At the outset, it should be mentioned that the methodology is a non-binding recommendation of the Office for Personal Data Protection, not a mandatory regulation. Controllers can therefore choose a different way to prove compliance with the GDPR (e.g. by following a different methodology). The aim of this methodology is to offer practical guidance and contribute to a clearer interpretation of some obligations in the field of personal data processing by camera systems.

When are the uses of the camera system considered to be the processing of personal data?

The methodology newly introduces precise technical criteria for the processing of personal data by cameras. If any character in the frame occupies more than 25% of the height of the image or if there is less than 40 mm of the actual height of the figure per pixel, this is a processing of personal data subject to the GDPR. If the camera system does not meet these criteria, its use is not considered as personal data processing.

A significant change is also the distinction between the camera system with recording and the system in online mode. The methodology also considers the use of online camera systems without long-term storage of recordings to be personal data processing if they meet the above image size criteria. From a technical point of view, even with these cameras, there is a temporary storage of data, albeit a very short time, during which it can be misused.

Balance test

A key element of the new methodology is a detailed guide to performing a balance test for the legitimate interest of the controller. This four-step process includes proving the existence of a real threat, assessing alternative solutions, analysing the necessity of the selected option and comparing the rights of the controller with the rights of data subjects. It is essential that the controller proves that its legitimate interest, such as the protection of property or the safety of persons, takes precedence over the right of the monitored persons to privacy.

Documentation for the camera system

A practical contribution is also the chapter on the documentation for the camera system. The methodology explicitly mentions a two-level information obligation for the data subject. The first level consists of an information sign at the entrance to the monitored area, containing a pictogram of the camera, the identification of the controller and basic information about the purpose of processing. The second level is comprehensive information available on the web or in printed form, including all the essentials required by Article 13 of the GDPR. However, information documents are only a partial part of the necessary documentation. A broader set of internal and operational documents is needed for true compliance, with the methodology explicitly mentioning seven other core documents.

The methodology also divides camera systems into four classes according to the degree of interference with privacy:

• Class 1 (small rate): building facades, cellars, parking lots
• Class 2 (medium rate): entrances to buildings, sales areas
• Class 3 (high rate): school corridors, elevators, waiting rooms
• Class 4 (very high rate): workplaces, systems with biometric functions

Specific mandatory and recommended security measures are established for each class, making it easier for controllers to implement adequate security mechanisms.

The retention period of records is also clearly defined, which in most cases should not exceed 72 hours. This period allows for incident detection and the securing of evidence. A longer retention period must be justified by specific circumstances.

As mentioned in the introduction, the new methodology of the Office for Personal Data Protection is not legally binding, but it represents a useful guideline on how to operate camera systems in accordance with the GDPR. Operators should use it to thoroughly check not only whether they have the necessary documentation, but also whether it is up-to-date and corresponds to the real system settings. During the revision, the operator should verify whether, for example, it has a processing agreement with the camera controller in the event that the system is managed by an external company, and whether the data protection officer is involved in the setup and control. At the same time, it is important to check what area the cameras are actually monitoring, how many are in operation and whether internal guidelines and information signs correspond to this situation. Regular screening of these areas significantly reduces the risk of sanctions and at the same time strengthens the trust of those whose privacy is affected by monitoring.