GDPR

Adatvédelem mindenkinek / Data protection for everyone

Recording as a key element in evaluating data processing activities

2020. szeptember 30. 13:00 - poklaszlo

According to the definition of data processing in the GDPR, processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The definition also gives examples of activities that shall be regardad as processing. Such examplary list includes "recording" as an activity that, if it is performed on personal data, qualifies as data processing. 

Recently, the Hungarian Data Protection Authority interpreted recording as a data processing activity in several different contexts and it seems from these opinions and decisions that recording as a data processing activity can be an important element to be considered when the necessity and the proportionality of the given data processing process is evaluated.

Firstly, the Hungarian DPA issued an opinion on the use of dash cams in trucks. The data controller’s intention was to keep only those recordings that are necessary to investigate certain situations and to use such recordings for internal development and educational purposes. According to the Hungarian DPA, installation of continuously recording dash cams constitutes more than necessary interference with the privacy of persons potentially affected by the recordings. On the basis of this, the Hungarian DPA considers such data processing as an activity that does not comply with the requirements of the GDPR, in particular the principles of necessity and proportionality. (The DPA also referred to Point 35 of the European Data Protection Board's guidelines no. 2019/3 on processing of personal data through video devices: "If a dash cam is installed (e. g. for the purpose of collecting evidence in case of an accident), it is important to ensure that this camera is not constantly recording traffic, as well as persons who are near a road. Otherwise the interest in having video recordings as evidence in the more theoretical case of a road accident cannot justify this serious interference with data subjects’ rights.")

Secondly, a decision in connection with the use of CCTV was published recently (a fine was also imposed on the employer using the cams without proper legal basis). In this decision, the Hungarian DPA examines those situations where cameras are installed but without the capability of recording. In such cases, based on the DPA’s opinion, “[…] the direct observation of the transmitted image are similar to, but to some extent different from, the presence of the observer (e.g., a police officer, security guard, workplace manager, etc.) on site. Today, with the help of technology (for example, zooming in) it is possible to observe much more extensively than in the presence of a person, so the observation of the transmitted images in these cases allows a more detailed control. Furthermore, the transmission or monitoring of live images is usually done for some purpose, so it can be considered a part of a unified data processing process, as a result of which the data controller makes some decision based on the live images. Therefore, technical surveillance as a substitute for personal presence, i.e. access to images, does not constitute data processing under the provisions of the General Data Protection Regulation, except if the technique used during the surveillance allows the observer to obtain additional information from the data subjects. A further condition for this is that the cameras may not serve as secret surveillance devices, but as substitutes for the presence of the person entitled to inspect, so that in all cases they must be placed in a visible way and the presence of those concerned must be brought to light.This means that without recording and if the observation through cameras is a substitute of the presence of a person (i.e. without the possibility of a more extensive collection of information), the use of cameras may be part of the data processing process that requires the observation and shall not be regarded as a separate data processing.

Thirdly, the Hungarian DPA’s opinion regarding temperature checks at workplaces was earlier this year that a general obligation regarding the employees to go through temperature checks is unproportionate. (In certain cases, based on the employer’s risk assessment, staff performing tasks classified as risky, e.g. employees work in customer service, may be required to allow temperature check.) It seems that the position of the DPA may change in this respect since the President of the DPA said to the press in connection with the mandatory temprature check at schools that under the current circumstances (i.e. due to the second wave of COVID-19 pandemic), temperature checks may be regarded as a proportionate measure; however only if the results are not recorded. (Note: This comment was made in a short interview with the President of the DPA, no further details were discussed.)

On the basis of the above, it is important to evaluate the key elements of processing on a case by case basis since the outcome of such analysis may have significant effect on the whole data processing process. 

Szólj hozzá!
Címkék: recording Hungary EN GDPR Hungarian DPA

Ajánlott bejegyzések:

A bejegyzés trackback címe:

https://gdpr.blog.hu/api/trackback/id/tr8016221484

Kommentek:

A hozzászólások a vonatkozó jogszabályok  értelmében felhasználói tartalomnak minősülnek, értük a szolgáltatás technikai  üzemeltetője semmilyen felelősséget nem vállal, azokat nem ellenőrzi. Kifogás esetén forduljon a blog szerkesztőjéhez. Részletek a  Felhasználási feltételekben és az adatvédelmi tájékoztatóban.

Nincsenek hozzászólások.
süti beállítások módosítása