Publications

12/2/2021

The CCTV  (internal image capture systems) are widely used to monitor places and facilities preventively, to support security management, and to help identify crimes and accidents. Whenever a CCTV system is used, either at the workplace or in places accessible to the public in general, the company contracting  CCTV to capture, monitor and use these images will be considered the personal data controller, as defined in the Brazilian General Law of Data Protection – (“LGPD” – Law 13.709/2018), that is, who takes the decisions regarding the processing of personal data.

There are numerous issues related to security, and especially in spaces with public circulation, such as stores, supermarkets, banks, educational institutions, shopping malls, condominiums, etc. The controller must take into account the “scale” of the system installed and the degree of risk with the intended data processing, considering the potential impact on the rights of the personal data subjects

CCTV monitoring may even generate additional sensitive personal data (for example, the monitoring of religious sites, unions) or even register images of underaged (children and teenagers) – e.g.: shopping centers, schools, thus requiring additional care in view of the LGPD.

From the employer’s point of view, one of the fragilities in the companies’ data governance structure is the monitoring of the work environment through security cameras. Although the courts in Brazil understand that the monitoring of employees in the workplace by a CCTV does not result moral damage, but rather, it is a lawful too for supervision by the employer (as long as this supervision is proportional and legitimate)[1], the companies that use it should pay attention to the processing of suchpersonal data and to the compliance with the principles related to privacy, especially with respect to the expectation of employees to have their privacy preserved.

In general, the use of a CCTV system is controversial within the scope of labor relations, and the possibility of replacing it or combining it with other alternative measures must always be considered, as well as keeping restrooms, recreational areas, changing rooms, bathrooms, and office areas always preserved.

Another aspect frequently discussed and related to the use of CCTV systems refers to facial recognition which is characterized as biometric data (sensitive personal data by definition) and, consequently requires the compliance with the principles of privacy and data protection since the conception of the use of these tools (privacy by design principle) and should even be separated from the regular use of the CCTV system by the organizations.

Prior to installing a CCTV system, the Controller should consider the checklist below with the main guidelines to be followed:

• Purpose: Determine a clearly defined purpose for installing the CCTV. You should identify all possible purposes for the company’s use of the CCTV, i.e. what the controller aims to monitor. Consider whether the processing of personal data collected by the CCTV will be limited to the original purpose.
• Lawfulness: Identify what is the legal basis for the use of CCTV, making sure that it is the most adequate for processing the data collected by the CCTV system.
• Necessity: The controller must be able to demonstrate that the CCTV is necessary to achieve the purpose aimed with the processing. Assessing what was determining in company’s decision to install the system and the implications of its use will help assess whether it is justified and legal. The assessment of necessity should also take into account the possibility of considering other solutions that do not collect personal data (or at least do not collect sensitive personal data) and compliance with the principle of minimization.
• Proportionality: In this case it is assessed whether the CCTV system is reasonable for the intended purpose. For example, if it is used for purposes other than security, most likely these purposes will not be proportional and will be illegitimate from the perspective of the LGPD. Other relevant questions when doing proportionality assessment are: Will the personal data generated by CCTV recordings be reasonable and does the controller consider the impact on the individual rights of the people filmed? Who will be subject to the camera monitoring? Can the use of CCTV be justified in relation to the effect it has on other people? Can it be demonstrated that the installation of a CCTV system, which collects personal data on a continuous basis, is justified? It is recommendable that in the decision-making process that assesses necessity vs. proportionality, the controller documents his assessment process justifying the implementation of CCTV system, complying with his duty of accountability, which in many cases may result in a Data Protection Impact Assessment (DPIA).
• Security: Define what measures will be put in place to ensure that the CCTV recordings will be secure and protected at a technical and organizational level. This includes determining who will have access to the CCTV recordings and how this will be managed and recorded.
• Retention: The LGPD requires that personal data should not be kept longer than is necessary for its original purpose. Although no specific retention periods are defined, the data controller must be able to justify the defined retention period.
• Transparency: The principle of transparency means that Data Subjects must be informed about the processing of Personal Data. In this regard it must be defined how the data subjects will be informed about the monitoring and whether they will be provided with information about the processing (e.g. purpose, retention period, etc.), including channels for exercising their rights.

All these issues should be considered within the principles of privacy by design and privacy by default, i.e., at the planning stage and at all stages of the use of CCTV systems that collect images and videos of individuals, personal data controllers are required to adopt all technical and organizational measures to maintain the lawful processing of such personal data.

For this purpose, it is recommended that a specific policy be drawn up for the use of CCTV, which will serve as a guide, positively influencing decision making by the data controller and guiding that personal data serve a specific purpose, minimizing risks and bringing greater security to the operation.

Furthermore, in situations identified as high risk during the necessity vs. proportionality analysis, it is recommended that a specific DPIA be prepared, for example, in situations where the system captures images and videos from an area accessible to the public on a large scale, or in cases involving children and adolescents, for example. The DPIA enables the consideration and adoption of specific measures to reduce impacts and risks in specific cases.

Once the CCTV system is justified and implemented, the data controller must keep, whenever possible, the data subjects informed about the data processing in question, through its policies, procedures and/or periodic training.

[1] According to the recent understanding of the Superior Labor Court in the judgment of RR No. 211625120155040014, Judge: Hugo Carlos Scheuermann, Judgment Date: 08/26/2020, Publication Date: 08/28/2020.