Controllers are no longer required to request prior authorisation from the CNPD to install a video surveillance system; instead, they are required to prove the compliance of their processing with the GDPR.
In order to assist them in their GDPR compliance process, the CNPD has published video surveillance guidelines, recalling certain principles and obligations applicable to video surveillance.
These include the following principles:
- Principle of lawfulness of the processing;
- Principle of purpose limitation. For example, video surveillance may serve the following purposes:
  - secure access to the building,
  - ensure the safety of staff and customers,
  - detect and identify potentially suspicious or dangerous behaviours likely to cause accidents or incidents,
  - accurately identify the origin of an incident, protect property (buildings, facilities, equipment, etc.),
  - organise and supervise the rapid evacuation of people in the event of an incident,
  - alert the emergency services or law enforcement authorities in a timely manner and facilitate their intervention.

  Before the installation of a CCTV system, the data controller will have to precisely define the purpose(s) to be achieved by using such a system and will not be able to use the data for purposes other than those which have been determined.
- Principle of transparency;
- Principle of necessity and proportionality (data minimisation);
- According to the new Article L. 261-1 of the Labour Code, an employer who wishes to install a CCTV system must, in addition to respecting the general obligations provided by these guidelines, ensure compliance with the specific rules of Article L. 261-1 of the Labour Code. Video surveillance must be subject to co-decision between the employer and the staff delegation (or joint committee), in accordance with Articles L. 211-8, L. 414-9 and L. 423-1 of the Code, when it is implemented for the following purposes:
  - for the safety and health of employees, or
  - for production control or employee benefits, where such a measure is the only way to determine the exact salary, or
  - in the context of a work organisation according to a mobile schedule in accordance with the Labour Code.
- DPIA when necessary;
- Other obligations to comply with the GDPR: for example, to put in place adequate technical and organisational measures to guarantee the security and confidentiality of the data being processed and to draw up a contract with the processors.