{"id":887,"date":"2024-08-27T17:09:31","date_gmt":"2024-08-27T14:09:31","guid":{"rendered":"https:\/\/sgklegal.gr\/?p=887"},"modified":"2025-05-15T17:26:53","modified_gmt":"2025-05-15T14:26:53","slug":"gdpr-cctv-at-work","status":"publish","type":"post","link":"https:\/\/sgklegal.gr\/en\/gdpr-cctv-at-work\/","title":{"rendered":"GDPR &#038; CCTV at work"},"content":{"rendered":"<p data-start=\"72\" data-end=\"568\"><strong data-start=\"72\" data-end=\"253\">On 30\/12\/2019, the Hellenic Data Protection Authority (hereinafter the &#8220;Authority&#8221; or &#8220;HDPA&#8221;) issued a decision regarding the use of video surveillance systems in the workplace.<\/strong> The case concerned a complaint submitted by a company\u2019s employee union, which focused on the legality of a closed-circuit television (hereinafter &#8220;CCTV&#8221;) system operating in areas such as company warehouses and the call center, not solely for security purposes but also for the monitoring and supervision of staff.<\/p>\n<p data-start=\"570\" data-end=\"810\">The company argued that the operation of the CCTV system on its premises was based on its legitimate interest in protecting individuals and\/or assets (notably high-tech and therefore high-value goods) processed at its stores and facilities.<\/p>\n<p data-start=\"812\" data-end=\"1095\">The HDPA identified various breaches of the applicable data protection framework in force at the time of the complaint, regarding the employer\u2019s obligations. It subsequently issued both a <strong data-start=\"1000\" data-end=\"1011\">warning<\/strong> to the company for the violation and an <strong data-start=\"1052\" data-end=\"1094\">order to implement corrective measures<\/strong>.<\/p>\n<p data-start=\"1097\" data-end=\"1551\">Taking into account this decision of the HDPA and the recent guidance issued both by the HDPA and the European Data Protection Board (EDPB) concerning the lawful and transparent adoption of CCTV systems in the workplace, this document aims to briefly describe both the relevant legal framework and the practical steps a data controller must follow to ensure compliance with the privacy requirements under Regulation (EU) 2016\/679 (GDPR) and national law.<\/p>\n<h3 data-start=\"1558\" data-end=\"1580\">I. Legal Framework<\/h3>\n<p data-start=\"1582\" data-end=\"2107\">It should be noted at the outset that the use and operation of a CCTV system with recording capabilities in the workplace constitutes <strong data-start=\"1716\" data-end=\"1747\">processing of personal data<\/strong>. On 31\/03\/2011, the HDPA issued Guideline 1\/2011, defining CCTV systems as &#8220;systems permanently installed in a space, operating continuously or at regular intervals, and capable of capturing and\/or transmitting video and\/or audio signals from that space to a limited number of display monitors and\/or recording devices\u201d (see also Opinion No. 2\/2010, para. 8).<\/p>\n<p data-start=\"2109\" data-end=\"2655\">In general, the <strong data-start=\"2125\" data-end=\"2153\">lawfulness of processing<\/strong> is assessed based on the <strong data-start=\"2179\" data-end=\"2198\">purpose pursued<\/strong> in conjunction with the <strong data-start=\"2223\" data-end=\"2237\">means used<\/strong>, and the <strong data-start=\"2247\" data-end=\"2260\">necessity<\/strong> and <strong data-start=\"2265\" data-end=\"2284\">proportionality<\/strong> of such means. Specifically, the lawfulness of a CCTV system\u2019s operation is evaluated based on the purpose of the data controller, the level of risk involved, the rights and freedoms of the data subjects, and the existence of alternative measures, according to the <strong data-start=\"2550\" data-end=\"2582\">principle of proportionality<\/strong>, which is crucial in such assessments, especially in workplace settings.<\/p>\n<p data-start=\"2657\" data-end=\"3106\">Regarding CCTV in the workplace, the HDPA has stated that such systems generally constitute a means of <strong data-start=\"2760\" data-end=\"2795\">employee monitoring and control<\/strong>. If installation is deemed necessary for security reasons, <strong data-start=\"2855\" data-end=\"2903\">they must not be used for staff surveillance<\/strong>. Therefore, their installation should not extend to general workplace areas (e.g. hallways, offices, etc.) but only to locations requiring protection (e.g. entrances\/exits, cash registers, safes, etc.).<\/p>\n<p data-start=\"3108\" data-end=\"3349\">This approach is also reflected in Law 4624\/2019, which allows installation of CCTV in workplaces <strong data-start=\"3206\" data-end=\"3261\">only for the protection of individuals and property<\/strong>, <strong data-start=\"3263\" data-end=\"3348\">provided that the core of the data subjects\u2019 rights and freedoms is not infringed<\/strong>.<\/p>\n<p data-start=\"3351\" data-end=\"3931\">If employee data is collected via CCTV, such data <strong data-start=\"3401\" data-end=\"3464\">must not be used to assess employee behavior or performance<\/strong>. Any data used for employee evaluation must be <strong data-start=\"3512\" data-end=\"3562\">directly linked to the employment relationship<\/strong> and must not include unrelated information (e.g. behavioral data, interpersonal relations, etc.). In all cases, the controller must ensure that data subjects are <strong data-start=\"3725\" data-end=\"3762\">informed timely and appropriately<\/strong>, use <strong data-start=\"3768\" data-end=\"3818\">adequate technical and organizational measures<\/strong> (e.g. face masking, image-only capture), and retain the data only for the <strong data-start=\"3893\" data-end=\"3930\">prescribed period (up to 15 days)<\/strong>.<\/p>\n<h3 data-start=\"3938\" data-end=\"3960\">II. Accountability<\/h3>\n<p data-start=\"3962\" data-end=\"4092\">As data controllers, employers may need to conduct a <strong data-start=\"4015\" data-end=\"4059\">Data Protection Impact Assessment (DPIA)<\/strong> before installing a CCTV system.<\/p>\n<p data-start=\"4094\" data-end=\"4374\">Under GDPR, a DPIA is <strong data-start=\"4116\" data-end=\"4129\">mandatory<\/strong> when the data processing involves <strong data-start=\"4164\" data-end=\"4236\">systematic monitoring of a publicly accessible area on a large scale<\/strong>, or when it appears on the <strong data-start=\"4264\" data-end=\"4307\">list of high-risk processing activities<\/strong> defined by the supervisory authority of the relevant Member State.<\/p>\n<p data-start=\"4376\" data-end=\"4636\">According to the HDPA, a DPIA is required where there is \u201csystematic and large-scale monitoring, observation or control of individuals through video surveillance systems in public, publicly accessible, or private spaces open to an unlimited number of persons\u201d.<\/p>\n<p data-start=\"4638\" data-end=\"4793\">The <strong data-start=\"4642\" data-end=\"4670\">Article 29 Working Party<\/strong> has identified <strong data-start=\"4686\" data-end=\"4703\">nine criteria<\/strong> to determine whether a DPIA is necessary. If <strong data-start=\"4749\" data-end=\"4764\">two or more<\/strong> are met, a DPIA is required:<\/p>\n<ol data-start=\"4795\" data-end=\"5238\">\n<li data-start=\"4795\" data-end=\"4841\">\n<p data-start=\"4798\" data-end=\"4841\">Evaluation or scoring, including profiling.<\/p>\n<\/li>\n<li data-start=\"4842\" data-end=\"4920\">\n<p data-start=\"4845\" data-end=\"4920\">Automated decision-making producing legal or similarly significant effects.<\/p>\n<\/li>\n<li data-start=\"4921\" data-end=\"4946\">\n<p data-start=\"4924\" data-end=\"4946\">Systematic monitoring.<\/p>\n<\/li>\n<li data-start=\"4947\" data-end=\"4998\">\n<p data-start=\"4950\" data-end=\"4998\">Processing of sensitive or highly personal data.<\/p>\n<\/li>\n<li data-start=\"4999\" data-end=\"5025\">\n<p data-start=\"5002\" data-end=\"5025\">Large-scale processing.<\/p>\n<\/li>\n<li data-start=\"5026\" data-end=\"5061\">\n<p data-start=\"5029\" data-end=\"5061\">Matching or combining data sets.<\/p>\n<\/li>\n<li data-start=\"5062\" data-end=\"5101\">\n<p data-start=\"5065\" data-end=\"5101\">Data concerning vulnerable subjects.<\/p>\n<\/li>\n<li data-start=\"5102\" data-end=\"5143\">\n<p data-start=\"5105\" data-end=\"5143\">Use of new or innovative technologies.<\/p>\n<\/li>\n<li data-start=\"5144\" data-end=\"5238\">\n<p data-start=\"5147\" data-end=\"5238\">Processing that prevents data subjects from exercising a right or using a service\/contract.<\/p>\n<\/li>\n<\/ol>\n<h3 data-start=\"5245\" data-end=\"5264\">III. Conclusion<\/h3>\n<p data-start=\"5266\" data-end=\"5624\">As discussed above, under both EU and national legal frameworks and in light of CJEU case law and EDPB\/HDPA guidance, <strong data-start=\"5384\" data-end=\"5474\">CCTV installation and use in the workplace is permissible solely for security purposes<\/strong> (e.g., safeguarding goods, facilities, staff engaged in high-risk work). If an employer deems installation necessary, they must ensure the following:<\/p>\n<ul data-start=\"5626\" data-end=\"7096\">\n<li data-start=\"5626\" data-end=\"5703\">\n<p data-start=\"5628\" data-end=\"5703\">No image capture from adjacent streets\/sidewalks or neighboring properties.<\/p>\n<\/li>\n<li data-start=\"5704\" data-end=\"5791\">\n<p data-start=\"5706\" data-end=\"5791\">No image capture in areas violating privacy (e.g., restrooms, locker rooms, showers).<\/p>\n<\/li>\n<li data-start=\"5792\" data-end=\"5860\">\n<p data-start=\"5794\" data-end=\"5860\">As a rule, no audio recording (allowed only in exceptional cases).<\/p>\n<\/li>\n<li data-start=\"5861\" data-end=\"5961\">\n<p data-start=\"5863\" data-end=\"5961\">As a rule, no use of cameras with zoom or pan features (permitted only under specific conditions).<\/p>\n<\/li>\n<li data-start=\"5962\" data-end=\"6122\">\n<p data-start=\"5964\" data-end=\"6122\">No installation in work areas (e.g., offices, hallways, kitchens), except in high-risk facilities, provided cameras focus solely on the asset being protected.<\/p>\n<\/li>\n<li data-start=\"6123\" data-end=\"6186\">\n<p data-start=\"6125\" data-end=\"6186\">Only designated and authorized staff may access CCTV systems.<\/p>\n<\/li>\n<li data-start=\"6187\" data-end=\"6238\">\n<p data-start=\"6189\" data-end=\"6238\">CCTV data must not be used to evaluate employees.<\/p>\n<\/li>\n<li data-start=\"6239\" data-end=\"6413\">\n<p data-start=\"6241\" data-end=\"6413\">Data must be deleted within 15 days. Exceptionally, if an incident occurs, it may be stored separately for up to 30 days; if third-party involvement exists, up to 3 months.<\/p>\n<\/li>\n<li data-start=\"6414\" data-end=\"6612\">\n<p data-start=\"6416\" data-end=\"6612\">No data transfer is allowed unless the data subject consents, or unless lawful requests are made by judicial\/prosecutorial\/police authorities. Victims or perpetrators of crimes may receive copies.<\/p>\n<\/li>\n<li data-start=\"6613\" data-end=\"6767\">\n<p data-start=\"6615\" data-end=\"6767\">Data subject rights must be respected. If a legitimate objection is raised, appropriate action must follow to prevent recurrence of unlawful processing.<\/p>\n<\/li>\n<li data-start=\"6768\" data-end=\"6860\">\n<p data-start=\"6770\" data-end=\"6860\">Employees must be <strong data-start=\"6788\" data-end=\"6822\">timely and adequately informed<\/strong> about the CCTV system\u2019s installation.<\/p>\n<\/li>\n<li data-start=\"6861\" data-end=\"6920\">\n<p data-start=\"6863\" data-end=\"6920\">The <strong data-start=\"6867\" data-end=\"6903\">records of processing activities<\/strong> must be updated.<\/p>\n<\/li>\n<li data-start=\"6921\" data-end=\"6960\">\n<p data-start=\"6923\" data-end=\"6960\">A DPIA must be conducted if required.<\/p>\n<\/li>\n<li data-start=\"6961\" data-end=\"7096\">\n<p data-start=\"6963\" data-end=\"7096\">If the DPIA outcome so mandates, a <strong data-start=\"6998\" data-end=\"7020\">prior consultation<\/strong> with the HDPA must take place to seek guidance on risk mitigation measures.<\/p>\n<\/li>\n<\/ul>\n<p data-start=\"7098\" data-end=\"7328\"><strong data-start=\"7098\" data-end=\"7118\">It is emphasized<\/strong> that, since the GDPR came into effect, <strong data-start=\"7158\" data-end=\"7176\">non-compliance<\/strong> with data protection obligations can lead to <strong data-start=\"7222\" data-end=\"7258\">significant administrative fines<\/strong>, up to <strong data-start=\"7266\" data-end=\"7306\">4% of annual turnover or \u20ac20,000,000<\/strong>, whichever is higher.<\/p>\n<p data-start=\"7330\" data-end=\"7542\">For this reason, it is essential to collaborate with <strong data-start=\"7383\" data-end=\"7407\">specialized advisors<\/strong>, whose expertise ensures both operational continuity and compliance with the data protection legal framework at EU and national level.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On 30\/12\/2019, the Hellenic Data Protection Authority (hereinafter the &#8220;Authority&#8221; or &#8220;HDPA&#8221;) issued a decision regarding the use of video surveillance systems in the workplace. The case concerned a complaint submitted by a company\u2019s employee union, which focused on the legality of a closed-circuit television (hereinafter &#8220;CCTV&#8221;) system operating in areas such as company warehouses [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":1535,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[271,272,111,270,157],"class_list":["post-887","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-en","tag-expert-in-cctv-legal","tag-fine","tag-gdpr-en","tag-gdpr-cctv-at-work","tag-hdpa"],"_links":{"self":[{"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/posts\/887","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/comments?post=887"}],"version-history":[{"count":4,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/posts\/887\/revisions"}],"predecessor-version":[{"id":1611,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/posts\/887\/revisions\/1611"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/media\/1535"}],"wp:attachment":[{"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/media?parent=887"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/categories?post=887"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/tags?post=887"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}