The General Data Protection Regulation (GDPR), which came into force on 25 May 2018, introduced increased obligations for both data controllers (‘Controllers’) and data processors (‘Processors’). One such obligation is the obligation on Controllers and Processors to enter into a legally binding contract governing the processing of personal data when a Processor is engaged to process personal data on the instruction of a Controller (a ‘Data Processing Contract’).
The use of C.C.T.V. systems has greatly expanded in recent years. So has the sophistication of such systems. Systems now on the market have the capacity to recognise faces. They may also be capable of recording both images and sounds. The expanded use of C.C.T.V. systems has society-wide implications. Unless such systems are used with proper care and consideration, they can give rise to concern that the individual’s “private space” is being unreasonably eroded. Recognisable images captured by C.C.T.V. systems are personal data. They are therefore subject to the provisions of the Data Protection Acts.
A data controller needs to be able to justify the obtaining and use of personal data by means of a C.C.T.V. system. A system used to control the perimeter of a building for security purposes will usually be easy to justify. The use of C.C.T.V. systems in other circumstances – for example, to constantly monitor employees, customers or students – can be more difficult to justify and could involve a breach of the Data Protection Acts.
For more information on Data Protection please follow the link below.