Video surveillance and facial recognition control

Video surveillance systems have evolved rapidly in recent years, giving rise to new legal situations for which the law has to provide a solution. The devices used for video surveillance and other control activities linked to private security are constantly updated according to users' needs, with the aim of improving efficiency and productivity. It is striking how harmful these new technologies could be in the workplace, civil and public spheres, among others, if used without due control, and it raises the question of what justification the employer or data controller would give for their use.

The incorporation of facial recognition functionalities in the video surveillance systems used in private security has led us to reflect on the matter. This activity involves the processing of biometric data, defined in article 4.14 of the GDPR as “personal data obtained through specific technical processing, relating to the physical, physiological or behavioral characteristics of a natural person, that allow or confirm the unique identification of said person, such as facial images or fingerprint data”, and it involves the processing of special categories of data regulated in article 9 of the GDPR, as they are “biometric data aimed at uniquely identifying a natural person.”

In this regard, there has been controversy over the circumstances in which this processing can be regarded as special category data processing. According to article 4 of the GDPR, the concept of biometric data can be interpreted as including both identification and verification/authentication. However, as a general rule, biometric data will only be considered a special category of data when they are subjected to technical processing aimed at biometric identification (one-to-many), and not in the case of biometric verification/authentication (one-to-one).

In this sense, the European Data Protection Committee, in its “Guidelines 3/2019 on processing of personal data through video devices”, considers the use of video surveillance with facial recognition to be processing of a special category of data under article 9 of the GDPR. Consequently, for the processing of biometric data by facial recognition systems integrated into a video surveillance system to be lawful, one of the exceptions that lift the prohibition on their processing must apply, in accordance with section 2 of article 9 of the GDPR.[1]

Finally, the application of this criterion has affected the legitimacy of video surveillance in the private sector, since in most cases legitimate interest is not considered sufficient to justify adding this type of feature. It is important to bear in mind that each case will require an individual assessment to determine the necessity and proportionality of using these resources, without harming the rights of citizens.


[1] Art. 9 GDPR section 2. Section 1 will not apply when one of the following circumstances occurs:

a) the data subject has given explicit consent to the processing of such personal data for one or more of the specified purposes, except where Union or Member State law provides that the prohibition referred to in paragraph 1 cannot be lifted by the interested party;

b) the processing is necessary for the fulfillment of obligations and the exercise of specific rights of the data controller or the interested party in the field of labor law and social security and protection, to the extent authorized by the law of the Union or of the Member States or by a collective agreement in accordance with the law of the Member States that establishes adequate guarantees of respect for the fundamental rights and interests of the data subject;

c) the processing is necessary to protect the vital interests of the interested party or of another natural person, in the event that the interested party is not physically or legally capable of giving consent;

d) the processing is carried out, within the scope of its legitimate activities and with due guarantees, by a foundation, an association or any other non-profit organization whose purpose is political, philosophical, religious or trade union, provided that the processing refers exclusively to current or former members of such bodies or to persons who maintain regular contact with them in relation to their purposes, and provided that personal data are not communicated outside them without the consent of the interested parties;

e) the processing refers to personal data that the interested party has made manifestly public;

f) the processing is necessary for the establishment, exercise or defense of claims or when the courts act in the exercise of their judicial function;

g) the processing is necessary for reasons of essential public interest, on the basis of Union or Member State law, which must be proportional to the objective pursued, essentially respect the right to data protection and establish adequate and specific measures to protect the interests and fundamental rights of the interested party;

h) the processing is necessary for the purposes of preventive or occupational medicine, evaluation of the worker's work capacity, medical diagnosis, provision of health or social care or treatment, or management of health and social care systems and services, on the basis of Union or Member State law or under a contract with a healthcare professional and without prejudice to the conditions and guarantees referred to in paragraph 3;

i) the processing is necessary for reasons of public interest in the field of public health, such as protection against serious cross-border threats to health, or to ensure high levels of quality and safety of healthcare and medicines or medical devices, on the basis of Union or Member State law establishing appropriate and specific measures to protect the rights and freedoms of the data subject, in particular professional secrecy;

j) the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in accordance with Article 89(1), on the basis of Union or Member State law, which must be proportional to the objective pursued, essentially respect the right to data protection and establish appropriate and specific measures to protect the interests and fundamental rights of the interested party.

3. The personal data referred to in section 1 may be processed for the purposes mentioned in section 2, letter h), when their processing is carried out by a professional subject to the obligation of professional secrecy, or under his or her responsibility, in accordance with the law of the Union or of the Member States or with the rules established by the competent national bodies, or by any other person also subject to the obligation of secrecy in accordance with the law of the Union or of the Member States or with the rules established by the competent national bodies.

4. Member States may maintain or introduce additional conditions, including limitations, with respect to the processing of genetic data, biometric data or health-related data.

Lawyer specializing in data protection and information security