The collection of personal data, i.e. data relating to natural persons, must meet numerous requirements. The European Data Protection Regulation, often abbreviated to RGPD, imposes drastic limitations.
Personal data protection: what do you need to know?
When third parties (customers, suppliers, etc.) are involved, they must explicitly agree to the collection of their data. However, the employer is not required to seek the consent of its employees because of the subordinate relationship.
However, he must be extremely careful: in the absence of consent, he can only collect data on his employees for processing of legitimate interest (access control to premises, payroll management, etc.).
Finally, any data leakage must be notified to the CNIL within 48 hours of its discovery, for example following a hacking of the servers.
Remote surveillance: what role does the CNIL play?
The CNIL, the French authority in charge of ensuring compliance with the Data Protection Act and the RGPD, can impose sanctions for non-compliant remote monitoring regulations.
The use of the cameras must thus answer legitimate purposes. It is possible to monitor the accesses to a company or a warehouse, but it is forbidden to record the employees permanently to monitor them. It is also not possible to film the employees’ toilets or the union premises. The length of time the recordings are kept must be strictly limited.
Finally, employees must be informed of the installation of remote surveillance cameras and the purpose of these installations. These precautions will avoid any dispute or claim settled in court.
The protection of personal data in the context of video surveillance
Remote monitoring applied to building security is a preventive tool that is often indispensable to avoid theft and intrusion or to allow rapid intervention by security services. It must comply with European regulations and the RGPD. The preservation of video recordings does not depend on the disk capacity of the computer systems, but on the objectives pursued.
They must therefore be destroyed, together with any back-up copies, at the end of the set period. The retention period is not strictly fixed, it must be “reasonable”. For remote monitoring, the time frame generally varies between 24 hours and two weeks.
Beyond the chosen duration, the videos can only be kept if an investigation is in progress. Apart from this particular case, only the recipients of these videos, such as the company’s security manager, should be able to consult them, in view of the confidentiality of images not intended for broadcast.