How to correctly mark the monitored area

How to correctly mark the monitored area

Picture no. 1 

Picture no. 1 contains all the necessary information that the operator is obliged to provide to the persons concerned when entering the monitored area in the first layer in accordance with Art. 5 par. 1 letter a) of the GDPR Regulation (principle of transparency). They must provide this information before it is obtained or at the latest at the time it is obtained. The first layer contains information for the data subjects on the controller, the purposes of the processing, and other information to ensure the fair and transparent processing of his personal data. At the same time, the first layer should contain information where the person concerned can find all other necessary information. This additional information may be a link to the processing of personal data (e.g., a link to a website or a notice board), where there is a greater scope for multi-layered access to the conditions of personal data processing and the rights of data subjects.

It follows from the above-mentioned guideline that the provision of information to the data subject about the processing of his / her personal data by means of a camera system cannot take place after the acquisition of his / her personal data (after entering the monitored area). The location of the sign of the monitored area is at the same time specific in the way that it informs the persons concerned about the place of entry into the monitored area, resp. that, in accordance with the principle of transparency, it delimits the space in which the personal data of the persons concerned are collected.

According to Art. 4 par. 1 of the GDPR Regulation ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

According to Art. 4 par. 2 of the GDPR Regulation ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Boundaries of the monitored area

If the premises are monitored by means of a camera system, then in the sense of the legitimate interest of the controller in the sense of Art. 6 par. 1 letter f) of the GDPR Regulation, the controller must comply with the principles of minimizing the processing of personal data in accordance with Art. 5 par. 1 letter c) of the GDPR Regulation (personal data must be only such personal data that are relevant to the intended purpose and at the same time necessary to achieve it). It is forbidden to monitor the premises in relation to the intended purpose beyond the specified limit.

Record retention period

The guideline also applies to the recommendation of the retention period of records in case of application of Art. 6 par. 1 letter f) of the GDPR Regulation (processing is necessary for the purposes of legitimate interests pursued by the controller), which is 72 hours. The specific retention period of personal data is not set by the GDPR Regulation or any other generally binding regulation. If the record retention period is more than 72 hours, the controller must be able to sufficiently prove to the supervisory authority that the reasons for the longer retention of records in a way that they are not in a contrary to the Art. 5 par. 1 letter e) of the GDPR Regulation (minimization of retention), i.e., for a period longer than the time necessary to achieve the intended purpose of processing.

The controller is responsible for defining the data retention period in accordance with the principles of necessity and proportionality within the meaning of the given Guideline.

According to Art. 5 par. 1 letter e) of the GDPR Regulation personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

What else can affect record retention period

  • the number of proven thefts or incidents in the monitored area that were investigated by the police and there is evidence of this
  • the number of holidays that could extend the retention period (but keep in mind that this can be a problem, if you have a security guard who monitors the premises)