CNIL and GDPR: the regulation of video surveillance for companies in France

Mar 29, 2024 | Videosurveillance

Réglementation vidéosurveillance entreprise CNIL et RGPD
In a context where security is an increasing concern, video surveillance is becoming a commonly used tool by businesses to protect their premises and personnel. However, the installation of cameras must comply with workplace video surveillance regulations to ensure that the rights of individuals filmed are not violated. In France, several regulations govern this practice, including the CNIL (National Commission for Information Technology and Civil Liberties) and the European Regulation on the Protection of Personal Data (GDPR).

The Legitimate Objective of Video Protection in Business

Before considering the implementation of a video protection system in your company, it is essential to ask the right questions. Firstly, it is necessary to determine whether the purpose of the proposed system meets a legitimate objective. Indeed, if the employer resorts to video surveillance, it must adhere to two principles.

Firstly, it must be justified. Here are some examples of objectives that can justify the use of cameras:

  • Ensuring the security of property and individuals
  • Monitoring access to premises
  • Preventing and managing crisis situations

Secondly, the use of video surveillance must be proportionate to the intended purpose. If your company has a merchandise storage warehouse, it is legitimate to install cameras in the area where the goods are stored. However, video surveillance cannot be generalized to all premises.

If employers fail to respect these two principles, they may be prosecuted by their employees for violating their rights resulting from excessive, constant, permanent, and general surveillance (CNIL declaration No. 2010-112, dated April 2, 2020).

Obligations imposed by the CNIL

In France, the CNIL is the competent authority for the protection of personal data and video surveillance. It imposes several obligations to be respected by companies using such systems:

Prior declaration to the CNIL

Firstly, it is necessary to make a prior declaration to the CNIL before installing any video surveillance system.
This process can be done online and allows the CNIL to verify the conformity of the proposed system.

Respect for the rights of individuals filmed

Respecting the rights of individuals filmed is crucial to ensure the legality of a CCTV system and follow the video surveillance regulations. Here are some key points to consider:

  • Inform individuals filmed of the presence of cameras and their right to access the images concerning them
  • Do not film certain sensitive areas such as union premises, changing rooms, rest areas, dining rooms, etc.
  • Limit access to captured images and their use, especially for authorized personnel

Failure to respect the rights of individuals filmed may have serious consequences for the employer, who may face up to 5 years’ imprisonment and a fine of €300,000 under Article 226-16 of the Penal Code.

Access to images

Again, common sense must prevail. Not every employee of the company will be able to access the images. You will need to designate authorized persons who will be allowed to view the images in the course of their duties, such as your security manager, store manager, etc. These employees should also receive proper training and be made aware of the rules to follow along with the potential impacts of non-compliance.

Retention of images

Your company must define a retention period for the images recorded by the installed video surveillance cameras. This duration may vary from one company to another. Your company must apply the principle of proportionality to refine the retention period. In principle, the CNIL recommends a data retention period of one month, but in most cases, a few days are sufficient. However, in cases of disciplinary or criminal proceedings, the images will be removed from the system (after explicit notation in a register of processing) and retained for the duration of the proceedings.

Consequences of the General Data Protection Regulation (GDPR)

Applicable since May 2018, the GDPR aims to strengthen the protection of the personal data of European citizens and to harmonize national legislations. The implementation of a video protection system within a company therefore involves the processing of personal data subject to this regulation and entails several obligations for employers:

Maintenance of a register of processing activities

Companies using video surveillance must maintain a register of processing activities for personal data, including the purposes and retention periods of the collected images.

Appointment of a Data Protection Officer (DPO)

In some cases, the GDPR requires companies to appoint a Data Protection Officer (DPO), especially when the processing of data is likely to infringe on the fundamental rights and freedoms of the data subjects.
This DPO, sometimes called a « Data Protection Officer, » will ensure the conformity of the system used with the current regulatory framework and make sure the company complies with the video surveillance regulations.

Other mandatory administrative procedures

In addition to the obligations imposed by the CNIL and the GDPR, several other administrative procedures are necessary to ensure the legality of a video protection system in business:

Prefectural authorization

For the installation of cameras in places open to the public such as shops, an application for prefectural authorization must be made to the prefecture responsible for the concerned premices.

Internal regulations and consultation of employee representative bodies

The company’s internal regulations must include provisions regarding the use of cameras, indicating, in particular, the areas filmed and the objectives pursued. Employee representative bodies must also be consulted before implementing any video protection system.

In conclusion:

The implementation of cameras, therefore, requires consideration of the various video surveillance regulations in force, particularly those of the CNIL and the GDPR. It is crucial for employers to comply with these regulations to ensure legal and effective use of these systems within their premices.

Faites de votre bâtiment une forteresse !

Turn your building into a fortress!