Slide background

Linee Guida EDPB 3/2019 sulla videosorveglianza

ID 10059 | | Visite: 9257 | Documenti Riservati SicurezzaPermalink:

Linee guida 3 2019   Videosorveglianza

Linee Guida EDPB 3/2019 sulla videosorveglianza

100059 | 23.01.2022 / Linee guida IT

- Versione IT
- Versione EN

EU, 29.01.2020

Guidelines 3/2019 on processing of personal data through video devices

Il Comitato Europeo per la Protezione dei Dati (EDPB) ha adottato il 29 gennaio 2020 la versione definitiva delle Linee Guida sui trattamenti di videosorveglianza (Guidelines 3/2019 on processing of personal data through video devices) che illustrano in quali termini il Regolamento 2016/679 si applichi al trattamento dei dati personali quando si utilizzano dispositivi video, e mirano a garantire l’applicazione coerente del GDPR in materia.

Le linee-guida riguardano sia i dispositivi video tradizionali sia i dispositivi video intelligenti. Altre tematiche affrontate nel documento riguardano: la liceità del trattamento, l’applicabilità dei criteri di esclusione relativi ai trattamenti in ambito domestico e la divulgazione di filmati a terzi.


The intensive use of video devices has an impact on citizen’s behaviour. Significant implementation of such tools in many spheres of the individuals’ life will put an additional pressure on the individual to prevent the detection of what might be perceived as anomalies. De facto, these technologies may limit the possibilities of anonymous movement and anonymous use of services and generally limit the possibility of remaining unnoticed. Data protection implications are massive.

While individuals might be comfortable with video surveillance set up for a certain security purpose for example, guarantees must be taken to avoid any misuse for totally different and – to the data subject – unexpected purposes (e.g. marketing purpose, employee performance monitoring etc.). In addition, many tools are now implemented to exploit the images captured and turn traditional cameras into smart cameras. The amount of data generated by the video, combined with these tools and techniques increase the risks of secondary use (whether related or not to the purpose originally assigned to the system) or even the risks of misuse. The general principles in GDPR (Article 5), should always be carefully considered when dealing with video surveillance.

Video surveillance systems in many ways change the way professionals from the private and public sector interact in private or public places for the purpose of enhancing security, obtaining audience analysis, delivering personalized advertising, etc. Video surveillance has become high performing through the growing implementation of intelligent video analysis. These techniques can be more intrusive (e.g. complex biometric technologies) or less intrusive (e.g. simple counting algorithms).
Remaining anonymous and preserving one’s privacy is in general increasingly difficult. The data protection issues raised in each situation may differ, so will the legal analysis when using one or the other of these technologies.

In addition to privacy issues, there are also risks related to possible malfunctions of these devices and the biases they may induce. Researchers report that software used for facial identification, recognition, or analysis performs differently based on the age, gender, and ethnicity of the person it’s identifying.

Algorithms would perform based on different demographics, thus, bias in facial recognition threatens to reinforce the prejudices of society. That is why, data controllers must also ensure that biometric data processing deriving from video surveillance be subject to regular assessment of its relevance and sufficiency of guarantees provided.

Video surveillance is not by default a necessity when there are other means to achieve the underlying purpose. Otherwise we risk a change in cultural norms leading to the acceptance of lack of privacy as the general outset.

These guidelines aim at giving guidance on how to apply the GDPR in relation to processing personal data through video devices. The examples are not exhaustive, the general reasoning can be applied to all potential areas of use.



It has long been inherent in European data protection law that data subjects should be aware of the fact that video surveillance is in operation. They should be informed in a detailed manner as to the places monitored.19 Under the GDPR the general transparency and information obligations are set out in Article 12 GDPR and following. Article 29 Working Party’s “Guidelines on transparency under Regulation 2016/679 (WP260)” which were endorsed by the EDPB on May 25th 2018 provide further details. In line with WP260 par. 26, it is Article 13 GDPR, which is applicable if personal data are collected “[…] from a data subject by observation (e.g. using automated data capturing devices or data capturing software such as cameras […].”.

In light of the volume of information, which is required to be provided to the data subject, a layered approach may be followed by data controllers where they opt to use a combination of methods to ensure transparency (WP260, par. 35; WP89, par. 22). Regarding video surveillance the most important information should be displayed on the warning sign itself (first layer) while the further mandatory details may be provided by other means (second layer).

7.1 First layer information (warning sign)

The first layer concerns the primary way in which the controller first engages with the data subject. At this stage, controllers may use a warning sign showing the relevant information. The displayed information may be provided in combination with an icon in order to give, in an easily visible, intelligible and clearly readable manner, a meaningful overview of the intended processing (Article 12 (7) GDPR). The format of the information should be adjusted to the individual location (WP89 par. 22).

7.1.1 Positioning of the warning sign

The information should be positioned in such a way that the data subject can easily recognize the circumstances of the surveillance before entering the monitored area (approximately at eye level). It is not necessary to reveal the position of the camera as long as there is no doubt as to which areas are subject to monitoring and the context of surveillance is clarified unambiguously (WP 89, par. 22). The data subject must be able to estimate which area is captured by a camera so that he or she is able to avoid surveillance or adapt his or her behaviour if necessary.

Content of the first layer

The first layer information (warning sign) should generally convey the most important information, e.g. the details of the purposes of processing, the identity of controller and the existence of the rights of the data subject, together with information on the greatest impacts of the processing.20 This can include for example the legitimate interests pursued by the controller (or by a third party) and contact details of the data protection officer (if applicable). It also has to refer to the more detailed second layer of information and where and how to find it.

In addition the sign should also contain any information that could surprise the data subject (WP260, par. 38). That could for example be transmissions to third parties, particularly if they are located outside the EU, and the storage period. If this information is not indicated, the data subject should be able to trust that there is solely a live monitoring (without any data recording or transmission to third parties).

Figura video

7.2 Second layer information

The second layer information must also be made available at a place easily accessible to the data subject, for example as a complete information sheet available at a central location (e.g. information desk, reception or cashier) or displayed on an easy accessible poster. As mentioned above, the first layer warning sign has to refer clearly to the second layer information. In addition, it is best if the first layer information refers to a digital source (e.g. QR-code or a website address) of the second layer.

However, the information should also be easily available non-digitally. It should be possible to access the second layer information without entering the surveyed area, especially if the information is provided digitally (this can be achieved for example by a link). Other appropriate means could be a phone number that can be called. However the information is provided, it must contain all that is mandatory under Article 13 GDPR.

In addition to these options, and also to make them more effective, the EDPB promotes the use of technological means to provide information to data subjects. This may include for instance; geolocating cameras and including information in mapping apps or websites so that individuals can easily, on the one hand, identify and specify the video sources related to the exercise of their rights, and on the other hand, obtain more detailed information on the processing operation.


Table of contents
1 Introduction
2 Scope of application
2.1 Personal Dat
2.2 Application of the Law Enforcement Directive, LED (EU2016/680)
2.3 Household exemption
3 Lawfulness of processing
3.1 Legitimate interest, Article 6 (1) (f)
3.1.1 Existence of legitimate interests
3.1.2 Necessity of processing
3.1.3 Balancing of interests
3.2 Necessity to perform a task carried out in the public interest or in the exercise of official authority vested in the controller, Article 6 (1) (e)
3.3 Consent, Article 6 (1) (a)
4 Disclosure of video footage to third parties
4.1 Disclosure of video footage to third parties in general
4.2 Disclosure of video footage to law enforcement agencies
5 Processing of special categories of data
5.1 General considerations when processing biometric data
5.2 Suggested measures to minimize the risks when processing biometric data
6 Rights of the data subject
6.1 Right to access
6.2 Right to erasure and right to object
6.2.1 Right to erasure (Right to be forgotten)
6.2.2 Right to object
7 Transparency and information obligations
7.1 First layer information (warning sign)
7.1.1 Positioning of the warning sign
7.1.2 Content of the first layer
7.2 Second layer information
8 Storage periods and obligation to erasure
9 Technical and organisational measures
9.1 Overview of video surveillance system
9.2 Data protection by design and by default
9.3 Concrete examples of relevant measures
9.3.1 Organisational measures
9.3.2 Technical measures
10 Data protection impact assessment


Fonte: EDPB


Tags: Abbonati Full Plus Privacy

Ultimi archiviati Sicurezza

Gen 30, 2023 37

Decreto Ministeriale n.10 del 26 gennaio 2023

Decreto Ministeriale n.10 del 26 gennaio 2023 ID 18868 | 30.01.2023 Ricostituzione della Commissione per l'iscrizione nell'elenco nominativo degli esperti di radioprotezione di cui all'art. 3 del decreto del Ministro del Lavoro e delle politiche sociali, di concerto con il Ministero della Salute,… Leggi tutto
Gen 29, 2023 27

Sentenza Corte d'Appello Torino, Sez. lavoro n. 519 del 03 novembre 2022

Sentenza Corte d'Appello Torino, Sez. lavoro n. 519 del 03 novembre 2022 ID 18856 | Sentenza in allegato La sentenza della Corte d’Appello di Torino ha confermato l’esistenza di una elevata probabilità tra l’uso eccessivo del cellulare e l’insorgenza di un tumore benigno, diagnosticato ad un… Leggi tutto
Gen 28, 2023 40

Circolare MIT prot. n. 4536 del 30 ottobre 2012

Circolare MIT prot. n. 4536 del 30 ottobre 2012 Primi chiarimenti in ordine all’applicazione delle disposizioni di cui al d.P.R. 5 ottobre 2010, n. 207 in particolare alla luce delle recenti modifiche e integrazioni intervenute in materia di contratti pubblici di lavori, servizi e forniture” (G.U.… Leggi tutto
Intesa Lavoro e Istruzione per ampliare coperture Inail agli studenti
Gen 27, 2023 51

Intesa Lavoro e Istruzione per ampliare coperture Inail agli studenti

Intesa Lavoro e Istruzione per ampliare coperture Inail agli studenti ID 18843 | 27.01.2023 / Comunicato Stampa MLPS ​Verso l'ampliamento della tutela infortunistica degli studenti. In occasione del secondo appuntamento del tavolo tecnico sulla sicurezza sul lavoro, il Ministro del Lavoro e delle… Leggi tutto
Covid 19   Contagi sul lavoro denunciati all INAIL 31 Dicembre 2022
Gen 26, 2023 46

Covid-19 | Contagi sul lavoro denunciati all’INAIL: 31 Dicembre 2022

Covid-19 | Contagi sul lavoro denunciati all’INAIL: 31 Dicembre 2022 ID 18786 | 26.01.2023 31esimo report nazionale elaborato dalla Consulenza statistico attuariale Inail e la versione aggiornata delle schede di approfondimento regionali. L’anno appena concluso pesa per il 37,2% sul totale delle… Leggi tutto
Gen 25, 2023 93

Linee guida del 20 febbraio 2014 della Conferenza Stato-Regioni

Linee guida del 20 febbraio 2014 della Conferenza Stato-Regioni ID 18781 | 25.01.2023 Linee guida per la disciplina per il contratto di apprendistato professionalizzante o contratto di mestiere L'accordo - sottoscritto in data 20 febbraio 2014 - ha previsto alcune modifiche al percorso formativo… Leggi tutto

Più letti Sicurezza