The Legitimate Objective of Video Protection in Business
Before considering the implementation of a video protection system in your company, it is essential to ask the right questions. Firstly, it is necessary to determine whether the purpose of the proposed system meets a legitimate objective. Indeed, if the employer resorts to video surveillance, it must adhere to two principles.
Firstly, it must be justified. Here are some examples of objectives that can justify the use of cameras:
- Ensuring the security of property and individuals
- Monitoring access to premises
- Preventing and managing crisis situations
Secondly, the use of video surveillance must be proportionate to the intended purpose. If your company has a merchandise storage warehouse, it is legitimate to install cameras in the area where the goods are stored. However, video surveillance cannot be generalized to all premises.
If employers fail to respect these two principles, they may be prosecuted by their employees for violating their rights resulting from excessive, constant, permanent, and general surveillance (CNIL declaration No. 2010-112, dated April 2, 2020).
Obligations imposed by the CNIL
In France, the CNIL is the competent authority for the protection of personal data and video surveillance. It imposes several obligations to be respected by companies using such systems:
Prior declaration to the CNIL
Firstly, it is necessary to make a prior declaration to the CNIL before installing any video surveillance system.
This process can be done online and allows the CNIL to verify the conformity of the proposed system.
Respect for the rights of individuals filmed
Respecting the rights of individuals filmed is crucial to ensure the legality of a CCTV system and follow the video surveillance regulations. Here are some key points to consider:
- Inform individuals filmed of the presence of cameras and their right to access the images concerning them
- Do not film certain sensitive areas such as union premises, changing rooms, rest areas, dining rooms, etc.
- Limit access to captured images and their use, especially for authorized personnel
Failure to respect the rights of individuals filmed may have serious consequences for the employer, who may face up to 5 years’ imprisonment and a fine of €300,000 under Article 226-16 of the Penal Code.
Access to images
Again, common sense must prevail. Not every employee of the company will be able to access the images. You will need to designate authorized persons who will be allowed to view the images in the course of their duties, such as your security manager, store manager, etc. These employees should also receive proper training and be made aware of the rules to follow along with the potential impacts of non-compliance.
Retention of images
Your company must define a retention period for the images recorded by the installed video surveillance cameras. This duration may vary from one company to another. Your company must apply the principle of proportionality to refine the retention period. In principle, the CNIL recommends a data retention period of one month, but in most cases, a few days are sufficient. However, in cases of disciplinary or criminal proceedings, the images will be removed from the system (after explicit notation in a register of processing) and retained for the duration of the proceedings.
Consequences of the General Data Protection Regulation (GDPR)
Applicable since May 2018, the GDPR aims to strengthen the protection of the personal data of European citizens and to harmonize national legislations. The implementation of a video protection system within a company therefore involves the processing of personal data subject to this regulation and entails several obligations for employers:
Maintenance of a register of processing activities
Companies using video surveillance must maintain a register of processing activities for personal data, including the purposes and retention periods of the collected images.
Appointment of a Data Protection Officer (DPO)
In some cases, the GDPR requires companies to appoint a Data Protection Officer (DPO), especially when the processing of data is likely to infringe on the fundamental rights and freedoms of the data subjects.
This DPO, sometimes called a « Data Protection Officer, » will ensure the conformity of the system used with the current regulatory framework and make sure the company complies with the video surveillance regulations.
Other mandatory administrative procedures
In addition to the obligations imposed by the CNIL and the GDPR, several other administrative procedures are necessary to ensure the legality of a video protection system in business:
Prefectural authorization
For the installation of cameras in places open to the public such as shops, an application for prefectural authorization must be made to the prefecture responsible for the concerned premices.
Internal regulations and consultation of employee representative bodies
The company’s internal regulations must include provisions regarding the use of cameras, indicating, in particular, the areas filmed and the objectives pursued. Employee representative bodies must also be consulted before implementing any video protection system.
In conclusion:
The implementation of cameras, therefore, requires consideration of the various video surveillance regulations in force, particularly those of the CNIL and the GDPR. It is crucial for employers to comply with these regulations to ensure legal and effective use of these systems within their premices.