GDPR and CCTV monitoring in Cyprus: Ensuring GDPR Compliance
By: N. Pirilides & Associates LLC
The GDPR Implications of Closed-Circuit Video Surveillance in Cyprus: Key Guidelines and Compliance Measures
The use of closed circuit video surveillance (CCV) and other audio and video recording devices of identifiable individuals is subject to the provisions of the Law providing for the Protection of Natural Persons with regard to the Processing of Personal Data and for the Free Movement of such Data of 2018 (Law 125(I)/2018), as amended (the “Law”) and the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) because such action constitutes an automated processing of personal data.
Taking Videos and GDPR Implications: General Rules
The use of CCTV for image capture and voice recording in Cyprus is permissible only when no less intrusive means are available to achieve the intended purpose. It is crucial that these systems are not used to monitor personal behaviour, contacts, or performance of individuals and surely cannot be used without regard to the individual's right to privacy and that any member of the public have rights regarding the monitoring and/or recording of their image or activities using such systems.
Article 4 of the Law states that the controller (in this case, the person or organization deciding the purpose and manner of recording/visualization), shall ensure that personal data:
- is processed legitimately and legally.
- is collected for specified, clear and legitimate purposes and are not subjected to subsequent processing incompatible with these purposes.
- is relevant, convenient and no more than is required in each case in view of the purposes of the processing.
Under Article 6 of the GDPR, data processing is lawful only if at least one of the following conditions is met:
- The data subject has given consent for specific purposes.
- Processing is necessary for the performance of a contract with the data subject.
- Processing is required for compliance with a legal obligation.
- Processing is necessary to protect the vital interests of the data subject or another person.
- Processing is necessary for performing a task in the public interest or exercising official authority.
- Processing is necessary for the legitimate interests of the controller or a third party, provided these interests do not override the rights and freedoms of the data subject, especially if the data subject is a child.
GDPR Implications
Currently there is no specific legislative framework governing the use of cameras in Cyprus. According to the Commissioner’s guidelines, the legal basis for processing (including collection, use, storage, and sharing) images and/or audio from dash cams is the prior consent of the affected individuals. Without such consent, such processing violates GDPR principles of legality, purpose limitation, and data minimization.
Taking Videos and GDPR Implications: CCTV in Public Spaces
The legality of using CCTV in public spaces in Cyprus shall be based on compliance with the GDPR and the Law.
Such CCTV may justifiably be used in public places for reasons of crime prevention, crime detection, bringing charges against offenders, public safety, national security, health and safety and regulation of traffic.
According to the Commissioner’s guidance, it is permissible to use CCTV at building entrances/exits, outside elevators (focused merely on the elevator), on top of banks’ card/cash machines and parking spaces. Nevertheless, it is not permitted to use CCTV in corridors, waiting areas, restrooms, dining areas and inside elevators.
To ensure GDPR compliance, warning signs should be prominently displayed to inform persons that such recordings are taking place. Of course such warning signs should designate the presence of CCTV, identify the data controller and explain the purpose of such recording. Furthermore, data subjects should have the right to access their recorded data and the retention period for recorded data should be limited to what is essential for the purpose stated (proportional). It should also be mentioned here that any recorded footage should be stored in a secure location with limited access to authorized people/personnel only. It would be advisable to consult the Commissioner prior to installing any such system. In cases where CCTV installation poses a high risk to individual rights and freedoms, a Data Protection Impact Assessment (DPIA) is required before implementation.
Taking Videos and GDPR Implications: CCTV in Private Places
The installation of CCTV in private places, i.e. at homes for personal or domestic activities does not fall under personal data protection laws in Cyprus, provided that such surveillance and/or recordings do not extend beyond that private space’s perimeter.
Audio Recording and GDPR Implications
Individuals have reasonable expectations that their conversations are not being recorded and shall remain confidential; that is why recording audio data (i.e. conversations) is considered highly invasive and intrusive and is generally prohibited. The Commissioner has determined that recording image and/or sound is equally an extreme measure and excessive for achieving the stated purpose of the controller. This conclusion is consistent with those of other European Data Protection Authorities.
Conducting a Data Protection Impact Assessment (DPIA)
A DPIA is mandatory under the GDPR for projects likely to involve a high risk to personal data. The purpose of conducting a DPIA is to identify risks and implement measures to mitigate such risks to persons' rights and freedoms. This is why it should be done before effecting and/or initiating any data processing activity, that is ideally during the planning stages.
Conclusion
To ensure GDPR compliance when using video and audio surveillance in Cyprus, organizations should have in mind the following:
- Ensuring that such surveillance is necessary and proportionate.
- individuals are aware they are being recorded by posting visible warning signs indicating the presence of a camera. The signs should briefly explain the reason for the recording, identify the data controller, and provide contact information for further inquiries.
- Ensuring that recorded material is stored in a secure location with limited access to people. Proper robust security measures should be in place to protect the data from unauthorized access, alteration, or deletion.
- Ensuring that recorded data is only kept for a period that is reasonable and necessary for the purpose it serves. Such data should then be deleted.
- Ensuring that individuals are given the right to exercise their right to access their data, request rectification and seek erasure rights under GDPR.
- Updating the DPIA as necessary and addressing any new risks that may arise.
- Involve a Data Protection Officer (DPO) who can provide valuable guidance and assistance on compliance and who can address the issue of risks involved and assist in minimizing privacy risks.