New methodology for the processing personal data trough CCTV systems in the Czech Republic coming!

The methodology aims to introduce a very detailed guidance on how to comply with data protection obligations in relation to CCTV under the GDPR, and in line with EDPB Guidance 3/2019 on the processing of personal data by video devices.  Based on the principles of accountability, controllers may fulfil their obligations differently, but the correct implementation of the methodology will ensure compliance with data protection obligations (at least in the eyes of the Czech DPA). 

Let's break down the most important upcoming requirements for data controllers and data processors!

The legitimate interest of the data controller (to protect its property and the safety of individuals, to provide evidence to competent authorities and to settle insurance claims) or of a third party is generally identified as the legal basis for processing. The consent of data subjects is not excluded as a legal basis for processing, but it is not recommended and is considered problematic (especially in terms of accountability and withdrawal of consent).

Fulfilment of the information requirement is detailed by specifying the minimum information to be displayed on the warning sign (first level of information), which must be linked to more detailed minimum information (second level of information). The positioning of warning signs is also specified in detail (area of passage and visibility from a distance of at least 2-5 m). To facilitate the fulfilment of this obligation, the DPA has developed an example of the second level of information in the annex to the methodology. 

When designing the CCTV system and prior to its implementation, data controllers are expected to carry out a Legitimate Interest Assessment (LIA) or, where appropriate, a Data Privacy Impact Assessment (DPIA). The Czech DPA provides guidance on the assessment of legitimate interest and provides a model in the annex to the methodology. The analysis of whether or not an additional DPIA is necessary must be carried out on the basis of the guidelines on DPIA already published by the Czech DPA.

The Czech DPA also gives clear guidance on the retention period: 1-2 days in principle, but no longer than 72 hours. A longer retention period or a combination of different retention periods is possible, but should be specifically justified in the LIA or, if applicable, in the context of the preliminary DPIA.  

The methodology details minimum technical and organisational measures and proposes a classification of camera systems into four classes based on the security of the systems and pre-identifies sources of risk. Once the controller has assessed the security class of the CCTV system, the DPA identifies recommended and minimum mandatory measures depending on the applicable class and the risk addressed. The analysis of the appropriate measures must be included in the LIA or DPIA. 

Finally, the exercise of rights by data subjects and the disclosure of video material to third parties is specifically addressed with the introduction of additional procedural and documentation requirements (such as internal procedure for handling requests and disclosure of video material and provision of request forms, protocols for the disclosure of video materials, and deletion protocols, each with minimum content). 

In view of the highlighted new requirements, we recommend that existing documentation, procedures, and policies relating to existing CCTV systems are reviewed and updated as appropriate once the methodology is finalized and published by the Czech DPA. We will keep you updated!