Guidelines for the installation of video surveillance systems
Updated to the Italian Data Protection Authority’s FAQs of 5 December 2020 and to the EDPB's Guidelines no. 3/2019 on processing of personal data through video devices
GENERAL RULES
- To comply with the principle of "data minimization": the data controller must choose the video surveillance systems to be installed and the relocation the cameras on the basis of the specific purposes of the processing and must collect and process only personal data that is relevant and not excessive for such purposes.
- No prior authorization by the Italian Data Protection Authority is needed for the installation of video cameras, but the data controller must carry out an independent assessment on the lawfulness and the proportionality of the processing, taking into account the context and the purposes of the processing itself as well as the risks to the rights and freedoms of physical persons.
- A privacy notice must be provided to the data subjects: both in a short form (through a special sign clearly visible to those passing through the monitored area - the model of this sign is available on the website of the Italian Data Protection Authority - https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9496244) and in an extended form.
- An autonomous assessment of the preservation periods of the images must be carried out by the data controller (in accordance with the principle of "accountability" set forth by the GDPR), considering the context and purpose of processing, as well as the risk to the rights and freedoms of physical persons. This without prejudice to the specific provisions of law that determine how long the images should be stored in particular circumstances.
- A DPIA must be drafted when new technology cameras or "integrated" and/or "intelligent" video surveillance systems are installed (which, for example, detect, record and automatically report anomalous behaviours or events to the competent authorities), in case of a systematic monitoring of a publicly accessible area on a large scale (e.g., highways, large shopping malls) and in the other cases provided for by articles 35 and 36 of the GDPR and by provision no. 467/2018 of the Italian Data Protection Authority.
SPECIFIC CONTEXTS
WORKPLACE
(art. 4 of Italian Law no. 300/1970)
Purposes of processing: organizational and production needs, work safety and protection of company assets.
If the employer can remotely monitor the employees' activities through the video cameras:
- an agreement with the company trade union representatives (RSA/RSU) or the prior authorization from the National Labour Inspectorate is required;
- it is mandatory to carry out the DPIA;
- it is necessary to draft internal policies to be provided to the employees describing in a clear and transparent manner the methods of use of the working tools (pc, smartphone, etc.) and the possible controls that the employer can carry out over the employees;
- it is necessary to comply with the privacy obligations under the GDPR and the Privacy Code;
***
PRIVATE PROPERTY / BUSINESS PREMISES
Purposes of processing: monitoring and protection of private property or business premises, prevention of theft and/or vandalism, etc.
Specific conditions to be met:
- limitation of the angle of the video cameras to the areas of exclusive pertinence, excluding common areas (courtyards, ground floors, etc.) or areas belonging to third parties;
- prohibition on film public areas or areas of public transit;
If specific "home" cameras (so-called "smart cams") are installed within your home, it is necessary to:
- inform any employees (housekeepers, carers, etc.) of the presence of the video cameras;
- avoid monitoring the environments that would damage the persons’ dignity (such as restrooms, locker rooms, etc.);
- protect adequately with appropriate security measures the personal data collected or that can be acquired through the smart cams.
***
CONDOMINIUM
Purposes of processing: monitoring and protection of the common parts of the building and in general of the individual properties.
Specific conditions to be met:
- pursuant to art. 1136 of the Italian Civil Code, a prior deliberation of the condominium meeting is necessary;
- the maximum period for the storage of the images is 7 days from the collection (unless there are other proven needs to extend such deadline).
***
PARTICULAR CATEGORIES OF PERSONAL DATA
(hospitals and clinics)
Purposes of processing: protection of the patients’ health, monitoring of particular hospital departments, etc.
If the video surveillance is used to collect particular categories of data (e.g., to monitor the patient's health), it is necessary to:
- check the existence of a legal basis for the processing under art. 9 of the GDPR (such as, for example, the provision of health care or treatment, ensuring high standards of quality and the safety of health care, etc.).
- pay special attention so that the collection of personal data is limited to only that data necessary for the purposes of the processing ("minimization");
- carry out the mandatory DPIA if the processing of personal data concerning patients, disabled persons, mentally ill persons, minors and the elderly is not occasional;
- constantly monitor the security measures (data storage systems and access to data) applied to the processing.
***
CIRCULATION OF VEHICLES
Purposes of processing: assessment and detection of the violations of the highway code.
Specific conditions to be met:
- limitation of the relocation and angle of the video cameras to the areas necessary for the detection of violations;
- deletion/obscuration of any images collected but not necessary for the purposes of the processing (e.g., images of pedestrians or other road users, passengers present in the vehicle, etc.);
- performance of the mandatory DPIA in case of processing of personal data on a large scale (e.g., highways) to monitor drivers' behaviour.
***
MUNICIPAL LANDFILLS
Purposes of processing: control and monitoring of hazardous substance landfills and "eco station" (checking the type of waste dumped, the time of deposit, etc.).
Limitations:
- only a public body/entity (not a private person/entity) is allowed to conduct the monitoring;
- the monitoring is permitted only if alternative tools and controls are not possible or not effective for reaching the same purposes.
***
EDUCATIONAL INSTITUTES
Purposes of processing: protection of the building, of school properties therein, of staff and students, protection from vandalism, etc.
Specific conditions to be met:
- the video cameras that capture the interior of the institutes can only be activated during closing hours, therefore not during school and extracurricular activities;
- if the video cameras collect the images of the areas out of the school, the angle of the video cameras must be properly limited.
***
URBAN SAFETY
Purposes of processing: protection of urban safety of the public places or of the areas open to the public.
Specific conditions to be met:
- storage of the images for a maximum period of 7 days after the collection, unless there are special preservation needs for a longer period (art. 6, para. 8 of Law Decree no. 11/2009).
***
VIDEO SURVEILLANCE FROM HIGH ALTITUDES
Data protection laws do not apply to the processing of personal data that does not allow for the identification of physical persons, either directly or indirectly, such as in the case of the video surveillance carried out from high altitudes (for example, using drones or similar) or in the case of fake and/or switched-off cameras.