Here are some legal notices regarding the use of Privacy Protector™ in the EU and Switzerland.
- When using KiwiVision™ Privacy Protector™, you are considered a data controller in the meaning of the data protection regulations. As a data controller, you are responsible for compliance with all applicable legal requirements. This includes the obligation to inform any person who will be affected by video surveillance, and to follow all requirements for video surveillance in the context of employment, such as employee monitoring, that are usually regulated by specific laws. A legal evaluation of the operation of your video surveillance system from a data protection perspective is necessary, even when KiwiVision™ Privacy Protector™ is used. However, it is easier to register and audit video surveillance when using Privacy Protector™. Legal requirements must be evaluated on a project-by-project basis and must be checked independently. Genetec Inc. assumes no responsibility for the completeness of the information provided here.
- When using KiwiVision™ Privacy Protector™ in outdoor mode, take note of the information contained in "Configuring privacy protection on cameras" and "Privacy Protector™ security concepts and risk analysis". Outdoor mode is sensitive to large, monochrome areas in the foreground, such as a person wearing a dark coat. These objects can only be reliably blurred, if they are located far enough from the camera. The required distance is approximately 1-2 meters, or more if the camera is equipped with a zoom lens. It is also possible that any person who does not move significantly for a long time will be treated as part of the background and not be pixelated.
- In general, pay attention to the GDPR (REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)) that applies to all member states of the European Union, and in the area of “Video Surveillance” especially to the guidelines 3/2019 of the European Date Protection Board of 29 January 2020.
- In Austria, the use video surveillance systems is regulated by “Image Processing” in §§ 12 and 13 DSG (Datenschutzgesetz, Federal Act on the Protection of Individuals with regard to the Processing of Personal Data, basic version StF: BGBl. I No. 165/1999, as amended by BGBl. I No. 14/2019), effective since May 25, 2018. The website of the Austrian data protection authority https://www.dsb.gv.at/download-links/fragen-und-antworten.html#Videoueberwachung_durch_Private_einschlieszlich_der_Privatwirtschaftsverwaltung_der_oeffentlichen_Hand provides a summary, in German, of the current legal framework, including details for private video surveillance. The rules in §§ 12 and 13 DSG, and potential regulation in other, more specific laws apply to the use of technical facilities for the processing of images related to activities in public and non-public spaces for private use, including any acoustic information that is also processed. Among other things, the DSG bans image recording for the purpose of monitoring employees.
- In Germany, video surveillance of spaces open to the public is also regulated by Bundesdatenschutzgesetz (§ 6b BDSG). Regarding § 4 BDSG-neu, the federal administrative court decided in March 2019, that it only applies to video surveillance by public authorities, not to private responsible parties. These parties must be assessed in accordance with Art. 6 Sec. 1 lit f DSGVO and the “legitimate interest” specified therein. Depending on the area and location under video surveillance, other laws are also applicable. These other laws include the respective state data protection laws and the “Versammlungsgesetz”. Relevant parts of the BDSG are available online at https://dsgvo-gesetz.de/bdsg/. Check the website of the federal data protection commissioner (https://www.bfdi.bund.de) and of the data protection conference for further references, including guidelines on the subject “Video Surveillance” that accounts for the DSGVO and the current provisions of the BDSG, among other things. See https://www.datenschutzkonferenz-online.de/media/oh/20200903_oh_v%C3%BC_dsk.pdf.
- Switzerland has no central law regulating data protection. This regulation varies by canton. There is a current overview of the rules for video surveillance on the website of the federal data protection and information commissioner that includes further information. See https://www.edoeb.admin.ch/edoeb/de/home/datenschutz/technologien/videoueberwachung/videoueberwachung-durch-private.html.
- In Luxemburg, notes on the applicable data protection guidelines can be found on the website of the national commission for data protection. Take note of statements, judicature, and articles found in the section “Video Surveillance”. See https://cnpd.public.lu/de/support/recherche.html?q=video%C3%BCberwachung.
- The KiwiVision™ Privacy Protector™ pixelation algorithm is designed to make recalculation of plain data from the pixelated images impossible.
- KiwiVision™ Privacy Protector™ log files do not contain any personal data. The only personal data that is processed by Privacy Protector(TM) is the incoming plain video data. Outside of Privacy Protector™, the user names of those who apply configuration changes might be captured in VMS audit reports.
Additional consideration for the GDPR
- In cases of large-scale surveillance of publicly accessible areas, the GDPR generally requires a data protection impact assessment for the surveillance.
- The data controller and the data processor are responsible for keeping records of processing activities. Genetec Inc. can help you create these records.
- Your company might be required to designate a data protection officer to ensure the compliance with the data protection regulations of the GDPR and the respective national data protection laws, and to report the designated officer to the national supervisory authority.
- All persons under your supervision, such as employees, with access to personal data are only allowed to process that data at your direction.
NOTE: GDPR regulations can also apply if you are not located in the EU or the European Economic Area (EEA). However, the data processing requirements affect the personal data of persons, who are located in the EU or EEA.
Disclaimer: This information is intended to serve as guidelines to inform our customers and does not replace professional legal advice. Genetec Inc. assumes no liability for the correctness, completeness, or currentness of the information provided. Genetec Inc. has no inﬂuence on the content of third parties linked here.