recorded images.

All those who take images that may contain identifiable people must follow and comply with the obligations stated by the Spanish Data Protection Authority (AEPD) regarding the processing of personal data for surveillance purposes by means of camera or video camera systems (Instruction 1/2006), in the LOPD and in its implementing regulations.

The AEPD, and the equivalent autonomic Authority in turn, provide the interested parties with forms that ensure compliance with obligations in the different stages of the video surveillance process. This chapter includes links to the corresponding web pages [6].

5.1 VIDEO SURVEILLANCE INFORMATION

The right to information obliges the video surveillance controller to inform individuals that surveillance is taking place and of the area where it is taking place, and to provide relevant information regarding the surveillance system. This controller is also in charge of the file containing the processing of personal data from this activity.

In order to inform of the existence of video surveillance systems, specific signs are required based on the model provided by the AEPD and the equivalent autonomic Authorities. This sign must at least be placed wherever the video cameras are installed. People that can be monitored by these devices must be aware that this type of activity is taking place.

Illustration 2: Informative sign provided by the AEPD in Instruction 1/2006

[6] Spanish Data Protection Authority: www.agdp.es; Catalan Data Protection Authority: www.apd.cat; Data Protection Agency of the Community of Madrid: www.apdcm.org; Basque Data Protection Agency: www.avpd.euskadi.net

The controller must also have printed hand-outs available for all those interested, including information regarding system characteristics:
- Existence of a file or processing of personal data, the reason for capturing images and the final recipient of the recording or the resulting information.
- The identity and contact details of the processing controller, so that anybody can access them.

The processing controller must also provide forms and procedures for the data subject to exercise the rights of access, rectification, cancellation and opposition (ARCO). If there are no forms readily available, he must have the means to print them and provide the data subject with them.

These obligatory measures do not rule out the use of other methods of informing people that images are being captured and of the correct processing of these. For example, a company web page can inform clients of this surveillance system in the premises, specific methods may be used for the partially sighted, etc.

If the controller does not inform citizens of the existence of video surveillance systems, he/she could be subject to a minor fine. Also, if the controller does not provide and guarantee the rights of access, rectification, opposition and cancellation to those who request them, he/she could face a minor fine.

5.2 REGISTER OF INFORMATION

The processing of images via video surveillance means that these images must be kept in a file. A file is an organized group of personal data, created in any manner, stored, organized and accessed, in the terms of Article 3 of the LOPD.

Before proceeding with processing data, the controller (in other words, the image processing controller) must notify the Spanish Data Protection Authority or the corresponding autonomic authority (files of public ownership) so that the file is entered in the corresponding registry. This duty to inform of the file exists whenever data is processed, even when the cameras are not recording but only monitoring or broadcasting live images.
Failure to comply with this duty will be subject to a minor fine.

The creation, modification or deletion of the public Administration files (e.g. arising from video surveillance by Law Enforcement Authorities) can only be carried out by means of general regulations published in the Spanish Official Gazette or the relevant official journal (Art 20 LOPD).

5.3 ACCESS TO INFORMATION BY THIRD PARTIES

When the video surveillance system controller (the person responsible for the file or data processing) hires an external security company to install the system and process images, this company becomes administrator and can also be held responsible. Therefore, the administrator can be held responsible for improper use, by not respecting the instructions of the person responsible for the file.

When images are captured and stored for any purpose and an external company is in charge of the data processing, the controller must:
- Ensure that the external company in charge of processing complies with the obligations established by the LOPD.
- Sign a contract establishing this service and the relationship between the controller and the person in charge of processing.
- Cancel images once the contract has expired.
- Ensure that the person in charge does not again subcontract the data processing, unless they are expressly authorised to do so.

The contract that regulates the processing of images by third parties is established in the RDLOPD, with the following main characteristics:
- To identify the purpose of the processing of data by the administrator.
- To expressly establish that the processing of data is carried out in compliance with the controller's instructions and that the data are not used for any purpose other than that stipulated in the contract.
- To stipulate the security measures the administrator must fulfil.

The installation of video surveillance for security purposes is regulated by Royal Decree 2364/1994, which approves the Private Security Regulation. This regulation, which has been recently modified by the law known as the Omnibus Law, requires that the installation and processing be carried out by a security company authorized by the Interior Ministry, provided the surveillance system is connected to an alarm centre 7.
In this particular case, a security service contract must be formalized and the relevant authority must be informed. Capturing images for private security purposes without authorization, or without employing the services of a security company when the system is going to be connected to an alarm centre, is subject to punishment, both by the AEPD and under private security regulations.

7 Source: Legal Department for the Spanish Data Protection Authority (2009). Report 0650/2009. Available at: http://www.agpd.es/portalwebagpd/canaldocumentacion/informes_juridicos/videovigilancia/common/pdfs/2009-0650_modificaci-oo-n-de-los-sistemas-de-videovigilancia-por-la-ley--oo-mnibus.pdf

5.4 INFORMATION SECURITY

The processing and image access controller, be this the interested party or the security company contracted for this purpose, is responsible for adopting, or ordering the adoption of, the necessary technical and organizational measures that guarantee the security of the images against modification, loss or unlawful access. They must also inform people with access to the images of their security obligations and their duty of confidentiality regarding the available data.

Various levels of security 8 are established according to the personal data contained in the images: basic, medium and high. Each level establishes measures to ensure confidentiality and integrity criteria for the information.
- The basic measures apply whenever there is processing of personal data. These measures refer to identification and authenticity, software management, backup copies, file criteria, security controller, staff, incidents, access control, storage, software custody, copies or reproductions, auditing, telecommunications and transfer of documentation.
- Medium level measures include the basic level criteria and add others that involve fulfilling a higher standard of confidentiality and integrity for the information with regard to identification, software management, controller, incidents, access control and auditing.
- The high level measures cover the medium and basic ones and entail the fulfilment of the given criteria at their maximum level. They refer to access control, software management, backup copies, storage, copy or reproduction, telecommunications and transfer of documentation.
Also, any system of this type must have a security document that sets out the protocols and procedures for the correct custody of personal data.

8 For more information on specific measures: https://www.agpd.es/portalwebagpd/canaldocumentacion/publicaciones/common/guias/guia_seguridad_2010.pdf

If these measures to guarantee the security of the data are not applied and set out in a security document, this may be considered a serious infringement and be fined.

5.5 CANCELLATION OF IMAGES

The processing controller must eliminate the stored images within a maximum deadline of one month from the date the images are captured. Before reaching this deadline, the filed images must be cancelled or access to them must be blocked. Remember that they must only be kept when a crime or an offence has been registered, for the Law Enforcement Authorities, Public Administrations, Judges and Courts to access them.

5.6 SUMMARY TABLE

The following table summarizes the obligations of the data protection controllers, taken from the related regulations: the LOPD and its implementing Regulation, and Instruction 1/2006.

Table 1: Personal data related obligations for the video surveillance controller

| Obligation | Specific actions. The controller must: |
|---|---|
| Video surveillance information | Place informative signs in the access to buildings. Provide data subject with printed information regarding the system. Provide data subject with forms to exercise their right to access, rectification, cancellation and opposition. |
| Register of information | Creation of a file regarding the video surveillance system and the processing and registration of the images before the AEPD/corresponding autonomic authority. Public ownership files require prior official notification. |
| Access to information by third parties | Sign a contract that regulates access to the images by third parties. |
| Information security | Draw up a Security document with technical and organizational measures. |
| Cancellation of images | Elimination of images within a maximum of 30 days. |

Source: INTECO

6. PURPOSES OF VIDEO SURVEILLANCE

For information purposes, below is a detailed explanation of the most common uses of video surveillance systems 9, the regulation applicable to each case and who is responsible for ensuring that the regulation is correctly fulfilled.

6.1 VIDEO SURVEILLANCE FOR THE SECURITY OF INDIVIDUALS AND PROPERTY

The most common purpose for video surveillance today is to protect areas and people within the area monitored. There are basically two rules which, together with those relevant to data protection, regulate the use of cameras for security purposes. On the one hand, Organic Law 4/1997 regulates the installation of video cameras and recordings carried out by Law Enforcement Authorities in open or enclosed public places. On the other, Royal Decree 2364/1994 approving the Private Security Regulation regulates companies authorized for the installation of video surveillance systems in private areas.

6.1.1 Public security

Video surveillance carried out by the Law Enforcement Authorities aims at guaranteeing public safety, as well as preventing crime and offences related to public safety.

1) Video surveillance system and processing controller: the Autonomous Regions are authorized to regulate and allow the Law Enforcement Agencies to use video cameras in this case, as well as to take custody of the recordings and control image access.
2) Applicable regulation:
- Organic Law 4/1997 of 4 August specifically regulates the installation of video cameras and recordings carried out by the Law Enforcement Authorities.
- The LOPD and Instruction 1/2006.

9 Although not exclusively, the applications outlined in the AEPD's Video Surveillance Guide have been taken into account for the elaboration of this chapter.

3) Obligations of the controllers:
Organic Law 4/1997 stipulates:
- Authorization for the installation of fixed and mobile cameras.
- Provide Public Administrations, Judges and Courts with the images captured.
- Offences and fines related to the development of police activity.
The LOPD and Instruction 1/2006 complement the above, noting:
- General data protection obligations according to the general obligations of the video surveillance system controller 10.
- Creation of files by means of general regulations published in a daily journal.
4) Example: video surveillance in public buildings or events such as official celebrations.

6.1.2 Road safety

The object of this type of system is to control, regulate, monitor and discipline traffic, as well as road safety.

1) Video surveillance system and processing controller: Public Administrations authorized to regulate traffic and enable the installation and use of video cameras.
2) Applicable regulation:
- Organic Law 4/1997 of 4 August, in its eighth additional provision, considers the controller to be the person in charge of carrying out the installation and use of video cameras and any other means to capture and reproduce images for the control, regulation, monitoring and discipline of traffic.
- Law 18/1989 of 25 July for Motor Vehicle Traffic and Road Safety, approved by Royal Decree Legislation 339/1990 of 2 March, in its Title I refers to the authorities with the power for carrying out and coordinating motor vehicle traffic and road safety issues.
- The LOPD and Instruction 1/2006.
3) Obligations of the controllers:
Organic Law 4/1997 stipulates:
- Authorization for the installation of fixed and mobile cameras.
- Identification of public roads.
- Measures that guarantee the availability, confidentiality and integrity of the images.
- The body in charge of the custody and processing.
- Provide Public Administrations, Judges and Courts with the images captured.
The LOPD and Instruction 1/2006 complement the above, noting:
- General data protection obligations according to the general obligations of the video surveillance system controller 11.
- Creation of files by means of general regulations published in a daily journal.
4) Example: cameras installed in specific points on road networks.

6.1.3 Security at sporting events

Sporting events bring together a huge number of fans in an enclosed area. In order to prevent security incidents, video surveillance is used as a tool to control access to the building and for surveillance during the gathering. Cameras are installed inside and outside the buildings, covering access areas and the stands where the event is taking place.

10 See Table 1
11 See Table 1

1) Video surveillance system and processing controller: the sports club is responsible. If the images are accessed by an external security company, the person in charge of processing will be responsible should they be used unlawfully.
2) Applicable regulation:
- Royal Decree 203/2010 authorizes the installation of video surveillance systems to prevent violence during sporting events.
- The LOPD and Instruction 1/2006 regarding the processing of captured images.
3) Obligations of controllers:
- Royal Decree 203/2010 authorizes the installation and filming via fixed or mobile cameras in specific exterior and interior areas of the stadium such as entrances and stands.
- General data protection obligations according to the general obligations of the video surveillance system controller 12.
4) Example: detection of individuals suspected to be carrying dangerous objects posing a threat to security when accessing the building.

6.1.4 Private security with access to public roads

Video recording of the street and of passers-by is allowed in some cases for security purposes. The legal standing for the use of video surveillance systems adheres to the protection of private areas. The Law Enforcement Authorities are responsible for preventing crime and guaranteeing safety on the streets. Therefore, cameras and video cameras installed in private areas cannot capture images of public areas unless it is essential for the surveillance purpose intended or it cannot be avoided given the position of the cameras.

In any case, all processing that is unnecessary for the ultimate purpose must be avoided. That way, the person responsible for the file will adapt the use of the system so that it has a minimum effect on the rights of passers-by. In no case will surveillance practices beyond the areas for which the system was installed be allowed, particularly the surrounding public areas, adjoining buildings and vehicles other than those that access the monitored area.
12 See Table 1

1) Video surveillance system and processing controller: the titleholder of the file.
2) Applicable regulation:
- Royal Decree 2364/1994 Regulation developing Private Security.
- Organic Law 4/1997 of 4 August establishes that the job of guaranteeing public safety corresponds exclusively to the Law Enforcement Authorities and specifically regulates the use of video cameras and recordings by Law Enforcement Authorities.
- The LOPD and Instruction 1/2006 regarding the processing of captured images. This legislation must be applied together with the Regulation for Private Security.
3) Obligations of controllers:
- Royal Decree 2364/1994 stipulates that security systems must be carried out by a company authorized by the Interior Ministry, whenever it is connected to an alarm centre.
- Under Organic Law 4/1997 capturing images on the public thoroughfare is not permitted, except in specific cases when it is essential for surveillance purposes.
4) Example: a company installs cameras to secure the entrance to a warehouse. The area filmed must not include part of the street, solely and exclusively the warehouse entrances.

6.1.5 Security in shopping centres and recreational areas

The use of cameras in the entrances to public and private buildings is increasingly common. These systems process information about people who access the buildings.

1) Video surveillance system and processing controller: The file controller is the company administrating the games room, and which pays for the security service.
2) Applicable regulation:
- Royal Decree 2364/1994 Regulation developing Private Security.

- The LOPD and Instruction 1/2006 regarding the processing of captured images.
- Instruction 1/1996 regulates the files established in the access to buildings.
- Instruction 2/1996 regulates the files established in the access to casinos and bingo halls.
3) Obligations of controllers:
- Royal Decree 2364/1994 stipulates that security systems must be controlled by a company authorized by the Interior Ministry, whenever it is connected to an alarm centre.
- General data protection obligations according to the general obligations of the video surveillance system controller 13.
- Instruction 1/1996 stipulates: data cannot be used for any purpose other than controlling access; data cannot be transferred to third parties unless the data subject has given consent.
- Instruction 2/1996 stipulates that data will be destroyed within 6 months of when it was last accessed.
4) Example: one of the most obvious examples is the installation of video surveillance cameras in jewellery shops, casinos and games rooms, etc., as these places require high security measures.

6.1.6 Security in financial institutions

The exceptional security conditions in banks, savings banks and other credit institutions require cameras to be installed in these buildings.

1) Video surveillance system and processing controller: the financial institution.

13 See Table 1

2) Applicable regulation:
- Royal Decree 2364/1994 Regulation developing Private Security.
- The LOPD and Instruction 1/2006 regarding the processing of captured images. This legislation must be applied together with the Regulation for Private Security.
3) Obligations of controllers:
The Private Security Regulation (Art 120) includes a series of specific obligations:
- Images will be exclusively provided to Law Enforcement Authorities and Public Administrations, Judges, Courts, immediately providing those that are relevant to criminal offences.
- Access to the recordings will be considered confidential, exclusively for Law Enforcement Authorities and Judges and Courts and solely for identifying the perpetrators of crimes against people and against property and, as the case may be, for inspection by the Spanish Data Protection Authority, in exercise of its powers.
- No employee of the financial institution will be able to access the recordings except for the Security Directors 14.
- The individual's rights of access cannot be exercised, without prejudice to the fact that the Spanish Data Protection Authority's judicial relief may be referred to.
- The cancellation of images will be carried out within 15 days unless the judicial authorities or the relevant Law Enforcement Authorities stipulate differently.
- The existence of specific information available to the public which may substitute the provisions of Instruction 1/2006.
- General data protection obligations according to the general obligations of the video surveillance system controller 15.

14 Pursuant to the Private Security Act and its implementing Regulation.

4) Example: a financial institution contracts the security protection of a specialized security company.

6.1.7 Security in public transport

The installation of video cameras inside public transport vehicles, such as buses and taxis, increases driver and passenger security.

1) Video surveillance system and processing controller: the owner of the vehicle.
2) Applicable regulation:
- Royal Decree 2364/1994 which stipulates Private Security Regulation.
- The LOPD and Instruction 1/2006 regarding the processing of captured images. This legislation must be applied together with the Regulation for Private Security.
3) Obligations of controllers:
- Royal Decree 2364/1994 stipulates that security installations must be carried out by a company authorized by the Interior Ministry, whenever it is connected to an alarm centre.
- General data protection obligations according to the general obligations of the video surveillance system controller 16.
4) Example: The installation of cameras in taxis is increasingly common to protect the driver from criminals, to identify thieves, etc.

6.1.8 Security in school environments

The installation of video cameras in school environments, where images of minors are involved, must adopt special measures. The purpose of video surveillance is to control behaviour that could affect security.

1) Video surveillance system and processing controller: school or administrating institution.

15 See Table 1
16 See Table 1

2) Applicable regulation:
- Royal Decree 2364/1994 Regulation developing Private Security.
- The LOPD and Instruction 1/2006 regarding the processing of captured images.
3) Obligations of controllers:
- Royal Decree 2364/1994 stipulates that security installations must be carried out by a company authorized by the Interior Ministry, whenever it is connected to an alarm centre.
- LOPD and Instruction 1/2006: General data protection obligations according to the general obligations of the video surveillance system controller 17.
- Given that minors are involved, the proportionality, quality and purpose principles must be rigorously applied. Video cameras can only be installed in entrances, patios or public areas, never in areas protected by the right to privacy, nor, obviously, in areas protected by the right to intimacy such as changing rooms and bathrooms.
4) Example: the use of cameras in a school helps to reduce insecurity in the play areas.

6.1.9 Security in neighbourhood communities

The installation of video recording systems in neighbourhood communities or residential urbanizations must comply with data protection regulation.

1) Video surveillance system and processing controller: the neighbourhood community, the community representative or administrator.
2) Applicable regulation:
- Royal Decree 2364/1994 which stipulates Private Security Regulation.
- The LOPD and Instruction 1/2006 regarding the processing of captured images. This legislation must be applied together with the Regulation for Private Security.

17 See Table 1

3) Obligations of controllers:
- Royal Decree 2364/1994 stipulates that security installations must be carried out by a company authorized by the Interior Ministry, whenever it is connected to an alarm centre.
- LOPD and Instruction 1/2006. General data protection obligations according to the general obligations of the video surveillance system controller 18.
- The specific case of neighbourhood communities where images are not recorded but are broadcast through CCTV will not require a data file to be created and registered.
4) Example: A private neighbourhood community where the video surveillance system is to provide protection for property and individuals.

6.1.10 Security in the home

Images captured by video cameras installed in the home for security purposes are not subject to the LOPD and Instruction 1/2006 19, as they are seen to be carried out in a private or family environment, provided it does not affect staff employed within the home.

6.2 VIDEO SURVEILLANCE FOR BUSINESS CONTROL PURPOSES

6.2.1 Security in the workplace

Article 20.3 of the Worker's Statutes allows employers to install video surveillance systems to verify worker compliance with their work obligations and duties. This practice must respect their right to privacy and must be limited to the legitimate purposes recognised by the Worker's Statutes and current legislation: LOPD and Instruction 1/2006; in this last case, specific applicable provisions must also be complied with.

1) Video surveillance system and processing controller: the company.
2) Applicable regulation:

18 See Table 1
19 See Table 1