Utilizziamo cookie tecnici per personalizzare il sito web e offrire all’utente un servizio di maggior valore. Chiudendo il banner e continuando con la navigazione verranno installati nel Suo dispositivo i cookie tecnici necessari ai fini della navigazione nel Sito. L’installazione dei cookie tecnici non richiede alcun consenso da parte Sua. Ulteriori informazioni sono contenute nella nostra Cookie Policy.



New methodology for the processing personal data trough CCTV systems in the Czech Republic coming!

PrintMailRate-it

published on 26 June 2023 | reading time approx. 3 minutes


The Czech Data Protection Authority (“Úřad pro ochranu osobních údajů” or “DPA”) recently launched a public consultation process on a new methodology proposed for the design and operation of camera systems from the perspective of the processing and protection of personal data. 

The methodology aims to introduce a very detailed guidance on how to comply with data protection obligations in relation to CCTV under the GDPR, and in line with EDPB Guidance 3/2019 on the processing of personal data by video devices.  Based on the principles of accountability, controllers may fulfil their obligations differently, but the correct implementation of the methodology will ensure compliance with data protection obligations (at least in the eyes of the Czech DPA). 

Let's break down the most important upcoming requirements for data controllers and data processors!

Legal basis

The legitimate interest of the data controller (to protect its property and the safety of individuals, to provide evidence to competent authorities and to settle insurance claims) or of a third party is generally identified as the legal basis for processing. The consent of data subjects is not excluded as a legal basis for processing, but it is not recommended and is considered problematic (especially in terms of accountability and withdrawal of consent).

Information obligation

Fulfilment of the information requirement is detailed by specifying the minimum information to be displayed on the warning sign (first level of information), which must be linked to more detailed minimum information (second level of information). The positioning of warning signs is also specified in detail (area of passage and visibility from a distance of at least 2-5 m). To facilitate the fulfilment of this obligation, the DPA has developed an example of the second level of information in the annex to the methodology. 

Risk and impact assessment (LIA and DPIA)

When designing the CCTV system and prior to its implementation, data controllers are expected to carry out a Legitimate Interest Assessment (LIA) or, where appropriate, a Data Privacy Impact Assessment (DPIA). The Czech DPA provides guidance on the assessment of legitimate interest and provides a model in the annex to the methodology. The analysis of whether or not an additional DPIA is necessary must be carried out on the basis of the guidelines on DPIA already published by the Czech DPA.

Data Retention

The Czech DPA also gives clear guidance on the retention period: 1-2 days in principle, but no longer than 72 hours. A longer retention period or a combination of different retention periods is possible, but should be specifically justified in the LIA or, if applicable, in the context of the preliminary DPIA.  

Technical and organisational measures 

The methodology details minimum technical and organisational measures and proposes a classification of camera systems into four classes based on the security of the systems and pre-identifies sources of risk. Once the controller has assessed the security class of the CCTV system, the DPA identifies recommended and minimum mandatory measures depending on the applicable class and the risk addressed. The analysis of the appropriate measures must be included in the LIA or DPIA. 

Exercise of rights and data disclosure

Finally, the exercise of rights by data subjects and the disclosure of video material to third parties is specifically addressed with the introduction of additional procedural and documentation requirements (such as internal procedure for handling requests and disclosure of video material and provision of request forms, protocols for the disclosure of video materials, and deletion protocols, each with minimum content). 

In view of the highlighted new requirements, we recommend that existing documentation, procedures, and policies relating to existing CCTV systems are reviewed and updated as appropriate once the methodology is finalized and published by the Czech DPA. We will keep you updated!

Authors:
Lenka Hanková - Senior Associate
Alice Meier - Associate

 DATA PROTECTION BITES

author

Contact Person Picture

Lenka Hanková

Advokátka

Senior Associate

+420 236 163 710

Invia richiesta

 RÖDL & PARTNER CZECH REPUBLIC

​Discover more about our offices in Czech Republic. Read more »
Deutschland Weltweit Search Menu