The use of CCTV and the Principle of Transparency

Posted in : Business Legal on Data Security on 25 July 2019
David Fagan
Business Legal
Issues covered:

In this Data Protection Update David Fagan of Business Legal considers the use of CCTV and the principle of Transparency and looks at data protection matters across Europe.

The use of CCTV and the principle of Transparency

The French Data Protection Authority CNIL has fined a company €20,000 for constant video footage of employees.

A reminder of the rules of transparency:

Those affected (employees and visitors) must be informed, using a sign visible in the premises under video surveillance.


  • Do you have a clearly defined purpose for installing CCTV?
  • What are you trying to observe taking place?
  • Is the CCTV system to be used for security purposes only?
  • If not, can you justify the other purposes?
  • Will the use of the personal data collected by the CCTV be limited to that original purpose?


  • What is the legal basis for your use of CCTV?
  • Is the legal basis you are relying on the most appropriate one?


  • Can you demonstrate that CCTV is necessary to achieve your goal?
  • Have you considered other solutions that do not collect individuals’ personal data by recording individuals’ movements and actions on a continuous basis?


  • If your CCTV system is to be used for purposes other than security, are you able to demonstrate that those other uses are proportionate? For example, staff monitoring in the workplace is highly intrusive and would need to be justified by reference to special circumstances.
  • Monitoring for health and safety reasons would require evidence that the installation of a CCTV system was proportionate in light of health and safety issues that had arisen prior to the installation of the CCTV system.
  • Will your CCTV recording be measured and reasonable in its impact on the people you record?
  • Will you be recording customers, staff members, the public?
  • Can you still justify your use of CCTV when the effect it will have on other people is considered?
  • Are you able to demonstrate that the serious step involved in installing a CCTV system that collects personal data on a continuous basis is justified?
  • You may need to carry out a Data Protection Impact Assessment to adequately make these assessments.


  • What measures will you put in place to ensure that CCTV recordings are safe and secure, both technically and organisationally?
  • Who will have access to CCTV recordings in your organisation and how will this be managed and recorded?


  • How long will you retain recordings for, taking into account that they should be kept for no longer than is necessary for your original purpose, and DPC Guidance is to retain for no more than 28 days?


  • How will you inform people that you are recording their images and provide them with the other information required under transparency obligations?
  • Have you considered how they can contact you for more information, or to request a copy of a recording?

Here is the CCTV Guidance from the Irish DPC:


Rights Request over CCTV ruling in Denmark:

Danish DPA rules Art 15 not contravened by a refusal to meet a Data Subject Access Request (“DSAR”) for CCTV as it may give insight into television surveillance recordings revealing the location of cameras and any blind spots, and therefore there was a real risk of compromising the safety of the metro rail system.

Metro emphasized in the assessment that complainants had not provided a specific reason for their interest in gaining insight, for example by (parts of) the recordings showing a relationship of particular importance, for example. a fall accident, assault, theft or the like. This is a first, as normally the reason for a DSAR is considered irrelevant by Data Protection Authorities.

Metro Services argued that CCTV can reveal the location of cameras and any blind spots, and therefore there was a real risk of compromising the safety of the metro. Metro Service had, after a "concrete assessment", found that the interest of the data subject in this case had to be weighed against public interest reasons, including public security and / or prevention, investigation, detection or prosecution of criminal offenses or the enforcement of criminal sanctions , including protection against public security.

Metro Service argued that the data subject had not provided a specific reason for wanting the CCTV footage, for example in order to see evidence of a fall, accident, assault, theft etc. such that the rights of the data subject must give way to the overriding consideration of the public safety of the passengers using the metro.

The CNIL in France fines a Property Management Company €400,000 euro

Following the complaint of an individual, the CNIL issued a penalty of €400 000 euro against a property management company for having inadequately protected the data of users of its website.
The decision here:


Old Databases: The importance of having a plan – and sticking to it

The Danish Data Protection Authority recently proposed a fine of DKK1.5m (€200k) for furniture company, IDDesign A/S for failure to delete the personal data of about 385k customers The DPA investigated whether IDDesign had set deadlines for the deletion of customers’ data and whether the deadlines were complied with.

Some furniture stores used an older system that gathered the names, addresses, telephone numbers, e-mail addresses and purchase history of some 385k customers. The personal data in the old system had never been deleted once it was replaced with a new system.

IDDesign did not indicate if the personal data in the old system were still necessary for processing purposes.

Danish DPA Press Release:

EDPB Press Release:


La Liga fined for foul play over its App

The Spanish Data Protection Authority has imposed a fine of €250,000 on La Liga de Fútbol Profesional for violations of the principle of transparency under the GDPR in respect of its mobile app.

The article states that the app, advertised as allowing supporters follow results of games, is actually being used to detect the establishments that screen football matches without paying licence fees.

When installing the application and giving its approval, La Liga can remotely activate the microphone of any user's mobile so that an automatic system detects by the ambient sound if it is in a bar that emits a 'pirate' signal.

The way in which La Liga warned its users of this procedure was been considered ambigous by the DPA and because this "spy function" of the app involves a recording of the environment where the user is and is seen as collecting personal data, the DPA said that La Liga must notify the user not only when installing the app, but every time which activates this data collection.


Technical News: Interesting ruling on what constitutes GDPR data

An recent decision from the Cologne Regional Court about whether the right of access under the GDPR also includes e-mails or internal notes containing personal data relating to the data subject.

Data subjects have a comprehensive right of access to their personal data processed as well as further information under to Art. 15(1)(a – h). Personal data includes name, date of birth, health data, account number, medical records, expert opinions or other comparable communications from other sources.

However, according to the Court, the right of access does not include all internal processes, such as notes, or to the fact that the person concerned can receive all exchanged correspondence, which is already known to the person concerned, reprinted and sent. Legal evaluations or analyses are also not considered personal data.

The right under Art. 15 is not about accounting to the data subject, but rather is intended to ensure that the data subject can assess the scope and content of the stored personal data. Copies of personal data does not mean a copy of the documents containing personal data, but a copy of the personal data itself.

Technical News: Update on Schrems II case on transfers of data side of the EU

The long-awaited Schrems II case on the validity of Standard Contractual Clauses (SCCs) also called Model Clauses, opened last Tuesday in the Court of Justice of the European Union (CJEU).

Essentially the attitude of the participants could be described as follows: –

1. The United States Government and Facebook took the view that “there is nothing to see here”. Both feel that the SCCs and the unrelated transfer mechanism Privacy Shield work perfectly fine, and that the transfers of personal data to the United States were not problematic under EU laws.

2. The complainant, Mr Schrems, and the various EU Governments (including Ireland which made a submission) feel that the SCCs are a valuable transfer mechanism, but that specific transfers do breach EU law, and that the appropriate remedy is to be found under EU law, including the ordering of the suspension of such transfers by the relevant Supervisory Authority (in Ireland the Data Protection Commission). Of course, suspension of the transfer of data outside the EU is very much a nuclear option, as for some businesses, it would effectively close them down overnight. Separately to the SCCs, Mr Schrems believes that Privacy Shield is invalid.

3. The Data Protection Commission (DPC) in Ireland, holds to the view that the SCCs are themselves non-compliant with EU law. As such the DPC has taken a more radical position than the evangelist data privacy campaigner Max Schrems. If the DPC is successful, then the European Commission may have to reformulate the SCCs into a format that is compliant with whatever ruling may be made in this case. 

One positive side-effect of this might be that the SCCs might be brought into line with Article 28 of the GDPR so that there would no longer be a need for a separate Controller – Processor Agreement (as used to be the case prior to the GDPR, when the SCCs met the requirements for what used to have to be contained in a Controller – Processor Agreement).

A decision of the Advocate – General (AG) is expected on 12 December 2019. The full Court of the CJEU does not have to follow the reasoning or decision of the AG, but in practice it generally does. The decision of the full Court is expected in early 2020.

Scary News: notification of massive fines proposed by the ICO in the UK

The Supervisory Authority of the UK, the ICO, has notified two companies of massive administrative fines to be levied against them. The two companies involved have an opportunity to appeal these fines within 28 days, prior to the fines taking effect. Both are now doing so.

Firstly, in the largest fine yet proposed under GDPR, the ICO has given a notice of intention to impose an Administrative Fine of over €200 million on British Airways.

Although this figure is well in excess of the generally quoted maximum penalty of €20 million, it is an example of the ability of Supervisory Authorities to fine up to 4% of Global Annual Turnover. In this instance, fine represents about 1.5% of the global annual turnover of British Airways. It also gives a benchmark as to the level of fine that a Supervisory Authority may be considering in relation to serious breaches of data security.  Thus, for a relatively small business, with a turnover of perhaps €20 million, this would represent a fine of €300,000.

Secondly, the Marriot International group of hotels was given a notice of intention to impose an Administrative Fine of over €110 million. The turnover of Marriot International (according to the 2018 Annual Report) was €20 billion. In this instance though, the breach occurred prior to Marriot International taking over the hotel chain in which the breach occurred (Starwood Hotels Group). The ICO felt that if Marriot International had done proper due diligence on taking over Starwood in 2016, then it would have discovered the breach in 2016, and not in 2018 when it finally discovered the issue.

It is possible that the fine in this instance was less than in the British Airways case, because the Starwood group would have had a much smaller turnover. Alternatively, it is possible that the ICO felt the breach was not as egregious as in the British Airways case. It does illustrate however, that it is not only high-tech companies, be they social media giants or airlines, that can be subject to massive Administrative fines. This Administrative Fine represents .5% of the turnover of the entire Marriot International group, and if it had been levied against a smaller company with turnover of €20 million per annum, would have represented a fine of €110,000.

This article is correct at 25/07/2019

The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.

David Fagan
Business Legal

The main content of this article was provided by David Fagan . Contact telephone number is +353 1 636 3165 or email

View all articles by David Fagan